Tuesday, May 15, 2007

2007-05-15 Materiality to Change to a Qualitative Test?

The latest issue of Compliance Magazine reports that the SEC is thinking about, if not formally considering, reviewing and changing the definition of materiality. The last revision to that definition was, according to the article, eight years ago, and the current question is whether to shift from a quantitative to a qualitative definition. This type of shift would actually align with the shift to "risk based" guidelines. My bet is that the SEC does shift to this, because it will appear to allow more wiggle room. If this shift does occur, it will open a litigation floodgate, because a failure to implement proper info-sec policies and processes, which only by extension could be argued to be material, now would be a component of materiality (what's info-sec if not qualitative?).

I've had (rather loud) discussions as to whether info-sec policies and processes can be factored into current materiality criteria. A good argument can be made for content authentication technology, but PKI deployments such as identity authentication present more attenuated analyses.


Substituting, or even incorporating, a qualitative test into a materiality analysis would, imo, remove the attenuation between info-sec and materiality. It would also open the litigation floodgates.

