SEC Begins Sarbox Study, Makes SMB Deadline Delay Official

Lora Bentley

On Friday, the Securities and Exchange Commission officially began a cost-benefit analysis of Sarbanes-Oxley section 404 for small businesses. According to an agency press release, the study will consist of both a Web-based survey of subject companies and "in-depth interviews" with companies new to 404 compliance. The study will analyze "real-world" costs and effects under the SEC's new principles-based guidance for Sarbox implementation.


Also on Friday, Sen. John Kerry, D-Mass., and Sen. Olympia Snowe, R-Maine, praised the SEC for taking the time to gather more information before requiring small businesses to comply. (The SEC approved another extension of the compliance deadline for small businesses late in 2007.) PR Newswire quotes Snowe as follows:

When you consider that businesses that employ fewer than 20 people spend more than $2,000 per employee in regulatory compliance costs than businesses who employ more than 500 people, it's painfully clear that we could be doing more to help small businesses succeed. I am pleased that the SEC has taken steps today to help address and rectify this discrepancy.

Feb 9, 2008 2:31 AM John Walker says:
The issue here that has not been widely articulated is that if one regards Sarbanes/Oxley (SOX) as purely a compliance chore, and adopts the traditional methodology to achieve such compliance, then it becomes a significant irretrievable expense. This is the view that has currently achieved the status of 'broad-based conventional wisdom' and that has prevailed to cause the recent one-year moratorium on mandatory compliance. Another, far more erudite approach is available. If an enterprise adopts a process-based management system approach to compliance based on the same premises as ISO 9001, then, as opposed to the traditional documentation or event-based approach, it can not only readily achieve compliance to SOX but also to many other industry standards such as ISO 9001, ISO 14001 (Environmentally responsible) and OHSAS 18001 (Occupational health and safety). It can thus differentiate itself from its competition both compliance-wise and commercially (efficiency-wise). In short, SOX compliance more than pays for itself.
Feb 17, 2008 6:00 AM Danny Lieberman says:
John makes an extremely important point that if Sarbanes/Oxley is a check box chore for compliance then it is a non-value added expense for the business. It is crucial to remember that Sarbox and PCI DSS are not regulations for the sake of compliance. The objective is to improve the way a business manages and governs its activity, reducing risk to itself, its customers, suppliers and shareholders. As the SEC puts it, an SMB should be able to use common business sense to find material weaknesses in their internal controls. Business process mapping is valuable - however a small business of less than 20 people has fairly simple business processes and it might be inappropriate to try and fit an enterprise tool like BPM on a small business considering the costs of an external BPM consultant. I always recommend that a small business rely on their common sense. You may want to check out a methodology and user friendly desktop software from an Israeli company called Practical Threat Technologies (PTA). Their web site is here http://www.ptatechnologies.com Using PTA, anyone can identify their key business assets, their vulnerabilities, the threats that exploit the vulnerabilities and the controls that mitigate the threats. By using the PTA methodology a small business can quickly identify their key risks and fix them, reducing risk and gaining compliance - it's a slam dunk for a business and money well worth spent. Danny
