Friday, October 14, 2005

U.S. Department of Justice visits the Spectator

No, I'm not in trouble--at least I don't think so.

I just noticed that a visitor from the US DoJ hit this website today and read five articles, the first of which was "SOX insanity takes hold in the IT department," and the last of which was "Sarbanes-Oxley compliance too often a wasted effort."

Hopefully, this is a good sign that someone at DoJ is paying attention to the enormous waste of time, money, and effort going on in the U.S. economy under the name of Sarbanes-Oxley.

2 comments:

Anonymous said...

You think SOx is a waste of time and money, Frank?
In many ways, so do I. Just like CMM compliance is a waste of time, unless you wish to do business with DoD entities.

It is high time that parties who can weild a big stick came out with clear guidelines on various issues. (Mostly, quality assurance ones - being in the UK market and observing the track record of government IT projects, i'd say that QA and sponsor understanding are two huge holes in such initiatives)
This should, of course, be an opt-in scheme, as many smaller companies do not have the time, scope, or expertise to comply with all the regulations in force globally.
Is SOx an answer? No.
Is it a good step forward? Yes
Will it need to be harshly reviewed, or die a needless death? Almost certainly.

In the mean time, the "waste" you refer to might actually pay internal dividends for companies as they review loose, dangling, or undocumented processes.

If this were a poker game, i'd be checking right now, waiting to see which way other players jump.

Nic

Frank Scavo said...

Good points, Nic.

The issue, in my opinion, is not SOX itself, but the way companies--under the advice of their auditors and consultants--are implementing internal controls for SOX compliance under Section 404.

The problem is that many companies are not taking a risk-based approach, treating all potential risks as equal, thereby overcontrolling some processes and undercontrolling others. Many of the internal controls implemented only add cost, without adding value.

Your suggestion for regulatory bodies to issue clear guidance is a good point. I'm not sure that SOX 404 needs to be revised, maybe it does. But it certainly needs to be supplemented with some clear guidance concerning the need for a risk-based approach.