Vinnie, Dennis, James and I are having a rather longwinded discussion on Compliance, Governance and Risk , and in partly the Sarbanes-Oxley Act of 2002. (We had a similar run in last year)
I don’t really like it when the broader compliance discussion ends up focusing on the costs of section 404 of SOX, but this is where the debate always seems to end up. (I’ll save that rant for another day, but there is more to SOX than audit, more to compliance than SOX, and more to GRC than compliance) In this post I won’t discuss software. I’ll focus on SOX.
Vinnie, I don’t think I am glamourising compliance, but at the risk of being trite I’d suggest that you are looking at business through a set of rose-coloured specs. Options scandals , excessive executive pay anyone?
I’m not arguing that SOX is perfect, just that is working. Investor confidence is up, transparency is up, and costs are on the way down. Yes, Audit costs are still way too high, but recent reforms may help to address this.
I was updating my reading list this morning. I wish I’d found this blog earlier. Lots of interesting, well researched stuff on compliance. Well worth a long perusal. The site pretty much debunks the argument that SOX is a failure, and also points out that many business leaders are strong supporters of SOX.
The blog is maintained by Prof Brown from The University of Denver. Herewith a excerpt from a recent paper.
Sarbanes-Oxley (SOX) was adopted in a rush, political expediency necessitating that something be done before the 2002 election to minimize voter backlash from the collapse of Enron and WorldCom. Despite the rush, the Act contained a number of improvements on the current state of regulation, including a separation of accounting and consulting services, increase in the strength and independence of the audit committee, certification of financial statements by top officers, and assessment of internal controls by managers and auditors
Indeed.
The blog led me to this piece written by Joel Seligman is president of the University of Rochester and has written several books about securities regulation. Harvey J. Goldschmid is Dwight Professor of Law at Columbia Law School and served as a commissioner of the SEC from 2002 to 2005, and general counsel of the SEC in 1998 and 1999
It is important to remember the context in which SOX was passed.
Go back about five years. This country was in the midst of the largest securities fraud wave in its history. Daily news stories highlighted the alleged misconduct of major corporations, including Enron Corp. and WorldCom Inc. As significant were several other lesser known trends. Financial restatements had grown linearly between 1997, when there were 116 restatements, and 2001, when there were 305. Not all of the restatements should be attributed to fraud, but a significant number fairly could be. The staff of the SEC had not grown by a single position between 1995 and 1998. Deterrence, as we entered the new century, had been grievously weakened. Significant areas of concern, such as research analysts, were largely unaddressed by the commission. In the months running up to the enactment of the Sarbanes-Oxley Act, aggregate stock market values declined by more than $7 trillion between selected dates in March 2000 and July 2002.
These developments led Congress (by a vote of 99-0 in the Senate and 423-3 in the House), the SEC, the New York Stock Exchange and the National Association of Securities Dealers to respond vigorously with the Sarbanes-Oxley Act and other important reforms. Conflicts of interest in the auditing profession and in corporate board practice have been systematically reduced. Internal auditing controls have been effectively strengthened through executive certification and the much-criticized § 404 of Sarbanes-Oxley. The SEC’s budget was dramatically increased, and the SEC and Justice Department devoted much greater resources to enforcement. And private securities class actions have played an important role in deterring corporate misconduct.
They go on to note:
Is the system perfect today? Of course not. It is nearly universally recognized that compliance costs with respect to § 404 of Sarbanes-Oxley have been too high, particularly for small and medium- sized firms. But the system is working. The Public Company Accounting Oversight Board has recently proposed revising its most expensive Audit Standard No. 2 (the basis for most complaints about § 404) and replacing it with a streamlined Audit Standard No. 5. The SEC itself has offered constructive guidance that should further reduce compliance costs.
See also what the Business Roundtable had to say in 2003. I’d argue they are more representative of the CEO than Fortune magazine is. (given that it directly represents one third of listed companies, rather than the whims of an editor)
The following is submitted on behalf of The Business Roundtable, an association of chief executive officers of leading corporations with a combined workforce of more than 10 million employees in the United States and $3.7 trillion in revenues. …
The Business Roundtable strongly supported the enactment of the Sarbanes-Oxley Act of 2002 (the “Sarbanes-Oxley Act”), and we applaud the Commission’s efforts to implement the Sarbanes-Oxley Act.
