Should We be Grateful for SOX and Other Regulations?

New regulatory requirements are a constant source of angst for IT as managers try to keep up with new rules, but those requirements deliver benefits, too.

Mary E. Shacklett, President of Transworld Data

January 23, 2024


Enacted by Congress in 2002, the Sarbanes-Oxley Act (SOX) was put into place to protect investors from fraudulent company accounting and reports, which saw investors lose billions of dollars in companies like Worldcom and Enron in the early 2000s.

For publicly traded companies, complying with the new SOX regulations meant the development of new rules for reports, accounting, and financial record keeping that impacted almost all of their systems.

In 2006, four years after SOX was passed, the Manufacturers Alliance estimated from a survey of 40 large companies that it was costing the average large enterprise $1.6 million in external audit fees for Section 404 SOX compliance, plus about $1.9 million for internal compliance work. Sixteen years later, in 2022, Protiviti's survey of companies found that the number of companies spending more than $2 million during the 2021 fiscal year on internal SOX compliance efforts was still increasing.

The costs of SOX compliance are unwelcome, and to most individuals charged with implementing and maintaining SOX, the work is unwelcome, too.

SOX requires organizations to control access to company records, to monitor and report on information access controls, and to install technology and practices for safeguarding data from tampering or corruption. IT activities on data, networks, and systems must be continuously tracked, with all attempted data and electronic breaches being logged, documented, and reported. For the accounting and financial teams, new suites of detailed reports that span the data on diverse systems must be certified by corporate executives. Then, those reports must be issued to both internal and external stakeholders.


Just reading through this to-do list makes it easy to understand why SOX compliance has been, and continues to be, a time- and resource-consuming project for corporate IT. But could it be that compliance with SOX and other regulatory measures has its silver linings, too?

The Silver Lining of Regulation

The silver lining of regulatory measures like SOX is that they force other issues relating to IT infrastructure investment to be brought to the budget table. If infrastructure were the only thing IT was asking for, requesting more money for it would otherwise be a difficult sell.

Let's look at SOX as a regulatory example.

From an IT perspective, conforming to a regulation like SOX requires new investments in system integration and integration toolsets so that data from disparate systems can be consolidated into new financial reports. Additional storage and processing may be needed, as well as more offsite records management. Finally, new investments in network security, observability, access and activity-tracking software, and even zero-trust networks, might need to be added to IT budgets.


The Takeaway

For IT managers, that critical IT infrastructure is what they need. That infrastructure can go unappreciated by non-IT executives like the CFO, but it is much easier to obtain funding for it if the investments are bundled together with mission-critical projects and regulatory requirements that the end business wants and needs.

Regulatory requirements provide a rich avenue for IT infrastructure bundling because most regulations like SOX require cross-system data consolidations and reporting, and network-wide security, access monitoring, activity tracking, and record keeping that spans all systems and IT resources. Inevitably, these compliance operations require upgrades in systems, networks, network management software and toolsets, security, observability, processing, and storage.

From a budget perspective, these IT resources, whether they are expensed or capitalized, can be itemized under the business project or regulation that requires them, and the CIO can explain why they are needed there. This gives visibility and business relevance to IT infrastructure for those who are ultimately accountable for funding it.


There is also an additional side narrative to this.

Many IT managers get into the budget room and start by asking for more storage or processing just because a particular system or resource is "slowing down" or "maxing out."

In a lean year, an argument like that is likely to inspire the CFO to say, “Well, the system is still running, so let’s try to make it through until sales improve.” This is also a major reason why so many companies have aging workstations, disk drives, servers, and networks: It’s never a strong justification at budget time to ask for more resources just because you feel you need them.

The best practice for obtaining IT infrastructure budget approvals is to align infrastructure improvements so that they support, and are included with, the projects that are at the heart of the business and where the business wants to invest.

If your company is losing a thousand new hotel reservations an hour because your server CPU is too slow, you can easily justify beefing up the CPU to recover the lost revenue opportunities.

This is the message of SOX, the business regulations like it, and the mission-critical projects that the business views as important. They provide a viable silver lining and on-ramp for infrastructure improvements you otherwise might not get.


About the Author(s)

Mary E. Shacklett

President of Transworld Data

Mary E. Shacklett is an internationally recognized technology commentator and President of Transworld Data, a marketing and technology services firm. Prior to founding her own company, she was Vice President of Product Research and Software Development for Summit Information Systems, a computer software company; and Vice President of Strategic Planning and Technology at FSI International, a multinational manufacturer in the semiconductor industry.

Mary has business experience in Europe, Japan, and the Pacific Rim. She has a BS degree from the University of Wisconsin and an MA from the University of Southern California, where she taught for several years. She is listed in Who's Who Worldwide and in Who's Who in the Computer Industry.
