Enough SOX already

There has been a stream of blogs recently by Dennis, Thomas and Vinnie on governance, risk and compliance (GRC). Much of it centred about the SAP offerings and Sarbanes-Oxley (SOX).

If you don’t work for a US-based company that conversation stream is only slightly relevant. Where is the conversation about Basle 2, which is an international GRC issue for banks? Why don’t I see someone asking about the Cadbury (UK) issues? Why is it all focused around SOX – enough already!

A little while back, Thomas mentioned how hopelessly ignorant US software companies were of the unique payroll requirements in European countries. I would make that same comment about their knowledge of compliance issues outside the US.

For example, in SA we have our own GRC issues – the King recommendations, and for larger companies BBBEE (broad-based black economic empowerment). In most companies I have seen, BBBEE is an Excel spreadsheet because the ERP vendor didn’t have the details in its HR application.

Depending on how you see the market in SA, there might be a niche for a small company to develop a BBBEE management app that can attach to ERP systems like SAP, Oracle or AX. But would any international (read US) vendor take the trouble to provide BBBEE functionality in its system? Hardly likely.


12 thoughts on “Enough SOX already”

  1. Simon – we’re getting there – worry not – there’s a follow up – and I’m in Spain where your life is regulated!!

  2. Manitore (Simon),
    Indeed. That is the whole point of the GRC strategy, to move away from individual point solutions that try to solve just one regulation. I’m equally tired of what James Governor aptly called “sox reductionism.”

    As I’ve said more than once.
    “GRC is about putting a framework in place to handle laws and regulations in a flexible and agile way. It is a pity that the noise on section 404 of SOX drowns out what should be a much broader and richer discussion”

    But if SAP’s critics focus on SOX costs, then I’m forced to defend it there.

    SAP South Africa has done quite a bit of work on the NQF and other regulations so you may be surprised. Drop me a note and I can put you in touch with the folks there.

    I’d also suggest you have a look at the Pioneer Foods presentation from Sapphire. It puts the controls framework in a non-sox context rather well. It makes the point I was trying to get across, namely that good controls make good business sense.

    The King report is one of the best works I have seen on corporate governance. South Africa provides a clear case of where corporate governance is mission critical. Without functioning corporate social responsibility, business quickly becomes compromised.

    It may also explain why the first major non-US GRC deals were in South Africa.

    Next time I’m over we should do a beer.

  3. Simon – I disagree. SOX is unfortunately the poster child for any group of politicians around the world who want to opportunistically implement a set of compliance legislation. And frankly a clinical study in how professional accountants and others ignore their own standards when the market conditions are appropriate. And now, it is being glamorized as having helped the Dow get to as high as it is for “restoring investor confidence”. This could happen anywhere in the world, any time. My huge concern with GRC is this creeping sense that around pollution, corruption – whatever we are going to keep sons of SOX

    Accountants and vendors like SAP always claim – we never make laws, we just help companies comply. Really? There is so much lobbying to keep SOX (or other compliance) going – and guess who pays for many of the lobbyists?

    On the best of days, most of us are wary of big business. My point is we need to be similarly wary of big government. Every compliance law should clearly identify cost of compliance, have quarterly reviews etc – and I think beneficiaries like accountants and software companies should be recused from lobbying or otherwise influencing them.

  4. Simon, this does rather prove your point.

    I would have hoped you would be at least open to the evidence from elsewhere in the world. If you read the King report (incidentally, the first version of which was written in 1992, I believe), you will see that corporate governance has been a significant business issue in South Africa for some time. Environmental law has been strengthening around the world, even if the US beats a different drum.

    The cost of SOX is minuscule compared to the losses to investors through fraud, options scandals, restatement of results and so on. How many more CEOs other than Jeff from GE do I need to quote? I guess we will never agree.

    From my reading of your arguments it seems as if you wish for a return to Victorian free for all capitalism, with the exception of Software companies and auditors who should be regulated to the nth degree.

    Read this speech from earlier this year by the chairman of the SEC and then look me in the eye and tell me we don’t need strong regulation and compliance law. http://www.sec.gov/news/speech/2007/spch030807cc.htm

    I’ll finish with this quote from the SEC Chairman, also earlier this year.

