Critics maintain that the final version of the Sarbanes-Oxley Act has holes in it big enough to drive a truck through. One hole is that while the act requires both a financial audit and an audit of the IT systems that generate financial information, these two groups of auditors rarely talk to each other and, according to Sharon O’Bryan, a former IT auditor at Arthur Andersen, chief information security officer with ABN Amro North America and now an independent consultant, nothing has changed.

“I recently worked with an organization that had every problem you could imagine,” O’Bryan says. Audit trails weren’t kept, people had access to systems that they weren’t supposed to, and the administrative passwords were never changed from the vendor presets. “Yet the audit was signed off [by the auditor],” she says incredulously. All the auditors consulted for this article said that if they found violations, their first step would be to work with the CIO to fix the problem. While that might improve controls for the future, it wouldn’t do anything to certify the accuracy of the financial statements submitted under the compromised control environment. And even if a company does submit fraudulent or inaccurate numbers, its odds of getting caught are small. While the SEC won’t say how it spots phony statements, Rob Seiden, director and president of Fortress Global Investigations, says that most of the time a miscreant is found thanks to whistle-blowers, as was the case last month when HealthSouth CEO Richard Scrushy was indicted on accounting fraud charges. Second most common, Seiden says, is by accident, when an SEC regulator trips over a floridly fraudulent document. One former auditor says that when the SEC does investigate, its research is usually limited to dinner with the company’s executives.

Eventually, everyone agrees, the SEC will make an example of someone for noncompliance. But if the first Sarbanes-Oxley case is any indication, that day may be a long time coming.
Over the summer, the CEO and CFO of Rica Foods, a $131 million Miami-based importer, attested to the fact that the company’s auditor had approved its financial statement. In fact, the auditor had done no such thing. In an August settlement, Rica promised not to lie again, and the CEO paid a $25,000 civil penalty. The Rica case, say critics, illustrates one of the weaknesses in Sarbanes-Oxley. “Internal controls do not prevent collusion,” says Joseph W. Hearington Jr., corporate director for internal auditing at Universal, a $2.6 billion tobacco company. “All the scandals, the Enrons and WorldComs, all had one thing in common: collusion. This will do nothing to prevent that. This is a feel-good piece of legislation.”

-B.W.