Critics maintain that the final version of the Sarbanes-Oxley Act has holes in it big enough to drive a truck through. One hole is that while the act requires both a financial audit and an audit of the IT systems that generate financial information, these two groups of auditors rarely talk to each other and, according to Sharon O’Bryan, a former IT auditor at Arthur Andersen, chief information security officer with ABN Amro North America and now an independent consultant, nothing has changed.

“I recently worked with an organization that had every problem you could imagine,” O’Bryan says. Audit trails weren’t kept, people had access to systems that they weren’t supposed to, and the administrative passwords were never changed from the vendor presets. “Yet the audit was signed off [by the auditor],” she says incredulously. All the auditors consulted for this article said that if they found violations, their first step would be to work with the CIO to fix the problem. While that might improve controls for the future, it wouldn’t do anything to certify the accuracy of the financial statements submitted under the compromised control environment. And even if a company does submit fraudulent or inaccurate numbers, its odds of getting caught are small. While the SEC won’t say how it spots phony statements, Rob Seiden, director and president of Fortress Global Investigations, says that most of the time a miscreant is found thanks to whistle-blowers, as was the case last month when HealthSouth CEO Richard Scrushy was indicted on accounting fraud charges. Second most common, Seiden says, is by accident, when an SEC regulator trips over a floridly fraudulent document. One former auditor says that when the SEC does investigate, its research is usually limited to dinner with the company’s executives.

Eventually, everyone agrees, the SEC will make an example of someone for noncompliance. But if the first Sarbanes-Oxley case is any indication, that day may be a long time coming.
Over the summer, the CEO and CFO of Rica Foods, a $131 million Miami-based importer, attested to the fact that the company’s auditor had approved its financial statement. In fact, the auditor had done no such thing. In an August settlement, Rica promised not to lie again, and the CEO paid a $25,000 civil penalty. The Rica case, say critics, illustrates one of the weaknesses in Sarbanes-Oxley. “Internal controls do not prevent collusion,” says Joseph W. Hearington Jr., corporate director for internal auditing at Universal, a $2.6 billion tobacco company. “All the scandals, the Enrons and WorldComs, all had one thing in common: collusion. This will do nothing to prevent that. This is a feel-good piece of legislation.” -B.W.