Hole in My SOX

There’s a silver lining in the compliance clouds, after all

Please allow me to eat some humble pie. Last year I used one of these columns ("SOX It to Them") to call for IT vendors to put a sock in all their pronouncements about Sarbanes-Oxley. I believed SOX compliance had no relevance for Australian companies. It is American legislation I argued. However, today I'm going to say how useful SOX might be. You see I've spent a fair amount of time this year assessing the compliance phenomenon. I've come to appreciate it is a global trend. Furthermore, I think it's something that CIOs might welcome.

For CIOs there is a growing appreciation that compliance has strengthened operating controls

Forward thinking companies have come to see compliance as a blessing in disguise. Since compliance became vogue, many of the major stock market indices - including the All Ords and the Dow Jones - have reached record high levels. Rather than being discouraged by compliance, investors have clearly been heartened by the fact that public companies now have standards to meet. This success means that compliance requirements are unlikely to go away.

For CIOs there is a growing appreciation that compliance has strengthened operating controls. Compliance legislation has sought to improve risk management and offered CIOs some protection from getting embroiled in ill-thought-out projects. Compliance has also encouraged process mapping, which aids CIOs with business continuity planning and workflow redesign. And it has encouraged a focus on records management to assist CIOs with better information management.

Studies of SOX compliance in the US reveal that businesses are tackling compliance in one of two ways. The first group understood and accepted that compliance represents a new era of government thinking, and from the outset invested in processes and systems to automate the work. Today these companies undertake their compliance activity for least cost and have significantly improved their business management processes at the same time. The other group of companies fulfil their compliance obligations each year at the last moment by throwing resources at the task. These companies have little to show for their compliance endeavours.

The unfortunate news is that analysis shows the latter group is probably in the majority. AMR Research report that expenditure on compliance has grown in the US in the three years since SOX was enacted. Clearly, it will take time for the penny to drop in many organizations that compliance is not a chore, but a new way of doing business. Meanwhile many of these backward companies will probably be looking to the CIO and IT for help in digging them out of this mess.

The challenge many CIOs face with compliance is how to educate their executive that, in the long run, they should take compliance seriously. Perhaps CIOs should take a leaf out of the books of their suppliers. IT vendors have long used fear, uncertainty and doubt (FUD) as motivations to influence their clients' behaviour. Perhaps then CIOs need to remind their organizations that unless they face up to their compliance obligations the work will prove an ongoing drain on operating expenditure budgets for many years to come. What might be worse for these executives is the prospect that their competitors could be doing better. They might have found the silver lining in the compliance clouds much sooner.

Peter Hind is a freelance consultant and commentator with nearly 25 years experience in the IT industry. He is co-author of The IT Manager's Survival Guide and ran the InTEP IS executive gatherings in Australia for over 10 years