That's even though the law was a reaction to the corporate misdeeds that rocked Enron and WorldCom.
Peter Dorrington, head of fraud solutions at the SAS Institute, said companies are storing vast amounts of data but giving little thought to what is being stored. "There is just a lot of storage going on," Dorrington said. "But there is no interpretation of that data."
That situation could make the occasional instances of fraud or anomalous data far more difficult to spot, he said.
"Fraudsters are reliant upon their transaction being a tree hidden in a forest," Dorrington said. The vast amounts of data being stored as part of efforts to comply with the Sarbanes-Oxley Act are simply increasing the size and density of that forest, he said.
"The more data there is, the easier it is to hide," Dorrington said. "There is little thought being given to whether companies should look to understand what is going on within that data."
Many companies believe that they are playing it safe by simply keeping everything, Dorrington said, seeing it as the easiest way to ensure that they keep the right things.
"Any company which simply stores everything is creating problems for themselves further down the line," said James Governor, an analyst at RedMonk. "Storing everything is just abdicating responsibility, rather than following policy and understanding what they should be storing."
Governor added that plainly storing everything may also be in breach of corporate policies dictating that certain data may only be kept on record for six or nine months. While such policies must be adhered to, they create a no-win situation, also conflicting with the retention requirements of regulations such as Sarbanes-Oxley, he said.
"This is going to break a lot of corporate policy," he said.
Even if a fraud comes to light, the sheer volume of unnecessary data being stored in order to cover all bases means that companies are faced with the near-impossible task of wading through it all.
"If we think of finding fraud as being a hunt for a needle in a haystack, then what many, many companies are now doing is comparable to pouring on a lot more hay," Governor said.
"This is a very significant problem," Governor added. "Rather than just spending more and more money on storage, it would make sense to invest a lot more money in working out exactly what companies need to store."
Shaun Fothergill, security strategist and compliance expert at Computer Associates International, believes that despite early teething problems, Sarbanes-Oxley will improve matters for businesses when implemented effectively. However, he warned that compliance may initially appear to provoke even more instances of fraud.
"Compliance and regulation is forcing the business of IT to do things right," Fothergill said. "So organisations will begin to measure and monitor more than they did before."
"This may actually give the impression that more fraud is occurring, when, in fact, organisations are just monitoring what they should have monitored in the first place," he said. "As the anomalies and fraud issues are corrected, the indicators of problems will be moved from red to amber, then to green."
"These new indicators will initially highlight greater deficiency, when, in fact, the business and IT are just getting it right," Fothergill said.
Such confusion may be one reason the Sarbanes-Oxley deadline for companies based in European countries has been set back another year this week. Originally, the controversial Section 404, which requires management to assess and report on the effectiveness of internal controls over financial reporting, was to come into effect on July 15 this year.
However, Mark Strauch, chief operating officer of business alignment company Business Engine, warned: "The extension of the 404 deadline should not, in any way, be viewed by U.K. companies as a reason to postpone or sideline compliance projects in favor of other projects."
"The long-term potential for companies to credibly improve transparency within their organisations in line with section 404 should be seen as an opportunity to produce benefits in other areas, such as reducing risk by being able to see early on where problems lie (and) thus deal with issues more effectively," he said.
The Sarbanes-Oxley Act is a typical example of an extreme reaction to an extreme situation. The large frauds uncovered in 2001 and 2002 indicated that something was definitely wrong in corporate governance and in the way the public accountants used to perform their duties. However, it is naive to believe that the new rules will prevent these unfortunate events from happening again.
I think that the improvement of internal control and the reinforcement of the independence of the external auditor were necessary. Before the Sarbanes-Oxley Act was enacted, the internal control of a number of companies was deficient, the role of the internal auditors was not taken seriously by management, the external auditors were considered more as "suppliers" of unqualified opinions than as independent controllers, and audit committees were not in place or did not perform their work as they were expected to. Significant improvements in these areas are definitely to be credited to the new regulations.
However, Section 404 of the Sarbanes-Oxley Act presents two main biases. First of all, I don't believe that the current rules will prevent large frauds from happening. As a matter of fact, large frauds are generally initiated by top management and often imply some level of collusion. Controls over top management are not properly covered by the new SOX rules. It is easy to put additional controls in place on the lower hierarchical levels. It is much harder to control the higher levels and even more difficult to test these controls.

Secondly, the SOX rules focus too much on the documentation of the controls. We can see lots of companies developing manuals of policies and procedures (that no one will ever read), checklists, etc. The reason is that it is easy to show a manual. It is much harder (even impossible) to demonstrate the controls which are the most important to prevent and uncover fraud or unintentional errors: knowledge and competencies of the employees and management, common sense, business ethics, overall control environment, etc. By putting too much focus on documentation of the controls, don't we take the risk of distracting management from their tasks, which are, among others, to perform the controls, using common sense and diligence, and to achieve business objectives? Don't we take the risk that SOX will maybe increase the visibility and reliability of financial reporting, but will also impact the profitability and the growth of the companies concerned? The costs linked to SOX compliance are huge. Recent statistics show that they amount to almost 1% of sales. Adequate internal control must provide reasonable assurance, but not perfect assurance, that management's objectives are met (including reliability of financial reporting). There is a point where improving internal control further will cost more than the potential benefits that could be obtained through this improvement.
It seems to me that this cost/benefit approach has been totally forgotten.