FRAMINGHAM (06/29/2010) - I will let the various legal and accounting pundits decide how this week's Supreme Court ruling will affect SOX regulation. (The court ruled that Congress stepped on some separation-of-powers issues when it set up the Public Company Accounting Oversight Board (PCAOB) that oversees enforcement of the law, noting that the SEC and the President should have more power than was originally granted to remove members from that board.) From my practitioner perspective, my biggest beef with SOX has always been how the now-unconstitutional Public Company Accounting Oversight Board (PCAOB) let the auditing firms develop their own standards for what constituted "SOX compliance".
I figure the lack of a clear standard of compliance cost public companies billions (yes, billions with a "b") in excess costs and confusion in those early years.
My approach to SOX has always been that if I am using quality, proven practices to mitigate major IT risks, SOX should be a non-event. In other words, I don't need SOX (or my auditors) to tell me that I should use best practices for how I migrate changes into production. Same with controlling user access to critical data. If I want to be a credible provider of information services, I need to know whether or not the right people have access to only what they need.
But, in reacting to the public outrage over the Enron and Global Crossing shenanigans, Congress and the PCAOB started off by letting the auditing companies select their own auditing standards. In my case, this resulted in experiences like:
1. A fresh-from-college auditor telling me that SOX required me to implement a centralized governance model. I told him that a centralized governance model made no sense for my highly-decentralized business. He insisted that decentralization would put my compliance at risk. I then told him that I had forgotten more about IT than he knew. In the resulting stare down, he backed down and we passed our audit with flying colors.
2. An accounting auditor explaining to me that the PCAOB defined "top-down risk assessment" as anything that was included in our balance sheet statements. In other words, everything was in scope. If we made a one-time, $10 purchase, that, too, was part of our control environment because it would be in our asset column. This was in scope because, if we made millions of such purchases (and who says that we, in the future, won't), the dollar amount becomes non-trivial. I won that argument by threatening an appeal to the same PCAOB that failed to provide meaningful, tight guidelines to the auditors.
The initial reaction and over-reaction to SOX has tempered over the past few years. The PCAOB provided examples of what compliance meant and for most of us, SOX has become a non-event. Yet some nagging problems remain.
Personally, I have come to the conclusion that no amount of regulation will deter someone who is determined to lie, cheat and steal. If it is at least partially true that the economic meltdown of 2008 was started by Lehman Brothers and AIG, I am guessing that Lehman and AIG passed their SOX audits every year. If that is the case, I wonder why someone, rather than determining the constitutionality of the PCAOB, doesn't question the value of SOX. What if, after the cost and turmoil of eight years of SOX, it plays no meaningful role in telling investors who is playing fast and loose with financial risk?
But, that is for bigger thinkers than me to explore. I will keep my focus on doing the right things by implementing best practices, ensuring that my IT controls not only work but also generate business value, and training this year's hiring class of fresh-out-of-school auditors that know pretty much nothing except how to use the SOX checklist their auditing firm gave them to use.
Niel Nickolaisen serves as CIO for Headwaters, Inc.