[ISN] Hidden fraud risk in Sarbanes-Oxley?

InfoSec News isn at c4i.org
Tue Mar 8 02:19:53 EST 2005


http://news.com.com/Hidden+fraud+risk+in+Sarbanes-Oxley/2100-1002_3-5602776.html

By Will Sturgeon 
Special to CNET News.com
March 7, 2005

The complex and copious amounts of data stored on corporate networks
post-Sarbanes-Oxley may be creating greater opportunities for fraud,
analysts said.

That's even though the law was a reaction to the corporate misdeeds
that rocked Enron and WorldCom.

Peter Dorrington, head of fraud solutions at SAS, said that companies
are storing vast amounts of data but giving little thought to what is
being stored. "There is just a lot of storage going on," Dorrington
said. "But there is no interpretation of that data."

That situation could make the occasional instances of fraud or
anomalous data far more difficult to spot, he said.

"Fraudsters are reliant upon their transaction being a tree hidden a
forest," Dorrington said. The vast amounts of data being stored as
part of efforts to comply with the Sarbanes-Oxley Act are simply
increasing the size and density of that forest, he said.

"The more data there is, the easier it is to hide," Dorrington said.  
"There is little thought being given to whether companies should look
to understand what is going on within that data."

Dorrington believes many companies believe they are playing it safe by
simply keeping everything, seeing it as the easiest way to ensure they
keep the right things.

James Governor, an analyst at Red Monk, said: "Any company which
simply stores everything is creating problems for themselves further
down the line. Storing everything is just abdicating responsibility,
rather than following policy and understanding what they should be
storing."

Governor added that it may also be in breach of corporate policies
which dictate certain data may only be kept on record for six or nine
months. While such policies must be adhered to, they create a no-win
situation, in which they also conflict with the retention requirements
of other regulation such as Sarbane-Oxley, he said.

"This is going to break a lot of corporate policy," he said.

Even if a fraud comes to light, the sheer volume of unnecessary data
being stored in order to cover all bases means that companies are
faced with the near-impossible task of wading through it all.

Governor said: "If we think of finding fraud as being a hunt for a
needle in a haystack then what many, many companies are now doing is
comparable to pouring on a lot more hay."

"This is a very significant problem," Governor added. "Rather than
just spending more and more money on storage, it would make sense to
invest a lot more money in working out exactly what companies need to
store."

Shaun Fothergill, security strategist and compliance expert at
Computer Associates, believes despite problems settling in,
Sarbanes-Oxley will improve matters for businesses when implemented
effectively. However, he warned that compliance may start to throw up
even more instances of fraud.

Fothergill said: "Compliance and regulation is forcing the business of
IT to do things right. So organizations will begin to measure and
monitor more than they did before."

"This may actually give the impression that more fraud is occurring,
when in fact organizations are just monitoring what they should have
monitored in the first place," he said. "As the anomalies and fraud
issues are corrected, the indicators of problems will be moved from
red to amber then to green."

"These new indicators will initially highlight greater deficiency,
when in fact the business and IT are just getting it right,"  
Fothergill said.

 Such confusion may be one reason why the Sarbanes-Oxley deadline for
companies based in European countries has been put back a further year
this week. Originally the controversial Section 404, which outlines
the requirement to archive data, was to come into effect on July 15
this year.

However, Mark Strauch, chief operating officer of business alignment
company Business Engine, warned: "The extension of the 404 deadline
should not in any way be viewed by U.K. companies as a reason to
postpone or sideline compliance projects in favor of other projects."

"The long-term potential for companies to credibly improve
transparency within their organizations in line with section 404
should be seen as an opportunity to produce benefits in other areas,
such as reducing risk by being able to see early on where problems
lie, (and) thus deal with issues more effectively," he said.

Will Sturgeon of Silicon.com reported from London.





More information about the ISN mailing list