Why Sox Sucks
By Laton McCartney
It's been a while since I've heard anyone talk about Sarbanes-Oxley, Sarbox or SOX.
You may recall that the so-called Sarbanes-Oxley Act came into being in 2002 in the wake of the Enron scandal and other corporate shenanigans that involved smoke, mirrors and malfeasance on a massive scale.
SOX was supposed to put an end to the corporate version of three-card monte, provide complete transparency into the financial dealings of publicly held companies, ultimately protect shareholders and restore public confidence in corporate America.
Signing SOX into law, President Bush stated it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt."
But there were problems with SOX from the outset. First of all, it was incredibly complicated and only got more so as it evolved. Those of us who write about technology and finance turned out endless, migraine-inducing stories trying to explain what it was, why it mattered and how it was being implemented. Somewhere in a retro-version of Dante’s Inferno, there’s a room filled with journalists who have been relegated to spend eternity writing about SOX.
But we're the lucky ones compared to the IT chiefs and financial types who actually had to implement the various phases of SOX with little guidance—there was no methodology or prior guidelines since the SOX mandate had sprung full-blown from the minds of Washington bureaucrats. To meet looming and largely unrealistic deadlines, CIOs first had to make quick fixes to their systems to deal with SOX compliance. Then, they had to go back and find more permanent solutions that somehow might actually yield cost efficiencies down a very long and twisted road.
As a result, the costs of SOX compliance were on a par with those of Y2K. Want numbers? The average large corporation spent $7.3 million for first-year implementation costs and $4.36 million the second year. The SOX compliance software market topped $6 billion in 2006, and, of course, much of that spending came out of the IT budget.
All this so the regulators at the SEC would have a window into even the most complicated and convoluted financial workings of our publicly traded banks, brokerage houses, credit card companies, insurance firms, and other financial institutions. See Merrill Lynch, Bear Stearns, Lehman Brothers, et al. And with that window they would protect us from fiscal funny business—you know, things like leveraging what were already worthless investments to a fare-thee-well and ignoring risk management so that traders and CEOs could take home seven- and even eight-figure end-of-the-year bonuses.
IT did its job in providing the SEC with the transparency tools it mandated. But where were the regulators? Asleep? Out to lunch? On a six-year coffee break? Right now Congress is questioning SEC officials about the causes of our present financial debacle. I have a question for the present SEC chairman, Christopher Cox: Sir, with all due respect, what was SOX all about?