Senior Research Analyst
Small to mid-sized enterprises (SMEs) can benefit from implementing control objectives for governance, compliance, and improved security. The Securities and Exchange Commission’s (SEC) recent Sarbanes-Oxley (SOX) announcement puts an end to several years of speculation, so SMEs must get on top of their control game.
Sarbanes-Oxley (SOX) is here to stay for small to mid-sized enterprises (SMEs), which the Securities and Exchange Commission (SEC) defines as any publicly traded company with less than $75 million in market capitalization. Although auditing standards have been adjusted for smaller organizations, many SMEs still need to prioritize and strengthen the internal IT controls that protect their information assets.
The Information Systems Audit and Control Association (ISACA) is the organization that sets standards for auditing and grants certification to auditors. New studies from ISACA pinpoint the top controls that are the most important for SMEs. This research note discusses:
» The latest SOX developments in the SME space.
» Key findings from the ISACA study.
» Which tactics SMEs can use to satisfy internal IT controls.
SMEs must implement control objectives for compliance and improved security, but have limited means to do so. The ISACA study prioritizes the most important IT controls so that SMEs can get on top of their control game.
Sarbanes-Oxley (SOX) was enacted in 2002 as an anti-fraud measure in the wake of large accounting scandals such as Enron and WorldCom. Until recently, the Securities and Exchange Commission (SEC) applied the same SOX auditing practices to all companies, regardless of their size, infrastructure, level of risk, or available resources. As long as a company was publicly traded, the same auditing rules and standards applied, whether its market cap was less than $75 million or more than $100 billion.
The financial strain that SOX compliance put on SMEs caused a huge backlash against the SEC and its affiliated audit watchdog, the PCAOB. In December 2006, the SEC announced that it would relax the auditing standards to accommodate the limited resources of public SMEs. This so-called “materiality standard” will guide auditors in scrutinizing only those controls that carry a reasonable risk of having a material impact on financial statements. Previously, all of an SME’s controls would have been examined.
Until now, there was no “light” version of the SOX auditing procedures, and SMEs were expected to adhere to the same SOX requirements as Fortune 500 enterprises. Consequently, auditors did not take the limited resources of smaller businesses into account.
As a result, the one-size-fits-all approach cost SMEs a disproportionately higher amount than larger organizations to comply. To put this in perspective, a large company generally pays 0.1% of annual revenue to comply with SOX, while a smaller company has traditionally paid about 1%.
The new SME standard will also discourage auditors from conducting multiple tests of the same controls, instead relying on prior years’ audits for their assessments. The end result for the SME is cost savings on two fronts:
» Reduced billable hours because the auditor is testing fewer controls.
» Reduced technology and process spend because fewer weaknesses are found.
However, although auditing standards have recently been adjusted for smaller organizations, many SMEs have yet to prioritize and strengthen the internal IT controls that protect their information assets.
ISACA to the Rescue
SMEs have limited resources and IT staff for controlling risk and may not know how to prioritize these risks. Compromised controls have a proportionately greater impact on SMEs as well: while a large enterprise will be able to absorb financial losses (e.g. due to fines from the SEC for SOX violations), the SME may face severe loss of customers or even bankruptcy.
For the purposes of this research note, a “small” IT shop is defined as one with five or fewer workers. ISACA conducted a study in 2006 to determine the top IT controls that SMEs should have in place for securing information assets. The study involved a panel of experts who were given a list of 30 control objectives derived from COBIT. The experts were asked to boil down the list, using the Delphi method to achieve consensus.
