Sarbanes-Oxley Costs Exceed Benefits
coondoggie writes "Two years of compliance with the Sarbanes-Oxley Act (SOX) have shored up corporate accounting practices - but with lopsided costs compared to benefits gained.
Bill Gradison, acting chairman of the Public Company Accounting Oversight Board (PCAOB), said that guidance the SEC issued last year and PCAOB's latest auditing standard may not be enough to clarify the rules that govern the reporting and auditing of internal controls. 'Based on the information we already have, it would seem that some further changes may be in order,' Gradison said."
Here's the title of the article: "Execs tell regulators Sarbanes-Oxley costs exceed benefits". Here's the slashdot title: "Sarbanes-Oxley Costs Exceed Benefits". Notice the difference?
Sarbanes-Oxley is a *very good thing* - it exists to prevent another Enron. It makes CEOs criminally liable for when their companies cook the books. Amazingly, for some inexplicable reason, they don't seem to like it. Everyone reading this should go over to Netflix and add Enron: The Smartest Guys in the Room to their queues. It shows exactly how Enron was able to pull off the accounting shell-game that kept them afloat for years.
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
But laws like this wouldn't really be necessary if businesses had followed the laws in the first place, huh?
Too bad it only takes a few bad apples to ruin it for everyone.
SOX is a very heavy burden on small businesses that are public. The real winners under SOX are the auditing firms.
First, of course companies are saying this. Sarbanes-Oxley requires them to do things that they don't want to do, namely properly assess their controls and have the CEO and CFO officially sign off on financial reporting.
But the real issue is that proper external financial reports aren't for the business (though they do help it, as long as the business pays attention to what they say.) They're for external users. And I can tell you right now that while banks who are looking to loan money, analysts who are grading performance, and investors who are looking to invest in a company's stock or bonds wouldn't mind seeing any costs cut, they don't think that the benefits are outweighed by the costs. They'll take the best information they can get, no matter what has to be done (within some modicum of reason.) And that's the point of Sarbanes-Oxley.
In 2004, GE spent about $33 million on Section 404 compliance, and costs ran about the same in 2005, Ameen said.
According to a quick perusal of GE's 2004 10-K, they had $20 billion in pre-tax income. I don't think $33 million is remotely too much to ensure that that 10-K is correct.
I have quite a bit of experience with Sarbanes-Oxley and UNIX compliance. One weak area is auditing root and shared account access. Generally the developers know the application account's password (like oracle or db2) and it's really hard to audit who did what. I created the tool Enterprise Audit Shell (EAS) which centrally logs shell access and sessions in an enterprise environment. Sessions can be snooped in real-time or played back at a later time. Each session is digitally signed and transmitted via OpenSSL. Project Site http://sourceforge.net/projects/eash Support Forum http://eas.strchr.net/
Government regulation always increases costs, because the regulation has costs of compliance.
Crooks don't comply, because they're crooks.
Customers, that's us, end up with higher prices for the things we buy, and higher taxes to pay for all the new auditors.
Martha Stewart goes to jail while the real criminals get away with what they've always gotten away with.
Politicians get reelected for having "done something".
To quote from the movie Spartacus, "I'll take a little republican [style of government, not party] corruption, along with republican freedom!"
Want to really put the screws to "corporate executive" crime? Then eliminate the government granted limited liability that a "corporation" represents. Allow thereby the officers of a company to be directly liable for their decisions, their accounting practices, their performance.
It's easy to follow the Big Lies handed down by the sensationalist press that don't want you looking at their own corporations and unions. S-O doesn't solve anything. It merely adds another layer of bureaucracy to the effort of getting anything accomplished.
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
"That's the general consensus of a wide range of business executives and auditors who gathered Wednesday in Washington, D.C., for an all-day roundtable hosted by the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board (PCAOB)."
Uhhh, so who is networkworld.com, why should I believe what the regulated have to say to the regulators, and why did the article summary assert what they stated to congress as certain truth?
It appears Corporate America is viewing SOX as damage and attempting to route around it. The Charlie Rose Show had on a couple of the biggest private equity fund managers the other night and they were talking about companies which are moving headquarters and operations off-shore because of SOX. They hate it.
However well-intentioned SOX is/was, if this trend continues, we don't get the SOX purported benefits, and we lose the economic benefits of these companies on US soil.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
I think you have gotten the words "Everybody" and "Somebody" confused.
Because now, if there are *any* new features in an update to a program, the company who created it *must* charge for that upgrade. This totally changes how software is developed and marketed...
/dev/null. But if I were a software company, I sure-as-hell would be looking for an upside in the SO legislation, and I don't see any other "good" routes...
Previously, if I had a program I wanted to release for profit, I would do the core features well, and add modules on around the side later, at extra cost. I might release interim patches for any bugs found in the field, and as a sweetener, upgrade some small functionality to get users affected by the bug back on "my side".
Now, I can't do that. The only time I can have a free interim release is to fix bugs - no new features are allowed. I'm no lawyer, but this is (expensive) legal opinion. So the dynamic changes - in order for me to have the most flexible release policy, I'm *far* better off releasing bug-ridden software that does *everything* - even if it only does it badly. Following this path, I get a choice of how to proceed later (I can add functionality *by* fixing "bugs" (ahem) by actually making a serious attempt to provide the functionality I promised in the first place). I can gauge the market and give it away free if that suits my needs at the time.
