I've come up with a solution for solving world poverty: Every time a representative of an IT vendor uses Sarbanes-Oxley or SOX in relation to their product you make a $1 donation to Oxfam. Better yet, you could set up a SOX-free compliance unit in your office and then fine the vendors when they make irrelevant breaches. Given that most of the IT products or services currently available purport to help with SOX compliance, Oxfam coffers would soon be overflowing.
My gripe isn't with SOX per se, or the need for regulation, but I do object strongly with the way "compliance" is abused by salespeople. Why do they insist on wrapping foreign laws - which for all but the biggest Australian companies have no relevance - around their "offerings"? What relevance has SOX got for the Victorian government, or for that matter 95 percent of Australian businesses?
Compliance is hardly a recent phenomenon. Australia has long had jurisdictional recordkeeping requirements. Organizations have always had to retain corporate records for at least seven years. In fact, Brisbane-based Watchdog Compliance advises that there are currently over a staggering 1000 pieces of compliance legislation in Australia, most of which significantly pre-dates SOX.
Undaunted, it seems that a number of bright sparks in the marketing departments of many of the IT vendors have come to the enlightened observation that perhaps recordkeeping and IT systems could be one and the same. Jumping on the Sarbanes-Oxley bandwagon is the path to riches for their company. The problem with this is that only reinforces IT's (or in this case, IT vendors') reputation for over promising. SOX follows hot on the tails of office automation, open systems, client/server, Y2K and services-oriented architecture. Unfortunately, when the promise fails to materialize, usually after some significant corporate investment, the reputation of the IT industry, and those working in it, suffers in the eyes of the executive.
A good friend of mine has devised a short test that you can give any ICT vendor sales- or marketing-type who claims to address SOX with their product. My friend advises you ask these three key questions:
1.Can you tell me which clauses of the Sarbanes Oxley legislation will affect us?
2.Has your software actually been changed to assist with SOX compliance in any way and, if so, how?
3.Has your company actually changed the integrity of data collection as a result of SOX?
I suspect that in 95 percent of cases you will get a "no" to all of the above. If so you may wish to remind the salesperson about the Trade Practices Act, which has penalties of $500,000 personally, and $2 million corporately for misleading and deceptive practices. (And it's Australian, not US, legislation.) Regulators like ASIC, ACCC, and APRA enforce and require organizations to provide expensive corrective action if breaches occur. However these regulators seldom ask that an organization fix their computer systems. Instead they target the organizational culture and business environment.
And surely that is where CIOs should focus their energies in compliance activities. How are the appropriate compliance policies formulated? How are they communicated? How are they enforced? Where can IT assist with this work?
One thing is certain. In the current corporate climate, with the stock market at record highs, CIOs will not be short of compliance work to do.
Peter Hind is a freelance consultant and commentator with nearly 25 years experience in the IT industry. He is co-author of The IT Manager's Survival Guide and ran the InTEP IS executive gatherings in Australia for over 10 years
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.