It's been about eight months since the internal control requirements (Section 404) of the Sarbanes-Oxley Act (SOX) first went into effect. Up to that deadline, and since then, SOX compliance has become a front-burner issue for the CIOs of publicly-held companies.
One can imagine that in some companies, the SOX compliance effort has uncovered serious deficiencies in internal controls that otherwise might have been found. If readers know if such cases I would love to hear about them, because from what I've seen and heard, SOX compliance has not been a meaningful exercise
- One company now requires the CFO to personally hand out payroll checks to its employees, instead of allowing the payroll manager to do so.
- Another company failed a SOX audit because auditors found that a sales rep only needed one signature instead of two to buy $15 worth of donuts for a client meeting.
- Or, how about this example from Eaton, a $9.8 billion manufacturer? Apparently, its auditors decided that Eaton was at risk from loss of a back up computer server. So, it designed internal controls that included "taking digital photographs of the smoke detector in a backup server closet...and sending the auditors receipts for the batteries."
Automation seems to be taking a back seat to documentation. In the rush to build internal controls in time to meet SOX 404 deadlines, companies are creating reams of documentation on paper and in network folders. In some cases, processes that were automated prior to SOX are now being complemented by paper-intensive manual processes, just for the sake of generating audit trails.
Software vendors are quick to encourage the insanity, and will look to charge top dollar if they believe that compliance is the driving factor in the purchase of a particular product.
For example, a reader, who wishes to remain anonymous, gave me some insight on Virsa, a small vendor that provides software to enforces segration of duties within an ERP system (e.g. a user that is authorized to generate purchase orders should not also have rights to authorize vendor payments.) Virsa was content to sell its product last year for $75,000 to $100,000. But that was before they formed a partnership with SAP to resell Virsa's product. According to my source,
SAP's U.S. reps now offer this exact same (and fairly basic) product for around one million dollars. Quite the cunning scam.
The funny thing is, as soon as SAP reps selling the Virsa product are asked by customers about competing products, the price drops, sometimes even down to zero, just to get the deal. But that's the point: SAP/Virsa rest their hopes on customers doing NO due diligence when purchasing compliance software. Instead they tout a close SAP relationship as key.
It's similar to rug dealers in Turkey who start at an absurdly high price in the hope of tricking an ignorant tourist into massive overpayments. The U.S. SAP reps must hope that a one million dollar line item on the bill will go unnoticed by CIOs with large budgets. But it's still a scam nevertheless.
So, what's the result of all these expenditures of time, money, and effort? Are financial reports of public companies much more trustworthy? Are business risks being better managed?
The question is not trivial. Every dollar wasted on meaningless compliance is a dollar not spent taking real actions to mitigate real risks to the business.
According to Scott Powell
at the Hoover Institute, the price is high.
In practice, new initiatives have gone right out the door at many companies. Project after project has been postponed or canceled in order to focus on ensuring Sarbox compliance. William Zollars, CEO of Yellow Roadway, the largest trucker in the United States, says that "it requires an army of people to do the paperwork." In addition to diverting some 200 employees to work on Sarbox in the fourth quarter of 2004, Zollars spent $9 million — more than 3 percent of his firm’s annual profit — on outside accountants and auditors. But Yellow Roadway may be getting off cheaply, as Business Week puts the average large-company compliance price tag at upward of $35 million.
If you've got your own story of SOX insanities, please post a comment on this article, or email me.Related postsHelp is on the way: software for SOX complianceMaking SOX compliance a meaningful exerciseSarbanes-Oxley compliance: too often a wasted effortSarbanes-Oxley spotlights need for controls in ITChecklist for Sarbanes-Oxley complianceSarbanes-Oxley spotlights need for controls in ITCost of compliance with Sarbanes-Oxley isn't mainly in new systemsIs Sarbanes-Oxley the new Y2K?