SOX forces businesses to think holistically, says risk expert

The Sarbanes-Oxley Act has had the "single greatest impact" in making companies focused and disciplined around the area of IT controls, says a Deloitte & Touche consultant.
Written by Vivian Yeo, Contributor

SINGAPORE--The compliance wave created by regulatory requirements, such as Sarbanes-Oxley, gives businesses a reason to view security and risk in a more holistic manner.

Philip Chong, director of Deloitte & Touche Enterprise Risk Services, told participants at a security conference in the island-state that the SOX Act has had the "single greatest impact" in getting companies focused and disciplined around the area of IT controls.

That is because there has long been a disconnect between IT security and business requirements, and companies have not placed enough emphasis on maintaining tighter internal controls, explained the Singapore-based Chong.

The risk consultant said businesses need to have a reliable financial reporting system and proper documentation trail in place. By requiring businesses to demonstrate how IT controls enable the reliability of financial reporting, the SOX regulations facilitate the implementation of the right security controls, he added.

In the region, China, Hong Kong, Japan and Korea have come up with their own versions of SOX or have similar existing regulations in place, said Chong. Singapore is also considering amendments to its regulations regarding company listings.

According to Chong, corporate governance involving control and compliance is a result of sound security architecture, IT governance in the form of CobiT (Control Objectives for Information and Related Technologies), best practices in security management and IT operations, and the alignment of IT to business objectives.

In the area of risk management, companies should consider all types of business risk and not just focus on security, cautioned Chong.

Security is often "not the single biggest [business] risk", he noted.

Chong added that a business must not look to IT to manage every risk it faces. "The response to a risk need not be technology--it can be financial," he pointed out.

To illustrate the point, he noted that in the event of an avian flu outbreak, a typical business would focus on issues relating to operations and business continuity, not technology. In contrast, a travel agency would be concerned with liquidity, and would therefore need to work out a cash flow plan, such as seeking indemnification from banks or getting insured, he added.
