DRAFT SP 800-39, Managing Risk from Information Systems: An Organizational Perspective
NIST announces the release of the initial public draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective. This publication provides guidelines for managing risk to organizational operations, organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of information systems. Special Publication 800-39 is the flagship document in the series of FISMA-related publications developed by NIST and provides a disciplined, structured, flexible, extensible, and repeatable approach for managing that portion of risk resulting from the incorporation of information systems into the mission and business processes of the organization. Comments will be accepted through December 14, 2007. Email comments to: firstname.lastname@example.org
URL to DRAFTS page:
URL to PDF file for Draft SP 800-39:
US regulators yesterday approved measures to ease compliance with Sarbanes-Oxley five years after the law was passed in the wake of big corporate scandals.
The move is a sign a more "principles-based" approach to financial regulation is gaining ground in the US.
Critics of the way Sarbox has been implemented said that reliance on rules and a "box-ticking" mentality in internal controls checks have been cumbersome and have added needlessly to costs.
The Securities and Exchange Commission's five commissioners agreed unanimously to the establishment of a set of guidelines for company management on how they should carry out internal control checks mandated under Section 404 of the law.
Section 404 requires management to assess the effectiveness of the company's internal controls over financial reporting and to have that assessment attested to by an external auditor.
Critics of the way Sarbox was written had argued that the lack of such guidance had led to over-reliance by executives on the checks carried out by their external auditors, leading to often unnecessary audits.
Specifically, the SEC's new "interpretive guidance for management" would allow executives to "scale and tailor their procedures to fit the facts and circumstances" of a company's situation, according to SEC chairman Christopher Cox.
Michael Ryan, executive director of the Centre for Capital Markets Competitiveness at the US Chamber of Commerce, said: "This major rewrite is a clear step forward and recognises how seriously off-track Section 404 implementation has become."
The guidance is not only "scalable" according to size of company but also takes account of the complexity of a company's business.
Annette Nazareth, one of two Democrats on the commission, said: "I strongly support this principles-based interpretive guidance.
"It encourages innovation instead of a one-size-fits-all approach. I hope that it will help liberate companies by allowing them to apply the guidance to their own situations. It will provide overarching principles without forcing companies to fit into a prescribed mould."
The SEC also sharpened its definition of "material weakness" in accounts - a key uncertainty in previous audit cycles - as "a deficiency, or combination of deficiencies, in internal control over financial reporting" such that there is "a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis".
The new guidance is likely to have the biggest effect on smaller companies, which will have to comply with the SEC's management controls provisions of Section 404 by year-end.
Today the Public Company Accounting Oversight Board, the US accounting watchdog, is expected to produce new rules for auditors checking a company's internal controls.