In the last couple of weeks, I get many requests regarding "EuroSOX" - the nickname for the 8th EU Company Law Directive which has become EU law last summer. The official name is "Directive 84/253/EEC", called the 8th Company Law Directive, repealed by 2006/43/EC, and it is very tight to the 4th and 7th Company Law Directive.
The EuroSOX naming itself is quite confusing because there is very less similarity with US Sabanes-Oxley (SOX) than the nickname try to delude.
In the U.S., the big scandals of Enron and MCI caused a lot of publicity and triggered the immediate creation of the SOX legislation and its nationwide adoption. In contrast, the legislative process in the European Union takes time. While the EU Company Law Directives from 2006 had implementation deadlines for the member states (June and September 2008), the time to go through the legislative process varies from member state to member state. I.e., in Germany the directive is adopted in the new law called "Bilanzrechtsmodernisierungsgesetz" (BilMoG), whilst UK meets the directive requirements with their "Combined Code" and don't initiate any new legislation to adopt the directive, similar to France with their "Loi sur la Sécuriité Financière" (LSF).
So the adoption varies from country to country, and companies have to monitor new corporate governance laws on a per-country basis from now on, and should listen to experts that show country expertise, support their risk management efforts, facilitate segregation of duties and automate controls.
Simply put, there is not a thing like a "EuroSOX" project, and you shouldn't listen to vendors that want to sell tools to make you EuroSOX-compliant. They simply do not understand the complexity of the problem.
From IT security and information risk point of view the directive demands high conditions for information security systems and internal IT control systems.
Whilst the directive doesn't mandate a specific standard or framework it clearly shows that established international standards and frameworks such as ISO 27001/27002, COBIT and COSO (Enterprise Risk Management) are very solid instruments to ensure that the company will pass the audit of their internal IT control and information security management system.
No doubt, companies will be faced with more and more mandates from now on, and this means that they are faced with more and more audit requirements, higher assessment frequencies and volume.
In general, if you are faced with more and more audit demands, Symantec Control Compliance Suite can help you to automate key IT compliance processes.
Companies on a high IT Governance, Risk and Compliance Management maturity level are leaders because they have less amount of significant deficiencies and policy violations. And they have less numbers of significant deficiencies because they do more frequent audits. But more frequent audits usually result into higher costs.
So their key question becomes “how to be a leader, and have less significant deficiencies, without incurring the cost typically associated with being a leader”.
The answer to this question is all about automation of assessments and processes.
If you want to talk about it, please don't hesitate to contact me.
-Guido Sanchidrian