Curated content for content, computing, and digital experience professionals

Day: January 8, 2005

Sarbanes-Oxley: Too Narrow?

I have been spending a lot of time with the Sarbanes-Oxley Act (SOX) lately — and have run across a really useful book. The title is Beyond COSO: Internal Control to Enhance Corporate Governance, by Steven J. Root (Wiley, 1998).

Yes, I know … the book predates SOX. When it was published, people were still talking about what a great company Enron was. Undergraduate accounting students were still hoping to land a job with Arthur Andersen. That is part of what makes the book useful.

As many of you probably know, SOX and the SEC don’t prescribe just how a company must set up internal controls — the SEC only requires that you use a suitable, recognized control framework. In the final rule, the SEC points out that COSO — the framework developed by the “Committee of Sponsoring Organizations” of the Treadway Commission — is such a “suitable” framework.

What makes Root’s book so interesting is that it is a critique of COSO. At the heart of this critique is Root’s concern that COSO focuses too narrowly on controls to ensure accurate financial reporting, giving short shrift to the kinds of operational controls that often really make a difference between a business that succeeds and one that doesn’t.

When you look at SOX, you can take Root’s concerns and add an exponent.  Compliance with section 404 of SOX takes what little emphasis there is in COSO on matters other than financial reporting and discards it: 404 compliance is ALL about internal controls to ensure the accuracy of financial reports.

To be sure, accurate financial reporting is a good thing. But it is a rare CEO who decides that what it will take to make his or her company great is better financial reporting.  Improved quality, a stronger connection to the customer, returns exceeding the cost of capital — yes — these are things that management focuses on.  But, better financial reporting?

The sad thing is that improved internal controls really can improve quality, customer response time, and the decision making required to improve return on investment.  But a company that focuses solely on SOX compliance is going to miss these things.

Is this a topic — a concern — arising in your companies as you come to terms with SOX?

Anyway, take a look at Root’s book. It provides a historical perspective on SOX that is missing from some of the recent focus on “compliance.”

Taxonomies, Folksonomies & Controlled Vocabularies

There is an enlightening discussion going on between Lou Rosenfeld, Clay Shirky and others on the utility of folksonomies as used by Flickr and del.icio.us, vs. subject-matter-expert developed taxonomies. As one of the commenters has pointed out, this is not an “either/or” issue. Certain applications where the scope of the content and users is bounded will benefit from the discipline of a carefully architected vocabulary. Other applications where the scope of either the content or the user community is less well-defined will either suffer or, more likely, the users will ignore the prescriptions (this is why the “semantic web”, if I understand it at all, is hopeless). The key issues are related: cost and adoption (cost is usually a function of adoption, not development), and I think they both would agree on this point. How these approaches might work together is trickier and well worth exploring. In any case, this debate provides a condensed lesson in many issues that most enterprise content managers have probably not thought through, but even those that have should check out this thread.