The top COBIT controls, as recommended in the ISACA study, follow in the table below, along with a list of tactical solutions that satisfy those controls:
| Control Objective | What to Implement |
|---|---|
| Network security | Updated firewall, secure wireless transmissions |
| | Updated anti-virus, anti-spyware applications |
| | Regular and tested backup procedures |
| File access privilege controls | Role-based access control, least privilege |
| IT as part of strategic plans | Technologies that support business goals |
| IT continuity and recovery plans | Basic disaster recovery plan (DRP) procedures |
| ID and authorization procedures | Complex passwords, password change policies |
| Management support/buy-in | Leadership from CEO for IT control projects |
| Risk evaluation program | Basic risk assessment and/or self-audits |
| Employee IT security training | Training for e-mail, Web, and password use |
| Data input controls | Field formats, periodic data range testing |
1. Taking on unacceptable business risks due to budget concerns. Based on industry analysis and client feedback, Info-Tech has noticed a distinct trend towards non-compliance, with more than 60% of SMEs stating they do not expect to be compliant with Section 404 of SOX by the deadline. Furthermore:
» Since SOX costs SMEs nearly 10 times more than what it does for large enterprises, the money used to pay for compliance is being drawn predominantly from funds that are intended for research and development.
» In many cases, going public will be as limiting to an SME’s near-term growth as staying private. In other words, remaining private could prove more beneficial to long-term growth.
» Some CxOs of smaller enterprises tend to have a stronger stomach for risk, and will weigh the possibility that non-compliance is an acceptable risk.
» Others cannot afford high compliance costs, and will risk non-compliance before they risk financial dissolution.
2. Ability to identify existing controls. Much like a DRP, IT controls are safety precautions that one hopes will never have to be used (much like disability insurance, for example). When it comes to compliance, all that auditors want to see is that the enterprise has put reasonable controls in place to protect data. What causes confusion is that no one seems to have a full grasp of the definition of the word “reasonable.” IT control objectives (the driving principle behind the controls themselves) are meant to provide guidance only – it is up to the business to decide which controls to implement, and how to do it.
3. Obtaining an internal sponsor. Many small enterprises do not have a CIO who can guide business risk-driven projects. However, these same enterprises almost always have a financial director, CFO, or manager with deep accounting experience. IT must look to this individual for advice on the strategic direction of compliance and risk-related initiatives.
Improvement & Optimization
1. Implement ISACA’s recommended controls and document current controls. Controls come in all shapes and sizes, such as policies, technologies that restrict access to sensitive data, or even a process within an application. More often than not, IT controls must be documented in order to meet audit requirements. The minimum documentation required for IT controls includes (but is not limited to) the following:
» Policies, procedures, standards, risk assessments, authentication controls, user-level controls, access controls, logging, monitoring, configurations, physical security
» Change Management and Development: development standards, development procedures, prioritization, requests, approvals, maintenance, testing, quality assurance, Software Development Life Cycle documentation
» Batch jobs, backups
2. IT shops with fewer than 10 employees should look at COBIT Quickstart. The SEC announcement puts an end to months of procrastination, so SMEs must begin their compliance initiatives now if they are to meet SEC requirements. Info-Tech strongly advises the use of COBIT Quickstart to help meet compliance goals. COBIT Quickstart is a baseline for small IT shops, or for SMEs for whom IT is not mission-critical. Quickstart is a subset of the broader COBIT publication, and contains only the most critical control objectives. These objectives were specifically chosen because they retain COBIT’s fundamental principles for core IT processes, but can be implemented quickly.
3. Seek outside help. A small company with severely limited staff resources (e.g. only one or two IT workers) is going to need a consultant to help implement certain controls. For example, if the enterprise is largely unfamiliar with file access privilege control, then a third party should be brought in to help implement it (whether through software solutions or a directory service built into the operating system). In addition, building a DRP will require an objective third party to assess risks and vulnerabilities. While money might be an issue, the cost of non-compliance is far higher:
» Since the enactment of SOX in 2002, total fines have soared to roughly $8 billion, and the number of financial fraud actions filed has increased by 70%.
» The filings and subsequent fines generate significant government revenue, so it comes as little surprise that the SEC will aggressively pursue non-compliant companies from now on.
» SOX has teeth. Former CEOs such as Bernard Ebbers (WorldCom) and Jeffrey Skilling (Enron) have both been handed lengthy prison sentences.
SMEs can benefit from implementing control objectives for governance, compliance, and improved security. The SEC’s recent SOX announcement puts an end to several years of speculation, so SMEs must get on top of their control game.
Ross Armstrong is a Senior Research Analyst with the Info-Tech Research Group.
For more information go to www.infotech.com