Read the full submission here. And if you go to the Business Roundtable site you will see continued, consistent support for SOX.
Brown’s blog also led me to this business week article, not everyone hates Sarbox.
Lost amid all the boos over SarbOx, they say, are some major benefits. The biggest: SarbOx and related reforms have produced much more reliable corporate financial statements, which investors rely on when deciding whether to buy or sell shares. For them, SarbOx has been a godsend.
At the end of the day though, SOX is about the investors. Since the passage of SOX, the Dow has almost doubled, some of the credit for this should go those that passed and implemented the law.
I’ll finish with a link to a bad couple of weeks for critics of SOX
, GRC
Vendorprisey 
Thomas, I worry for SAP if this is the kind of justification you have for GRC versus good solid business cases
SOX depressed the market and the economy for several years. Greenspan last year warned it was driving stock listings away from US. And now SOX fans (or beneficiaries) take credit for the Dow as high as it is?
Like I said please go back to making money helping your customers optimize their supply chains and customer facing processes. Depending on politicians and accoutants and lawyers is bad business.
Vinnie,
Firstly, you know this blog is mine, not SAP’s. My views have developed out of my LLM and my PhD research rather than from any product positioning perspective. That said, the business case for GRC is strong. It wouldn’t be selling otherwise. CIOs and CFOs are smart enough to know if this stuff makes sense or not. The panic buying took place long before we had our offering on the market.
Corporate governance is a complex set of checks and balances. The recent speech by the head of the SEC, Christopher Cox does a good job of highlighting the challenges.
http://law.du.edu/jbrown/corporateGovernance/secGovernance/documents/Speech.Cox.Chamber.March14_2007.doc
His discussion of the challenges of the first SEC chairman in the 1930’s are really illuminating.
It would be nice if business could work without laws, but it doesnt. Software that reduces the cost of compliance, be it trade, tax, audit , health, environmental or otherwise is goodness.
GRC is about putting a framework in place to handle laws and regulations in a flexible and agile way. It is a pity that the noise on section 404 of SOX drowns out what should be a much broader and richer discussion.
I would love to be discussing carbon neutral supply chain optimisation strategies, fair trade certification, GRI reporting, architecting for M&A.
It is clear I can’t convince you but I will take solice in this chap’s words:
“None of us likes more regulation, but I actually think SOX 404 is helpful. It takes the process
control discipline we use in our factories and applies it to our financial statements. Implementing SOX 404 cost GE $33 million in 2004. But we think it is a good investment … Investors should demand high standards of governance and great performance. Some managers failed investors in the late ‘90s. Companies were destroyed, value was lost, and billions are being paid because of fraud. This happened. SOX 404 is by no means perfect, but it is a price we are willing to pay to restore investor trust.”
Jeffrey Immelt, Chairman & CEO, General Electric, February 11, 2005
I am a big Immelt fan, but seriously he said it
a) to be a good corporate citizen and industry leader when a number of his peers were ready to cruficy Oxley, SEC, their auditors for the bloody waste SOX was/is
b) GE has already a huge Six Sigma investment and their auditors probably did not have the guts to question GE’s operational areas. Most other companies had young auditors questioning stuff they could not even spell…
If your software does reduce cost of compliance, that is a great payback metric.
. But SAP’s track record on cost and payback is not that impressive…I would love to see a law which puts compliance on SAP and ecosystem to report precise costs of implementation and support. So we could see actuals rather than promises on rapid this and payback that…
I sense we could have another debate on SAP’s track record.
I’ll return to the reducing cost of compliance stuff in another post, but there is masses of stuff to support this.
Expand on the last point, I’m not sure what you are asking for. Sounds like yet more work for Auditors.
Simon (of the Manticore blog) makes a good point.
Readers may find this article on the King Report interesting. http://www.cliffedekker.co.za/files/CD_King2.pdf