Sarbanes-Oxley Costs Exceed Benefits
coondoggie writes "Two years of compliance with the Sarbanes-Oxley Act (SOX) have shored up corporate accounting practices - but with lopsided costs compared to benefits gained.
Bill Gradison, acting chairman of the Public Company Accounting Oversight Board (PCAOB), said that guidance the SEC issued last year and PCAOB's latest auditing standard may not be enough to clarify the rules that govern the reporting and auditing of internal controls. 'Based on the information we already have, it would seem that some further changes may be in order,' Gradison said."
I have worked with SOX work - 95% of it is just bull work. The controls and testing for the IT portion is not adequate enough....and clients are heavily charged. The cost increase, which means that down the road, companies are not keen to have SOX work to be done....the work has to be changed.
I can go on and on about the work, but clients are kinda screwed with lame ass testing done with auditors. All companies need to do is have their own checklist, match up policies and procedures and let auditors review them that is all...
Here's the title of the article: "Execs tell regulators Sarbanes-Oxley costs exceed benefits". Here's the slashdot title: "Sarbanes-Oxley Costs Exceed Benefits". Notice the difference?
Sarbanes-Oxley is a *very good thing* - it exists to prevent another Enron. It makes CEOs criminally liable for when their companies cook the books. Amazingly, for some inexplicable reason, they don't seem to like it. Everyone reading this should go over to Netflix and add Enron: The Smartest Guys in the Room to their queues. It shows exactly how Enron was able to pull off the accounting shell-game that kept them afloat for years.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
But laws like this wouldn't really be necessary if businesses had followed the laws in the first place, huh?
Too bad it only takes a few bad apples to ruin it for everyone.
High-level Corporate Executives agreed at a recent meeting with Other High-Level Corporate Executives that recent cookie-control legislation was inhibiting their ability to take cookies directly from the jar without telling anyone.
They're the executives of the companies. The act was designed to protect against their misdeeds. Moreover, the benefits can't exactly be measured in terms of dollars, because a large part of the act is preventive. That is, you can't measure what never occurred, especially when there is little statistical data from which to back up an analysis.
SOX is a very heavy burden on small businesses that are public. The real winners under SOX are the auditing firms.
What is completely overlooked is that in the long run, such a system may have unintended/unforeseen benefits that make the current costs worthwhile. In addition, the hardening of accounting systems is amazingly beneficial for avoiding fraud and other "disappearing funds" problems that plague the previous system.
What we don't need is engineering sites spewing this kind of crap. Lots of engineers make a lot of money implementing these systems, and the more support for it we can muster from the engineering press, the more iPods and Ferraris we can keep ourselves in.
S-Ox is great. Keep up the good work.
First, of course companies are saying this. Sarbanes-Oxley requires them to do things that they don't want to do, namely properly assess their controls and have the CEO and CFO officially sign off on financial reporting.
But the real issue is that proper external financial reports aren't for the business (though they do help it, as long as the business pays attention to what they say.) They're for external users. And I can tell you right now that while banks who are looking to loan money, analysts who are grading performance, and investors who are looking to invest in a company's stock or bonds wouldn't mind seeing any costs cut, they don't think that the benefits are outweighed by the costs. They'll take the best information they can get, no matter what has to be done (within some modicum of reason.) And that's the point of Sarbanes-Oxley.
In 2004, GE spent about $33 million on Section 404 compliance, and costs ran about the same in 2005, Ameen said.
According to a quick perusal of GE's 2004 10-K, they had $20 billion in pre-tax income. I don't think $33 million is remotely too much to insure that that 10-K is correct.
The thing designed to make it harder for companies to make money illicitly is preventing the corporations from making money?
Sweet merciful crap, that's obviously a poorly designed bill.
Execs ought to be criminally liable for all the illegal decisions they make, and for failure to report illegal actions.
Just imagine if the Microsoft anti-trust trial put all the execs in jail or worse. Actually, the mere threat of this would have prevented the problems in the first place.
One reason why costs might be higher than benefits is that system integrators jumped on SOX (like white on rice) as a pure sales tool. Sales training at all the big firms and even regional players pumped SOX as a great issue, and they caught executives feeling exposed and therefore willing to pay all kinds of money just to feel covered.
I think the mentality created was something like "well, no one ever got fired for protecting the company from SOX", and it didn't matter what it cost. A lot of the people selling "solutions" to this problem had no idea even what it meant, just that executives were scared of SOX.
Fear is a great motivator.
The accounting laws needed to be tightened up, but SOX was definitely overkill.
What happened in the 1990's was some new loopholes opened up and reforms were needed. However, the big 5 auditors along with a lot of corporations and investment banks used their political muscle to stop any new laws (see the book Against the Street, by Arthur Levitt, who was head of the SEC at the time).
Then we started having all those accounting scandals, but Bush was president and he had appointed accounting industry lapdog Harvey Pitt as SEC chairman, and insisted it was not due to structural problems, but only a few "bad apples" (like Ken Lay, Bush's long time friend and political supporter).
But then came the WorldCom collapse and Bush was forced to suddenly reverse direction and support the legislation that was in the hopper at the time, Sarbanes-Oxley, which was unfortunately too extreme. If Bush had been working for reform all along, something sensible could have been passed, but instead we got a bill that imposes greatly unjust burdens on industry.
Well, we have seen it in operation for a few years, so maybe now it will get adjusted.
I have quite a bit of experience with Sarbanes-Oxley and UNIX compliance. One weak area is auditing root and shared account access. Generally the developers know the application account's password (like oracle or db2) and it's really hard to audit who did what. I created the tool Enterprise Audit Shell (EAS) which centrally logs shell access and sessions in an enterprise environment. Sessions can be snooped in real-time or played back at a later time. Each session is digitally signed and transmitted via OpenSSL. Project Site http://sourceforge.net/projects/eash Support Forum http://eas.strchr.net/
CEOs are whining about laws that prevent them from looting millions. Couldn't have seen that one coming, huh?
In other breaking news...
Murderers say the costs of laws preventing murder exceed the benefits.
Yep, this is just like executive pay: executives agree that executive pay is too low. Since executives are on the boards of directors that define the pay of other executives, they are always giving each other raises. It's a fair and balanced system with full transparency that responds to the will of the market and results in an efficient distribution of resources. Please stay quiet while we steal what's left of your paycheck, retirement and healthcare. The system works!
Government regulation always increases costs, because the regulation has costs of compliance.
Crooks don't comply, because they're crooks.
Customers, that's us, end up with higher prices for the things we buy, and higher taxes to pay for all the new auditors.
Martha Stewart goes to jail while the real criminals get away with what they've always gotten away with.
Politicians get reelected for having "done something".
To quote from the movie Spartacus, "I'll take a little republican [style of government, not party] corruption, along with republican freedom!"
Want to really put the screws to "corporate executive" crime? Then eliminate the government granted limited liability that a "corporation" represents. Allow thereby the officers of a company to be directly liable for their decisions, their accounting practices, their performance.
It's easy to follow the Big Lies handed down by the sensationalist press that don't want you looking at their own corporations and unions. S-O doesn't solve anything. It merely adds another layer of bureaucracy to the effort of getting anything accomplished.
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
"That's the general consensus of a wide range of business executives and auditors who gathered Wednesday in Washington, D.C., for an all-day roundtable hosted by the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board (PCAOB)."
Uhhh, so who is networkworld.com, why should I believe what the regulated have to say to the regulators, and why did the article summary assert what they stated to congress as certain truth?
It appears Corporate America is viewing SOX as damage and attempting to route around it. The Charlie Rose Show had on a couple of the biggest private equity fund managers the other night and they were talking about companies which are moving headquarters and operations off-shore because of SOX. They hate it.
However well-intentioned SOX is/was, if this trend continues, we don't get the SOX purported benefits, and we lose the economic benefits of these companies on US soil.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I think you have gotten the words "Everybody" and "Somebody" confused.
From my experience at having to deal with IT compliance with SOX for two different companies, I have to say that the only people made better off by SOX are the auditors and consultants....it's a shame they didn't have to pay for this law like normal corporations.
Kind thoughts do not change the world
"But laws like this wouldn't really be necessary if [individuals] had followed the laws in the first place, huh? Too bad it only takes a few bad apples to ruin it for everyone."
That reminds me. Anyone have the BT for the latest movie?
Sooo... tally up the cost of the Enron scandal:
1) The company went under, costing investors billions.
2) Some of the investors were people working for retirement, count up the cost of medicare and other public support they will need.
3) The manipulation of the elect. market caused a number of bad side effects including lower competitiveness of businesses in the affected areas (e.g. California).
4) Some business, I have no doubt, went out of business due to increased costs. Good ideas may have been lost, people's lives and dreams shattered.
5) Seniors who had to decide between drugs and utilities, some decided on utilities perhaps causing premature death.
6) Davis was unjustly (ok, he wasn't perfect but who is?) run out of office and instead you have a 'wanna be' called 'Ahnold'. They manipulated the political process.
SOX should be a reminder that large corps. can have huge impacts. And so the execs should be aware and bound to use their power in a moral and ethical manner. And since they cannot police themselves, external controls are needed. SOX isn't perfect, but we need to understand that we need to protect our people and economy.
If I had my way Lay et al. would be on trial for terrorism and manslaughter for the people who died and the damage to the US economy.
(I will now step down off of my soap box...)
putting the 'B' in LGBTQ+
Because now, if there are *any* new features in an update to a program, the company who created it *must* charge for that upgrade. This totally changes how software is developed and marketed...
Previously, if I had a program I wanted to release for profit, I would do the core features well, and add modules on around the side later, at extra cost. I might release interim patches for any bugs found in the field, and as a sweetener, upgrade some small functionality to get users affected by the bug back on "my side".
Now, I can't do that. The only time I can have a free interim release is to fix bugs - no new features are allowed. I'm no lawyer, but this is (expensive) legal opinion. So the dynamic changes - in order for me to have the most flexible release policy, I'm *far* better off releasing bug-ridden software that does *everything* - even if it only does it badly. Following this path, I get a choice of how to proceed later (I can add functionality *by* fixing "bugs" (ahem) by actually making a serious attempt to provide the functionality I promised in the first place). I can gauge the market and give it away free if that suits my needs at the time.
Now there's a downside to releasing bug-ridden software (and we're all aware of the arguments). The problem with this (responsible) attitude is that the collective consciousness of consumers today seems to not have a problem with buggy software - software crashes all the time, they're used to it, and it's a self-propagating meme of "what is normal". Responsibility don't pay.
So, when I release software (under the usual constraints of "good,cheap,fast - pick any two") I'm being pushed in the direction of "cheap and fast" because there's no real downside to me, and I get a lot more flexibility with dealing with the resulting debacle. I can balance my budget better ("cheap") and I get to market faster ("fast"). The fact that it doesn't work so well isn't really an issue.
That's what Sarbanes-Oxley has done for us.
For the record, I don't release software - please direct hate-mail to /dev/null. But if I were a software company, I sure-as-hell would be looking for an upside in the SO legislation, and I don't see any other "good" routes...
Simon
Physicists get Hadrons!
I'm 100% in favor of bringing back the Glass-Steagall Act, a useful bit of post-Depression legislation that would probably have prevented Enron (or, at the very least, significantly reduced the overall damage). Glass-Steagall ruled that a company could not do both financial analysis and investment banking, because it's a conflict of interest to be evaluating the same companies you have investments in. Thanks to the Republicans, Glass-Steagall was repealed in 1999 (although, to be fair, Bill Clinton did sign the law repealing it).
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
you have to take into account unintended consequences.
And another Enron may not be as bad as the cost on the economy. Maybe not. But maybe so.
I've also heard people argue that rogues will be rogues no matter what law you implement. This just punishes corporations which are already ethical.
In other words, we have to think it through.
Except for ending slavery, the Nazis, communism, & securing American independence, war has never solved anything.
Just like mine safety.
Mining accident kills people.
Law makers pass laws to improve safety.
Time goes by.
Mining companies, on the basis of a much improved death rate, get rules changed/relaxed.
Repeat
is in spite of the complaining by companies in the Fortune 500, the relative costs of SOX are low for mega-corporations like General Electric compared to a medium-sized business looking to try and compete with the big guys. Just as many well-intentioned business regulations are designed to keep the biggest and the baddest companies from screwing the public, the biggest unintended consequence of most business regulations is that these same regulations stifle up and coming competition whose resources might be scarce and the difference between spending 33 million dollars on SOX compliance is the difference between being a viable competitor in some market and being bankrupt.
Of course SOX doesn't affect small businesses, but if you ever want to grow and become a big business, then you are taking an extra risk once you reach the threshold of employees that forces you into effectively making paper log files of every single form of correspondence in the company. For the Fortune 500 guys, not having to worry about competition from new competition is a big win for them, and for any aspiring entrepreneur a big loss that makes you wonder if you would be better off expatriating to another country and starting your business offshore where the success or failure of your business is not tied exclusively to how efficient you are at dealing with government regulations.
GE's Section 404 controls cost: $33 million
GE's Market Cap: $365 billion
Percentage of Capital spent to make sure they're honest: .09%
As a GE stockholder, I'm happy with that. I will always be willing to pay .1% to ensure I don't lose 100%.
http://www.accountkiller.com/removal-requested
The SEC and PCAOB arranged the roundtable to solicit feedback about Section 404 of the legislation, which Could Not Be Found...
-- lol pwned
IMHO it's a pretty sad day when a bare minimum of societal/public ethics needs to be legislated.
C|N>K
I've worked with sarbanes-oxley, it's a joke, and sadly the joke is on us. It really doesn't do anything good, it's just a knee jerk bureaucratic response to increase the number of bureaucrats.
Murderers say the costs of laws preventing murder exceed the benefits.
First off, there are no laws to prevent murder. There are laws to prosecute murder. There's a difference.
Secondly, the costs of laws to prosecute murder are often murderous, which is exactly why we let them plead to manslaughter.
KFG
I believe SOx was indeed well intended, however if you have ever dealt with these auditors you would quickly realize that in practice SOx ended up as a boondoggle to a few very large accounting firms. I have actually dealt with "auditors" who requested (upon me asking about where he was based and that I speak the language) I speak in Spanish, as they were based in Mexico City on contract...He then asked for a screenshot of /etc/passwd, not the file itself mind you a screenshot of a pwd at the path! Not that the file would do much good as my boxes are all trusted.
Idiots driving idiots
The benefits those executives are counting don't include the cost of, say, Enron. Count a few dozen $BILLION collapses against the costs, and S-O looks pretty cheap. Not as cheap as ethics would make business, but there's no known way to inject that into capitalists.
--
make install -not war
Someone seems to disagree with this sentiment.
emt 377 emt 4
Very well said. I'm sure the buggy-whip and wooden-wheel manufacturers put out of business by these new-fangled automobiles are not enjoying your posting much.
Or the Hand Loom manufacturers! Entire industries put out of business by the WalMarts of their day.
The Ludwig von Mises Institute. The reasoning individuals economics
I didn't realize it was a profit-boosting initiative.
Please....would someone in Washington think of the corporations' bottom line for once??!!!
I have found there are just two ways to go.
It all comes down to livin' fast or dyin' slow. -REK, Jr.
That's a good thing.
I've had to follow after some of these consultants, since I work in a related industry. I've seen companies so scared to do anything that they're in process paralysis, because some SOX consultant was paid $250/hr to tell them they were going to jail in a handbasket if they didn't lock down everything that moved. Some listen when I tell them that all they have to have is good logging and a multiple-entity approval/decision tree, but some are just too shell-shocked. Unchecked Corporate greed has always been around, and does need to be regulated, but SOX is just another example of something that government made worse.
Here's what I originally wrote:
So mom & pop running their little grocery on the corner should be forced into poverty because Wal-mart moved in next door and took all their customers away?
Here's what you took out of this:
the Mom and Pop were going out of business because WalMart moved in next door and undercut their prices.
Now let's look at my original post with some helpful reading comprehension assistance added:
So mom & pop running their little grocery on the corner should be forced into poverty because Wal-mart moved in next door and took all their customers away?
Notice that the base assumption was that Wal-mart would force the closing of the small business? That is a given. The main difference between saying something as straightforward and obvious as that and what I said was that anyone with any idea about corporations would have automatically picked up on the bolded statement whereas the average dumbfuck would have had a kneejerk "fr33 m4rk37 15 t3h r0x0r!" reaction.
I just saw your other post which admits ignorance about corporations, so I'm pretty sure which type of person I'm replying to.
I know far too many people who make excuses for Enron, saying they did nothing illegal, that California especially set itself up for disaster by deregulating only half the electrical market.
But you know what? There are a zillion things any of us could do every day that are legal but immoral. Enron had no morals. They may have had great legal advice on how to skirt the edge, but their own admissions in email and memo, show they knew it was immoral. When the wholesale price of electricity jumps from 3 cents to 300 cents and stays there for exactly one hour before falling back down, something is wrong, whether legal or not.
Just as I have no respect for cops who complain about getting no respect when they won't turn in corrupt fellow cops, I shed no tears for business people who can't keep their own chicken coop clean.
This is the price you pay. You fuck with the public long enough, the public will fuck you back. Hell yes, it may be bad for business, but what they were doing was worse for society. So lump it, business boys and girls. You clean up your act, police yourselves, and earn the repeal or reform of SOX. Until then, I rejoice in what it does. Society is better off with the scoundrels roped in. Even if that small section of society called business is suffering a bit, society as a whole is better off.
Infuriate left and right
We need a governator. Davis was a girly-man.
This does not mean that U.S. businesses in aggregate benefited from Sarbox.
But it also doesn't mean that society as a whole did NOT benefit from roping in bad business practices.
Businesses aren't the sum total of society. They are a small part. If businesses suffer but society gains, who says that is a bad thing? Concentrating solely on the business part of the equation is misleading.
Infuriate left and right
The Act checks listed companies against accounting mal-practices. That the companies make noise against it is expected.
It makes the companies appear to be whining against a rule that allows them less freedom to do things the quick and dirty way.
Nobody knows what Sarbanes-Oxley means...
I've had a lot of managers say we have to do such and such for SOX compliance. When I inquire as to more detail... Like what exactly, so I can make sure the solution fits within the requirements. I get blank stares.
That's a large part of the cost. The law itself is not a bad idea. It's just nobody knows how to comply.
Because one company was run by a bunch of crooks
Don't forget the banks and accountants and regulators who gave a wink, wink here and a nudge, nudge there. It wasn't just one bad company, it was an entire corrupt business climate which thought the Enron cowboys were doing a great job, thought it was pretty damn hilarious how they gamed the stupid California regulators and wreaked such havoc in the economy.
Infuriate left and right
Maybe you should have called bullshit on your peers when they were busy hiding the fact that they really weren't capable of running a business.
Exactly my feelings. The people who knew what Enron was doing, the regulators and accountants and banks involved, all knew it was skirting the legal edge, and was way over the moral edge. Yet their attitude was that of a kid watching a rodeo, it was all entertainment and none of their business. Now that society has taken steps to prevent more of it, they cry foul.
Stuff it, I say. Learn the lesson and don't do it again and maybe you can earn enough respect to revise it. Otherwise, ha, the tables have turned, and this is our game now, we get to watch you squirm as you try to find new ways to fuck us over.
Infuriate left and right
The problem being that business isn't a small part of society. It is a major portion of how people interact.
Most of my interactions with other people, from a subscription to the YMCA to where I stop for cigarettes to the people I work with to the decision to mow my own lawn or hire a gardener, are business related.
The moment I step out of my door, which I bought, the actual number of people I deal with on a purely social level as opposed to the number of farmers, butchers, bakers, candlestick makers that I deal with on a business basis is very close to vanishingly small.
What reason do I have to be able to type to you this message but the ISP who doesn't know me on a social level at all, the Tier1 IP provider that doesn't know I exist at all, the Slashdot administrators trying to make a living by advertisements for which I am merely one few bytes of data in their database?
If it weren't for business, the price of tea in China would be irrelevant. But the fact is that by means of business, the price of tea in China is directly related to the price I see on the box of Oolong on my grocer's shelf (who otherwise would have no interaction with me whatsoever).
I think you need to look up the word "praxeology".
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
My IT Consulting firm has a large client that hired a team of SOX Consultants to get them SOX compliant. Every time they seemed to have checked off every item on the SOX Consulting team's list they were presented with a new list of items they must correct to be SOX compliant. Eventually they hired another SOX Consulting firm and had their suspicions confirmed that the first group was basically "inventing" reasons they were not SOX compliant to rack up a truly obscene number of billable hours.
It's my rough understanding that the bulk of SOX is to add a whole lot of layers to make sure the numbers balance and that you know who officially made what changes to numbers.
Enron was about fraud by management. Fraud will find a way to trump any set of rules to the contrary -- except maybe moral and ethical, but those are pretty hard to quantify.
Will SOX make it harder for another Enron to occur? Yeah, maybe. Will it prevent large scale corporate collapses from fraud? Not a chance. There will always be new and ingenious ways to break the system. Never mind the legal ways for management to line their pockets. Really, you'd think a couple million a year would be enough for anyone...
if this is hurting these companies so badly, let the ceos take paycuts. last i heard, they were increasing their compensation dramatically.
as long as they do that, i call "BS!" when they say doing business is too costly.
they want more, period. none of them was complaining when they were stretching numbers like rubber bands. there's no such thing as too much to these guys. it seems every tech ceo seems to believe s/he's cheated if they aren't worth 1,000 million dollars.
the greed is staggering. the callousness is beyond comprehension.
...no matter the costs to the company. They want to be absolutely safe by obtaining SOX compliance in a way that is simple for them, even if it complicates other people's job by a factor of 10. And the other people finally "delegate" this complication to IT people, like in "the program must verify that the interface transferred all the data to SAP correctly". And why doesn't the user check it himself? Or even define how the program should do the verification?
I find that most people have no idea what limited liability is. It's pretty sad. People think it's some sort of stay out of jail card when it has nothing to do with that. Movies like "The Corporation" try to imply this is the case. It's shameful.
:)
Personally, I like reminding people that neither Standard Oil nor Carnegie Steel were corporations. It kinda takes the wind out of people's sails.
Almost all society has nothing to do with business. Do you have no friends or relatives? Even your friends where you work, do you only discuss business matters with them? Do you chat with store clerks?
Business is a small part of society. And when you talk about public businesses, which are the only ones affected by SOX, it becomes even smaller.
Infuriate left and right
Executive pay *is* too low and it is the source of many evils. The low pay is offset by performance based bonuses. This creates:
1) An incentive to cook the books, in both legal and illegal ways(*).
2) A short-term perspective.
3) Other bad things.
If you made the salaries large and the bonuses small then you might get more long term thinking and a little more honesty.
(*) An example of legally cooking the books: The Income Statement is going to fall a little short of expectations, that will hit me in the wallet via a smaller bonus. But wait, there's that piece of land we own that we may expand our operations on. We've owned the land for a while, its market value has appreciated, I can sell it and the gain will make up for the shortfall elsewhere and the Income Statement will look good, my bonus will look good, mission accomplished. Oh, you say we'll have to spend even more money in the future to buy the land we'll eventually need, so it's a net loss. Not my problem, that's years off and I'll have moved on by then.
This is wrong on any number of levels.
First, realize that the majority of stock in the US isn't owned by rich individuals. It's owned mostly by mutual funds, which are in turn used as part of basically every retirement plan, investment account, college-savings plan, ad infinitum. If you have a 401k, you probably are an indirect shareholder in Exxon-Mobil (and IBM, and Microsoft, and General Dynamics, and probably Halliburton). If any of the big oil companies were to sneeze, the whole economy would get a cold.
Second, high-priced petroleum products, especially gasoline, is not necessarily a Bad Thing. I think it sucks as much as the next guy -- if I could click my shoes together and go back to the days of 98-cent per gallon gas forever, I'd be doing it and buying a Camaro before you could say "carbon dioxide." As much as Ma and Pa Jones of Pig's Knuckle, AR think that they want the Gubbermint to step in and 'do something' about the high price of gas, they really don't. Because keeping the price of gas low will only ensure that it gets used up faster, and that we don't do a damn thing to change our usage patterns or wean ourselves off of it before it runs out completely.
In other words, cheap gasoline just makes us, as a nation, press the accelerator to the floor as we're heading towards the brick wall of No More Petroleum. Paying the real market price for gas is the fairest way to wean everybody off of petroleum products: and people are listening. Go down to a Toyota garage sometime and see how many people are looking at hybrids, versus a year or two ago. The difference is pretty impressive.
The oil companies will continue to charge what they think the market will bear for gasoline and other products; when the cost of transportation fuels starts to become a major source of pain to American families, they will modify their usage patterns. This is how things have to work: people have to understand that the era of cheap gasoline -- probably of cheap fuel in general -- is over. In the future, if you want to drive 300 miles to see Grandma instead of call her, you're going to have to factor in the $30-40 in fuel that it's going to cost you. That's reality; that's life.
I have no doubt that many politicians this election year will try to come up with all sorts of creative ways of basically subsidizing or otherwise artificially deflating the price of gas. But as they're doing their financial rabbits-from-hats routine, I think it's worth it for everyone to remember that "cheaper gas" doesn't equal "more gas." In fact, it really means 'less gas' for everyone in the future.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The following article shows how a company can actually save money in the long run if they took SOX seriously enough.
Kimberly-Clark: Benefitting From SOX
http://www.baselinemag.com/article2/0,1397,1858071,00.asp
...for the past 18 months, my biggest beef is that it does absolutely nothing to prevent any sort of catastrophe -- it just ensures that the catastrophe is logged in exquisite detail.
As a developer, certain procedures and responsibilities have always rested on my shoulders. I'm used to it, and I rely on them to help me do a better job. However, with the advent of SOX compliance, so many layers of crap are added to my workflow that I end up spending 4 hours documenting a 20-second fix to correct a spelling error in a piece of code.
If these new procedures were to give me any sort of confidence that my fix not only addressed the problem, but didn't cause any new ones, then I would be more open to accept them as part of my job. As it stands, though, it only extends the amount of time that potentially Bad Stuff(TM) takes to make it into production.
Even with supposedly airtight SOX-compliant controls in place, any developer at my company can easily mangle production environments at any time. Here's why: one of the big things they started off with when implementing SOX controls was that if you were a developer, you shouldn't have direct access to production systems. So, they add a few layers in there. You, the developer, can't touch production, but you can write a script and give it to someone in a "responsible position", who can then run it in production. Problem is, the person who's supposedly responsible for the system often times has no clue what the script does -- even if they actually bothered to look at the script in the first place. They may ask you what it does, simply because they need to appear to be doing their job, but does it really matter what the answer is? They blindly run the script and send you the output. They don't know what the script does, so they don't know whether the output is valid. You tell them everything looks good. Everyone's happy.
Doesn't matter whether you update a single row, or drop a table with 70 million rows -- no one involved in the process is going to actually take the time to look at what you're doing in order to determine that it does what you say it does. As long as you've convinced people you know what you're doing, you have free rein. The addition of SOX hasn't changed this. The only benefit (if you wanna call it that) I can see is that now, you've got a pile of documentation showing that 4 people assisted you in wiping out data that will take days to retrieve from tape. The only way that controls are worthwhile is if they truly prevent this sort of thing.
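The failure described in the comment above is that the person running a script cannot tell a one-row update from a dropped table. As an added example (not from the thread or from any poster's environment), here is a preventive check in Python: it classifies every statement in a submitted SQL script and refuses the script when its risk exceeds what the change ticket declared. The risk tiers, function names and sample scripts are assumptions constructed for illustration.

```python
import re

# Assumed policy: verbs on this allow-list get a fixed tier; anything else
# fails closed as "high" so a human has to read it before it runs.
LOW = {"SELECT"}
ROW_WRITES = {"INSERT", "UPDATE", "DELETE"}
RANK = {"low": 0, "medium": 1, "high": 2}


def split_statements(sql):
    """Split a script on ';', dropping comments and blanking string literals
    so that keywords hidden in comments or quoted text are never matched."""
    out, cur, i, n = [], [], 0, len(sql)
    while i < n:
        two = sql[i:i + 2]
        if two == "--":                      # line comment: skip to newline
            j = sql.find("\n", i)
            i = n if j == -1 else j
        elif two == "/*":                    # block comment: replace with a space
            j = sql.find("*/", i + 2)
            i = n if j == -1 else j + 2
            cur.append(" ")
        elif sql[i] == "'":                  # string literal, '' is an escaped quote
            i += 1
            while i < n:
                if sql[i] == "'":
                    if sql[i + 1:i + 2] == "'":
                        i += 2
                        continue
                    break
                i += 1
            i += 1
            cur.append("''")
        elif sql[i] == ";":
            out.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(sql[i])
            i += 1
    out.append("".join(cur))
    return [" ".join(s.split()) for s in out if s.strip()]


def classify(stmt):
    """Return (risk, reason) for one normalised statement."""
    verb = stmt.split()[0].upper()
    if verb in LOW:
        return "low", "read-only"
    if verb in ROW_WRITES:
        # Limitation: a WHERE inside a subquery also satisfies this test.
        if verb != "INSERT" and not re.search(r"\bWHERE\b", stmt, re.I):
            return "high", f"{verb} without WHERE touches every row"
        return "medium", f"{verb} limited to selected rows"
    return "high", f"{verb} is not on the allow-list and needs human review"


def gate(script, declared_risk):
    """Compare what the script does with what the ticket says it does."""
    findings = [(s,) + classify(s) for s in split_statements(script)]
    blocked = [f for f in findings if RANK[f[1]] > RANK[declared_risk]]
    return {"allowed": not blocked, "findings": findings, "blocked": blocked}


# Constructed samples: both arrive with the same ticket text.
SPELLING_FIX = """
-- ticket: fix typo in product label
UPDATE labels SET text = 'Don''t drop table; keep it' WHERE id = 42;
"""

MISLABELED = """
-- ticket: fix typo in product label
UPDATE labels SET text = 'colour';
/* cleanup */ DROP TABLE orders_archive;
SELECT count(*) FROM labels;
"""

if __name__ == "__main__":
    for name, script in (("SPELLING_FIX", SPELLING_FIX), ("MISLABELED", MISLABELED)):
        result = gate(script, declared_risk="medium")
        print(name, "allowed" if result["allowed"] else "BLOCKED")
        for stmt, risk, reason in result["findings"]:
            print(f"  [{risk}] {reason}: {stmt}")
```

The operator still runs the script, but the decision no longer depends on the developer's description of it: the second sample is refused with the two offending statements listed.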
I'm making these comments in virtually every subthread, so I thought I'd just bring them all to the front.
1) For those who are claiming that the implementation/specific requirements are too strict, could you give an example? I have had to do things required for SOX compliance (and I know of plenty of other things that my company, and others, have done), and I have to say, I have yet to see anything that I consider overly burdensome. And certainly not so overly burdensome that they outweigh the benefits of the intended effect of SOX: ensuring more accurate and honest reporting in filings by public companies, and ensuring that management is held responsible for what is in those filings.
2) For those who are claiming that the original intent of SOX is wrong, could you please explain why you think so in those parameters? There are certainly downsides to SOX, but a million posts saying "SOX sucks" or "I have to do a whole bunch of extra things so that my company is SOX compliant" doesn't mean anything. First, obviously it doesn't provide any kind of example. Second, there's no reasoned logic as to why these downsides are worse than the upsides. Which leads me to...
3) For those who are claiming that the original intent was good, but the implementation is faulty, again, could you provide examples? Personally, I feel that extra work for you (or your accounting department, or whoever) is worth it if it helps to ensure that 10-Ks and the like are as accurate as possible. There is certainly a point at which the expense to make them more accurate outweighs the benefit of that improved accuracy. But remember, as I pointed out upthread, these filings are not FOR the company, or even really FOR the government (nearly every company has two sets of books, one for tax purposes and one for annual reports); they're for you, me, and every other person (and institutional investors) trying to decide whether investing in that company, be it through stocks, bonds, or any other avenue, is a good investment. The purpose of these filings and the role of the government in ensuring the accuracy of those filings is to make sure that investors have as much (and as accurate) information as possible. This is a good thing. If you'd like to argue that it's not, I (and probably others) will be happy to do so. If you're simply trying to point out that SOX doesn't fulfill its intent, then please, please say WHY you think that, and please give some thought to how much more work you would be willing to put up with, and how much expense you think is acceptable for a company to incur, to help the markets get better information.
4) Finally, there is a very interesting argument against SOX that is getting ignored upthread. SOX is definitely a regressive expense. Small businesses are paying a higher percentage of their revenue (or pre-tax income, if you want to be pedantic) than larger companies. Is this fair? What, if anything, can be done to alleviate that problem? What slope of regression (I'm probably butchering this terminology-wise, but I think you know what I mean) is acceptable to you, assuming you believe that SOX is otherwise a net benefit?
On the whole, obviously I am in favor of SOX. I wholeheartedly agree with the thought process behind it, and in my experiences dealing with it, I haven't found anything to change my mind. If you disagree, let's talk about it. This is a very, very important issue. But let's talk about it rationally and logically. Throwing out "it sucks", "I hate SOX", and "It doesn't work" don't do anything to further the discussion.
And yes, I am a longtime Slashdot reader, and I know that it's sometimes hard to find real, thought-out discussion. But we can certainly try for it.
I'd read messages in this forum if I saw any that started with "I am a CPA with NN years of experience as an auditor, and I am an authority on the Sarbanes-Oxley Act...." or "I am an attorney specializing in business finance law, and I have represented clients on Sarbanes-Oxley compliance matters"...
I'm not seeing that, even browsing at +5. Do I want an accountant's design for a minimal spanning tree or a blitter? (Actually, I wonder if an accountant might deliver a novel take on a problem...) But no. People seem to be commenting because the company has recently made obvious efforts for SOX compliance, some have had to do training that they consider a waste of time, there's much more paperwork involved in any transaction that concerns money or other assets, and these procedures are no doubt presented by PHB types as "do it or die." Then they notice that their company has more accountants than anything else. Couple that with the perception that IT is a lower caste, and the resentment brews.
Then somebody links to an article about SOX and suddenly every slashdotter chimes in with an opinion.
Including me. I'm now going to look through the +5's again, and see if we've heard from anyone who actually is qualified to speak on the subject.
-fb Everything not expressly forbidden is now mandatory.
Alex Epstein makes some good points in his article here.
In fact, I love the people who gripe about
Random Rants from an Airline Employee
You're wrong, SOX won't prevent another Enron.
Enron was a cluster of crooks. Crooks exist despite laws. There is no law whatsoever that will drive crooks away from their behavior. Enron's executives broke plenty of laws w/o SOX and they'll be convicted because of that.
Even with SOX there will be big financial scandals. To spot them beforehand, all you have to do is look for the money. Almost without exception, every business that displays exceptional profits is doing something illegal. Such firms include Walmart (labor violations, illegal labor, etc.) and Microsoft (convicted of monopoly behavior). If you've got stock in a firm that is exceptionally successful in some business sector, you probably should sell the stock now before the crooks drain it dry.
Bureaucracy is the problem. Hand anything to the government and they'll botch the job...sometimes in their buddy's favor. Evidence is all around; see also the $600 toilet seat.
So why do so many people, voting Democratic, think that turning everything over to the government is a good idea? It just boggles the mind.
(To be fair, the Republicans...the non-Conservative Republicans...have been just as bad at spending. Conservatism is about shrinking government, not growing it, and playing by the rules. Katrina was a good example of too much bureaucracy, for example- an extra level between services and people in need.)
Moving these issues to the state level and limiting liability would allow medical organizations to work out their details and keep things straight. Bringing the Fed in there means "billions" of dollars are available for a hangnail-case and a slick lawyer.
I sure wish term limits could ever be enforced; this group of clowns is inept.
--- For a good time mail uce@ftc.gov
This is another example of clueless politicians trying desperately to look like they are doing something useful and making a mess.
The idea behind Sarbanes-Oxley is a good one but the record keeping requirements are redundant. They are already covered by GAAP (Generally Accepted Accounting Principles), SEC regulations and various state and federal laws. Sarbanes-Oxley merely adds another layer.
If an ENRON or WorldCom is cooking the books, another layer isn't going to help. In these cases the real actors in the conspiracy were a tight circle of executives using a set of books that their accountants never saw.
Is that a SCSI connector or are you just glad to see me?
How can I possibly take seriously the views of someone who smokes and drinks Oolong? You might as well stick to the floor sweepings they put in teabags, since you've taken the decision to wipe out your taste buds followed by your epithelial cells and possibly uncontrolled cell division of your lung tissue.
It's almost as bad as people who think they are sophisticated and smoke cigars while drinking port - which should be at least a capital offence in any truly civilised society.
Pining for the fjords
The problem being that business isn't a small part of society. It is a major portion of how people interact.
Which is precisely why it's important that businesses are run in a circumspect and ethical manner.
Sarbox may not be the specific answer, but the reason it exists is fairly sound: internal controls weren't working. They often don't work.
This makes sense if you're willing to accept the negative side of the profit motive along with its positive power.
Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
I work with a couple of regs on a daily basis; SOX and 820 (FDA). The ideas behind these regs are great - protect the public from evil companies. The reality is that a 'good' company will do the right thing more often than not just because that's how they work and a 'bad' company will find a way to work around the regs. Good companies will incur extra overhead while bad companies will not.
I guess the upside is that these regs do help the economy (at least one part of it) by keeping consultants alive. As I recall, SOX has totally revitalized the small and medium size accountant space and the bigger firms are rolling in dough now. Sweet!
I'm from the government and I'm here to help - still true today.
Seriously, when have you ever seen Govt. regulations improving cost to benefit ratios?
...that the /. header is entirely MISleading.
RTFA. The header says "Costs Exceed Benefits" implying a fact.
The article is about industry execs telling the SEC that they don't think it's worth it.
That's about as opposite as you can get.
But this is slashdot, this is like -1, eternally redundant.
-Styopa
The store clerk you chat to would still be there if the economy was less productive, and so everyone had lower wages, so for the intended purpose of the example (the importance of production), it doesn't count.
Specific examples, where you meet other like-minded engineers (for example) do count, as engineers design new things, so less growth means fewer engineers, so that the network effects would be weaker (more of your interactions would be with those with whom you have less in common).
I agree that business transactions are social, but that is far from the whole transaction; you also need to look to the opportunity cost of business. Is the person that you're talking to the individual that you would really most want to talk to right now? Business restricts, as well as enabling social interaction.
On the other side of the coin, maybe necessity aids society: easier travel through wealth has meant that we interact with more people every day. This has got to be a factor in increasing divorce rates (say). By encouraging us to be open to new social encounters, it will weaken existing commitments (on both sides), as well as bringing new opportunities. Similarly with commitment to friends.
I'm not arguing both sides to appear stupid: I'm positing that there's no reason why the balance is optimal when the criterion is productivity rather than the state of society. You get what you optimise for.
Unless you're government, of course, and this is the crunch. Politicians and bureaucrats neglect the intrinsic value of concepts such as freedom, but although freedom is important to business, substituting productivity for freedom is to distort what freedom is. Look at the latest batch of anti-terrorism laws, or the DMCA to see this. Because freedom can come into conflict with (eg. 'intellectual') property, taking the side of business is too unsubtle.
Wikileaks, no DNS
Why does imdb say:
Recommendations
If you like this title, we also recommend...
Titanic (1997)
Sarbanes-Oxley Act creates jobs! My small company had to add more staff members to the finance department to deal all the new forms and paperwork. But we lost a client, and revenue isn't going up, so we now have a freeze on development hiring.
But the finance department sure is busy.
Software Wars
Heretic!
Wikileaks, no DNS
Lots of chicken little stuff going on around here. I think people have to stop assigning blame to a part or system, saying the system is wrong, when it is the people who are wrong.
People kill people, people make companies go from $80 to $0.60.
Do not downmod posts "overrated" simply because you disagree with them.
Same strategy Bellsouth is using with the net neutrality initiative and before that how RIAA and the MPAA managed to equate file sharing with stealing in the minds of the Great Unwashed Masses. MSFT also uses the same song and dance routine from time to time, more on the local level.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Just because some mental midget Senators, actually, their staffers, come up with a new regulation, does not mean it is the best or even if it works at all.
The shareholders who are going to get reamed?
My book, podcast
The requirements of Sarbanes-Oxley on a corporation are nothing but a huge expense that private companies don't have at all, putting them at a real disadvantage in the marketplace. The millions of dollars that are being spent by even medium-sized companies could be much better spent elsewhere.
-- Give me ambiguity or give me something else!
Corporate profits are up across the board. Companies are raking it in. I'm having a difficult time imagining these people going home crying because they just can't keep up with the costs of SOX.
My book, podcast
I'm just a sys admin from a European country but I seriously believe SOX has got a very positive impact on IT and it just started to be felt.
;-)
Identity management, that's what it is. How many times we struggled with heaps of "well known accounts" with no logging whatsoever? Oracle, unixes, brain dead windows deployments... All of them with "impossible to track users activity" requirements.
Now it can be seen that ldap, rbac, database auditing technologies start to have their warranted place in most offers. Just look at what Oracle, Sun, IBM are marketing to you. That's good.
It's still a long way to go for most companies, especially outside the US I guess. But still, I like the trend.
What I can't understand about Sarbox is this: some CEOs and CFOs commit fraud, therefore a peon like me has to jump through a lot of extra hoops to do his job. Huh? I am in *no* position to embezzle money or otherwise ruin the company. The law should be concerned with high-level controls, but instead it reaches down into the lowest levels of a company. That's why the implementation costs are exorbitant compared to the benefits.
Sincerely, Derek
A curious little blog
Like all such laws, nobody really understands what the regulations mean/don't mean, and require/don't require until a case is tried and some kind of common law precedence is set. So everybody is going WAY overboard to avoid getting snagged by this on some minor technicality. It's a typical government overreaction to some isolated bad practices. And yes, I work with a company that has to deal with SOX first-hand. Our compliance department makes us take SCREENSHOTS of source code in the repository for SOX compliance. Stupid. It proves nothing.
"I have never won a debate with an ignorant person." -Ali ibn Abi Talib
Thanks for the calm, rational post. I think the main argument against SOX is that you can't invest in Nigerian barges nearly as easily as you used to do. ;)
"people make companies go from $80 to $0.60."
People also make companies go from $0.60 to $80. But in order to do that they have to satisfy their customers better. The reverse certainly has little or nothing to do with satisfying customers.
The freer the market, the more fickle customers are allowed to be. Enron and Worldcom were punished quickly and decisively by going bankrupt, long before anyone was in jail.
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
The scary thing is that a typical pro-big-business Republican would agree wholeheartedly with my paragraph, without sensing its sarcasm.
No, the scary thing is that people who are reflexively anti-business think they have the intellectual market cornered.
You are a shill for Big Sarcasm and their academic cronies, who are illegally attempting to muscle out the use of irony and satire by anyone who also happens to like things like antibiotics, refrigerated meat, large airplanes, high-speed video cards, MRI machines, WiFi-enabled every-freakin'-thing, and the ability to be sitting, right now, in front of a nice shiny computer connected over an incredible network of industrial networks to a discussion board that ain't operating just because Taco is feeling warm, fuzzy, and charitable.
That you think comparing a regressive regulatory regime that punishes the very small businesses you would appear to prefer with, say, child labor and asbestos-based face powders... well, that's proof of either your rhetorical shallowness or the contempt with which you regard your audience. But then, that's the hallmark of Big Sarcasm, and those of us not falling all the way off left side of the page need to make sure that such a valuable tool of communication doesn't completely come under the influence of a Convicted Ideological Monopolist. So come on, you libertarians, business owners, investors, and other non-socialistas: stop being so literal, reasonable, and direct. Start swapping some Open Source Satire. Think of the left-handed children!
Don't disappoint your bird dog. Go to the range.
Enron/Andersen's shredding of the evidence was illegal already.
It's similar to the "tougher anti-immigration bills" floating around some state legislatures. It's merely posturing. We call them illegal immigrants for a reason.
The same applies to this whole SOX thing. It was a reactionary law (which history tells us are the worst laws) to the myriad of corporate corruption cases bubbling up then.
There's a more effective method than new laws, which would be enforcing our current laws appropriately, and punishing white collar criminals with a scale that reflects the massive societal damage their deviance causes. A convenience store armed robbery is often punished more severely than embezzlement. This shouldn't be the case, as someone like Ebbers or Lay wreaks far more havoc than a crackhead looking for a score. But the crackhead is typically punished more harshly.
SOX didn't assist in preventing white collar crime, or "accounting irregularities" if you want a euphemism. All it did was make politicians look effectual and spawn a consulting racket.
You better watch out, there may be dogs about . .
I work for IBM Software Group, and we've sold a ton of Sarbanes-Oxley compliance solutions.
[Ha ha, only serious. Opinions mine, not IBM's, etc.]
GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
How does SOX apply to source control systems?
At a minimum what do we need in place?
Is it good enough to have RCS in place? Do we need to have a requirement tied to every change made to the source? What do we need at a minimum?
How long do we have to retain this information? 5 years? 20 years?
It sounds simple on paper, and I agree that at a minimum it does force you to be able to understand what you have where and how it got there. But it's the little specifics that cause all the problems.
Did you know that the SEC and the PCAOB are very aware of the cost of compliance? To this end the SEC exempts about 50% of smaller businesses (those with a market cap 70 mill) from the rigor required for 404 compliance. The article is based on an out of context quote. In addition, this is one small group complaining, not how the law is actually applied. You can refer to the PCAOB web site and read or view the discussions and advisory group meetings to have a greater understanding about the exemptions, from the source, not a disgruntled business owner.
BOFH, My model for being a sysadmin :)
Accounting companies commit crime, so let's pass legislation to reward them with more business. Unbelievable.
Seriously, in the last few decades, has Congress produced *any* legislation where the benefits exceeded the costs? It seems that the only thing they're capable of is making their friends richer and ensuring they keep their jobs. Since the system is built so that keeping their jobs == selling out to the highest bidder rather than actually *doing* their jobs (the whole representing the people thing), this won't be changing anytime soon, and I don't understand why there are still people who don't see this. Oh, I forgot, they also pander to the emotional voting blocks who want them to make good sound bites regarding issues the government shouldn't actually be involved in.
I'd like to actually be more optimistic or cheerful about this, so really, has there been *anything* they've done recently that was a net win for the people? Is this ever going to change?
"The oil companies will continue to charge what they think the market will bear for gasoline and other products; when the cost of transportation fuels starts to become a major source of pain to American families, they will modify their usage patterns. This is how things have to work: people have to understand that the era of cheap gasoline -- probably of cheap fuel in general -- is over. In the future, if you want to drive 300 miles to see Grandma instead of call her, you're going to have to factor in the $30-40 in fuel that it's going to cost you. That's reality; that's life."
Maybe telecommuting will make a comeback, and drive the need for broadband. It may even mean growth in those fields that more readily lend themselves towards it. Remember peapod? You may see growth in that kind of business model. The trickle effect will show up in some of the darndest places, but I see it as a win win in the long run.*
*As an example I'm looking at a well-paying job that requires broadband.
As someone who performs security auditing full-time for one of those big annoying auditing firms, here is our view on this.
By its very nature, you can't measure the benefits of SOX.
Without SOX, we don't have enough information to even know how much corporate fraud is going on. So how the hell do you measure what the cost of that is?
WITH SOX, because of the reporting requirements, fraudsters have to change their behavior, perhaps even behave honestly. That's worth a great deal, because as you see recently, the DJIA has begun to creep back up after its 4-year flatness, because people didn't trust the market, because after Enron, Worldcom, etc. they all knew that the market was rigged by scam artists. So they put their money into housing. Now it's commodities, especially precious metal and petroleum. But some of that's coming back to the DJIA, because at least a small sense of trust in the market has returned.
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Fuel prices are kept high by government taxes and regulation. End the government meddling, and prices will fall by more than anything the oil companies could legally do on a continuing basis.
Contribute to civilization: ari.aynrand.org/donate
If the market is controlling prices, then big oil wouldn't be raking in ungodly earnings, they'd have a steady cash influx just like every other year.
Uh, well, yeah, it would. They're setting price $X, and the market is clearing. That's how the market works.
If people didn't want to pay $X for petroleum, they wouldn't pay it. Then the oil companies would be forced to lower prices. They can charge as much as they want -- if nobody wants to buy it at that price, they wouldn't earn a cent.
Go directly to ECON 101. Do not pass go, do not collect $200.
Paying the real market price for gas is the fairest way to wean everybody off of petroleum products: and people are listening. Go down to a Toyota garage sometime and see how many people are looking at hybrids, versus a year or two ago.
I was with you until here.
"Hybrid" is a technology -- a means, not an end. In case you didn't notice, every mass-produced hybrid you can buy today still runs on petroleum. And many don't even get great fuel economy. Here's a Toyota hybrid that gets 21.5 mpg. My car gets more than double that *for city driving* (and even better on the highway), and it's not a hybrid. (And I don't run it on petroleum.)
I'm all for high gas prices that force people to find alternatives, but getting SUV drivers to buy SUVs that get a couple more MPG, with a big "HYBRID" sticker, and think that's all they need to do, will not help us.
We need serious solutions to the energy problem. Even if everybody switched their gasoline car to a hybrid, population growth would wipe out the improvement in a year or two.
Anyway, when you write your functional requirements, it's your responsibility to prove to the business that your approach will meet the need. That's what validation is. It's not their job to tell you how to do it. I've been down that road, and you don't have to travel far on it before you encounter madness.
Get your teeth into a small slice: the cake of liberty
I read through Sarbanes-Oxley, with the focus of determining what the law requires in terms of archiving of emails/correspondence. It seems that this applies to financial records only, not day-to-day stuff. Am I correct? I have a great concern otherwise, if it's required by the SEC to archive ALL emails/correspondence. There are much larger implications with that. Sure, it's easy to do - and transparently so end users don't even know about it - but it's not necessarily the "right" thing to do, IMHO. Can someone clarify on that?
Income is a lousy metric to compare a very specific expense to. Section 404 is only one part of the regulation. Fundamentally, the cost has to be evaluated by the benefit it delivers, and the evaluation needs to be at the margin, not the average.
----- Question authority, but not ours. Hate the man, but we're not him.
A fidgety guy on a street corner reports that police patrols are a waste of taxpayer money.