Curated for content, computing, and digital experience professionals

Sarbanes-Oxley: Too Narrow?

I have been spending a lot of time with the Sarbanes-Oxley Act (SOX) lately — and have run across a really useful book. The title is Beyond COSO: Internal Control to Enhance Corporate Governance, by Steven J. Root (Wiley, 1998).

Yes, I know … the book predates SOX. When it was published, people were still talking about what a great company Enron was. Undergraduate accounting students were still hoping to land a job with Arthur Andersen. That is part of what makes the book useful.

As many of you probably know, SOX and the SEC don’t  prescribe just how a company must set up internal controls — the SEC only requires that you use a suitable, recognized control framework. In the final rule, the SEC points out that COSO — the framework developed by the “Committee of Sponsoring Organizations” of the Treadway Commision — is such a “suitable” framework.

What make’s Root’s book so interesting is that it is a critique of COSO.  At the heart of this critique is Root’s concern that COSO focuses too narrowly on controls to ensure accurate financial reporting, giving short shrift to the kinds of operational controls that often really make a difference between a business that succeeds and one that doesn’t.

When you look at SOX, you can take Root’s concerns and add an exponent.  Compliance with section 404 of SOX takes what little emphasis there is in COSO on matters other than financial reporting and discards it: 404 compliance is ALL about internal controls to ensure the accuracy of financial reports.

To be sure, accurate financial reporting is a good thing. But it is a rare CEO who decides that what it will take to make his or her company great is better financial reporting.  Improved quality, a stronger connection to the customer, returns exceeding the cost of capital — yes — these are things that management focuses on.  But, better financial reporting?

The sad thing is that improved internal controls really can improve quality, customer response time, and the decision making required to improve return on investment.  But a company that focuses solely on SOX compliance is going to miss these things.

Is this a topic — a concern — arising in your companies as you come to terms with SOX?

Anyway, take a look at Root’s book. It provides a historical perspective on SOX that is missing from some of the recent focus on “compliance.”


  1. Sebastian Holst

    Bill, like you, I have also been tracking Sarbanes-Oxley activity across public corporations, audit firms, analysts and technology suppliers. What I have observed is that, as a rule, each of these communities has long standing blind spots in their respective world views regarding compliance, its impact on operations and the potential role of technology. SOX’s ongoing sequence of deadlines and the perceived risk of a qualified opinion have brought an unprecedented level of attention to compliance; for the first time, many of these “disconnects” are coming to light. As you point out, the issues that surround SOX go far beyond specific SOX topics and require fluency in regulations, enforcement standards, operational risk management and, of course, the potential role of technology. For many, SOX has created the impetus to get smart about the broader category of governance, risk and compliance management category – but it is a much larger topic than most appreciate.
    With regards to the limited scope of the COSO Internal Control – Integrated Framework, I doubt anyone would agree more that its authors. In November of 2004, COSO published the first major extension to this seminal work: The COSO Enterprise Risk Management – Integrated Framework (see Contrasting these two works is beyond the scope of this format – but I think this excerpt from the FAQ on the COSO site sets our expectations appropriately. It reads as follows…
    “Companies that want to move beyond internal control and get more out of their efforts, now have a framework that will help them go to the next level. … The Enterprise Risk Management – Integrated Framework details, for the first time, the link between value, risk, strategy, objective setting, performance measurement, risk response and control processes.”
    The work here is getting a lot of attention and the executive summaries and FAQ’s also serve as excellent subject matter introductions (to be clear, I have nothing to do with COSO or this material).
    I firmly believe that the automation and integration regulatory, operational and financial compliance represents one of the greatest opportunities today for technology suppliers to transform modern enterprises and further establish their role in today’s economy and culture. However, multi-disciplinary approaches are required and that means we all are going to have to learn a lot more about topics outside of our comfort zones (wherever those may be).

  2. Glen Secor

    Based upon conversations with various people in the “compliance” space, there seems to be a fairly broad understanding that compliance transcends any specific law, including SOX. In order to move forward with ECM-based compliance, the enterprise must translate externally-imposed regulations and internally-generated policies into business rules. In this context it becomes clear that “compliance” is really a subset of the broader and more relevant task of “content governance.”
    Content governance at its simplest level involves the establishment and enforcement of business rules aimed at access to and usage of various types of content. Viewed in this light, we can see that content governance includes not only compliance with externally-imposed regulations and internally-generated policies, but also collaboration between individuals within and outside of a given enterprise in the creation and management of content. Substituting “rights” for “business rules,” we can turn to enterprise rights management (ERM) as the key to content governance. Successful ERM requires the articulation of policies as business rules governing the access to and usage of content. Once articulated as such, these rules can then be enforced by ERM technology.
    Compliance and collaboration are essentially two sides of the same content governance coin. Writ large, content governance is achieved through series of business rules dictating what various content sets must consist of, who must (and must not) have access to content, who can (and cannot) have access even if his or her access is not mandated, and what those individuals can (and cannot) do with that content. Whether dealing with the financial control and reporting requirements of SOX or with the collaboration between individuals in R&D and Marketing on the development of a new product, the core dynamic is the same: policies governing access to and usage of content must be established and then enforced through technology and, if applicable, other means (such as old-fashioned physical access to hard copy files).
    Compliance with SOX (or HIPAA, or any number of other regulations, or internal policies governing such matters as employee and customer privacy) is but one manifestation of content governance. Just as the compliance discussion must move beyond SOX, so must the content governance discussion move beyond compliance. In fact, utilization of ERM/ECM solutions to meet compliance needs might not become widespread until organizations recognize and seek to realize the true benefits of content collaboration.
    I wager that many people in the content management space view compliance as something an enterprise must do, while collaboration is something an enterprise should do. It won’t be long before strategic and financial considerations force us to recognize that content collaboration is also a requirement and not just an option. That’s the point at which the full potential of ERM will be brought to bear on the content governance challenge.

Leave a Reply

© 2024 The Gilbane Advisor

Theme by Anders NorenUp ↑