One can imagine that in some companies, the SOX compliance effort has uncovered serious deficiencies in internal controls that otherwise might have been found. If readers know if such cases I would love to hear about them, because from what I've seen and heard, SOX compliance has not been a meaningful exercise.
- One company now requires the CFO to personally hand out payroll checks to its employees, instead of allowing the payroll manager to do so.
- Another company failed a SOX audit because auditors found that a sales rep only needed one signature instead of two to buy $15 worth of donuts for a client meeting.
- Or, how about this example from Eaton, a $9.8 billion manufacturer? Apparently, its auditors decided that Eaton was at risk from loss of a back up computer server. So, it designed internal controls that included "taking digital photographs of the smoke detector in a backup server closet...and sending the auditors receipts for the batteries."
Software vendors are quick to encourage the insanity, and will look to charge top dollar if they believe that compliance is the driving factor in the purchase of a particular product.
For example, a reader, who wishes to remain anonymous, gave me some insight on Virsa, a small vendor that provides software to enforces segration of duties within an ERP system (e.g. a user that is authorized to generate purchase orders should not also have rights to authorize vendor payments.) Virsa was content to sell its product last year for $75,000 to $100,000. But that was before they formed a partnership with SAP to resell Virsa's product. According to my source,
SAP's U.S. reps now offer this exact same (and fairly basic) product for around one million dollars. Quite the cunning scam.So, what's the result of all these expenditures of time, money, and effort? Are financial reports of public companies much more trustworthy? Are business risks being better managed?
The funny thing is, as soon as SAP reps selling the Virsa product are asked by customers about competing products, the price drops, sometimes even down to zero, just to get the deal. But that's the point: SAP/Virsa rest their hopes on customers doing NO due diligence when purchasing compliance software. Instead they tout a close SAP relationship as key.
It's similar to rug dealers in Turkey who start at an absurdly high price in the hope of tricking an ignorant tourist into massive overpayments. The U.S. SAP reps must hope that a one million dollar line item on the bill will go unnoticed by CIOs with large budgets. But it's still a scam nevertheless.
The question is not trivial. Every dollar wasted on meaningless compliance is a dollar not spent taking real actions to mitigate real risks to the business.
According to Scott Powell at the Hoover Institute, the price is high.
In practice, new initiatives have gone right out the door at many companies. Project after project has been postponed or canceled in order to focus on ensuring Sarbox compliance. William Zollars, CEO of Yellow Roadway, the largest trucker in the United States, says that "it requires an army of people to do the paperwork." In addition to diverting some 200 employees to work on Sarbox in the fourth quarter of 2004, Zollars spent $9 million — more than 3 percent of his firm’s annual profit — on outside accountants and auditors. But Yellow Roadway may be getting off cheaply, as Business Week puts the average large-company compliance price tag at upward of $35 million.If you've got your own story of SOX insanities, please post a comment on this article, or email me.
Related posts
Help is on the way: software for SOX compliance
Making SOX compliance a meaningful exercise
Sarbanes-Oxley compliance: too often a wasted effort
Sarbanes-Oxley spotlights need for controls in IT
Checklist for Sarbanes-Oxley compliance
Sarbanes-Oxley spotlights need for controls in IT
Cost of compliance with Sarbanes-Oxley isn't mainly in new systems
Is Sarbanes-Oxley the new Y2K?
1 comment:
I love the Eaton example.
This can only make USA listed companies less competitive in the world.
I do agree with preventing Enron, but by establishing a good Whistle Blower method, this would have been suffice.
Post a Comment