Hidden fraud risk in Sarbanes-Oxley?
Spotting fraud in huge amounts of corporate compliance data is like finding a needle in a haystack, analysts say.
That's even though the law was a reaction to the corporate misdeeds that rocked Enron and WorldCom.
Peter Dorrington, head of fraud solutions at the SAS Institute, said companies are storing vast amounts of data but giving little thought to what is being stored. "There is just a lot of storage going on," Dorrington said. "But there is no interpretation of that data."
That situation could make the occasional instances of fraud or anomalous data far more difficult to spot, he said.
"Fraudsters are reliant upon their transaction being a tree hidden a forest," Dorrington said. The vast amounts of data being stored as part of efforts to comply with the Sarbanes-Oxley Act are simply increasing the size and density of that forest, he said.
"The more data there is, the easier it is to hide," Dorrington said. "There is little thought being given to whether companies should look to understand what is going on within that data."
Many companies believe that they are playing it safe by simply keeping everything, Dorrington said, seeing it as the easiest way to ensure that they keep the right things.
"Any company which simply stores everything is creating problems for themselves further down the line," said James Governor, an analyst at RedMonk. "Storing everything is just abdicating responsibility, rather than following policy and understanding what they should be storing."
Governor added that plainly storing everything may also be in breach of corporate policies dictating that certain data may only be kept on record for six or nine months. While such policies must be adhered to, they create a no-win situation, also conflicting with the retention requirements of regulations such as Sarbane-Oxley, he said.
"This is going to break a lot of corporate policy," he said.
Even if a fraud comes to light, the sheer volume of unnecessary data being stored in order to cover all bases means that companies are faced with the near-impossible task of wading through it all.
"If we think of finding fraud as being a hunt for a needle in a haystack, then what many, many companies are now doing is comparable to pouring on a lot more hay," Governor said.
"This is a very significant problem," Governor added. "Rather than just spending more and more money on storage, it would make sense to invest a lot more money in working out exactly what companies need to store."
Shaun Fothergill, security strategist and compliance expert at Computer Associates International, believes that despite problems settling in, Sarbanes-Oxley will improve matters for businesses when implemented effectively. However, he warned that compliance may start to provoke even more instances of fraud.
"Compliance and regulation is forcing the business of IT to do things right," Fothergill said. "So organizations will begin to measure and monitor more than they did before."
"This may actually give the impression that more fraud is occurring, when, in fact, organizations are just monitoring what they should have monitored in the first place," he said. "As the anomalies and fraud issues are corrected, the indicators of problems will be moved from red to amber, then to green."
"These new indicators will initially highlight greater deficiency, when, in fact, the business and IT are just getting it right," Fothergill said.
Such confusion may be one reason the Sarbanes-Oxley deadline for companies based in European countries has been set back another year this week. Originally, the controversial Section 404, which outlines the requirement to archive data, was to come into effect on July 15 this year.
However, Mark Strauch, chief operating officer of business alignment company Business Engine, warned: "The extension of the 404 deadline should not, in any way, be viewed by U.K. companies as a reason to postpone or sideline compliance projects in favor of other projects."
"The long-term potential for companies to credibly improve transparency within their organizations in line with section 404 should be seen as an opportunity to produce benefits in other areas, such as reducing risk by being able to see early on where problems lie (and) thus deal with issues more effectively," he said.
Will Sturgeon of Silicon.com reported from London.