Happy Anniversary SOX

It's been three years since the Sarbanes-Oxley Act was signed into law, and public companies are well into their second year of compliance. So where do we stand?The answer to that question seems to rest partly on whom you ask, when you ask, and who's within hearing range when you ask. It also depends on how the question is interpreted, since SOX has implications for IT managers, business managers, top executives and boards of directors. Oh yes, it also has implications for investors. In fact, when the legislation was drafted, wasn't it envisioned that investors would be the main beneficiaries of the improved controls and corporate honesty that SOX would generate?

And the questions continue: Will the new SEC chairman Christopher Cox get fully behind Sarbanes-Oxley or will he, as some predict, be looking to make changes in the way it is drawn up and enforced?

It's been impossible to get an accurate pulse on SOX because all the recent surveys have taken readings from different parts of the subject. And since most of the surveys are vendor-sponsored or conducted directly by vendors, they tend to gather information from companies that have implemented a certain type of technology, or companies that were surveyed because they haven't yet implemented a technology.

So we find, for instance, that companies that have automated their processes for verifying controls under section 404 tend to have a more optimistic view that SOX has improved their processes and controls and elevated investor confidence. Similarly we find that companies that have not implemented an e-mail archiving system are less optimistic about their ability to pass a controls audit.

And, of course, those that spent the money up front to automate SOX compliance activities are reporting that their auditing and accounting costs have not increased as much as they anticipated.

The problem I have with all these reports is that they are exactly as you might expect. That's not to say they are inaccurate, they just don't present the entire picture. So here's how I would ask the questions, and from where I sit, here's how I anticipate the majority of honest folks would answer them:

Q: Taking into consideration all the costs and benefits, not just particular costs and benefits, is your business and your industry better off as a result of SOX?

A: I don't know.

Q: Was legislation like SOX necessary to achieve the results of corporate transparency and accountability, or would public companies have made the necessary changes on their own accord?

A: Probably not because the changes would have come about anyway.

Q: Was SOX an overreaction to a real problem?

A: Yes.

Q: Has SOX made yours a better company to do business with or invest in?

A: Most definitely, but it's been too expensive.

Q: Has the legislation been effective? A: Too early to tell. Dishonest and deceptive practices continue, but compliance also points out inadvertent and unknown problems.

Q: Should SOX be revisited, refined and redrafted?

A: Probably, but only if the changes don't require additional spending.

Q: Will the cost of SOX go down over time?

A: That's the promise but we're not seeing it yet.

Q: Have you improved your IT operations as a result of SOX?

A: Depends on whom you ask. Many IT managers were able to push through projects that might otherwise have not been funded. Top executives still need convincing that the IT spending was worth cost and effort.

Q: Have your business processes improved as a result of SOX?

A: I don't know.

The thing we lose site of talking about the technology behind the new SOX compliance initiatives is that most business leaders felt their controls were adequate and that they were a good company to do business with before the legislation. Some just had an easier time proving it. And business people don't like to spend money proving what they already know unless there is a return in it.

It might take another three years to really get a handle on the impact of Sarbanes-Oxley. The question of improved business processes will be a contentious one, as it was before SOX. Processes automation doesn't always mean process improvement. And improvement means different things to different stakeholders.

For many, mitigating risk is a different mindset and different set of activities than process improvement. For instance, I've automated the process of securing my computers from outside threats, at least to the extent that I can afford to, but I still get hit now and again and have to deal with the problem manually. Am I better off with the automated defenses? I think so. Am I happy with the state of my virus and spyware defenses? No. How much more would I be willing to spend to improve them? Not a whole heck of a lot.

And that's the way many businesses view compliance spending. It's risk management, not process automation. Avoiding downside risk isn't the same thing as return on investment. Perhaps that will change. But for now, three years into Sarbanes-Oxley, I think that is were we are still at. IT managers will have to step up lead the way for true process improvement.