In-Depth

In Brief

Executives Decry Cost of SOX, IM Security Still a Concern, and a Mobile Phone Worm Evolves

• By Mathew Schwartz
• 04/13/2005

SOX Compliance Costs Exceed Estimates

If your company’s Sarbanes-Oxley bill is bigger than expected, over-execution may be to blame.

Those findings come from Financial Executives International (FEI), a professional organization for senior financial executives, which surveyed members at 217 public companies with average annual revenues of $5 billion. FEI compared the results with a similar survey conducted last year.

Today, only half of organizations (though 83 percent of companies with over $25 billion in revenue) think Sarbanes-Oxley Section 404 is doing its job, giving investors faith that a company’s books are valid. While there’s some disagreement over effectiveness, there’s little debate over the price tag: 94 percent say compliance costs exceed the benefits of compliance.

What is Sarbanes-Oxley compliance costing? The average cost for complying is $4.4 million, compared with the average of $3.1 million companies expected to pay. Notably, such Sarbanes-Oxley costs as external consulting, software, and services increased 66 percent since last year, while the fees external auditors charge also rose 58 percent.

At the same time, companies are streamlining how they approach Sarbanes-Oxley.

Based on survey respondents’ experience, 71 percent recommend a more risk-based approach to auditing, 66 percent advocate reducing the amount of documentation, and 60 percent suggest remaining flexible in the fourth quarter of the fiscal calendar, should any problems with Sarbanes-Oxley controls manifest and need remediation.

In addition, many executives forecast some relief: 85 percent say they expect non-auditor-related costs to decrease by about 40 percent. At the same time, two-thirds expect auditor costs to increase by about 25 percent.

Given the cost data, some are urging a change in how companies approach Sarbanes-Oxley efforts and how auditors do their job. “Now that we’ve gone through the first run of this mammoth compliance effort, it’s time to review what we have learned and identify ways to improve the annual assessment process,” says Colleen Cunningham, FEI’s president and CEO, noting, “Section 404 is well intentioned, but the implementation effort is guilty of over-kill.”

Cunningham argues for a more laissez-faire approach to auditing, and in particular using risk-based analysis, rather than full-fledged audits, “to obtain a reasonable assurance of the integrity of a company’s systems.”

Information Security is Top IM Concern

Despite the prevalence of instant messaging (IM), including enterprise-grade IM, security remains a top concern. In a survey of 210 organizations, 65 percent of respondents rated the security of information transmitted over IM as their chief concern related to using the technology.

The findings come from Osterman Research, which released its twice-yearly Enterprise IM Tracking Survey.

Overall, half of all businesses officially use IM for business communications. Only 9 percent have no plans to use it, and only 7 percent of companies say they actively block IM.

While security is a reported concern, many organizations still rely upon free IM tools, which are unprotected without add-on encryption products. All told, 64 percent of organizations say they use enterprise-grade IM, while 83 percent say they use consumer-grade IM.

One-third of companies say their IT department blocks some IM—either IM outright or unapproved clients, while 70 percent don’t block IM.

Business use of IM still has the trappings of its grass root adoption. Only 32 percent of organizations saying they’ve standardized on one or more IM clients. Using multiple IM systems is the norm, and the average company has about three IM systems in use internally. Those IM clients, as a percentage of the number of organizations using them, include: AOL Instant Messenger (63 percent), Microsoft MSN Messenger (56 percent), Yahoo! Messenger (55 percent), Lotus Instant Messaging and Web Conferencing—also known as Sametime (30 percent), ICQ (24 percent), and Microsoft Windows Messenger (23 percent).

Another Mobile Phone Worm Appears

F-Secure reports the appearance of a new worm that spreads via Bluetooth and affects Symbian phones, though the worm hasn’t appeared in the wild. The worm’s code appears to be based on Cabir, an earlier worm with similar qualities, except that the new worm, dubbed Mabir, has MMS capabilities—a multimedia standard, used by some phones, able to transmit files, including video, audio, and (now) worms.

“The MMS spreading function of Mabir.A uses a new social engineering technique,” reports F-Secure. “Instead of just reading all phone numbers from the local address book, the Mabir.A listens for any SMS or MMS messages that arrive to the phone,” then sends itself as an MMS message to the sender’s phone number.