May 09, 2012, 9:22 PM — In my last column, I talked about how time-consuming SOX compliance is for companies like mine. Unfortunately, it's about to get worse.
For various reasons I won't go into here, the number of Sarbanes-Oxley Act controls we must deal with and the amount of evidence we need to gather is increasing by about 30%, starting this quarter. On top of that, I'm spending a lot of time in meetings reviewing each control, both old and new.
I'm all for anything that improves security, and regulations like SOX seem to be very effective at forcing companies to do the right things. But regulations are a double-edged sword. We've definitely crossed the line of diminishing returns -- we're spending more time documenting our control activities for the benefit of the auditors, and spending more time with the internal and external auditors themselves, than we spend on performing security-enhancing activities like user account review, checking and certifying the security settings of servers, and validating backups. In fact, I would say we're spending at least twice as much time on the audits than we spend on the activities. Our internal audit department has four times the number of people that I have -- and our external auditors resemble a small army. That seems unbalanced, and inefficient. And I'm only dealing with the security-related SOX controls, which are only a fraction of all the SOX controls in my company.
There's got to be a better way. It's reaching the point where SOX compliance is almost all I'll be able to spend my time on -- displacing other, important security activities and the expansion and improvement of our security posture. As I said, I'm in favor of regulations that improve security. They can be effective in getting security the focus and priority it should have. But I'm starting to think SOX is harming us at the same time, because it's overblown and expensive, and it's consuming resources better spent elsewhere.
Part of the problem is that SOX activities tend to be very manual. There's a lot of human effort involved in performing controls, collecting evidence, inputting data into a system of record, reviewing script results and settings (and creating new scripts when new controls are added). And after all that work is done, we spend even more time sitting with the auditors going through it all. Twice. Once with the internal auditors, and again with the external auditors.