    That said, it is wrong to conflate the implementation problems of 404 with the entirety of the Sarbanes-Oxley Act. While it’s a handy whipping boy, overall the law has had important positive effects. It may fairly be credited with correcting the most serious problems that beset our markets just a few years ago. It has played a significant and valuable role in restoring integrity to our markets. Remember where we were, and what happened. We needed decisive action. Sarbanes-Oxley delivered.

    We have come a long way since 2002. Investor confidence has recovered. There is greater corporate accountability. Financial reporting is more reliable and transparent. Auditor oversight is significantly improved. And despite the fact that the global capital markets, consisting of over 50 exchanges worldwide with a total market capitalization of more than $46 trillion, are more competitive today than ever before, the United States continues to be the market leader with the largest global share.

    Christopher Cox, SEC chairman.

  5. James, my statement was broader than SOX.

    Every major corporation has lobbyists in major capitals. They work many different issues – and the influence game is not to blatantly, loudly work one particular issue. An SAP exec told me 2 years ago something to the effect of “we have the pulse of major congressmen and senators – where they stand on SOX”. You think the accounting firms sat silently the last few years when so much of their revenue stream was SOX dependent?

    I happen to think it is a healthy practice to recuse beneficiaries from discussing/influencing legislation they benefit from. Naive view, maybe…but my view.

  6. Thomas, not Victorian free for all, but not “business is bad, government is good” moves towards socialism either. The Fortune article which prompted my trigger post Shambala made a significant point. Not only has Big Business in US turned itself around in the eyes of the public, but in contrast Big government looks incompetent with the handling of Iraq, Hurricane Katrina, its own scandals etc.

    The lesson from SOX, even though it is US and financial centric, is that politicians and governments do not have the right answers either. To me SOX should have been dramatically scaled back within 2 years of implementation. Now after 5 years we may be finally getting there. In the meantime we, as society, paid a few hundred billion on SOX compliance, and try to “feel good” that investor confidence is back.

    You know I am all about efficiency, productivity etc. It bugs me to see that much waste. Of course, we need compliance. But we also need to be cynical about compliance. Big government is usually worse than Big Business.

  7. Hi gents
    It was nice to see such discussion generated.
    I suppose what I was complaining about in my blog post was that GRC seemed to be synonymous with SOX. Regulation used to be a major issue for only certain industries, like pharmaceuticals, but nowadays it seems every business is having to deal with it. So software that handles GRC should be general and flexible enough to handle more issues than just the SOX ones. If we are going to focus on the SOX issues then I reckon that is what the software developers will focus on, and it will end up like the HR and payroll apps, only applicable in the US.

  8. Simon, you hit the nail on the head. There is already too much compliance in every industry and more coming as we go green, push other social responsibility. And if each compliance initiative is a spending orgy like SOX was with questionable payback, yes we should all pray. Technology to me is about creating magic, delivering breakthrough innovation and productivity, not ambulance chasing after politicians as they dream up more compliance. Depends on your POV – I will take Big Business with its evils any day over Big Government.

  9. Vinnie,
    I would like to bring to your notice one website that I recently came across which provides a wonderful tool to comply with regulations like SOX, and at the same time it also helps in complying with many other regulations like HIPAA and ISO 17799. A crosswalk matrix poster between different regulations from Symantec is a very useful tool for a compliance team and risk management office. This poster is a crosswalk between: Sarbanes Oxley, HIPAA, ISO 17799, COBIT 4.0, Payment Card Industry (PCI), GLBA, NERC standards CIP and PIPEDA (Canada) http://www.compliancehome.com/symantec/compliance.html

  10. Contingency plan templates created by http://www.training-hipaa.net can jump start a HIPAA, Sarbanes Oxley (SOX), FISMA, ISO 17799 and many other regulations/standards contingency plan project, which includes risk assessment, business impact analysis (BIA), business continuity plan (BCP), disaster recovery program (DRP), emergency mode operation plan (EMOP), data backup plan, testing and revision procedures and many other projects. These templates can also be used by IT departments of different companies, security consulting companies, manufacturing companies, servicing companies, financial institutions, educational organizations, law firms, pharmaceuticals & biotechnology companies, telecommunication companies and others. Any organization, large or small, can use these templates.
