Sarbox through rose-colored glasses
A W$J article discusses how it’s going “[t]hree years into the Sarbanes-Oxley era.”:
After a bit of a rocky start, not too badly.When the strict new corporate-governance law was enacted in 2002, companies struggled to meet shifting demands and deadlines -- and battled their auditors over how to interpret the requirements. But now companies have started to find their footing. And they're taking the lessons they've learned and codifying them into company policy.
Assuming this article's anecdotes about big companies tell us anything, the article gives a rather narrow and unrealistic view of the total picture. I have my own assessment, Sarbanes-Oxley after Three Years, which surveys the data. I point out that the main problems with Sarbox will occur after the start-up costs are over. Among other observations in the article:
- "SOX imposes significant new liability risks, since a clever trial lawyer might be able to trace virtually any business problem, in hindsight, to a failure to implement some internal control."
- "[T]he burden of uncertainty falls on auditors or executives who sign off on the internal control reports. These individuals or firms are less able to bear the risk than the firm’s shareholders who can own the shares as part of a diversified portfolio. The internal controls reports therefore may end up negating the risk-bearing advantages of modern capital markets."
- "The effects of this reallocation of risk are likely to be greatest for start-up or innovative firms, which face more inherent uncertainty than established firms. To the extent that SOX impedes these firms from raising capital, the effect may be to reduce socially beneficial entrepreneurial activity."
- "The internal controls rule also places a particularly heavy burden on smaller firms." [Notably, the WSJ story focuses on big firms.]
Moreover, as discussed in my previous post, even if it’s all just about startup costs, we have to ask whether these costs produced anything worthwhile. The Refco mess shows what always should have been obvious -- that all this paperwork isn’t very good at catching deliberate fraud.
The new liability risks are indeed very real and I do not see much debate about it. We at cBrain develop systems to help 404 and 802 compliance. This will make legal discovery of documents and messages of "material significance" much faster and transparent. Companies will for example have much better control (and documentation) of their decisions for revenue recognition entries in a "dynamic change order" environment that exist in many project based organizations. It is also a huge exposure because some journal entries will by their nature always be a judgement call and NOT an exact science (did we really meet that milestone?). Management and auditors have to be right all the time -- trial lawyers has to be right once.
Posted by: Poul Hebsgaard | October 17, 2005 at 02:59 PM
My company does a ton of IT related rollouts and upgrades for large companies and we use a LOT of contracted employees. SarBox, from my perspective, has cost quite a few jobs. Companies are scared to pull the trigger on major capitol expenditures and terrified to take any operations dealing with hardware out of house. In our area, two business that provided refurb, imaging and shipping services for Wal-Mart have shut down their local operations as WM tries to bring everything back inside (not very successfully, BTW).
Posted by: Matt | October 19, 2005 at 04:55 PM