Curated for content, computing, and digital experience professionals

Sarbanes Oxley: Bad News or Benefit?

Last Friday’s evening edition of the American Public Media radio program
"Marketplace" had a short piece about Sarbanes Oxley.  (Here is a link to the
program — I am not sure how long the link will be good.)
The gist of the story was that Sarbanes Oxley sure seemed like a good idea right
after Enron, but–now that companies are facing the effort and costs of
implementation–there is backlash leading to an effort to get Congress to change
the law.  According to this story, there is a significant lobbying effort
underway, led by the US Chamber of Commerce and others,  to make
"technical corrections" to SOX.  

There is a related story in today’s online edition of Business Week Online,
titled "A Dream of Simpler Accounting," bylined by Amey Stone.  Stone’s
article covers a speech given by Don Nicolaisen, the Securities & Exchange Commission’s accounting chief,
at the New York State Society of Public Accountant’s conference yesterday.

Nicolaisen’s speech focused on his desire to simplify accounting rules by
moving away from detailed prescriptions to an approach based more on adherence
to principles.  (One of the problems with very detailed rules is that they
can encourage companies to "game" the system … finding ways to skirt
the edge of ethics and of sound accounting principles while still technically
staying within the bounds of the rules.  Another problem, of course, is
that detailed rules, universally imposed, can be onerous for many companies,
particularly mid-sized companies.)  But, as Amey Stone reported in her BW
article, Nicolaisen’s speech on principles soon devolved into a defense of the
very detailed rules associated with Sarbanes Oxley.  Nicolaisen reported
that he hears a lot of "noise" about Section 404 compliance.

I’d love to get a discussion going with some readers here as to whether SOX
is onerous and too detailed, or whether it is a necessary step in the direction
of guaranteeing standards of internal control over financial reporting. 
But, apart from that discussion, it seems that, for many companies, Sarbanes
Oxley is JUST about compliance, rather than about making an investment that will
pay off in improved performance.

"Compliance" just means that you have followed the rules and can be
(relatively) free from fear of sanctions and penalties.  But internal
control can be so much more than that.  It can be about improved processes,
increased efficiency, and more effective governance. When companies talk about
"compliance" initiatives, does that imply that they are more focused
on avoiding the negatives than on seeking return from the positives?


1 Comment

  1. Sebastian Holst

    There are a number of dimensions to consider when evaluating the cost and complexity of SOX compliance. One important dimension is the enforcement standard. The US sentencing commission has a clear and unambiguous set of guidelines to define “an effective compliance and ethics program” that has been in existence for 15 years and has been recently updated to ensure alignment with SOX. Visit
    for the definition and the alignment with SOX which reads in part…
    “This section sets forth the requirements for an effective compliance and ethics program. This section responds to section 805(a)(2)(5) of the Sarbanes-Oxley Act of 2002, Public Law 107–204, which directed the Commission to review and amend, as appropriate, the guidelines and related policy statements to ensure that the guidelines that apply to organizations in this chapter “are sufficient to deter and punish organizational criminal misconduct.””
    What is important to consider is that while the enforcement standard is unambiguous, the rigor with which it will be enforced is very much open to interpretation. For example, HIPAA enforcement has been scaled back considerably specifically because of the cost of compliance (that is not to say that there is no enforcement). There are also specific allowances for differing levels of effort based upon the size of a company (also defined).
    I would not want to predict the future of SOX legislation, but what I am sure will happen is a rapid convergence on enforcement rigor that will hopefully account for level of effort and cost to comply for smaller organizations.
    It is important to note that if a company can demonstrate that they have an effective compliance program, there is an explicit formula that can result in (up to) a 95% reduction in any fines and can be used to completely circumvent prosecution. If an organization is not familiar with the US Sentencing Guidelines, the calculations on penalty and the definition of an effective compliance program, they are running a race with no understanding of where the finish line is – and if you don’t know if you are in a sprint, hurdle or marathon – or if you are running on a track or cross country – how can you win?
