Happy Anniversary SOX - InformationWeek


12:56 PM
Mitch Irsfeld

Happy Anniversary SOX

It's been three years since the Sarbanes-Oxley Act was signed into law, and public companies are well into their second year of compliance. So where do we stand?

The answer to that question seems to rest partly on whom you ask, when you ask, and who's within hearing range when you ask. It also depends on how the question is interpreted, since SOX has implications for IT managers, business managers, top executives and boards of directors. Oh yes, it also has implications for investors. In fact, when the legislation was drafted, wasn't it envisioned that investors would be the main beneficiaries of the improved controls and corporate honesty that SOX would generate?

And the questions continue: Will the new SEC chairman Christopher Cox get fully behind Sarbanes-Oxley or will he, as some predict, be looking to make changes in the way it is drawn up and enforced?

It's been impossible to get an accurate pulse on SOX because all the recent surveys have taken readings from different parts of the subject. And since most of the surveys are vendor-sponsored or conducted directly by vendors, they tend to gather information from companies that have implemented a certain type of technology, or companies that were surveyed because they haven't yet implemented a technology.

So we find, for instance, that companies that have automated their processes for verifying controls under section 404 tend to have a more optimistic view that SOX has improved their processes and controls and elevated investor confidence. Similarly we find that companies that have not implemented an e-mail archiving system are less optimistic about their ability to pass a controls audit.

And, of course, those that spent the money up front to automate SOX compliance activities are reporting that their auditing and accounting costs have not increased as much as they anticipated.

The problem I have with all these reports is that they are exactly as you might expect. That's not to say they are inaccurate, they just don't present the entire picture. So here's how I would ask the questions, and from where I sit, here's how I anticipate the majority of honest folks would answer them:

Q: Taking into consideration all the costs and benefits, not just particular costs and benefits, is your business and your industry better off as a result of SOX?

A: I don't know.

Q: Was legislation like SOX necessary to achieve the results of corporate transparency and accountability, or would public companies have made the necessary changes of their own accord?

A: Probably not, because the changes would have come about anyway.

Q: Was SOX an overreaction to a real problem?

A: Yes.

Q: Has SOX made yours a better company to do business with or invest in?

A: Most definitely, but it's been too expensive.

Q: Has the legislation been effective?

A: Too early to tell. Dishonest and deceptive practices continue, but compliance also points out inadvertent and unknown problems.

Q: Should SOX be revisited, refined and redrafted?

A: Probably, but only if the changes don't require additional spending.

Q: Will the cost of SOX go down over time?

A: That's the promise but we're not seeing it yet.

Q: Have you improved your IT operations as a result of SOX?

A: Depends on whom you ask. Many IT managers were able to push through projects that might not otherwise have been funded. Top executives still need convincing that the IT spending was worth the cost and effort.

Q: Have your business processes improved as a result of SOX?

A: I don't know.

The thing we lose sight of when talking about the technology behind the new SOX compliance initiatives is that most business leaders felt their controls were adequate and that they were a good company to do business with before the legislation. Some just had an easier time proving it. And business people don't like to spend money proving what they already know unless there is a return in it.

It might take another three years to really get a handle on the impact of Sarbanes-Oxley. The question of improved business processes will be a contentious one, as it was before SOX. Process automation doesn't always mean process improvement. And improvement means different things to different stakeholders.

For many, mitigating risk is a different mindset and different set of activities than process improvement. For instance, I've automated the process of securing my computers from outside threats, at least to the extent that I can afford to, but I still get hit now and again and have to deal with the problem manually. Am I better off with the automated defenses? I think so. Am I happy with the state of my virus and spyware defenses? No. How much more would I be willing to spend to improve them? Not a whole heck of a lot.

And that's the way many businesses view compliance spending. It's risk management, not process automation. Avoiding downside risk isn't the same thing as return on investment. Perhaps that will change. But for now, three years into Sarbanes-Oxley, I think that is where we still are. IT managers will have to step up and lead the way for true process improvement.
