echo: osdebate
to: All
from: Rich Gauszka
date: 2007-05-23 16:00:56
subject: Major revision planned for Sarbanes-Oxley

From: "Rich Gauszka" 

I never realized that it involved that much logging

"Under current Sarbanes-Oxley rules, a company must log every
transaction the DBA (database administrator) performs."

http://weblog.infoworld.com/realitycheck/archives/2007/05/major_revision.html


On May 24, the Public Company Accounting Oversight Board (PCAOB) will vote
on Auditing Standard No. 5. If approved, this new standard for audits of
internal control will bring about significant changes to Sarbanes-Oxley
regulations, which now operate under Auditing Standard No. 2.

In particular, Section 404 of the Sarbanes-Oxley Act of 2002 requires
companies to assess their internal controls over financial reporting and
offer an auditor's report on that assessment. To bring this to fruition,
Auditing Standard No. 2 was adopted by the Securities and Exchange
Commission.

However, in its latest report, the PCAOB admits that although the oversight
has "produced significant benefits" with an increased focus on
corporate governance, these benefits "have come with significant
cost." If approved by the PCAOB, Audit Standard No. 5 will then be
sent on to the SEC, which will decide how long the regulation will be open
for public comment before it votes on the standard.

The SEC's goal, according to a PCAOB representative, is to finalize the new
rules in time for the next cycle of audits of internal controls for fiscal
years ending after Nov. 15, 2007.

I spoke with Patrick Taylor, president and CEO of Oversight Systems, which
provides security systems for financial business processes.

The purpose of Sarbanes-Oxley remains the same, to identify fraudulent
earning and/or fraudulent financial reports. The difference, however,
between Audit Standard No. 5 and Standard No. 2 is the approach. And that
difference will have an appreciable effect on IT, in a good way.

"From an IT perspective, [Audit Standard No. 5] will take a lot of the
bureaucracy out of compliance," Taylor told me. After four years of
dealing with the issues surrounding Section 404, the SEC is actually
getting more pragmatic.

The PCAOB admits that the current standard encourages auditors to
"perform procedures that are not necessary in order to achieve the
intended benefits."

Taylor offers a simple example to explain what that means: Under current
Sarbanes-Oxley rules, a company must log every transaction the DBA
(database administrator) performs. The DBA can't log in to a database
without a trouble ticket. So, when the auditors come in, they want to see
that someone at the company verified all DBA transactions against trouble
tickets, a huge waste of time considering that no one will know whether the
DBA, who may have written in his notes that he went into the database to
reindex a column, actually performed the task.

Rather than getting lost in minutiae, the new standard will look at the
bigger picture. In a sense, the SEC will relax some nitpicky procedures in
favor of a top-down approach. Which is probably a good idea, given that the
real risk lies at the top. According to an Aberdeen study, 73 percent of
all fraudulent activity is initiated by executives and managers rather than
the employees who answer to them.

Fraudulent financial reporting most likely stems from someone manipulating
the general ledger or during revenue recognition. Because of this, the new
proposals will direct the auditor's attention to financial statements and
company-level controls rather than "process-level aspects of
control."

One more example from the PCAOB proposal that put a smile on my face was
the suggested rewording of the definition of a control deficiency from one
that is "more than inconsequential" to a "significant"
deficiency.

Proof once more that the pen is mightier than the sword!

If you haven't looked at the full 131-page proposal, I suggest you do so.

http://www.pcaob.org/Rules/Docket_021/2006-12-19_Release_No._2006-007.pdf

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267
@PATH: 379/45 1 633/267

SOURCE: echomail via fidonet.ozzmosis.com
