SOX SUX
This continues a series of my posts on Sarbanes Oxley. This one is about a viewpoint from academia. Courtesy of Thomas Otter, I saw this paper, “The Sarbanes-Oxley Debacle: What We've Learned; How to Fix It”:
"Although investors do not like to be defrauded and do want some regulation, they will find such regulation valuable only if the benefit from reduced fraud is greater than the cost of compliance by the firms they invest in. SOX attempts to create a world with zero fraud.
SOX will surely turn into a festival for trial lawyers.
Litigation on this scale should not be confused with shareholder protection.
SOX has created a ticking litigation time bomb.
It is highly unlikely Congress could outthink (our dynamic financial) system, particularly during the regulatory panic of 2002."
The authors would like to see repeal but practically would like to see it significantly scaled back. Now we just need to convince the trial lawyers, the accountants and the tech vendors who think SOX ROX.


Vinnie,
I'll admit that I got stuck on the software vendor bandwagon chasing SOX in a previous life. Having seen the inside of a few too many finance groups as a result I have to say that the parts of the abstract you pick up seem to copy the sentiments of wilder parts of the business press, rather than the balanced 'College of Law' writing I would have expected.
I would like to comment on some of the statements from the abstract, to see if people have their own views and experiences.
>> "SOX attempts to create a world with zero fraud."
I'm surprised at this one most of all. External auditors, who it seemed had most to gain from SOX in the first couple of years, converged on a 'risk-based' approach to SOX. By actually looking at your processes within the structure of the COSO framework, and seeing where the highest significance and highest likelihood risks were, organizations were encouraged to fix the biggest problems first. Other fraud or loss risks (e.g. employees raiding the envelope stash in the closet in the corner) were considered a risk not worth bothering about. Whereas segregation of duties problems (me having access to the checkbook and authority to sign) were addressed immediately with new processes and security. If the combined effects of a particular risk over a year were not large enough to represent damage to the bottom line, they may well have been put on the back-burner.
"festival for trial lawyers" - maybe this will happen. Companies must keep their records of SOX activities and audits. So passing this year does not mean that all problems have passed. But at the same time it is the external auditors that really had the festival, as noted above. And the controls in place now make it harder for another Andersen event.
The fact that made SOX so difficult for many companies was that they had no idea how they were running their business at almost every level. At a minimum, writing this down often highlights significant issues that no-one had thought of before.
It would seem almost dangerous to me to have an (imaginary) process that sees multimillion dollar revenues, but nobody in the organization really knows how it runs end to end, except by word of mouth. The potential for fraud or pure poor accounting is enormous.
SOX was an expensive issue, with a lot of thinking required in the first year or two. I hope now that we are seeing companies that have improved their processes, understand them, and are applying a level of quality to what they do. That removes risk, yes, and can actually have positive efficiency and operational benefits as well.
Repealing SOX is not going to happen. So live with it - your company WILL be better for it.
Anyone else have opposing thoughts?
Phil
-- http://improving-nao.blogspot.com --
Posted by: Phil Ayres | July 13, 2006 at 09:17 AM
I can find very little academic support for SOX. Most criticise it as a kneejerk reaction, and a poorly drafted piece of law.
This paper here may be useful reading too.
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=887176
For the moment though, SOX is here to stay.
Automate as much of the basic 404 etc issues as you can, and build a method of managing risk more clearly. If we can come out of the muddle that is SOX with automated controls and a clearer view of risk, then we have made the best out of a poor piece of law.
Posted by: Thomas Otter | July 13, 2006 at 11:12 AM
Phil and Thomas- you make some good points but, Phil I have not seen much tangible from the other side either - mostly fear mongering and why investors will sleep well. see for example
http://dealarchitect.typepad.com/deal_architect/2006/04/the_unexpected__1.html
It would be a travesty if SOX is not scaled back dramatically. The Chinese and the Indians are laughing at us for tying one hand to the back! No SOX tax there...
Thomas, for basic automation as you call it we are spending huge amounts on s/w, accountants - we may end up spending a billion for each of 164 words in section 404.
Posted by: viinnie mirchandani | July 13, 2006 at 01:49 PM