SOX Redux: A Chance to Realize Savings and Improve Processes
10/15/2007
By Ellen Libenson, Vice President of Product Management, Symark Software
From the seemingly endless testing of IT controls, to the escalating costs,
to the extra burden on limited staff resources, IT professionals know full well
the pains of Sarbanes-Oxley compliance.
SOX Section 404 has been roundly criticized by both IT and business executives
for lax guidelines that have bred a checklist approach to assessing companies'
internal controls. This prescriptive approach to auditing has led, in some cases,
to serious over-testing of IT general controls, encompassing even those with
only peripheral connections to the business processes that affect corporate financial
statements, or worse yet, no relationship to them at all.
In fiscal year 2006, the total average cost for SOX Section 404 compliance
was $2.9 million, according to a Financial Executives International survey of
172 companies with market capitalization above $75 million. This forced march
to SOX does have its advantages, including better insight into ways to bring
down operational costs, better documentation and more standardization of IT
and other processes, and a stronger control environment. However, despite the
overall cost of compliance coming down from 2005 thanks to efficiency gains,
audit fees were largely unchanged.
Now, organizations have the opportunity to reap the benefits of SOX compliance
with far less pain.
Thanks to the May 2007 adoption of Auditing Standard No. 5 (AS 5), auditors
now have greater authority in making judgments about which IT general controls
must be tested. They can now focus their attention on the ones that relate to
processes that should help a company avoid material weaknesses in financial
statements. Following right on the heels of the SEC's new guidelines for Section
404 -- which advise companies to home in on the controls that present the greatest
risk to their financial reports -- AS 5 takes a complementary, principles-based
and top-down approach to risk assessment.
With greater authority over which systems must be tested, auditors can focus
their attention on those processes that should help a company avoid material
weaknesses in financial statements. Such anti-fraud controls are a cornerstone
of governance. They support the proper operations of applications and automated
calculations for "in-scope" systems (for example, anything that eventually
contributes to a company's financial statements, as well as operating systems).
They also protect against unauthorized changes to programs and data, even though
deficiencies within these controls themselves do not directly cause material
weaknesses.