(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

RBAC as a Weapon against SOX Perversions and Kafkaesque Bureaucratization of IT


The road to hell is paved with good intentions


Franz Kafka's writings demonstrate a prescient knowledge of how it feels to be involved in a SOX compliance project!

The history of SOX is in a way tragic: what was initially a sound regulation was perverted into very expensive bureaucratic games. The financial firms escaped completely...

All SOX-related games played by big accounting firms for fun and profit are based on an arbitrary interpretation of section 404 of SOX (Sarbanes-Oxley, Financial and Accounting Disclosure Information), a section that has nothing to do with IT, because the law itself was designed to prevent Enron-type fraud by high-level executives, not the fudging of data in Oracle databases by some low-level schmucks.

But the SOX interpretation by the Big Five was pretty similar to installing a regime of Kafkaesque bureaucracy in the IT systems of all large US corporations. Bill Joy once proposed an elegant explanation for the apparently inevitable metamorphosis of cool start-ups into hideous corporations, which he called the Bozo2 Principle.

Wizards, he said, hire other Wizards. Bozos hire Bozos. As a company grows rapidly, it is inevitable that some Wizards will slip and hire Bozos, given the scarcity of the former and the plenitude of the latter. However, once a Bozo has been hired, he hires another, and "everything beneath them turns Bozo after that." (This is related to Steve Jobs' famous: "A people hire A people. B people hire C people.") Since SOX-inspired managers in IT are by definition type B people, it might actually be useful for the long-term survival of the corporation to can the most enthusiastic of those who participated in SOX compliance efforts, preferably the day after the compliance documents were signed ;-)

In some way it looks like a major reversal of Cold War results with one brilliant stroke of the pen: the entrenched "red bureaucracies" of the former Eastern European Communist Bloc exacting revenge from the grave by imposing their "rules of the game" on major US corporations, using the Big Five as a fifth column :-). Suddenly Franz Kafka's "The Trial" looks like a very contemporary book.

Here is section 404 of SOX for reference:

Section 404

Management Assessment Of Internal Controls

I would like to stress again that, with all this noise about SOX compliance, one of the few things that make sense in IT is the adoption of RBAC. Most SOX activities resemble Y2K-style activity with the same bozos in charge of the effort. They also represent a very expensive and superficial effort that benefits mainly (or exclusively) large auditing firms and (to a lesser extent) companies with semi-useless or harmful security products; that effect may be why IBM paid so much money for ISS with their semi-useless IDS products ;-)

But good, type A managers can play their cards more intelligently than regular PHBs and try to add technologies whose time has come, but which would never be implemented unless they are on the SOX compliance bandwagon with its financial excesses ;-). Role-based access control (RBAC) is definitely one such technology.

Persuading higher-level managers to implement RBAC under the SOX-compliance sauce is relatively easy (in fact, SOX does not even specify what "adequate internal control" is, nor which solutions organizations must implement in order to meet that requirement). Using RBAC as an "adequate internal control" solution makes a lot of sense.

RBAC aside, instead of adding direct compliance measures it might also be beneficial to consider some kind of security monitoring, which helps increase the effectiveness of existing controls without implementing additional costly and/or paralyzing measures. One of the few useful direct compliance measures might be the end-of-year assessment, which might also benefit from the presence of additional reporting tools.

Solaris Zones can greatly complement an RBAC implementation by ensuring real separation of duties. Solaris zones essentially allow the application owner to control their own lightweight virtual machine and as such greatly reduce conflicts over access control in a Unix environment. The problem of "too many privileges for application owners", which is essentially irresolvable in an ordinary Unix environment no matter how many documents are produced or meetings conducted, can finally be at least partially addressed in a way that minimally hurts (and can even in a way benefit) all parties involved.
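As an added illustration (not code from this page, from Solaris, or from any product it mentions), here is a small Python model of the separation-of-duties control that RBAC gives an assessor: role definitions, static separation-of-duty constraints that refuse conflicting role assignments and log the refusal, a permission-level check for toxic combinations, and an entitlement report. The role and permission names are hypothetical and mirror the application-owner versus platform-administrator split described above.

```python
from dataclasses import dataclass, field

# Hypothetical roles and permissions, constructed for this example. They mirror the
# split the page describes: an application owner confined to its own zone versus the
# administrators of the platform it runs on.
ROLE_PERMS = {
    "app_owner":    {"app:deploy", "app:restart", "app:read_logs", "zone:boot"},
    "dba":          {"db:alter_schema", "db:read"},
    "global_admin": {"os:patch", "zone:install", "zone:halt"},
    "auditor":      {"audit:read", "db:read", "app:read_logs"},
}

# Static separation of duty: no user may hold both roles of a pair at the same time.
STATIC_SOD = (
    frozenset({"app_owner", "global_admin"}),  # app owner must not also own the platform
    frozenset({"dba", "app_owner"}),           # code changes and schema changes stay separate
    frozenset({"auditor", "global_admin"}),    # the auditor is independent of the audited
)

# Permission-level toxic pairs, checked against the *effective* permission set so that
# later edits to ROLE_PERMS cannot silently recreate a conflict the role pairs miss.
TOXIC_PERMS = (
    frozenset({"app:deploy", "db:alter_schema"}),
    frozenset({"os:patch", "audit:read"}),
)


class PolicyError(ValueError):
    """Raised when an assignment would violate a separation-of-duty constraint."""


@dataclass
class Policy:
    assignments: dict = field(default_factory=dict)  # user -> set of role names
    audit_trail: list = field(default_factory=list)  # (decision, user, role, reason)

    def assign(self, user, role):
        """Grant a role, refusing and logging any static SoD conflict."""
        if role not in ROLE_PERMS:
            raise PolicyError(f"unknown role {role!r}")
        held = self.assignments.setdefault(user, set())
        for pair in STATIC_SOD:
            if role in pair and (pair - {role}) & held:
                other = next(iter(pair - {role}))
                self.audit_trail.append(("DENY", user, role, f"SoD conflict with {other}"))
                raise PolicyError(f"{user}: {role} conflicts with {other}")
        held.add(role)
        self.audit_trail.append(("ASSIGN", user, role, ""))

    def permissions(self, user):
        """Effective permissions: the union of all roles the user holds."""
        return set().union(*(ROLE_PERMS[r] for r in self.assignments.get(user, ())))

    def permitted(self, user, permission):
        return permission in self.permissions(user)

    def toxic_combinations(self):
        """Users whose effective permissions contain a forbidden pair (should be empty)."""
        found = []
        for user in sorted(self.assignments):
            perms = self.permissions(user)
            for pair in TOXIC_PERMS:
                if pair <= perms:
                    found.append((user, tuple(sorted(pair))))
        return found

    def entitlement_report(self):
        """User -> sorted roles and permissions: the evidence an assessor asks for."""
        return {
            user: {"roles": sorted(roles), "permissions": sorted(self.permissions(user))}
            for user, roles in sorted(self.assignments.items())
        }


def demo():
    """Walk through the app-owner versus platform-admin split; returns the policy."""
    policy = Policy()
    policy.assign("alice", "app_owner")    # owns the application zone
    policy.assign("bob", "global_admin")   # patches the global zone
    policy.assign("carol", "auditor")
    try:
        policy.assign("alice", "global_admin")  # refused: alice would own both sides
    except PolicyError:
        pass
    return policy


if __name__ == "__main__":
    p = demo()
    print(p.entitlement_report())
    print(p.audit_trail)
```

The `toxic_combinations` check is what catches drift after role definitions are edited, which is the usual way a separation-of-duties control silently decays between assessments.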



Old News ;-)

[Mar 22, 2011] More on the Lack of Criminal Prosecutions: Was the SEC Deterred by a Widely Overlooked Ruling?

March 22, 2011 | naked capitalism

The US needs to do one of two things:

1. Enforce SarbOx against individuals and companies that have violated its provisions to the point of bringing the country's economy to its knees; or

2. Announce that SarbOx has failed at its purpose, thereby penalizing honest, law-abiding executives and companies by increasing costs while failing to rein in dishonest, fraudulent book-keeping.

This is another example of the US quagmire of regulations where we mandate lots of inefficient activity while the purpose of the regulations is not actually being met due to poorly written regulations, conflicts between regulators, or a simple desire not to enforce regulations.

The lack of a social contract in this country on the balance between regulation, enforcement, and efficiency is probably our single biggest impediment to moving forward in the next century. One of the reasons why "socialist" countries can actually do well is because they have developed that social contract over the past few decades. Instead we end up with both the worst of socialism and libertarianism without enough of the benefits.

Middle Seaman:

Possibly, the lack of social contract causes the country the recent difficulties. It is also possible, however, that the distinction between the US and countries such as Germany, the Scandinavian countries and France lies in our lack of solid industry. Somewhere after 1980, we decided to relinquish traditional industry. Instead, we shifted to finances, semi-information and massive outsourcing of everything in sight (e.g. medical diagnosis, legal document analysis and, of course, traditional manufacturing).

The latter process has developed a super class that is above the law, highly subsidized by the government, politically powerful and despises non-members. This sends Rick Scott to govern Florida instead of jail and Mozilo to lose an infinitesimal part of his loot instead of spending decades in "Club Med."

The only way to escape our misery lies in the elimination of the super class and the reindustrialization of the country befitting the 21st century. Don't hold your breath.

RT:

Here's the relevant portion of the Black decision:

In Count VIII, the SEC alleges that Black violated Rule 13a-14(b) which, in accordance with Sarbanes-Oxley, required that Black, as International's CEO, certify as to the 2002 Form 10-K that: "Based on his or her knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by the report." 17 C.F.R. § 240.13a-14(b) (2) (2003). The parties agree that Black signed such a certification for the 2002 Form 10-K.FN20 As previously discussed, it is established that this certification was knowingly false in that Black knew the APC payments and Supplemental Payments were misleadingly reported or omitted.

FN20. The certification requirement was not in effect at the time the 2001 Form 10-K was filed.

Black contends a violation of the certification requirement of Rule 13a-14(b) does not support a separate cause of action. He contends such conduct is only actionable if it violates some other actionable provision of the securities laws. Two district court cases have so held, see In re Intelligroup Sec. Litig., 468 F.Supp.2d 670, 706-07 (D.N.J.2006) (no private right of action for violation of certification requirement); In re Silicon Storage Tech., Inc., Sec. Litig., 2007 WL 760535 *17 (N.D.Cal. March 9, 2007) (no independent claim for a false certification), and the SEC so indicated at the time it first proposed Rule 13a-14, see SEC Release No. 8124, 2002 WL 3170215 *9 (Aug. 28, 2002) ("An officer providing a false certification potentially could be subject to Commission action for violating Section 13(a) or 15(d) of the Exchange Act and to both Commission and private actions for violating Section 10(b) of the Exchange Act and Exchange Act Rule 10b-5."); 67 Fed.Reg. 57,276, 57,280 (Sept. 9, 2002) (same). The SEC contends cases have held that the SEC may base enforcement actions directly on violations of Rule 13a-14. The two cases cited by the SEC, however, hold that sufficient facts are alleged to state the Rule has been violated by a false certification, but neither addresses whether a false certification can stand as an independent claim. See SEC v. Brady, 2006 WL 1310320 *5 (N.D.Tex. May 12, 2006); FN21 SEC v. Sandifur, 2006 WL 538210 *8 (W.D.Wash. March 2, 2006).FN22 Many cases have held that a violation of the certification requirement may be considered in determining whether scienter is adequately alleged or proven, though cases differ as to the weight of such allegations or evidence. See In re Intelligroup Sec. Litig., 527 F.Supp.2d 262, 356-57 (D.N.J.2007); In re ProQuest Sec. Litig., 527 F.Supp.2d 728, 742-43 (E.D.Mich.2007); In re BearingPoint, Inc. Sec. Litig., 525 F.Supp.2d 759, 773 (E.D.Va.2007).

FN21. The entire discussion in Brady directly addressing the certification claim is the following. "SEC asserts that Brady and Beecher are directly liable under … SEC Rule 13a-14, 17 C.F.R. § 240.13a-14 (2008)." Brady, 2006 WL 1310320 at *2. "As to the books-and-records claims, SEC has adequately pleaded … that Beecher committed a primary violation of Rule 13a-14." Id. at *5.

FN22. The entire discussion in Sandifur, 2006 WL 538210 at *8, is: "The tenth claim alleges that Defendant Ness signed a false Sarbanes-Oxley certification that was included in Metropolitan's 2002 10-K. (Compl.¶ 94.) In addition to this specific allegation, the claim also relies on and incorporates the complaint's other preceding allegations. As in the first, second and sixth claims, the Court finds that the allegations adding up to the tenth claim provide the who (Defendant Ness), what (false certification), when (filed December 31, 2002), where (in the 2002 10-K), and how (by signing it) necessary to allow Defendant Ness to prepare his defense. Therefore, the tenth claim is pled with sufficient particularity and Defendant Ness's motion as to this claim is DENIED."

*17 Consistent with the SEC Release and the two cases that have addressed the issue, it is held that a false Sarbanes-Oxley certification does not state an independent violation of the securities law. Therefore, summary judgment will not be granted as to Count VIII. Instead, Count VIII will be dismissed for failing to state a claim.


The elite corporate and banking structure needed a puppet to provide amnesty. They found one. They bought and paid for him and sold him as some savior to a bunch of dipshits. It is as simple as that. Justice is just a matter of cost.

jake chase:

The SEC was a toothless tiger when I worked there in 1967. I suspect it was a toothless tiger under James Landis (income tax evasion) and Joe Kennedy (crimes too numerous to mention). The mission has always been to pretend to police Wall Street. Those who have never worked there cannot possibly imagine what the place is like. The only time work of any kind gets done is when a call comes in from a Congressman or a Wall Street or Washington law firm. On those occasions the ass kissing and genuflecting and foot shuffling and forelock tugging rivals an episode of Celebrity Apprentice. Giving the SEC more resources makes as much sense as reelecting Obama to improve the condition of working people. It is nice to see others finally recognizing the truth about this Washington sinkhole.

[Oct 10, 2007] New Report Reveals Causes for Shareholder Value Destruction

Companies are focused on compliance, but strategy and operational mistakes destroy more shareholder value.

New York, November 18, 2004 - Is compliance the biggest issue for business today? In recent years, corporate missteps have wiped out hundreds of billions of dollars in shareholder value, in industries ranging from telecom to energy to healthcare. The result has been a compliance backlash, with an onerous wave of regulatory reform that threatens to hinder growth and innovation. However, a new report from Booz Allen Hamilton found that more shareholder value has been destroyed in the past five years as a result of strategic mismanagement and poor execution than was lost in all of the recent compliance scandals combined.

Booz Allen analyzed approximately 1,200 firms with market capitalizations over $1 billion as of 12/31/1998 for the five-year period from 1999 through 2003 and identified the poorest performers - the 356 companies that trailed the lowest-performing index for that period, the S&P 500. The companies lost more than 2 percent a year in shareholder value on a Compound Annual Growth Rate basis over the five-year period.

The results were startling - only 13 percent of the decrease in shareholder value in these companies resulted from compliance failures. Sixty percent of the value destruction was attributable to strategic mistakes, such as misjudging customer demand or competitive pressure, or management ineffectiveness. An additional 27 percent was due to operational blunders, such as cost overruns or poorly managed integration during mergers and acquisitions.

"The problem runs deeper than a few bad apples, and compliance is not the main culprit in the destruction of shareholder value," notes Booz Allen Senior Vice President Paul Kocourek. "Risk governance is the key to finding the balance between control and innovation. Companies need to develop a process that both protects shareholder value, by eliminating earnings surprises, and also enhances it, by fostering growth."

Booz Allen identified five imperatives for developing a risk governance program that fosters growth while managing risk:

Industry Findings

The study revealed significant industry differences in its examination of shareholder value destruction. Strategic losses were the most common cause in the telecom, media, tech and manufacturing industries, at 70 percent of the total. By contrast, strategic losses made up only 30 percent of the total in energy, and 42 percent in the transportation industry.

Operational losses were highest in the transportation (50 percent) and energy (48 percent) industries. Energy (22 percent) and financial services (21 percent) had the greatest compliance-related losses, but compliance was consistently the smallest factor overall in shareholder value destruction. International results were relatively consistent, with one exception - in Latin America, strategic losses were lower than the global average, (50 percent vs. 60 percent), but compliance losses averaged 25 percent of overall decline in shareholder value, nearly double the global average of 13 percent.

"Risk management needs to be about more than compliance with regulatory mandates - it should be a tool to position a company for uninterrupted growth," said Booz Allen Principal Jim Newfrock. "Companies that take a narrow and defensive approach and reduce risk management to a 'box-checking' activity will have a harder time innovating and growing in today's networked, global economy."


[Sep 1, 2007] The Hidden Costs of Compliance Low Employee Morale

Jan 7, 2007

Low employee morale and job dissatisfaction. Consultants. Rising audit fees. Dozens of new internal auditors. Executive meetings. Revenue-generating projects put on hold. The tangible and intangible costs of Sarbanes-Oxley compliance hit almost every public company in the United States and will soon reach many more around the globe.

Nearly half of financial executives feel the biggest issue related to SOX compliance is the need to avoid low employee morale in those responsible for compliance, according to the 2005 Oversight Systems Financial Executive Report on Sarbanes-Oxley. (Reducing internal and external costs ranks as the second most frequently cited challenge to ongoing compliance.)

The survey results hit on the key compliance issue: SOX compliance presents ongoing requirements, and companies cannot afford to repeat their year-one compliance efforts. The tangible costs have been extremely high, while compliance burdens employees with extra work, which the employees view as redundant, unnecessary and a distraction from their real job and their goal of creating enterprise value, all leading to low employee morale.

Low employee morale and high job dissatisfaction present hidden expenses to SOX compliance, but the costs can quickly add up. First, a rise in employee turnover leads to direct expenses in job training as well as repeating the compliance education that went into year-one SOX compliance. Second, low employee morale threatens the business benefits achieved in the first year of SOX. And finally, executives must recognize the threat to the company's culture and its tone toward financial integrity and compliance.

The solution is to link SOX compliance to tangible business benefits and automate the rote compliance tasks, such as testing and monitoring internal controls.


[Aug 17, 2007] On Wall Street - A SourceMedia and Investcorp publication

From OWS Magazine | April 2007 Issue

By Milton Ezrati

... Audit costs have risen dramatically. According to "The Nature and Disclosure of Fees Paid to Auditors"--a study published in The CPA Journal by accounting professors Ariel Markelevich, Charles A. Barragato and Rani Hoitash--auditing fees have jumped an estimated 80% since SOX became law.

There have also been questions about what SOX has done to board efficiency. Research quoted widely in academic and professional literature shows that larger boards are not only expensive, but they're also generally less effective than smaller ones. Furthermore, SOX seems to have increased board turnover, which Linck, Netter and Yang estimate has risen to almost three times its rate during the years just before the law was passed. Many experts also question the merits of SOX's tendency to turn boards more toward oversight than to their other crucial function: offering business advice to the companies they serve.

These impositions have hurt American investors and markets in several ways. Many firms, for instance, have gone private. According to a General Accounting Office (now known as the Government Accountability Office) survey of available academic research, the number of firms that went private jumped by 80% the first year after SOX was enacted. And that number has continued to grow (albeit at a slower pace).

As a variation on this theme, evidence points to an increase of firms "going dark." This is a practice in which firms avoid SEC filings by deregistering their securities, though they continue to trade in the over-the-counter (OTC) market. While going dark--like taking a company private--doesn't necessarily hurt the economy or financial markets, there's an implied inefficiency when the move is largely made to avoid regulatory burdens.

Probably most unsettling is that SOX-related costs have been pegged as the reason many firms have chosen to list outside the U.S. Before SOX, American exchanges captured some 90% of all foreign equity offerings.

In 2005, the last year for which complete data was available, the reverse was true. None of the Top 10 listings occurred on an American exchange, and 22 of the Top 25 listings occurred outside the U.S. In addition, 2005 saw 129 major new listings overseas, compared to only six for the New York Stock Exchange and 14 for the Nasdaq.

[Aug 17, 2007] Union Urges Auditors to Dig Deeper for Exec Options Excesses

This is a use of SOX within its intended window of applicability.

Sarbanes Oxley narrowed the reporting window for option grants in a way that was designed to make options backdating harder. Grants were supposed to be reported within two days of the grant. But there are signs that the abuse continued even after the law was passed. Now, the AFL-CIO is putting pressure on audit firms to go back and scour the books, especially around the time the law was enacted, for possible abuses. The union argues that auditors need greater access to executives and boards to ferret all this out and that auditors examine more documents and board minutes. This is yet another reason to go overboard when you grant options. Leave no room for suspicion. The reality is that there are many cases that will not be prosecuted. Still, you want to leave nothing to chance. If you have nothing to hide, invite your auditor in.

[Aug 17, 2007] Sarbanes Oxley Outfoxing SOX

This is an example that even within its limited window of applicability SOX is not that efficient. It might well be that redirecting it to IT compliance is a shrewd maneuver, putting a nice smokescreen between the facts and the law...

Sarbanes-Oxley banned sweetheart loans to greedy executives. So, corporations are giving them free money instead. Greedy corporate executives were briefly constrained by Sarbanes-Oxley, the federal legislation passed two-and-a-half years ago in response to massive abuses at Enron, WorldCom, and others. But wily CEOs are now devising clever new methods to circumvent one of SOX's most popular provisions: the ban on sweetheart loans to executives and directors.

In the old days, companies regularly made loans to the likes of Dennis Kozlowski, the former CEO of Tyco who's currently on trial (for the second time). He received a $61 million relocation loan pre-SOX. Bernie Ebbers, the former WorldCom chieftain who's also now on trial, owed his company just over $400 million at one point. Largely because of these abuses, Sarbanes-Oxley outlawed such favorable loans.

But now companies have realized they can avoid the ban if they give money away to their top executives instead of loaning it. The amounts aren't as eye-popping as the loans made to Ebbers et al., but hey, it's free money. These giveaways are disclosed with varying levels of clarity in the company's SEC filings and are almost always on top of the other compensation and routine perks that top executives receive. Here are some of the new strategies...

[Mar 11, 2007] Business Pushes Back Against Regulation Financial News - Yahoo! Finance

The price of SOX is the loss of competitive edge

Bloomberg and Sen. Charles Schumer, D-N.Y., released a report in January saying that the burden of tough regulation is contributing to New York City's loss of its competitive edge in the financial services industry to cities like London and Hong Kong. Unless remedies are made, they warned, New York's -- and thereby America's -- leadership in global finance will be eroded, reducing jobs and chilling the U.S. economy.

[Feb 10, 2007] Curiouser and Curiouser!

How the protection of law was lost is a fascinating piece about the state of the modern American justice system. It begins with a consideration of the impact of Sarbanes-Oxley and a brief history of how previous attempts at financial regulation have led to this point. As the article says:

Reformers assume that rules can substitute for character, and they ignore the unintended incentives created by rule making.

which could be read as the more familiar:

The road to hell is paved with good intentions.

[Feb 10, 2007] GOVERNMENT FAILURE VERSUS MARKET FAILURE Preliminary draft--not for quotation by C. Winston

See also the SOX Related Links page. Clifford Winston, Brookings Institution, November 2005. Preliminary draft, not for quotation.

John Berlau on Sarbanes-Oxley on National Review Online

This is clearly a threat to overall economic vitality. Alfred C. Eckert III, CEO of the GSC Partners investment firm, also worries that both Section 404 and the law's mandates for boards of directors will lead to the "bureaucratization" of large American firms: "We're going to have people who are much more bureaucratic ... and who are frightened and will react in always the most conservative course and will rely on process dictated by lawyers rather than good business judgment." Eckert warns that if Bush and Congress ignore these effects of Sarbanes-Oxley, Bush's planned tax and Social Security reforms will not come to full fruition. "[Sarbanes-Oxley] will make capital more expensive and lower the rate of growth of America. It's very simple."

EDITOR'S NOTE: This piece appears in the April 11, 2005, issue of National Review.

Early this year, an unusual full-page ad appeared in the Wall Street Journal and other financial newspapers. The ad attempted to refute claims from businessmen about the costs imposed by the mandates of the Sarbanes-Oxley Act, the "corporate reform" law Congress passed in 2002 after accounting scandals hit Enron, Worldcom, and other companies. Yes, procedures stemming from that law "are neither simple nor inexpensive," the ad said, but the costs are well worth it if the result is restored investor confidence. "The [law's] greater goal and promise," the ad proclaimed, "is that the rigorous demands of compliance can lay the groundwork for improved and more reliable financial reporting, leading to a higher level of public trust."

The ad's message itself was not unusual; it mirrored the standard response the law's defenders give to complaints about cost. A Washington Post editorial intoned, "The nation's corporate chieftains . . . complain about the cost of this new regulation, not pausing to mention the cost of Enron-type scandals." But what this newspaper ad shows is that not all corporate chieftains oppose this law. The expensive ad was not paid for by a pension fund or another group representing the investors the law was intended to serve: Its sponsor was, rather, PricewaterhouseCoopers, the multi-billion-dollar accounting firm making a bundle in fees for doing all the audits the law has ended up requiring of business. By creating so many hurdles for public companies, the law has birthed a golden goose for those who audit them. And ironically, despite the media and legislative clamor to "get" the big accounting firms after Enron imploded, it's the Big Four accounting firms that have turned out to be the big winners from Sarbanes-Oxley.


"Auditors who lost their jobs when Arthur Andersen folded in the wake of the Enron scandal now find themselves up to their ears in work . . . auditing local businesses that are racing to meet Sarbanes-Oxley regulations," the San Jose Mercury News reported in December. According to BusinessWeek, PricewaterhouseCoopers has hired more than 1,600 new auditors and 400 temps from English-speaking lands to perform the extensive audits of businesses. The Big Four are hiring big-time, and have stepped up their recruiting efforts on college campuses: BusinessWeek says KPMG has upped its college recruitment by 40 percent in the last two years. Accounting is now a hot major. A headline in the magazine Practical Accountant summed up the accounting frenzy: "Cash in on Sarbanes-Oxley; reform unleashed a plethora of new and varied engagement opportunities."

But what's good for the Big Four isn't necessarily good for America. Other businesses, and ultimately the economy as a whole, are footing the bill for this regulation-driven auditing boom. Mounting evidence shows that the accounting-industry growth generated by Sarbanes-Oxley is coming at the expense of productivity, new jobs, and innovation in the general business world. A survey by Korn/Ferry International found that the law cost Fortune 1000 companies an average of $5.1 million in compliance expenses last year. For middle-market public companies, the law firm Foley & Lardner found that the act has increased the "cost of being public" - everything from audit fees to director insurance - by 130 percent. Substantial man-hours have also been diverted to Sarbanes-Oxley from other, more productive tasks. The industry group Financial Executives International found that the average firm was spending at least 30,700 man-hours a year on compliance with this law. As a result, a number of small U.S. and big foreign firms are rushing to deregister from U.S. stock exchanges - a blow to the U.S. capital markets, and, in turn, to the smaller U.S. companies that depend on these capital markets for financing.

Still, despite business complaints, the administration and the congressional majority - who have other critics, ones accusing them of wanting to repeal the New Deal - show no signs of willingness to scale back what has been called the greatest expansion of federal corporate law since FDR. Congress passed Sarbanes-Oxley less than a month after Worldcom announced it was in serious trouble; it was also six months after Enron's bankruptcy, and three months before the 2002 midterm elections. The Senate, then under Democratic control, had crafted a sweeping corporate overhaul bill by Sen. Paul Sarbanes, Democrat of Maryland. The House had passed a more modest bill by House Financial Services Committee chairman Mike Oxley, Republican of Ohio. When Worldcom announced the earnings restatement that would lead to its bankruptcy, the Bush administration and congressional Republicans went into crisis mode and approved Sarbanes's bill with very minor changes; about the only thing the House Republicans added to the final bill was a provision increasing the jail terms for those convicted of corporate wrongdoing. The bill passed the Senate 99-0, and the House approved it with only three members voting no.

The final product, the Sarbanes-Oxley Act, goes against a 30-year trend of general economic deregulation under Republican and Democratic presidents. It undermines federalism, by going where the federal government has never gone before in areas of corporation law that had long been provinces of the states; UCLA law professor Stephen Bainbridge wrote in Regulation magazine that the act has ushered in "the creeping federalization of corporate law." It regulates the structure and functions of boards of directors, and prescribes the duties of specific employees and board members. Intentionally or unintentionally, the law takes a significant step toward the longtime goal of Ralph Nader and other leftists: federal chartering of corporations. Environmental and labor activists are looking at ways to use the law to launch "shareholder complaints" to force companies to bend to their agenda. As William Greider noted approvingly in a recent cover article in The Nation, this new leftist "reform impulse is different because it seeks to change the system from within, using workers' capital as the driving wedge."

Oxley and the administration are standing firmly behind the law and seem opposed to significant changes in it. When I recently asked Oxley's office for his current views on the law, I was referred to remarks he made early last year at an event with Sarbanes at Washington's National Press Club, in which he said that "the objective ways that you measure this seems to me on the positive side," and that the market had gotten better since the law was passed. As for compliance costs, he said, they "pale in comparison to the costs of corporate fraud that could have occurred without this legislation." Treasury secretary John Snow in a recent BusinessWeek interview praised Sarbanes-Oxley as "critically important legislation" and said Congress didn't need to modify the law.

Meanwhile, the law is fulfilling its promise to create, in President Bush's words at the signing ceremony, "the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt." Indeed, one section of the law threatens to become the most extensive day-to-day regulation of American business since FDR's National Industrial Recovery Act, the price-and-output regulatory scheme struck down by a unanimous Supreme Court in 1935. Just as the NIRA created industry boards that had to approve prices and output, Sarbanes-Oxley's Section 404 and its regulatory extensions mandate that the most minute bookkeeping practices have to be okayed by auditors.


Section 404 requires that a business's executives sign off on the "internal controls" over financial statements and that the company's outside auditors "attest to" the soundness of these controls. The law also created the quasi-private Public Company Accounting Oversight Board to regulate accountants and set auditing standards. Although the Big Four initially opposed the tougher regulation this body would entail as well as the law's bans on consulting services that can be sold to an audit client, they quickly decided that having the board define "internal controls" as broadly as possible would likely more than make up for their losses. "We love the PCAOB and we love Section 404, especially given the other regulations in the law that affect us," says a staffer in the Washington, D.C., office of a Big Four firm.

The PCAOB, non-affectionately referred to as "Peekaboo" by many in the companies that are under its thumb, gave the accountants what they wanted: Last March, it defined internal controls as "controls over all relevant financial statement assertions related to all significant accounts and disclosures in the financial statements." It also defined the law's phrase "attestation" as a full-blown audit of each of these controls, just as the company's numbers have traditionally been audited. In practice, this means that such things as the technology used to derive accounting numbers must be audited every year by the accountants. The board states that "the nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting." This passage alarms public-company tech employees, because no technology is perfect, and even knowledgeable techies disagree about which is the best software. One public company's chief financial officer says this could mean that an auditor could label a computer with Windows 97, rather than an updated version, a bad internal control.

Daniel Goelzer, a member of the PCAOB, says this isn't likely: "I can't offhand think of a way that using an old version of Windows would make it more likely that your financial statements would be inaccurate." But he adds, "Maybe if there's something about the way that your Windows 95 interacted with the rest of the accounting software at a particular company, maybe it's conceivable." It's really up to the judgment of the individual auditor to decide whether a control passes muster, he says. "We have definitions, but I would certainly say to you that applying those definitions to a particular company requires judgment. That's why auditing's a profession, not a trade."

Yet it's a profession that the law is turning into a mini-regulator. And it's troubling when auditors have the power to second-guess management's best judgment on matters like technology, particularly when this power is combined with other parts of the law requiring "material weaknesses" discovered by auditors to be disclosed to shareholders and establishing criminal penalties for "willfully" disregarding proper accounting procedures. If management, which presumably knows the company better than anyone, has to go against its judgment of what's best to please an auditor, shareholders could lose out as well. And with every new business venture, there's a whole new set of internal controls. This could lead to a slowdown in business investment.

As if all this weren't enough for businesses to cope with, a whole bunch of interest groups now have their own definitions of "internal controls" they want to have imposed. The Oakland-based Rose Foundation for Communities and the Environment has called on the PCAOB to mandate that "independent auditors include reviewing the financial impacts of environmental conditions and environmental liabilities as part of their scope."

Many companies are hurrying to escape Sarbanes-Oxley by leaving the stock exchanges: According to a Wharton study, 198 American companies deregistered from exchanges in 2003, the year after the law was passed - nearly triple the number that deregistered in 2002. Prominent European firms, such as Siemens, are also considering pulling their U.S. listing because of the law. In 2004, the New York Stock Exchange had only ten new foreign listings.

This is clearly a threat to overall economic vitality. Alfred C. Eckert III, CEO of the GSC Partners investment firm, also worries that both Section 404 and the law's mandates for boards of directors will lead to the "bureaucratization" of large American firms: "We're going to have people who are much more bureaucratic . . . and who are frightened and will react in always the most conservative course and will rely on process dictated by lawyers rather than good business judgment." Eckert warns that if Bush and Congress ignore these effects of Sarbanes-Oxley, Bush's planned tax and Social Security reforms will not come to full fruition. "[Sarbanes-Oxley] will make capital more expensive and lower the rate of growth of America. It's very simple."

- John Berlau is the Warren T. Brookes Journalism Fellow at the Competitive Enterprise Institute.

[May 10, 2006] Leader: Get off the SOX compliance hamster wheel - By

Published: Tuesday 15 November 2005

Are you on the regulation hamster wheel, wheezing as you try to keep up with the latest edict dumped on you from above? Are you pulling out the system you put in last month because it doesn't comply with this week's ruling?

Regulation isn't going to stop anytime soon, unless we can find something more useful for all the bureaucrats to do - like breaking rocks.

But don't make the mistake of chopping and changing each time a new package of red tape drops off the regulatory production line.

Instead of rushing to comply each time, look for ways to jump off this nasty merry-go-round.

Migrating to new systems might have got you through SOX last year, but what if the advice from the auditors is different this year - and requires yet more expensive changes when you'd rather be working on new projects?

If you are sitting there smugly because SOX didn't touch you, what about MiFID looming on the horizon? And what if European regulation tsars decide they want their own SOX to pull on too?

Investment bank DrKW has realised this already. The key is to have the right environment in place to cope with every regulatory curve ball, rather than just deal with each one as it comes along. After all, what most regulation wants to create - consistent and secure processes and systems - is what most companies would aim for anyway.

Can you build your business processes and IT systems so they can bend to each regulatory whim without being broken by them? Try it - you'll save yourself a lot of effort in the long run.

[May 19, 2005] American capitalism

Damaged goods. The American economic model is doing all right. It could be doing even better

LOOKING around the world, you do not see many economies, least of all rich ones, doing as well as America's. In the inexhaustible capacity of its private sector to innovate, in its seemingly unquenchable desire to reinvent itself, the United States still leads the world, and reaps the material rewards of that leadership. Its brand of capitalism appears to have something going for it - so it may seem churlish, even perverse, to wonder how much better a country as successful as this might do if it really tried. And yet it could indeed be doing better. That's right: American capitalism is not beyond improvement.

In 2001-02, at the height of the Enron scandal, and amid the other corporate debacles that stained the reputation of American business, that would have seemed too obvious to be worth stating. But concerns about corporate probity have receded of late. This is for a variety of reasons. One of them, or so its designers hope, was the Sarbanes-Oxley statute, the measure conceived in response to those scandals. But that law is not in fact proving to be the unalloyed blessing that its creators envisaged. Meanwhile, other flaws in the American business model remain unattended to; they were simply not addressed by SOX (as it is now, not always affectionately, known). So, pleasant though it must be for the United States to contemplate the current performance of the continental European alternative, it would be wrong, as well as unAmerican, to be complacent. There is still some work to do at home.

Repent at leisure

The trouble with Sarbanes-Oxley is that it was designed in a panic and rushed through in a blinding fervour of moral indignation. This is not to say that the problems it addressed were imaginary. The calamities at Enron, WorldCom and the others warranted remedial action. And accounting failures - the focus of SOX's efforts - were undoubtedly among the things that went wrong. But it would be difficult to argue that mere book-keeping was the main thing. Yes, it is outrageous that the true state of those companies was disguised. But when firms collapse that way, it is usually because they have borrowed too much and squandered the money. Accounting impropriety may conceal those errors, for a time, but is hardly ever the main cause. Bad business judgment, with or without criminal intent, is far more often to blame. And bad economic policy can sometimes contribute to bad business judgment.

Sarbanes-Oxley was right to attack the long-recognised conflict of interest in the audit profession, and to put some distance back between a company's auditors (who are there to safeguard shareholders' interests) and its managers (who sometimes forget that that is their job too). This needed to be done, and in fact the act might have gone even further in this respect. But the statute, carried along by rage and by the desire of Congress to do something dramatic, ranged wider than was necessary to achieve that particular goal. Its daunting requirements on managers, with the threat of severe criminal penalties to back them up, are imposing substantial costs, direct and indirect, on American business (see article).

The book-keeping industry, having been fingered (wrongly) as the main culprit in the great scams of recent years, is suddenly elated: thanks to Congress, its incomes are soaring. On the other hand, many of the men actually running American business, not all of them robbers or frauds, are dismayed. Congress has made their job harder - and, ultimately, it is the economy at large that will bear the cost. Fortunately, some of this excess burden is already being lightened, as calls for a less rigid interpretation of the law are heeded. More "flexibility" of that sort, as it is called, would be welcome.

A world beyond audit

The rest of a suitably ambitious agenda for improving the performance of American capitalism might run as follows: genuine, as opposed to phoney, corporate-governance reform; tort reform; tax reform; and corporate-welfare reform. The Bush administration seems to be keen on some parts of this package, but is decidedly opposed to others.

The challenge for corporate-governance reformers is easily stated: to hold managers more accountable to shareholders. However, one can only expect so much of auditors, with or without SOX, or regulatory agencies, of which America has no lack. It would be more fruitful to pay attention to the market for corporate control. Nothing is better calculated to make managers concentrate on pleasing the owners than the threat of a possible takeover. Policy should aim to invigorate this market - whereas at present, through an unplanned accretion of statutory and judicial interventions, it does the opposite.

The Bush administration rightly advocates tax reform and tort reform, both of which are needed to iron out mangled economic incentives. But advocacy is no substitute for action. The tax system cries out for radical simplification - which is apparently not what Mr Bush intends. Recent changes to the taxation of dividends have helped to lessen the tax code's bias in favour of borrowing, but this harmful distortion has by no means been removed. It is one of the main ways in which policy leans on households and businesses to take bigger financial risks than they would if left to their own devices.

A fine way to deal with this would be to cut corporate taxes (against which debt service can be deducted, hence the pro-debt bias); and an excellent way to pay for that would be to launch an assault on corporate welfare - the $100 billion a year or so, conservatively estimated, of special-interest subsidies and handouts that the government pays to American businesses. Preferably, don't just cut that lot, eliminate it.

This last recommendation is one that George Bush will be especially reluctant to accept. Mr Bush is the classic instance of a conservative politician who confuses support for particular businesses with support for enterprise in general. These seemingly similar ideas are in fact directly contradictory. The way to support enterprise - American enterprise, the best in the world - is to be as unEuropean as possible. Mr President, look at France. Notice their economic policies. See how they subsidise this and protect that. Do we have to spell it out?

New laws to drive '04 security agenda - Computerworld

WASHINGTON -- The need to comply with an array of complex data laws will dominate the security agenda in 2004, according to attendees at the Computer Security Institute conference here last week.

As in previous years, IT security managers expect to spend considerable time and resources fending off destructive intrusions and insider threats.

But the most daunting challenge will be dealing with laws such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, California's SB 1386 privacy law and international data integrity and privacy laws, they said. As a result, the emphasis will be on issues such as:

"As far as my business and industry in general goes, the single biggest driver is compliance with all the new data and privacy laws," said Michael Kamens, global network security manager at Thermo Electron Corp., a $2 billion manufacturer of scientific equipment in Waltham, Mass.

As a publicly traded U.S. manufacturer with multinational operations, Thermo has to deal with compliance issues ranging from Sarbanes-Oxley to a Chinese encryption requirement that involves filling out forms in Mandarin. "It is requiring me to quadruple the effort that I have to put in on a daily basis to ensure that my company is in compliance and that I'm safeguarding its good name," Kamens said.

United Government Services LLC, a Milwaukee-based provider of administrative and consulting services for publicly funded health care systems, is governed by 400 security requirements issued by the Centers for Medicare and Medicaid Services. Meeting all of them will be a "very large driver" of security efforts next year, said systems security officer Todd Fitzgerald.

For the most part, the efforts will focus not on technology improvements but on implementing security policies and management processes to ensure regulatory compliance. "It's a process that will involve spending a lot more time working with management and end users, educating them on what the security risks are," Fitzgerald said.

Third-party connectivity issues are a priority at St. Jude Medical Inc. in St. Paul, Minn.

As a $1.6 billion manufacturer of cardiovascular equipment, with 15 facilities worldwide and customers in 120 countries, St. Jude has to make sure it avoids liability for security breaches involving its supply chain or business partners, said David Stacey, global IT security director.

"Regulation is a massive issue, and most organizations are clearly not ready to deal with the myriad issues and details involved," said Ben Rothke, a senior security consultant at Thrupoint Inc., a management services company in New York.

Complying with data regulations will mean turning traditional notions of the IT security function and its role within organizations upside down, said Terri Curran, director of research at the Center for Digital Forensic Studies Ltd. in Auburn Hills, Mich.

"CSOs in the near future are going to have to get more creative about things like privacy, risk acceptance, forensics, industry-related regulations, and state and federal laws that are really going to affect them," Curran said.

Former White House cybersecurity czar calls for security audit standards - Computerworld

OCTOBER 20, 2003 ( COMPUTERWORLD ) - LAKE BUENA VISTA, Fla. -- Former White House cybersecurity expert Richard Clarke yesterday urged stronger standards for security audits of U.S. companies, saying congressional action is needed.

"The Securities and Exchange Commission thinks it can [require audits] under its existing authority, but what I'm predicting is it will be a very vague statement and there will be no real auditing against that standard," Clarke told reporters at the opening of Gartner Symposium ITxpo 2003 here. Clarke is now a private security consultant, serving as chairman of Good Harbor Consulting LLC in Arlington, Va. He joined Good Harbor in July.

"You've got to have a relatively specific standard ... with some real probability that someone will show up at the door to audit. That will take a congressional act," he said.

Clarke also said standards should encourage automatic audits, so network probes could quickly determine security levels, "instead of bringing in PriceWaterhouse for $500,000" to do the audit.

Similar to banking audits, only 90% of what will be audited should be known, so companies won't prepare for audits and nothing else, he said.

Clarke, who resigned from his U.S. government cybersecurity role in January after serving in three administrations, made his comments after being asked about Sarbanes-Oxley Act and Health Insurance Portability and Accountability Act security requirements. Both federal mandates require companies to provide security certification. But "what do they certify, and who is going to say that they are wrong?" Clarke asked.

He also criticized Homeland Security Secretary Tom Ridge's recommendations for security certification as ineffective. "Frankly, it was Tom Ridge's idea that there be a Y2k-like statement [about security protection steps] to the SEC, but if that happens, it is going to be at such a high level of aggregation that you are never going to know what it means," Clarke said.

Asked if cybersecurity failures could have caused the power blackout in Canada and the Northeast in August, Clarke ticked off a string of power outages and attacks on energy systems globally in recent months, including the loss of power throughout Italy in September. "We don't know what caused any of these so far," he said. "We do know that Norway and Israel at least are saying there were cyber-hacking attempts to bring down the power grids in their countries.

"If the Aug. 14 outage was not caused by a hack attack, could it have been?" Clarke said. "Could you bring down the power grid with a hack attack? I fully believe the answer is yes."

Clarke also endorsed new technology from PGP Corp. in Palo Alto, Calif., and is expected to take part in a presentation on behalf of that company today at the symposium. PGP last month announced the first version of its Universal product, which is designed to automatically provide end-to-end e-mail security. The burden of protecting critical information resides on the network and not a user's desktop, reducing the security burden on end users, Clarke and company officials said.

Generally, IT managers need to make security encryption as automatic as possible, he said. "The key here is whoever makes the decision to use encryption in the organization [so] that after that, it becomes automatic," Clarke said. "Establishing elaborate systems [for security] is a pain in the ass, frankly, and they require lots of people to run them, and that's why they don't work and why people don't do them."

Clarke also noted a humorous personal problem with unsolicited commercial e-mail, saying that last week he got a spam from himself. He said it was obviously because somebody or some program had spoofed his e-mail address and then sent the spam with his address back to him.

Clarke said it would be "really easy" for e-mail users to start their personal "do not call" lists for e-mail by taking any of several programs now available to allow e-mail only from certain people, which could be combined with e-mail encryption to provide a private system.

Spotlight on Sarbanes-Oxley Rulemaking and Reports

Sarbanes-Oxley mandates lead to IT certification push - Computerworld

CEOs and chief financial officers who are obligated by the Sarbanes-Oxley Act to stand behind the financial accounting controls used by their companies are increasingly asking operating units, including IT, to certify that they have put adequate safeguards in place.

"I'm hearing a lot of discussion about that," said Chris McLaughlin, global director of financial services marketing at FileNet Corp., a Costa Mesa, Calif.-based software vendor that sells document management tools for use in Sarbanes-Oxley compliance projects.

With CEOs and CFOs now being held accountable for the accuracy of the financial reporting at their companies, "they are looking for ways to distribute that responsibility downward through their organizations," McLaughlin said. That includes asking IT managers to certify the systems used to process financial data, he added.

Some companies are doing internal audits using certification standards such as SAS 70 to give their IT operations the equivalent of a Good Housekeeping Seal of Approval.

SAS 70 - known formally as the Statement on Auditing Standards No. 70, Service Organizations - was developed by the New York-based American Institute of Certified Public Accountants.

In addition, some outsourcing vendors have started offering SAS 70 audits to their clients. That was an unexpected windfall for Energy Absorption Systems Inc. after the Chicago-based maker of highway crash barriers hired an application service provider (ASP) earlier this year to manage its finance applications.

"We see them as another group to help us improve on our internal controls," said Bob Latek, senior vice president and controller at Energy Absorption Systems.

Latek, who spoke at an IT conference for CFOs last month, said that letting the ASP run the certification process should help his company cut its Sarbanes-Oxley compliance costs in half "and save us a lot of time, too."

Anthony Noble, director of IT audits at Viacom Inc., said that at the next meeting of the company's divisional CIOs in January, he plans to raise the issue of whether the New York-based parent company of MTV, CBS, Blockbuster Video and other entertainment businesses should conduct IT certifications.

Noble said he understands the potential usefulness of such certifications as a sort of "life insurance policy." But he added that he's skeptical about the way some big auditing firms are using SAS 70 as a sales tool to generate incremental business through Sarbanes-Oxley consulting deals.

Ed Trainor, senior vice president of information systems at Paramount Pictures Corp., a Hollywood-based Viacom unit, said IT certifications "are a commendable thing to do for a variety of reasons." However, they "require a considerable investment, and the benefit must be weighed against other needs and priorities for scarce resources," added Trainor, who is also president of the Chicago-based Society for Information Management.

The SAS 70 Type II report that companies can use to document the effectiveness of their internal IT controls will have to be updated to meet requirements specific to Sarbanes-Oxley, such as quantifying the extent of testing done on financial systems, said Lynn Edelson, a Los Angeles-based consultant at PricewaterhouseCoopers.

Gold Wire Technology News & Events Press Releases

Formulator Three PLUS Assures the Integrity of the Infrastructure that Runs the Enterprise; Quickly Demonstrates Process Compliance, Enhances Access Control Security, Reduces Risks & Downtime

Formulator® line of appliances adds standards verification features to meet today's stringent regulatory and standards compliance requirements such as Sarbanes Oxley Rule 404, AICPA SAS–70, ISO 17799 and FFIEC. The new Formulator ThreePLUS software also incorporates UNIX server access control, expanded network device support, and new modular software packaging. Formulator helps business officers quickly verify and demonstrate process compliance for access control, change accuracy and data privacy as mandated by external and internal regulations.

With Formulator ThreePLUS, operating executives can secure essential infrastructure, minimize the risk of control errors, accelerate the resolution of exceptions and improve availability. They can easily demonstrate and document the effectiveness of their underlying business processes and, through this single integrated platform, assure the integrity of the infrastructure - UNIX servers and network devices - that supports critical enterprise missions. Customers now using Formulator include Bear Stearns, automotive applications service provider ADP Dealer Services, a major office supply retailer, Fortune 1000 enterprises and Federal government agencies. Formulator ThreePLUS is available now and sold directly by Gold Wire Technology.

Today's tighter regulatory climate demands that CFOs, CIOs, corporate security heads and network operations executives go beyond putting controls in place; they now must demonstrate they are enforcing and verifying compliance with a widening set of standards and regulations. Yet decentralized networks are inherently challenging to configure, monitor and control - exposing the business to expensive compliance breaches, security incidents, and revenue-impacting downtime caused by human error.

Gold Wire Technology's Formulator ThreePLUS assures that network and security personnel can demonstrate tight control of a large, multi-vendor server and network device infrastructure. It consolidates access to the systems that comprise the infrastructure -- pre-verifying that desired changes conform to security standards, generating real-time "Who/What/When/Where" forensics of operator access and configuration changes, and then correlating this data with complementary network-wide event data. Formulator ThreePLUS reduces operator-induced network vulnerabilities and speeds corrective action in the case of disasters or mistakes -- increasing availability. The system lets executives focus on managing their business, knowing that their teams can demonstrate compliance verification with minimal effort when required, and that effectiveness and enforcement is standard operating procedure.

What's New in Formulator Version ThreePLUS

Network configuration tool upgrade targets Sarbanes-Oxley compliance - Computerworld

Gold Wire Technology Inc. today announced a software upgrade for its Formulator line of network configuration management appliances, adding features that it said can help users meet the requirements of the Sarbanes-Oxley Act and other regulations.

Waltham, Mass.-based Gold Wire also said the new release will be able to track configurations of Unix servers in addition to its existing support for network devices made by vendors such as Cisco Systems Inc. and Nortel Networks Ltd. The upgrade is available now; pricing for Gold Wire's Formulator 200 systems starts at $22,000, plus a per-user license fee of $275.

Jim Sherer, director of ASP operations at ADP Inc.'s Dealer Services unit in Hoffman Estates, Ill., said he plans to test the new Formulator release within the next month. The company, which provides computing services to 6,500 auto dealers in the U.S., has been using Gold Wire's current version since February to track changes to systems that are maintained by 1,700 technical support workers.

The new regulatory compliance component is "extremely important" to ADP Dealer Services as it seeks to run required security audits on its systems, Sherer said. Gold Wire's technology should help the ADP unit track end users and check whether they have proper authentication, he said.

In addition to the regulatory features, the upgrade gives users increased reporting capabilities, Sherer said.

Gold Wire is part of an emerging group of network configuration management vendors that also includes Voyence Inc., AlterPoint Inc. and Rendition Networks Inc., said Glenn O'Donnell, an analyst at Meta Group Inc.

"They're all trying to demonstrate a way to do configuration better, since it's a horribly manual state of affairs right now with lots of errors and inconsistencies," O'Donnell said. He added that Nortel's Optivity technology and Cisco's CiscoWorks software can manage configurations for their respective devices but not for a diverse network.

Users struggle to pinpoint IT costs of Sarbanes-Oxley compliance - Computerworld

Sarbanes-Oxley readiness costs can be hard for companies to pin down, partly because complying with the new financial reporting law isn't a one-time event like Y2k, several IT managers said last week.

Eastman Chemical Co. hasn't even tried to evaluate the IT costs associated with its Sarbanes-Oxley Act compliance initiative, because the work is viewed as "an ongoing effort," said Mark Montgomery, director of administrative operations support and technology systems at the Kingsport, Tenn., company.

Montgomery and other executives said Sarbanes-Oxley's requirement that companies annually document and attest to the effectiveness of their financial controls means compliance work will have to be done on a continual basis.

"A lot of people have this mind-set that it's a one-time project," said Kyle Didier, vice president of finance at Regis Corp., a Minneapolis-based operator of 9,700 hair salons in the U.S. and Europe. But Didier added that he expects Regis to test its internal financial controls as an ongoing process, using software called Certainty that was developed by Movaris Inc. in Campbell, Calif.

Regis has been working on Sarbanes-Oxley readiness for the past nine months and expects to complete the documentation and testing phase by the end of December. Didier said the company expects to spend slightly more than $100,000 on IT over the course of its compliance effort. That includes both software and manpower costs, he added.

John Van Decker, an analyst at Meta Group Inc. in Stamford, Conn., said most companies currently are focusing on Section 404 of the law, which spells out the requirement that CEOs and CFOs certify the effectiveness of the financial controls they have in place. Companies with market capitalizations of $75 million or more have to comply for fiscal years that end on or after June 15, 2004. Smaller businesses and foreign-owned companies have until April 15, 2005.

Financial Executives International, a Florham Park, N.J.-based association of corporate finance managers, surveyed its members last May on cost estimates for complying with Section 404. On average, the 83 respondents said they expect to spend $480,000 on software, consulting services and employee training in advance of the compliance deadlines.

Mark Nagelvoort, vice president and internal control manager at Hudson United Bank in Mahwah, N.J., said the subsidiary of Hudson United Bancorp expects its IT costs tied to Sarbanes-Oxley to come in at less than $500,000, though he declined to be more specific. That includes the bank's use of a software tool called SOXA Accelerator from HandySoft Global Corp. in Vienna, Va., plus expenses for 10 IT staffers who will spend between 5% and 10% of their time working on Sarbanes-Oxley readiness.

"We're saving significant dollars because we're utilizing almost all in-house personnel," Nagelvoort said. And because the banking industry is highly regulated, much of the information that Hudson United needs has already been documented for internal and external auditors, he added.

John Hagerty, an analyst at AMR Research Inc. in Boston, estimates that Fortune 1,000 companies on average will spend about $2.5 million on Sarbanes-Oxley work this year. Technology costs represent just 5% to 10% of the overall tab, Hagerty said, although that doesn't reflect the cost of IT-related staff time being dedicated to compliance efforts.

Hagerty added that it's tough to pinpoint an average IT spending figure for Sarbanes-Oxley "because it's influenced by organizational and systems complexity." For instance, a company with $5 billion in annual revenue and highly centralized business units and IT operations might spend $3 million on compliance, while a similar-sized company that's decentralized could end up spending $10 million, he said.

[Jan. 7, 2005] MSNBC - Sarbanes-Oxley: A sense of 'siege'. A Q&A with Treasury Secretary John Snow on corporate reform

As a former business leader, Treasury Secretary John W. Snow is well aware of difficulties that Washington policymakers can cause for Corporate America. So it's not surprising that when company chieftains complain about the costs of complying with the Sarbanes-Oxley corporate-reform laws, he listens.

In an interview with BusinessWeek Senior Writer Rich Miller on Jan. 4, Snow shared his thoughts on what should - and shouldn't - be done in response. Edited excerpts of his remarks follow:

Q: Should Congress consider modifying Sarbanes-Oxley?

A: I don't think that's the real problem. Sarbanes-Oxley was critically important legislation that met a real need for the country at the time of those scandals ... Sarbanes-Oxley played a very important role in reaffirming the norms of good corporate behavior, and, in some ways, I think [it] was absolutely essential. Corporate capitalism depends on trust.

Q: Are the regulators enforcing the law too aggressively?

'It's important not to criminalize innocent mistakes. The nature of business is that you aren't always going to be right ... We ought to make sure, to the extent we can, that the regulators, the litigators, the prosecutors, and so on are working in a way that isn't excessively duplicative or burdensome, creating untoward risks of multiple prosecutions and regulatory investigations.'

- John Snow, U.S. Treasury Secretary

Sarbanes-Oxley Trumps IM at Some Firms - Computerworld

Concerns about security, archiving prompt companies to unplug instant messaging systems
News Story by Thomas Hoffman

AUGUST 08, 2005 (COMPUTERWORLD) - In another case of fallout from the passage of the Sarbanes-Oxley Act, some companies are disabling their instant messaging systems because of concerns that the technology's security and archival controls aren't strong enough to comply with the law, according to IT executives, lawyers and auditors interviewed last week.

Section 302 of Sarbanes-Oxley requires CEOs and chief financial officers to certify that their companies have established internal controls and are regularly evaluating the effectiveness of the control measures. Although vendors such as FaceTime Communications Inc. and IMlogic Inc. offer tools for storing messaging traffic and protecting against malware, users like Jefferson Wells International Inc. are erring on the side of caution by simply unplugging their IM systems.

Jefferson Wells disconnected its MSN Messenger system because of concerns that the company wouldn't be able to detect software viruses embedded in messages, said Scott Robertson, manager of corporate IT operations at the Brookfield, Wis.-based provider of technology risk management and other professional services.

"We never had the comfort level that we could scan instant messages appropriately," Robertson said. Another factor that contributed to the decision to disable the IM system last year is that many of the company's employees work at client locations, he added. Executives from Jefferson Wells didn't want to run the risk of having a virus or worm infect a customer's network.

Jefferson Wells is a subsidiary of Manpower Inc. The decision to unplug IM was made as part of the unit's evaluation of whether its IT controls met the provisions of Sarbanes-Oxley, said John Rostern, New York-based director of technology risk management at Jefferson Wells.

Since the system was disabled, the company's IT staff hasn't bothered to evaluate the available IM security tools because it isn't being pushed by workers to re-establish IM, Robertson said.

Steve Ross, a director at Deloitte & Touche LLP in New York and a past president of the Information Systems Audit and Control Association, said he knows of two Deloitte clients that have disabled their IM systems because of Sarbanes-Oxley concerns. Ross declined to identify the companies, saying only that one is a services company in the southern U.S. and the other is a large New York-based insurer.

Other corporate users are taking steps to strengthen the data security and archiving capabilities of their IM systems in order to satisfy Sarbanes-Oxley's requirements.

For example, Chevron Corp. is moving to block outside connections to an IM system used within one of its operating units, said Jay White, global information protection architect at the San Ramon, Calif.-based energy company. The expanded effort follows the adoption in June 2003 of controls for maintaining audit records and reducing security risks on the IM system.

"We manage our own IM system internally on our WAN, but the external connections have presented security [issues]," added White, who declined to identify the business unit involved.

Some observers contended that companies are overreacting to Sarbanes-Oxley by disabling IM. "You can't control a phone call, so I don't see what the difference is between IM and a phone call," said Diana McKenzie, chairwoman of the IT group at Chicago-based law firm Neal Gerber Eisenberg LLP. "To me, it's not logical."

Greg Hedges, managing director of technology risk at Protiviti Inc., a Menlo Park, Calif.-based company that provides internal auditing and business-risk consulting services, said some companies have disconnected IM systems under the pretense of complying with Sarbanes-Oxley instead of justifying those actions for business purposes.

"Sarbanes-Oxley is a wonderful vehicle for taking things out of people's hands," said Hedges, who added that some companies have applied the same rationale for disconnecting wireless systems.

But Ross said that viruses embedded in instant messages could cripple networks. "Given that [corporate] management feels the necessary controls haven't been implemented or can't be," he said, "unplugging instant messaging wouldn't be overkill."

Sarbanes Action Plan

JUNE 02, 2003 (COMPUTERWORLD) - Imagine asking 40 CIOs in six cities what their biggest worries are these days. I'd expect to hear about freeze-dried IT budgets, unfinished projects, sinking staff morale or loss of corporate confidence.

I'd be way off base.

What I never would have guessed was the Sarbanes-Oxley Act of 2002, that Loch Ness monster of new financial reporting and disclosure requirements enacted by Congress in the aftermath of Enron and a string of other corporate scandals. Nobody quite knows how far-reaching its impact on IT infrastructures will be, but ignorance is the opposite of bliss here.

"The CIOs feel blindsided by this," says Cathy Hotka, principal of Cathy Hotka & Associates and former VP of IT at the National Retail Federation. In a recent series of CIO roundtables she moderated, Hotka was surprised to find SOX (as the finance types call the act) a topic of so much consternation among senior IT execs. "They know the CFOs have it on their radar screens, and they don't like that feeling. Nobody has a handle on this yet," she says.

Sarbanes-Oxley is reverberating throughout IT management like an eerie echo of Y2k, with compliance deadlines looming and businesses feeling threatened and uncertain about the extent of the potential damage (that is, legal trouble) if changes aren't made. As one of Hotka's CIO dinner guests observed, "I could end up spending $1 million to fix a $100,000 problem!"

"There's a tremendous amount of confusion" about what IT should be doing to ensure compliance with Sarbanes-Oxley, says John Hagerty, an analyst at AMR Research Inc. in Boston. A recent AMR poll of 60 companies found that while 85% are anticipating changes in system and application infrastructures, an equally whopping 80% are unsure of what the changes will be.

In light of all this free-floating anxiety, last week's news that the Securities and Exchange Commission had extended the deadline for Sarbanes-Oxley compliance another nine months (to June 2004) might seem like a welcome relief.

But senior IT managers should be using this gift of time to get their information engines in gear -- not to relax.

Step 1: Dive in and do some research. Online in our IT Management Knowledge Center, we've compiled a special topics page [QuickLink a3250] with all of our ongoing coverage of Sarbanes-Oxley and additional links to sister publication CIO magazine's recent series on legislative issues. We'll keep adding resources to that page, so let us know what kind of additional information you need. If you search on Google for "Sarbanes-Oxley and CIOs," you'll get more than 700 hits. Many are worth looking over for advice, checklists, additional resources and examples of what other companies are doing.

Step 2: Survey the vendor landscape. A number of them are circling their wagons and offering upgraded products or new features geared to tracking, safeguarding or guaranteeing data veracity. So far, the vendors include Oracle, Hyperion, SAS Institute and PeopleSoft, and there are also several vendors of reporting tools, supply chain software and document management applications with offerings.

Step 3: Formulate an action plan that includes a presentation to the CFO about the proactive measures IT is looking into (or, even better, ready to implement) to address a range of Sarbanes-related concerns:

[More action items are online at QuickLink 34225.]

Like it or not, IT will be at the heart of your company's Sarbanes solution. And if you're ready and informed, you'll be at the head of it.

Maryfran Johnson is editor in chief of Computerworld. You can contact her at [email protected].

Sarbanes-Oxley law. It is costing plenty, but is it working?

THE Sarbanes-Oxley statute, which the United States enacted in an atmosphere of extraordinary agitation in 2002, is one of the most influential, and controversial, pieces of corporate legislation ever to have hit a statute book. Its original aim, on the face of it, was modest: to improve the accountability of managers to shareholders, and hence to calm the raging crisis of confidence in American capitalism aroused by the scandals at Enron, WorldCom and other companies. The law's methods, however, were anything but modest, and its implications, for good or ill, are going to be far-reaching.

Since the new accounting rules and regulatory infrastructure that goes with them are still bedding in, it is too soon for a definitive judgment. (That time may never come, in fact: academics are still arguing about the pros and cons of the Glass-Steagall act of 1933, a similarly momentous initiative.) It is early days for academic appraisals, but the ones that have been ventured so far tend to the view that costs will exceed benefits. Meanwhile, many of America's businessmen are deeply unhappy, and with reason: the initial costs of the new law have been bigger than expected. And it can be argued that, when it comes to repairing American corporate governance, the law anyway addresses symptoms more than causes.

With time, no doubt, the law's balance of costs and benefits will improve significantly: some of the costs have been once-and-for-all. Right now, though, the balance looks pretty unfavourable.

Alan Greenspan, chairman of the Federal Reserve, spoke up in defence of the statute this week. It was faint praise. He said he was surprised that a law which had been passed so rapidly had worked as well as it has, which is less of an endorsement than it first seemed, since laws dealing with issues as complex as these and passed as "rapidly" as was Sarbanes-Oxley can normally be expected to fail abjectly.

Mr Greenspan also noted that the law will be fine-tuned as experience accumulates. Quite so. Next day, the Securities and Exchange Commission (SEC), along with the Public Company Accounting Oversight Board (PCAOB, created by the law), told accountants that they were being too inflexible, "overly cautious" and "mechanical" in interpreting the statute. They called for the exercise of greater discretion, something which, three years ago, the architects of the statute had seemed to frown on. Whether good or bad, therefore, SOX, as it has become known, is by no means as yet a settled regime, but a work in progress.

Its initial provisions are wide-ranging. As well as establishing the accounting-oversight board, the statute prohibits audit firms from doing a variety of non-audit work for their clients (in order to address some obvious conflicts of interest). It requires companies to establish independent audit committees. It forbids company loans to company executives. It calls on top executives to certify company accounts. And it extends protection for whistleblowers: no company may "discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee" because of any lawful provision of information about suspected fraud. (Tip-offs from insiders are by far the most common method of detecting fraud.)

The law's most complained-of provision, however, is its section 404. This makes managers responsible for maintaining an "adequate internal control structure and procedures for financial reporting"; and demands that companies' auditors "attest" to the management's assessment of these controls and disclose any "material weaknesses". Draconian new criminal penalties await transgressors.

Worse than the disease?

The cost of all this is steep. According to one study that has attracted a lot of attention, the net private cost amounts to $1.4 trillion. This astonishing figure comes from a paper by Ivy Xiying Zhang of the William E. Simon Graduate School of Business Administration at the University of Rochester. It is an econometric estimate of "the loss in total market value around the most significant legislative events", i.e. the costs minus the benefits as perceived by the stockmarket as the new rules were enacted. In principle, this ought to reflect all the anticipated costs and benefits, direct and indirect, that impinge on company values. If this number were true, SOX would have to prevent an awful lot of unforeseen losses due to fraud before it could be judged a good buy.

To help see whether the estimate is plausible, can any more light be shed on different categories of costs? Direct costs are much the easiest to measure. A survey by the FEI, an association of top financial executives, found that companies paid an average of $2.4m more for their audits last year than they had anticipated (and far more than the statute's designers had envisaged). Deloitte, a big accounting firm, has said that large firms have on average spent nearly 70,000 additional man-hours complying with the new law.

This underlines a notable unintended consequence of the legislation: it has provided a bonanza for accountants and auditors, a profession thought to be much at fault in the scandals that inspired the law, and which the statute sought to rein in and supervise. The demand for accountants has surged to such an extent that the PCAOB has had to curb its own growth plans. In January, Thomas Hohman, the agency's CFO, told Accounting Today, "We would like more [experienced auditors], but we recognise this is a very tight employment market." This shortage of personnel in a profession on whose shoulders the law has placed heavy new responsibilities is one of the uncertainties hanging over the act's future effectiveness.

Already reduced in number by consolidation and the demise of Arthur Andersen, the big accounting firms are now known more often as the Final Four than the Big Four, since any further reduction is thought unlikely. Section 701 of the new law instructed the General Accounting Office (GAO), the investigative arm of Congress, to look into the concentration of the accounting industry and its impact. The GAO, in its findings published in July 2003, said that there was a potentially unhealthy degree of concentration.

The Final Four-Ernst & Young, Deloitte, PricewaterhouseCoopers (PwC) and KPMG-audit 97% of all large companies in America. The GAO also noted that smaller accounting firms face "significant barriers to entry" and that "market forces are not likely to result in the expansion of the Big Four". The American Electronics Association (AeA), which represents 2,500 companies and is an outspoken critic of the law, maintains that lack of competition "is significantly increasing the costs of section 404 certification".

Last year a number of big companies switched to smaller auditors., an online research company, reckons that the big firms lost more clients last year than they gained. After 25 years with PwC, Scientific Technologies, an instrument-maker with a turnover of $58m, switched to BDO, the largest of the pack pursuing the Final Four auditors. The company reckoned that the switch could cut its audit fees by 25-50%. Many firms have seen much bigger increases than that. According to, the fees paid by Advanced Micro Devices more than trebled last year. Bristol-Myers Squibb paid fees of $27.4m in 2004, more than twice as much as the year before.

The burden on smaller firms is a particular concern to the AeA and others. Regulators have already been obliged to bend the rules for them. Smaller companies were given extra time to file their accounts this year, the first in which they had to include section 404 reports. More such flexibility is likely in future. In December last year, the SEC set up a panel to review the act's impact on smaller companies.

The auditors emphasise that a good deal of the cost arises from a one-off learning process involved in first adopting the act's requirements. Samuel DiPiazza, chief executive of PwC and an enthusiastic advocate of the new law, says that the costs of applying section 404 were exceptional in the first year and will fall in due course. Eugene O'Kelly, the head of KPMG's American business, has said he reckons auditors' attestation fees related to section 404 should fall by 15-25% this year.

Less visible costs have also been incurred. Far harder to measure, these may be even larger than the direct costs, and would certainly have to be, if the total, net of private benefits, were ever to amount to anything like $1.4 trillion. Some non-American companies have threatened not to list in New York because of the cost of the legislation; others that have recently delisted from an American stock exchange are said to have done so partly because of Sarbanes-Oxley; and some 20% of public companies in a study by Foley & Lardner, a law firm, said that they were considering going private to avoid the costs of the act. It would be regrettable if a law intended to improve the quantity and quality of financial information available to investors led many companies to seek relatively unregulated forms or jurisdictions, but that does seem to be happening.

Another hidden cost which many business leaders complain of is the effect which the law will have in discouraging risk. Steps to discourage risks of the kind taken by Enron might seem entirely warranted (indeed, you might argue, that was the whole point of the law), but many of the statute's critics say that in threatening (as they see it) to criminalise ordinary business mistakes it goes too far. Small firms, put at a particular disadvantage by the added regulatory burden, also tend to be more inclined than big ones to take risks.

Be patient

What then of the benefits? PwC told the SEC, "The costs are tangible, quantifiable and immediate, while many of the benefits are intangible, harder to quantify and longer term." Donald Nicolaisen, chief accountant of the SEC, echoed the sentiment: "I suspect that the costs are not easy to estimate," he told an audience in October 2004, "but I know that it is even tougher to quantify the benefits."

Michael Oxley, co-sponsor of the law, himself said earlier this year: "How can you measure the value of knowing that company books are sounder than they were before?" The chairman of the House of Representatives' financial-services committee acknowledged that the act, named after him and Senator Paul Sarbanes, imposes real costs on firms. It is, he said, "an investment for the future".

This year, for the first time, companies have been filing the reports required by section 404. Fewer large companies are reporting problems with their internal controls than had been expected. Moody's, a rating agency, says that about 5% of the companies that it rates had reported material weaknesses up to April 1st this year, compared with the 10-20% that the market had been expecting. That figure might rise as smaller companies, which have been given an extension to their reporting deadline, start to file. There is also a fear that there may be a disproportionate number of problems with companies (typically retailers) whose financial year closed at the end of January.

Moody's says that the most serious control problems lie not with the reported delinquents, but with the late filers, the companies that were unable to get their reports to the SEC on time. This group includes notorious cases such as AIG and Fannie Mae, but also Delphi, a big car-parts manufacturer with close links to General Motors that has said it needs to restate its accounts back to 2001, and the Interpublic group of advertising agencies.

Moody's, a front-line consumer of financial reports, takes a positive view of the impact of section 404. In April it wrote, "We perceive that companies are strengthening their accounting controls and investing in the infrastructure needed to support quality financial reporting." In the past, companies used to rely on their auditors for advice on many of their more complicated accounting issues. "Many companies," says Huron, a consulting firm, in its latest review of financial reporting, "are just now realising how much they used to depend on their auditor, and that the burden is on them to adjust to a new reality."

Because of Sarbanes-Oxley, firms now have to make accounting decisions for themselves. This has, says Moody's, "inspired companies to reinvest in accounting personnel". It has also spurred many of them to look more closely at their business processes, the fountainhead of their raw accounting data.

At a discussion in April chaired by the SEC, the act was said to have had a "chilling effect" on the relationship between managers and auditors. A good thing too, you might say. Many of the problems at Enron remained hidden because the relationships between its managers and its auditors, Arthur Andersen, were far too warm, with accounting personnel even switching between the two organisations. A little chilling might be just what was needed. Big chunks of the act were explicitly intended to keep a distance between the two parties. Hence the limits on other services that auditors can provide to their audit clients, and the requirement that audit committees (the interface with the auditing profession) consist of independent directors receiving no other form of compensation from the company.

But will the law really help reduce financial fraud in corporate America, and by enough to justify its formidable costs? It might. It has certainly been a salutary reminder to corporate leaders that they are paid a lot of money because they are responsible for a lot of things, in particular for ensuring that their companies' accounts provide investors with as honest a view as possible of the state of their organisation. At the end of April, Dennis Nally, the chairman of PwC (admittedly not a disinterested observer), said that he believes, over time, America will see "fewer incidents involving accounting fraud".

Time will tell. But it is also possible that Sarbanes-Oxley will come to be seen as both too much and too little. In due course it might well be argued that the act was right to make the relationship between auditors and their "clients" more distanced and adversarial, but then went far beyond what was necessary in that respect by, among other things, imposing responsibilities on CEOs that they are not, in fact, in a position to discharge. At the same time, this argument might go, the underlying failures at Enron and the others were not accounting irregularities as such but other kinds of corporate-governance failure altogether, not even addressed by Sarbanes-Oxley. The first great post-SOX corporate scandal (you can bet there will be one) should be very revealing.

[Feb 12, 2004] NYT/European Companies Seek New Ways to Avoid Compliance With U.S. Laws

EUROPEAN companies, worried about the costs and restrictions of complying with the Sarbanes-Oxley Act, are mounting a drive to make it easier for them to stop complying with United States securities laws.

In a letter to William H. Donaldson, the chairman of the Securities and Exchange Commission, 11 organizations saying they represented 100,000 European companies, including more than 100 whose securities are traded in the United States, asked for changes that would make it easier for them to stop being registered with the S.E.C.

The letter was made public Wednesday.

While some European companies are "quite satisfied with their experience in the U.S. market," others have concluded that the costs are not worth the benefits, said the letter, which was signed by business leaders including Alain Joly, the president of the European Association for Listed Companies and the chairman of the supervisory board of Air Liquide, a company that has chosen not to list on a United States exchange.

Edward F. Greene, a partner in the London office of Cleary, Gottlieb, Steen & Hamilton, who prepared a proposal for changes in United States rules for the European companies, said, "There is a feeling of, 'Why do you want to have a U.S. listing?' "

"The costs of Sarbanes-Oxley have been substantial," he said. "The hidden sleeper has been the upcoming attestation of internal controls. It really is a substantial effect on costs and audit fees."

The rule he referred to, which will affect foreign companies starting in 2005, requires corporate executives to certify that internal financial controls are adequate and requires outside auditors to certify that the management's conclusions are accurate. Companies have complained that this will raise audit fees substantially.

Mr. Greene, a former S.E.C. general counsel, said that many companies were also concerned about a ban on company loans to executives. That provision was included in Sarbanes-Oxley when it was passed in 2002 in the aftermath of the Enron and WorldCom scandals, each of which involved loans to executives.

Under current law, a company that wants to sell securities to the public in the United States, or to list securities on a market there, such as the New York Stock Exchange or the Nasdaq, must reconcile its financial statements to United States accounting rules and comply with American securities laws, including Sarbanes-Oxley.

A company that no longer values a United States listing can easily delist from the exchange, Mr. Greene said. But it remains subject to the securities laws unless it can show that it has fewer than 300 American investors. To do that, it must conduct research to determine who its actual shareholders are, regardless of whether those holders bought the shares in America or overseas. That is a difficult standard to meet, and even if it is met, the company might have to resume complying with the American rules in a later year if the number goes back above 300.

So the European company associations have proposed that European concerns be able to drop their registration if they delist and show that less than 5% of their total share volume is in the United States. That would cover many prominent European companies, including some that trade in substantial volume in New York. For example, hundreds of thousands of shares of Deutsche Telekom, the German telephone company, are traded each day on the Big Board. But that volume is dwarfed by its volume in Germany.

The proposal by the European companies would not apply to Japanese or other overseas companies because it assumes the European companies would follow new international accounting standards, as they are expected to do beginning in 2005, although some European companies are resisting the international rule on accounting for derivatives. The companies would have to provide English translations of the financial statements they filed at home, but would not need to adjust them when American rules would produce different numbers.

An S.E.C. spokesman in Washington declined to comment on the letter. But the proposal is likely to run into some opposition in America, since it would be seen as a step on the road to acceptance of international standards as being equivalent to American ones.

European companies that have listed in the United States have done so in some cases to be able to use stock to acquire American companies, or to gain access to American capital markets. But many have found that American institutional investors are willing to buy shares overseas, wherever the most liquidity is. And companies that are not listed in the United States can sell securities there in private offerings, under an S.E.C. rule known as 144A, so long as the buyers are institutional investors.

"As a result," the letter said, "many of our member companies with U.S. listed securities find that they have no greater access to the U.S. market than other companies whose securities are listed only in Europe."

[Nov 24, 2003] Panel: Beware of Sarbanes-Oxley barriers, pitfalls - Computerworld, by THOMAS HOFFMAN

CEOs and CFOs may be the ones on the hook to certify their organizations' financial controls and procedures under the Sarbanes-Oxley Act, but IT executives had better be paying attention, too.

Among other things, CIOs will need to determine whether they need directors and officers insurance in case financial missteps at their companies lead to shareholder or investor lawsuits in which they could be named as defendants. Meanwhile, they will also have to figure out how to allocate staff resources between Sarbanes-Oxley efforts and other critical projects.

Those were a few of the topics discussed at a Sarbanes-Oxley panel discussion held on Thursday at a meeting in Rye Brook, N.Y., of the Fairfield County, Conn., and Westchester County, N.Y., chapter of the Society for Information Management.

The panelists were Patti Roer, associate counsel at Wiggin & Dana LLP in Stamford, Conn.; Christopher Keegan, regional practice leader for information risk at Marsh-FINPRO in New York; Mark Keeley, a partner at PricewaterhouseCoopers LLP in Hartford, Conn.; and Hank Zupnick, CIO at GE Real Estate in Stamford, Conn.

Questions were posed by Computerworld's Thomas Hoffman, the panel moderator, and by members of the audience.

Excerpts of that discussion follow.

What are the biggest stumbling blocks that companies are facing in their Sarbanes-Oxley initiatives?

Keeley: The amount of resources they think this is going to take. Companies are really struggling with how broad this needs to be. You don't have to assign resources to do all of your procedures all over again. [Most companies] have procedure policy manuals in place.

What's the status of GE's compliance efforts?

Zupnick: General Electric, which GE Real Estate is a part of, has taken a very proactive and aggressive approach to Sarbanes-Oxley. The government mandates that [the deadline for] compliance is June 2004 [for publicly held companies with a market cap exceeding $75 million], but we will be fully compliant by the end of this year.

We've determined that good governance is good business. We believe it will build and maintain investor confidence, and customer confidence as well. So we are looking at our processes and our procedures and making sure that they are all air-tight.

One of the biggest challenges is estimating the amount [of staff time and work] that is needed. Sarbanes-Oxley has not yet been tested in the courts. And what company wants to be the test case because they haven't done as much as they should have?

Patti, what are the legal issues you've been focusing on most with clients?

Roer: The biggest area we've been dealing with is document management, document retention and destruction policies. A lot of the work falls on in-house legal counsel, but we're finding more and more that the role of the IT staff [in locating and isolating data] is critical.

Do middle managers need to obtain directors' and officers' (D&O) insurance in the event of shareholder or investor lawsuits? What are the D&O implications for IT executives?

Keegan: From a Sarbanes viewpoint, we're looking at the board of directors. They're responsible for pushing this down through the ranks.

That's not to say that if you're not on the board you shouldn't have insurance. [Shareholders and investors] will sue anybody and everybody they think has responsibility for failure [over controls]. Whether you're legally responsible for those decisions or not, you may end up with defense costs.

Because companies will have to document and certify the procedural controls they have in place, will this prevent companies from outsourcing?

Keeley: Some of my more astute clients have said, "This is not new stuff. Controls are controls." They [the SEC] are asking the same thing in this controls framework that they were asking 10, 20 years ago.

If you outsource controls, you should ask your outsourcer to prepare a report for you with a SAS 70 opinion [an IT certification approach]. That's been around for over a decade, and that takes you a long way toward Sarbanes [compliance], because it shows that the outsourcer has had to go through that controls exercise.

What do CIOs need to concern themselves with?

Zupnick: Suddenly you've got a significant project that won't add a penny to your bottom line and won't take out a penny in costs. I have to take people out of revenue-enhancing projects or cost-cutting projects and put them on this other thing. There's a challenge in getting management to understand why these things are critical.

Another critical thing is engaging the right people. Consultants like PricewaterhouseCoopers can help answer questions, but you've got to do the job yourself with your own staff. The people who have the most detailed knowledge about your processes and your financial systems are the people in your organization, and you've got to involve them and you've got to figure out how to pull them away from their day jobs.

Recommended Links

Softpanorama Recommended

Top articles


Parkinson's law - Wikipedia, the free encyclopedia

Parkinson's Law, by Prof. Cyril Northcote Parkinson

Sarbanes-Oxley Act - Special Coverage

Eurekify Sage for Compliance with Sarbanes-Oxley Section 404 Regulations

Users struggle to pinpoint IT costs of Sarbanes-Oxley compliance

Bring On the Scrutiny

Data destruction: What they can't find can get you 20 years

The New Rules of Storage


Sarbanes-Oxley - Financial and Accounting Disclosure Information


[Jan 23, 2004] Floyd Norris: Too Much Regulation: Corporate Bosses Sing the Sarbanes-Oxley Blues

"They've gone too far," the chief executive of a large American company complained. "Our audit bill is going to double."

Two years after Enron collapsed, complaints of overregulation are beginning to be heard. "Corporate America is spending an awful lot of money on internal controls that are not benefiting shareholders," said that chief executive, after getting assurances his identity would be protected.

A survey of global chief executives released by PricewaterhouseCoopers at the World Economic Forum found that 59% viewed overregulation as a significant risk or, worse, one of the biggest threats to the growth of their companies - far more than viewed global terrorism or currency fluctuations as posing major risks.

What has alarmed many is Section 404 of the Sarbanes-Oxley Act, which requires chief executives and chief financial officers to certify the adequacy of their internal controls. Then outside auditors must attest to that opinion.

That provision is not in effect yet, but many companies are going through 404 audits this year to get ready. The idea is to find problems while there is still time to fix them without getting a bad audit report.

And it is working. In recent years, said Dennis M. Nally, the United States chief executive of PricewaterhouseCoopers, "internal controls were a passing thought" to many auditors. Now, "the opportunity on 404 is for companies to look at controls and systems and see if there is a more efficient, effective way."

That is especially true at companies that have made a series of acquisitions. Standardizing controls was seldom a priority. In some of the audits now being done, companies are learning that their controls do not mesh, just as their computer systems sometimes did not.

"We are finding things that need to be changed," said William G. Parrett, the United States chief executive of Deloitte Touche Tohmatsu. But he said it was too early to know if the benefits would justify the costs.

Even the chief executive who was so angry over rising costs conceded that his auditors had found issues in the company's treasury operations that needed fixing.

Additional spending on controls may be wasteful for some companies, but improving controls could be critical for others. Good controls can create environments in which it is much harder for crooked bosses to make the changes in financial records needed to create phony profits and in which honest bosses can be confident that the numbers they are being given are accurate.

The new audit report on controls could also provide a useful change to the pass-fail audit system of the past, when auditors never commented on the quality of a company's accounting, just on whether it met minimal requirements of complying with the rules. That is still true for the main audit: auditors are supposed to discuss quality issues with audit committees, but not tell the public.

But the attestation of controls could take a different path. No company's controls are perfect, and it would be good if auditors were able to comment on shortcomings without infuriating companies - or panicking investors over relatively minor issues.

Some chief executives are not worried. "For big, established companies that already do the right thing, it's no big thing," said Michael S. Dell of Dell Computer.

But he also passed along a song being circulated on the Internet about a supposed chief executive who has nightmares about being led away in handcuffs.

"I really miss the good old days, when I told my board what to do," he sings. "Now my audit committee is slapping me silly. Got the Sarbanes-Oxley blues."

[Jan. 7, 2005] MSNBC - Sarbanes-Oxley: A sense of 'siege'. A Q&A with Treasury Secretary John Snow on corporate reform

As a former business leader, Treasury Secretary John W. Snow is well aware of difficulties that Washington policymakers can cause for Corporate America. So it's not surprising that when company chieftains complain about the costs of complying with the Sarbanes-Oxley corporate-reform laws, he listens.

In an interview with BusinessWeek Senior Writer Rich Miller on Jan. 4, Snow shared his thoughts on what should - and shouldn't - be done in response. Edited excerpts of his remarks follow:

Q: Should Congress consider modifying Sarbanes-Oxley?

A: I don't think that's the real problem. Sarbanes-Oxley was critically important legislation that met a real need for the country at the time of those scandals ... Sarbanes-Oxley played a very important role in reaffirming the norms of good corporate behavior, and, in some ways, I think [it] was absolutely essential. Corporate capitalism depends on trust.

Q: Are the regulators enforcing the law too aggressively?

A: The concern is with balance. The important thing is that, as fraud is dealt with, we recognize that all mistakes aren't fraud. It's important not to criminalize innocent mistakes. The nature of business is that you aren't always going to be right ... We ought to make sure, to the extent we can, that the regulators, the litigators, the prosecutors, and so on are working in a way that isn't excessively duplicative or burdensome, creating untoward risks of multiple prosecutions and regulatory investigations.

Q: Has the balance shifted a little bit too far in that direction?

A: I think we need to look at that question. It's an important question. I get a sense - and you can't quantify this - but I get a sense that the system may have become too prosecutorial, and without enough consultation between and among the regulators and the prosecutors. The sense that many businesspeople have is that they're under siege from serial investigations, and serial regulatory prosecutions, and criminal and civil prosecutions.

Recommended Papers

Sarbanes-Oxley Documentation for Administrators September 2004 by Emmett Dulaney

In the shadow of the collapse of several large firms due to accounting irregularities, the U.S. Sarbanes-Oxley Act of 2002 was created to try to avert such catastrophes in the future at publicly traded companies. While the heart of the act focuses on accountability for the finance department and corporate officers, it has a very real impact on IT departments and administrators. One of the worst situations you can find yourself in is to be unprepared, or under-prepared, for a compliance audit.

In this article, I'll examine the U.S. Sarbanes-Oxley Act of 2002 from a systems administrator's viewpoint and look at some tips to help you be better prepared for such an assessment.

Examining SOX

Like most pieces of legislation, the Sarbanes-Oxley Act (known as SOX) is quite lengthy and involved. If you want to read it all, you can find it posted at a number of different places on the Web including In a nutshell, all financial data and reports must be accurate, agreed to (and signed off on) by those who are paid to oversee them, and they must be maintained for historical and audit purposes.

IT figures into this equation in the section of the Act known as 404 (see This section implies that there should be internal controls on the data and reports to assure that they are safe, uncorrupted, accurate, and so on.

If a company is large enough to be publicly traded, and it keeps its data on elaborate computer systems, then suddenly it is up to the administrator and IT department to be able to prove that measures are in place to keep the network secure and to justify everything that is done to and with data.

It is not enough to know that data is secure, or even to say that it is secure - you must document that it is secure.

Audits are then done to verify that the proper measures are in place to make certain the data is secure. The following tips will help you understand what should be documented.

Creating the Documentation

There are a number of ways to create the necessary documentation for this act. The IT Governance Institute proposes a 9-step approach to Sarbanes-Oxley compliance:

  1. Plan and scope.
  2. Perform risk assessment.
  3. Identify significant accounts/controls.
  4. Document control design.
  5. Evaluate control design.
  6. Evaluate operational effectiveness.
  7. Determine and remediate deficiencies.
  8. Document process and results.
  9. Build sustainability.
I propose that there are 10 guiding principles that you need to know to begin the task:

1. Although a number of frameworks can be used as a model for this activity, they all agree that the noun you want to focus on is "control." Everything is a control. Instead of mixing in terms to describe what you do such as "activity", "process", "procedure", etc., put yourself in a mindset to think of everything as an "internal control". If it helps you to draw a parallel or analogy, you can think "change controls". No matter how you want to visualize it, though, you must think of everything as a control. Your goal is to create a list of all the controls that are in place in your environment. The ideal organization has an effective control framework that covers all the possibilities of what can be done with data. Just as an example, consider backups and all that they entail:

Given this type of logic, you can expand every administrative task associated with data security and integrity into a very large number of controls.

2. Recognize that while all controls are important, some controls are much more so than others. Yes, it is important to back up individual client workstations, but backing up the server is much more important and should be given a higher priority. That priority also applies when you start elaborating your narrative. You want to document the controls with the highest importance first, then move to the next most important, and so on until your documentation is complete.

3. Understand that some controls are preventive while others are detective, and label them accordingly. At the same time, some controls are manual while others are automatic (system). You want to have as few manual controls as possible, but it is next to impossible to get away from them completely. If you see the possibility to turn a manual control into a system control - but you don't currently do so - make a note of it.

4. When creating your documentation, you want to elaborate on each control. The following items should appear for each:

A. A description of the control - what is it?
B. A list of the risks that it prevents. For example, you do backups because the risk of not doing them is that you would be unable to restore data in the event of a system failure.
C. The frequency that each control is performed (daily, weekly, etc.) and the type of control that it is (preventive, system, etc.).
D. The procedures involved in running the control - fire off a script, load a backup tape, etc.
E. A list of any evidence that exists to indicate that it was done (a report showing the backup completed successfully, an entry in a log file, a message that is sent to a pager, and so on).

5. While not required, understand that visuals are helpful. When you look at a visual representation of something, often it is easier to understand than when you simply read text. By using Visio or any other drawing program, you can create a flowchart showing how operations are done that will enable an auditor to understand what you are conveying much more clearly than without the visual.

To truly add a touch of class, you should add a table of contents, index, and a list of figures to your document. While these items are not required, they do make the documentation look much more complete.

Think of the documentation as you would if it were your job to sit down and review (audit) this organization and you did not work there or know anything about it. Consider that you've walked through the front door and been handed a stack of papers to pore through. These papers are supposed to tell you everything you need to know before you can complete your report and move on to the next company. Auditors are human and there is enormous value in aesthetics when applied to a mountain of paperwork that one must tackle.

6. Accept the fact that the more information you can give, the better. No one likes writing tomes, but in some instances you need to. Your goal in creating this documentation is to show the auditors that all the precautions are in place to protect the data. From a purely subjective point of view, the data looks a lot more secure when there are 100 pages detailing why it is than when there are only three pages.

Conversely, don't get bogged down in specifics. If you list everything - for example, if you include the text of every script file that is run - you overwhelm the reader and create a document that will be outdated the minute any one item (like a line in a script file) changes. Instead, include in your documentation references to other documents that exist and can be checked during an audit (checklists for system builds, procedure manuals, etc.).

7. You should include in your documentation a set of definitions or a lexicon of terms that may exist in your environment but are not standard to the industry. You would not include "TCP/IP" in the set, since it is a standard acronym that any IT auditor should recognize. You should, however, include "TL" if it is used to mean Testing Lab within your corporation.

8. Recognize and accept that there is an overlap in activities and in controls. Because of this, there will be an overlap in the documentation you create. For example, suppose your company does full backups once a week and incrementals six times a week. When creating documentation for the controls, there will be a great deal of overlap between describing how to do a full backup and how to do an incremental one.

You can approach this from two perspectives: either admit that there will be the overlap and repeat the text over and over, or list it only once and refer back to it as needed. One way is not better than the other, but you should be consistent in whatever approach you take.

9. As you're creating your documentation, try to get as many others involved in the process as possible. The last thing you want to happen is to spend months working on this project only to get into an argument with members of another team over how operations are really done.

Involve management as much as possible and get approval (written, preferably) for the documentation you create. Getting signatures signing off on what you finish not only adds legitimacy to what you generate but has a CYA element to it as well.

10. Be honest. There is no such thing as a perfect company. While we would all like to strive toward perfection in our jobs, we all know that there is something that can be done better than it is. For example, we're supposed to run a virus scan every day but often the latest definitions don't get downloaded during peak times, and so on.

While it may hurt you to do so, it is ethically your obligation to point out your flaws. Sometimes there is value in admitting that you don't do something but are looking at ways of doing so in the future. If the auditors see you are honest, they are much more likely to accept your flaws and write them up rather than digging even deeper.

Flaws are not the end of the world, and usually lead to remediation wherein you are given a chance to correct critical controls and have a subsequent audit of only those found to be lacking.
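Keeping the control register in the structured form that items A-E call for makes principles 2, 3 and 4, and the evidence check of item E, mechanical. The following is an added example in Python, not code from the article; the control names, the log line format, the dates and the use of preventive/detective and manual/system as field values are all assumptions made for the illustration.

```python
# Added example, not from the article: a small checker for a SOX control register.
# Control names, log lines and dates below are constructed for illustration.
import re
from dataclasses import dataclass
from datetime import date, timedelta

FREQ_DAYS = {"daily": 1, "weekly": 7}  # expected gap in days between runs
# Items A-E from the article that every documented control must carry.
REQUIRED = ("description", "risks", "frequency", "kind", "mode", "procedure", "evidence")

@dataclass
class Control:
    name: str
    description: str   # A: what the control is
    risks: list        # B: risks it prevents
    frequency: str     # C: daily, weekly, ...
    kind: str          # C: preventive or detective
    mode: str          # C: manual or system (automatic)
    procedure: str     # D: how it is run
    evidence: str      # E: regex matching the log line that proves it ran
    priority: int = 1  # principle 2: 1 is the most important

def validate(control):
    """Principle 4: report items A-E that are missing or carry unknown values."""
    problems = [f"{control.name}: missing {f}" for f in REQUIRED if not getattr(control, f)]
    if control.kind not in ("preventive", "detective"):
        problems.append(f"{control.name}: kind must be preventive or detective")
    if control.mode not in ("manual", "system"):
        problems.append(f"{control.name}: mode must be manual or system")
    if control.frequency not in FREQ_DAYS:
        problems.append(f"{control.name}: unknown frequency {control.frequency!r}")
    return problems

def by_priority(controls):
    """Principle 2: the most important controls are documented first."""
    return sorted(controls, key=lambda c: c.priority)

def manual_controls(controls):
    """Principle 3: manual controls (most important first), the automation candidates."""
    return [c.name for c in by_priority(controls) if c.mode == "manual"]

LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (.*)$")  # constructed format: date time text

def evidence_dates(control, log_lines):
    """Days on which the log carries a line matching the control's evidence pattern."""
    pattern = re.compile(control.evidence)
    return {date.fromisoformat(m.group(1))
            for m in map(LOG_LINE.match, log_lines) if m and pattern.search(m.group(2))}

def missing_evidence(control, log_lines, start, end):
    """Scheduled days in [start, end] with no evidence that the control ran.
    start is taken as a scheduled day; later runs are expected every FREQ_DAYS."""
    found = evidence_dates(control, log_lines)
    step = timedelta(days=FREQ_DAYS[control.frequency])
    missing, day = [], start
    while day <= end:
        if day not in found:
            missing.append(day)
        day += step
    return missing

# Constructed register: a full backup once a week with incrementals on the other
# six days, and the daily virus scan that principle 10 admits is often skipped.
CONTROLS = [
    Control("server-backup", "Nightly backup of the file server (full weekly, incremental otherwise)",
            ["data cannot be restored after a system failure"], "daily", "preventive", "system",
            "cron runs the backup script; the operator rotates tapes",
            r"backup-(full|incr): completed OK", priority=1),
    Control("virus-scan", "Daily virus scan of workstations with current definitions",
            ["infected files go undetected"], "daily", "detective", "manual",
            "helpdesk starts the scan from the console each morning", r"av-scan: completed", priority=2),
    Control("workstation-backup", "Weekly backup of client workstations", [], "weekly", "preventive",
            "manual", "users copy their documents to the share", r"ws-backup: completed OK", priority=3),
]

# Constructed one-week log: the 7 September incremental failed and the scan ran on three days only.
SAMPLE_LOG = """\
2004-09-01 02:00:05 backup-incr: completed OK
2004-09-01 08:15:00 av-scan: completed, 0 infections
2004-09-02 02:00:02 backup-incr: completed OK
2004-09-03 02:00:04 backup-incr: completed OK
2004-09-03 08:21:10 av-scan: completed, 0 infections
2004-09-04 02:00:09 backup-incr: completed OK
2004-09-05 02:00:03 backup-full: completed OK
2004-09-06 02:00:07 backup-incr: completed OK
2004-09-06 08:03:41 av-scan: completed, 1 infection quarantined
2004-09-07 02:00:01 backup-incr: FAILED (tape not loaded)
""".splitlines()

def report(controls=CONTROLS, log_lines=SAMPLE_LOG, start=date(2004, 9, 1), end=date(2004, 9, 7)):
    """Per control, in priority order: documentation problems and days lacking evidence."""
    return {c.name: {"problems": validate(c),
                     "missing": [d.isoformat() for d in missing_evidence(c, log_lines, start, end)]}
            for c in by_priority(controls)}

if __name__ == "__main__":
    print(report())
```

The failed incremental and the skipped scans show up as days without evidence, which is exactly the kind of gap principle 10 says to write up honestly rather than leave for the auditor to find.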

Recommended Resources

Protiviti, which performs SOX audits, has posted a "Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements" at

An 86-page PDF on "IT Control Objectives for Sarbanes-Oxley" from the IT Governance Institute can be found at:

KPMG's 48-page overview of PCAOB's (Public Company Accounting Oversight Board's) requirements can be found at:

Emmett Dulaney is the author of several books on Linux, Unix, and certification. He is a former partner in Mercury Technical Solutions and can be reached by e-mail.

Corporate governance costs

[Feb 01, 2006] Ongoing SOX Costs

How much has been spent, how much will be spent, and what it may soon have to do with you if you're a foreign company or small firm

$14 billion has been spent to date on Sarbanes-Oxley (SOX) compliance efforts, according to a recent research alert from AMR.

The figure is expected to climb to $20 billion by the end of this year, by which time $15.3 billion will go to internal staff time plus external consulting and the rest to technology spending.

These figures are no surprise to larger U.S. companies, which have been working towards compliance for two years. However, different classes of companies will soon find themselves impacted by SOX.

AMR points out that companies outside the U.S. who trade stock or issue debt in this country must become SOX-compliant for fiscal years after July 2006. Meanwhile, U.S. companies with market capitalizations of less than $75 million must become compliant between 2007 and 2008, "a date that's been pushed out multiple times because of concerns that small companies lack the resources to address issues sooner."

An AMR survey of 300 companies turned up the following SOX facts:

One-third of companies reported that SOX spending exceeded expectations in 2005. None reported lower than anticipated expenses.

The breakdown of 2006 expenses is 39% internal labor and head count, 32% technology, and 29% outsourced services.

Over 50% of surveyed organizations plan to spend more than $1M on SOX in 2006, with 24% planning to spend more than $5M. The average expense for SOX remains approximately $1M per $1B in revenue.

Looking forward, 83% expect SOX expenditures to stay the same or increase in 2007; the remaining 17% expect budget decreases next year. This is the first year that the number of companies expecting a downturn in expense exceeds those that plan to increase spending.

SOX The Cost to Investors

The Trickle Down of SOX
Since the Sarbanes Oxley Act ("SOX") was passed, much has been written on the cost of compliance levied upon Wall Street brokerage firms (I include the Spitzer Settlement in this calculation) and corporations (specifically Section 404 which mandates an audit of internal accounting controls). However, little has been said about the cost to investors.

The cost of compliance is now trickling down to the end user, the investor, and can be classified as direct and indirect. This tax on the market and its participants could have an adverse impact on the US economy.

Direct Costs
Direct costs consist of the reduction in earnings, earnings growth, and dividends that result from the high cost of complying with SOX. The increased accounting and auditing fees that are required in order to comply with SOX are new and sizeable expenses that increase with the size of the company. In an efficient market, the reduction in earnings and growth potential will be reflected in the stock price.

According to a study done by the Financial Executives Institute, companies expect to spend an average of $3 million to comply with Section 404 of SOX. Companies with revenues in excess of $5 billion expect to spend an average of $8 million (0.2% of sales) and companies with sales less than $100 million think the average cost will be $550,000 (0.6% of sales). You can add to this price tag the cost of higher Director & Officer Insurance and the need to make more regulatory filings with increased speed and frequency. This "investment" will not increase a company's competitiveness or its profitability.

This data indicates that the cost of SOX compliance will impact profit margins and weighs heavier on smaller companies. The cost is expected to be highest in the near term as companies determine how to comply with Section 404, which systems need improvement and auditors charge to test the new systems.

The short term accounting costs are higher than they might have been for three main reasons. First, competition among the major accounting firms was reduced when Arthur Andersen was taken out (due to its involvement with Enron). Arthur's former clients had to scramble to find a replacement, allowing the remaining firms to raise prices.

The looming deadline for compliance with Section 404 is the second main factor resulting in higher accounting fees. Some accountants are claiming that the higher fees are due to the need to implement recently issued guidance from PCAOB (Standard No.2) and the 2005 deadline. Although Section 404 was public knowledge for over a year, accountants waited for guidance before creating the systems needed to perform the required audits.

But perhaps the main reason for the high near term cost is that nobody knows what they are doing. The accounting practices in Section 404 have been around for a long time, but the current environment of malpractice risk makes the players cautious. And fees rise with uncertainty. Fees are thus set to not only cover the base costs, but also include risk premiums for the hard costs of malpractice insurance and soft costs that allow partners to sleep at night.

While you might expect fees to decline once everyone gets more comfortable with the new reality of Section 404, don't count on it. Costs could increase as miscreants test the limits of the law (as they always do), resulting in new regulations and the need to invest in new systems and audits in order to comply with the new regs.

The bottom line is that the spending on compliance will divert funds that could be invested for a profitable return that would boost earnings and dividends. As a result, valuations will experience a quantum shift downward from what they could have been.

There are also "soft dollar" direct costs, the biggest of which is reduced productivity. While some of the hard dollar costs noted above may include an estimate of the hourly cost of management's time, I think the real soft costs are understated. How can you quantify the opportunity cost of the time management spends on determining how to comply, implementing new systems, and constantly monitoring these systems instead of growing the business? The thousands of hours spent on compliance divert management from focusing on becoming more competitive and profitable.

In the financial industry, the compliance costs are already evident. We already have seen the cost structures of brokerage firms change as they have had to erect higher Chinese Walls and fund the Spitzer Settlement. Wall Street firms have had to increase legal and compliance expenses because they need to have a babysitter every time an analyst talks with someone in investment banking.

Indirect Costs

Indirect costs are those that result from the unintended consequences of SOX. These costs consist of the reduction in research coverage, the growing number of companies that chose to de-list, a decline in productivity, and the inability of companies to access the capital markets. It is these costs that could have the greatest detrimental impact on the US economy.

The significant decline in research coverage created an Information Gap which resulted in inefficient pricing by the market. Prior to the implementation of the Spitzer settlement and the creation of SOX, the number of companies that lacked research coverage was large and growing. I did a study in 2002 that indicated that almost 70% of the publicly traded companies lacked adequate research coverage (defined as 2 or more analysts). Since that time, I think the situation has gotten worse. The number of analysts declined as brokerage firms reduced their market making activity. The wave of mergers in the late 1990s significantly reduced the number of regional brokerage firms that used to focus on small cap stocks in their "back yards." The surviving brokerage firms reduced their coverage lists to the biggest and most liquid issues. As a consequence of the combination of a lack of research and SOX costs, a growing number of firms are delisting themselves from the major exchanges.

The trend toward de-listing (also known as "going dark") is another indirect cost to investors. Delisting is a relatively simple step whereby companies can move from the larger exchanges (NYSE, AMEX, and NASDAQ) and have their shares trade on the OTC Bulletin Board (aka "Pink Sheets"). While trading on the Pink Sheets does not have the stigma that it used to have, an "aura" remains and it does increase the cost to trade. Whether real or perceived, there are inefficiencies that increase the cost to invest in Bulletin Board stocks that have not been offset by electronic trading mechanisms. But the most significant indirect cost is the cumulative impact of all of the above to the economy as a whole. As the result of SOX, the cost to access capital has increased, the ability to access capital markets has decreased (lack of research coverage and market making), and the efficiency of the market pricing mechanism has decreased.

To illustrate, consider the small entrepreneurial firm. It has always been the source of innovation and economic growth in the US economy. Pre-SOX, the small firm could focus on its core competency and develop a market for its product. While it had to deal with regulatory costs, access to capital was less costly because research coverage was more available: there was a network of regional brokerage firms that could provide investment banking and market making services to these small firms. Today, the few remaining regional firms are hard pressed to provide the needed services due to the increased cost of compliance and reduced margins. Due to these increased costs, brokerage firms are focusing their efforts on the biggest and most liquid stocks in order to maintain operating margins.

The Bottom Line

Change was needed to correct the excesses that were manifest during the dotcom bubble, and many of the post-bubble regulations are beneficial because they provide investors with more information. However, SOX, despite having some very good points, may turn out to be the modern day equivalent of the Smoot-Hawley Tariff Act, doing more harm than good.

Both SOX and Smoot-Hawley were enacted in an attempt to correct systemic wrongs but both had unintended consequences. Smoot-Hawley was enacted in the wake of the Great Stock Market Crash of 1929 as a way to protect the US economy. However, it had the exact opposite effect and caused the Great Depression. SOX and other post-bubble regulations have changed how the markets function in a way that may actually reduce the future growth potential of the US economy because they have reduced the ability of small entrepreneurial firms to tap the capital markets. This may prove to be the biggest cost to investors.

[Jul 16, 2004] PwC: Cos. Aren't Tracking SOX Costs

Despite complaints by some companies about the increased costs and regulatory burden imposed by Sarbanes-Oxley, more than half of companies surveyed by PricewaterhouseCoopers are not tracking the costs.

In the PwC Management Barometer, which polled senior executives of U.S.-based multinational companies, 56% of those surveyed said their company does not track and report internally on the costs of Sarbanes-Oxley and other compliance programs. Forty-one percent do track such costs.

"Given the early outcry about Sarbanes-Oxley's added costs, it's surprising that most companies do not document and track this expense," said Dan DiFilippo, a PwC partner and governance practice leader. "However, many companies have only recently begun to understand the types of costs and value associated with compliance efforts. We expect more aggressive monitoring as companies examine the effectiveness of their compliance approach."

In addition, 79% of those surveyed acknowledged that their company needs to make improvements in order to comply with Section 404 of Sarbanes-Oxley, which requires companies to file a management assertion and auditor attestation on the effectiveness of internal controls over financial reporting. Among areas needing remediation:

55% - Financial processes
48% - Computer controls
37% - Internal audit effectiveness
35% - Security controls
26% - Audit committee oversight
24% - Fraud programs

Looking ahead, 93% of executives expect their company to launch process improvement initiatives to streamline future Sarbanes-Oxley compliance, including financial reporting, risk identification and assessment, IT security strategy and implementation, internal audit, and compliance management.

"Companies recognize the need to make improvements in order to comply with the requirements of Sarbanes-Oxley," said DiFilippo. "When executives are confident that they are in compliance, many will want to find ways to streamline business processes and make future compliance less difficult."

The corporate governance racket

Corporate governance reforms have thus given us the corporate governance racket.

The special report on corporate governance in yesterday's WSJ (sub. req'd) included an interesting article by Phyllis Plitch entitled A Piece of the Action: Corporate governance is hot -- and there's no shortage of companies promising to help:

With corporate governance showing no signs of fading as a hot business buzzword as executives scramble to meet new regulations, companies of all kinds and sizes are trying to get a piece of the action. "This looks like the first widespread new potential to sell software and services to the whole economy since the dot-com bust three years ago," says Lane Leskela, research director at Gartner Inc. Mr. Leskela says he found at least 50 high-tech vendors marketing services related to the Sarbanes-Oxley Act of 2002, the legal centerpiece of sweeping reforms aimed at preventing corporate malfeasance. The businesses, he says, range "from the usual suspects all the way down to companies no one has really heard of before." ...
To critics, however, the onslaught of "you must hire us" pitches can scare companies into thinking they have no choice but to pony up big bucks. Some promotions "seem designed to put the fear of God in companies -- that complying is so difficult, you can't possibly do it without expensive and extensive outside help," says Beth Young, senior research associate at the Corporate Library, an independent research firm and corporate watchdog. "It's making people extremely paranoid about the requirements and what it takes to comply."
Well, that's just great. As an investor, I don't want my portfolio companies spending a dollar on "good corporate governance" unless doing so adds at least a buck to the bottom line. I don't have any voice in how much to spend on corporate governance, however. The board of directors and top management make that decision (as they should, of course). Unfortunately for the bottom line, however, directors and management have a strong incentive to over-invest in corporate governance consultants and so on.

Why? The answer lies in the incentive structures of the relevant players. Who pays the bill if a director is found liable for breaching his federal or state duties? The director. If the director has adequately processed decisions and consulted with advisors, will the director be held liable? Unlikely. Who pays the bill for hiring corporate governance consultants, lawyers, investment bankers and so on to advise the board? The corporation and, ultimately, the shareholders. Suppose you were faced with potentially catastrophic losses, for which somebody offered to sell you an insurance policy. Better still, you don't have to pay the premiums; someone else will do so. Buying the policy therefore doesn't cost you anything. Wouldn't you buy it? Isn't that exactly the choice we're giving directors and senior managers?

Corporate governance reforms have thus given us the corporate governance racket. We know that these reforms have significantly raised the regulatory burden on Corporate America. Will we get a commensurate bang for our buck? Regular readers know that I'm very skeptical. What I've tried to show here is that even modest reforms can result in costs that outweigh their benefits so long as those upon whom the reforms impose new liabilities control the purse strings.

SOX Costs

From Financial Executives Int'l (link via Broc), here's an analysis of what it is costing corporations to comply with just one provision of Sarbanes-Oxley (§ 404):
In looking at initial one-time expenses for a "typical" $3 billion company, The Johnsson Group estimates incremental unanticipated expenditures totaling $1.1 to $3.5 million, itemized as follows:
And that's just the beginning. Given the heightened new requirements, companies can reasonably expect to incur ongoing incremental costs in the range of $800,000 to $2.8 million:

Where are these extra costs coming from?

Outside audit fees will increase at least 25% due to broad changes in the scope of an audit. Internal audit departments will expand by adding professional staff to focus more heavily on controls. Corporate reporting departments will also require more finance professionals and administrators to ensure that disclosure information is generated in a consistent, well-controlled manner and procedures are well documented. Consulting fees will soar as consultants help overburdened internal departments in areas where staff resources are thin or otherwise deployed. Consultants will also be called on to provide independent assessments and assist in the installation of new software and database systems to document and capture consistent control environment data.

As I observed in my post The corporate governance racket, it is hard to imagine that investors are going to earn a return commensurate with all these extra costs.

[Nov. 19, 2004] SOX Costs Average $16 Million Per Company (SmartPros)

A survey of corporate boards released by RHR International and Directorship reveals annual Sarbanes-Oxley compliance costs average $16 million -- a jump of 77% from last year.

Findings of the first annual Directorship/RHR International Board Survey also reveal that nearly half (47%) of companies surveyed do not have a CEO successor in place, although 61% expect that CEO leadership transition will go smoothly, according to the poll of almost 270 board directors at U.S. companies.

Sarbanes-Oxley requirements have caused companies such as GE to spend a reported $30 million on internal control requirements alone. Last May, AIG chairman and CEO Maurice "Hank" Greenberg indicated that the world's largest insurer was spending $300 million a year fulfilling the new requirements.

Of the 266 board directors surveyed, almost two-thirds (64%) reported that the new regulations have changed their participation as a director. One major change is highlighted in the compensation of the company CEO. Nearly two-thirds (63%) of the directors indicated plans to change either the CEO salary or salary relative to bonus.

"It's clear that not all board directors are fully engaged," says J.P. Donlon, Editor-in-Chief of Directorship. "For example, almost one-fourth do not visit with employees, customers or suppliers, which means their only source of information is what management tells them."

Survey results also suggest that most directors express a high degree of confidence in the judgement of their fellow directors, but only a third say the level of dissent at board meetings is high.

"The capacity of a board to not only tolerate dissent, but make it an expected and productive part of the culture of the board is important. In the absence of an open and candid culture, some individuals will have undue influence by default," said Constance Dierickx, board services practice leader, RHR International.

Ninety-five percent of directors report they are "mostly" or "absolutely" confident in the current CEO, and an almost equal percentage (90%) note that they provide frequent, candid CEO feedback. While Karen West, Consultant, RHR International views the strong level of confidence among board members in their CEOs as "encouraging," she warns that, "without a succession plan, companies risk losing much of the momentum and results that today's CEOs are building."

Seven Critical Actions for Board Effectiveness

  1. Roll up your sleeves and master the performance drivers of the business.
  2. Understand the business by reading management's reports and through personal experience.
  3. Perform CEO evaluations frequently and systematically. Informal exchanges alone will not suffice.
  4. Foster a culture of contrarian thinking and vigorous debate to permit meaningful support for decisions.
  5. Be intolerant of cliques.
  6. Know the unvarnished truth about the management team. Actively manage succession including selection, development and transition for the top team.
  7. "Stress test" management's candor.

"The way board members manage their relationship with the CEO as well as the senior management team is indicative of the level of communication that takes place throughout an organization," said Dierickx.


Copyright © 1996-2021 by Softpanorama Society. was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Last modified: March 12, 2019