Both sides of the double-edged sword called SOX are being debated vigorously. One side argues that compliance is taking longer and costing more than before the passage of the act. The other argues that SOX has many benefits for the overall effectiveness and efficiency of the organization, so focusing on its cost provides only part of the picture.
Who is right?
I believe in the latter argument. Complying with SOX requires understanding the processes of your organization. This cannot possibly be a bad thing for large companies that live in process silos that cause inefficiencies and a tremendous loss of shareholder value. It is the fiduciary responsibility of any company to ensure the maximization of shareholder value. SOX is just making sure your representations of the same are honest and accurate. SOX does not preclude the need for efficiency and effectiveness. Whether they do it for SOX or in memory of their dead grandmother, management must ensure effective and efficient processes. Period. In other words, compliance is the fundamental responsibility of the management of a company – SOX or not.
Why does SOX cost so much? Because – as is the case with most things in life – the zealots have seized upon the fear of the law and amplified it to their advantage. The vague nature of the law, widespread ignorance and the general herd mentality of management have made this possible.
So, who are these zealots? Both IT departments – yes, that would be you – and auditors have had a lot to gain from SOX – or shall we call it the “war on error?” After Y2K, IT departments needed a new war to gain importance and the resulting funding. Remember Y2K? Planes were supposed to drop from the sky and nuclear missiles were supposed to take off without notice! Auditors, who given the right price will sign off on just about anything, are using it to make money through never-ending audits. Lawyers have made out like bandits because of the intense data requirements of the law.
The irony is that the intent of Congress in passing the law was to protect shareholders, but compliance with it is resulting in a waste of shareholders’ money!
Now that the corporate world has realized that the fears were exaggerated and that the law itself does not have teeth – how many SOX convictions so far? – it is going about its business as usual. The government, i.e. the PCAOB and the SEC, having failed in its responsibility to uphold the law, is issuing “clarifications” and “opinions.” And the investors? Content in the feeling that the law has made this world a better place, and ecstatic with a skyrocketing market, they are happily looking the other way.
Till the next Enron, the world will be at this new state of blissful ignorance, living the curse of history: we are bound to ignore it so it can repeat itself!
Well, what does all this eloquence do for your day-to-day compliance responsibility?
This excellent presentation provides an overview of IT Governance and then connects it with the three key frameworks: Sarbanes-Oxley (SOX), COSO and COBIT.
This presentation makes the connection between corporate governance, information technology (IT) governance, information security governance, and risk management.
This paper presents a process-oriented approach to managing the organizational change needed to improve information security compliance. The approach uses Business Aligned Information Security Management (BAISeM) and principles that have been derived from...
This case study details the internal audit and IT audit strategy for Novelis, the world's largest manufacturer of rolled aluminum products.
Posted on 05/22/2009 by