Curated for content, computing, and digital experience professionals

Is Sarbanes-Oxley Slowing IT Spending?

Yesterday I wrote about the new AeA report
on the problems companies are encountering with Sarbanes-Oxley Section
404. Another concern raised in the report has to do with innovation and IT
spending. Quoting from the report …

Instead of taking a principles-based approach, COSO and COBIT provide a super-checklist for all companies, set a cookie-cutter approach for how one must run a business, and they create a limitless necessity to document, document, document, rather than to do, do, do.

The external auditing firms also come in for criticism in the AeA report for
using "cookie-cutter" approaches.  One CFO quoted in the report
complains about armies of auditors in their mid-twenties who know nothing about
business and whose "judgment" is confined to whether or not they can
check off a box on some list.

The fact that Big Four firms are reporting a doubling of auditing revenues,
thanks to Sarbanes-Oxley, invites a cynical view of their situation.  But,
a "big picture" take on the issue needs to consider the risks and
incentives on the auditing side of the problem.  If something does go
wrong, auditors know that shareholders will be coming after them for
damages.  It is hard to see the upside for the auditor in being
"reasonable" and in trying to consider the special circumstances of
smaller companies.  (I am not arguing that the inability to deal with the
special needs of smaller firms is "right" — but simply that the
auditors, too, are constrained by the business and litigious realities
surrounding SOX.)

So … what are the consequences of this "cookie-cutter"
approach?  According to the AeA Report:

A specific example of the damage that this does relates to new IT productivity projects. The only way that U.S. companies successfully can compete with companies based in low-cost countries is to be more efficient. The key to greater efficiency is to invest in new and improved IT and automated systems. Because COSO requires an internal control to be ‘mature’ to be considered effective, it is not practical to implement major new IT systems in the third and fourth fiscal quarters because the control will not be mature.

Ouch!  Is this really happening?  Are readers finding that SOX
Section 404 is turning into a moratorium on IT systems implementation for half
the year?  Send me an email or add a
comment …



  1. Susan

    One problem…small businesses aren’t typically publicly traded and thus SOX 404 wouldn’t kick in.
    Only if they were “divisions” of larger companies would this be an issue.

  2. Thinking Out Loud: Thought Leadership from an Enterprise Architect

    IT Security & Enterprise Architecture

    Seemed like I stirred up some trouble in my last blog entry on IT security professionals. Guess some folks are offended that I referred to them as big fat idiots who are doing a disservice to the industry by blogging…
