International corporate spending on compliance with the Sarbanes-Oxley data security legislation has come at the expense of dealing with other security threats, according to the Information Security Forum (ISF).
An ISF report said that many of its members expected to spend more than $10m (£5.7m) on complying with the US Sarbanes-Oxley legislation.
But despite the expenditure, many firms are facing problems in achieving full compliance and are also struggling to protect other areas of their business.
The ISF has 260 corporate members worldwide, including half of the Fortune 100 – the 100 largest public companies in the US. ISF members make up a significant number of firms that the Sarbanes-Oxley Act is aimed at.
The ISF said that the business imperative to comply with the data security legislation also meant that in many cases the true cost of compliance was unknown.
According to the report, problem areas that companies are struggling to overcome include poor documentation, informal controls and use of spreadsheets, lack of clarity when dealing with outsource providers, and insufficient understanding of the internal workings of large business applications.
“In the wake of financial scandals like Enron and WorldCom, the Sarbanes-Oxley Act was designed to improve corporate governance and accountability but has proved difficult to interpret for information security professionals,” said ISF consultant Andy Jones.
“The diversion of information security attention from other risk areas to Sarbanes-Oxley compliance may lead to important business risks being neglected," he added.