Galt Global Review

QFS 360

July 26, 2006
Sarbanes-Oxley: Four Years Later

Infotech Feature

by Tatiana Andronache, I.S.P.


On July 31, 2002, the Sarbanes-Oxley Act (commonly referred to as SOX) became law in the United States following a series of corporate financial scandals, including Enron, Tyco International and WorldCom (now MCI), that shook the foundations of the North American securities business. This landmark legislation becomes effective this year for all publicly traded companies. Among its chief provisions: penalties (civil and criminal) for securities violations; independence of the auditors who check the internal audit work of a company; increased disclosure of financial statements; a ban on most personal loans to any executive officer or director; and increased reporting on insider trading.

SOX imposed draconian restrictions and swift changes on the accounting practices of large companies in the US, but it also created a ripple effect on a global scale, for SOX influences the IT practices and systems that support corporate accounting and reporting, as well as the IT workers who program and implement these systems.

Whether the legislation’s objectives to “sanitize” the business environment have been met is still debated by those in the field and by academia. In the spring edition of the Harvard Business Review, Stephen Wagner and Lee Dittmar, both from Deloitte & Touche USA LLP, discussed the unexpected benefits of SOX. A number of companies, they point out, have begun to “standardize and consolidate key financial processes, eliminate redundant information systems and unify multiple platforms.” The benefit of this reorganization is that it automates manual processes, integrates “far-flung offices and acquisitions,” brings new employees “up to speed faster” and broadens responsibility for controls while at the same time eliminating unnecessary controls.

Henry Butler, from Chapman University in California, and Larry Ribstein, from the University of Illinois, have recently published a book that presents a very different view of SOX. In the words of these two professors: “SOX is a colossal failure, poorly conceived and hastily enacted during a regulatory panic. SOX supporters are dead wrong in their assessment of SOX—both logic and evidence make it clear that SOX was a costly mistake.”

Costly, indeed. Sources agree that the costs of compliance with SOX far exceeded the initial projections. But beyond the financial costs, there are human costs to consider as well. Sources abound on figures and trends on the former, yet very little is said about the latter. Here is what some IT people in a position to implement compliance mechanisms had to say:

Richard Savage, Manager of IT Standards and Compliance for an entertainment company in Toronto, is worried that SOX will dampen the spirit of IT workers – who are independent and innovative types by definition – and will present managers with new challenges. Said Savage: “This is a real culture shift for many organizations. For most workers, it means heavy paperwork, loss of control, and narrowing of focus or ability. It can be very frustrating for people. While an Accounting Department may be very used to the idea of regulations, IT people are not. They rail against it. It seems to me that consideration of EI (Emotional Intelligence) for people in this situation is non-existent, and it will play out in burn-out, passive-aggressive games, stress-leave, or the defection of some very competent workers from publicly traded organizations because the work is now incompatible with them.”

But opponents of SOX say that the legislation is finally bringing to the IT industry methods of business that were overdue anyway, and which will benefit IT organizations and their people in the long run. As Bob Gilbert, who recently implemented SOX compliance for a Canadian forest products company, states, “For the majority of staff, it would be fair to say that SOX is a drag on productivity because of the need to develop formal policies and procedures and then (gasp!) actually follow them and keep the evidence required for SOX audits. On the flip side, I think that in the long run most shops will be much better shops from an overall governance perspective. Having been around in IT for ‘a while’ I’ve seen very little in SOX that any well-run shop shouldn’t have been doing all along. But there are always costs for ‘doing it right’ in terms of increased bureaucracy and record keeping.”

The advent of SOX has also prompted some companies to implement ethics training programs. Legislation can only go so far, and people need to be able to follow not only the letter but the spirit of the law. As one writer commented in a SOX forum debate: “Ultimately there are weasels out there who will do anything they think they can get away with, and this is a personality type that will persist under any set of rules.”

For more information on SOX, check out these links:
http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act
http://www.entrust.com/governance/sox.htm

 


 

 