Now there's a downside to releasing bug-ridden software (and we're all aware of the arguments). The problem with this (responsible) attitude is that the collective consciousness of consumers today seems to not have a problem with buggy software - software crashes all the time, they're used to it, and it's a self-propagating meme of "what is normal". Responsibility don't pay.
So, when I release software (under the usual constraints of "good,cheap,fast - pick any two") I'm being pushed in the direction of "cheap and fast" because there's no real downside to me, and I get a lot more flexibility with dealing with the resulting debacle. I can balance my budget better ("cheap") and I get to market faster ("fast"). The fact that it doesn't work so well isn't really an issue.
That's what Sarbanes-Oxley has done for us.
For the record, I don't release software - please direct hate-mail to
Simon
Physicists get Hadrons!
I'm 100% in favor of bringing back the Glass-Steagall Act, a useful bit of post-Depression legislation that would probably have prevented Enron (or, at the very least, significantly reduced the overall damage). Glass-Steagall ruled that a company could not do both financial analysis and investment banking, because it's a conflict of interest to be evaluating the same companies you have investments in. Thanks to the Republicans, Glass-Steagall was repealed in 1999 (although, to be fair, Bill Clinton did sign the law repealing it).
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
is in spite of the complaining by companies in the Fortune 500, the relative costs of SOX are low for mega-corporations like General Electric compared to a medium-sized business looking to try and compete with the big guys. Just as many well-intentioned business regulations are designed to keep the biggest and the baddest companies from screwing the public, the biggest unintended consequence of most business regulations is that these same regulations stifle up and coming competition whose resources might be scarce and the difference between spending 33 million dollars on SOX compliance is the difference between being a viable competitor in some market and being bankrupt.
Of course SOX doesn't affect small businesses, but if you ever want to grow and become a big business, then you are taking an extra risk once you reach the threshold of employees that forces you to effectively make paper log files of every single form of correspondence in the company. For the Fortune 500 guys, not having to worry about competition from new competition is a big win for them, and for any aspiring entrepreneur a big loss that makes you wonder if you would be better off expatriating to another country and starting your business offshore where the success or failure of your business is not tied exclusively to how efficient you are at dealing with government regulations.
GE's Section 404 controls cost: $33 million
GE's Market Cap: $365 billion
Percentage of Capital spent to make sure they're honest: .09%
As a GE stockholder, I'm happy with that. I will always be willing to pay .1% to ensure I don't lose 100%.
http://www.accountkiller.com/removal-requested
The SEC and PCAOB arranged the roundtable to solicit feedback about Section 404 of the legislation, which Could Not Be Found...
-- lol pwned
I've worked with Sarbanes-Oxley, it's a joke, and sadly the joke is on us. It really doesn't do anything good, it's just a knee-jerk bureaucratic response to increase the number of bureaucrats.
I believe SOx was indeed well intended, however if you have ever dealt with these auditors you would quickly realize that in practice SOx ended up as a boondoggle to a few very large accounting firms. I have actually dealt with "auditors" who requested (upon me asking about where he was based and that I speak the language) I speak in Spanish, as they were based in Mexico City on contract... He then asked for a screenshot of /etc/passwd, not the file itself mind you, a screenshot of a pwd at the path! Not that the file would do much good as my boxes are all trusted.
Idiots driving idiots
I've had to follow after some of these consultants, since I work in a related industry. I've seen companies so scared to do anything that they're in process paralysis, because some SOX consultant was paid $250/hr to tell them they were going to jail in a handbasket if they didn't lock down everything that moved. Some listen when I tell them that all they have to have is good logging and a multiple-entity approval/decision tree, but some are just too shell-shocked. Unchecked corporate greed has always been around, and does need to be regulated, but SOX is just another example of something that government made worse.
I know far too many people who make excuses for Enron, saying they did nothing illegal, that California especially set itself up for disaster by deregulating only half the electrical market.
But you know what? There are a zillion things any of us could do every day that are legal but immoral. Enron had no morals. They may have had great legal advice on how to skirt the edge, but their own admissions in email and memo show they knew it was immoral. When the wholesale price of electricity jumps from 3 cents to 300 cents and stays there for exactly one hour before falling back down, something is wrong, whether legal or not.
Just as I have no respect for cops who complain about getting no respect when they won't turn in corrupt fellow cops, I shed no tears for business people who can't keep their own chicken coop clean.
This is the price you pay. You fuck with the public long enough, the public will fuck you back. Hell yes, it may be bad for business, but what they were doing was worse for society. So lump it, business boys and girls. You clean up your act, police yourselves, and earn the repeal or reform of SOX. Until then, I rejoice in what it does. Society is better off with the scoundrels roped in. Even if that small section of society called business is suffering a bit, society as a whole is better off.
Infuriate left and right
Nobody knows what Sarbanes-Oxley means...
I've had a lot of managers say we have to do such and such for SOX compliance. When I inquire as to more detail... Like what exactly, so I can make sure the solution fits within the requirements. I get blank stares.
That's a large part of the cost. The law itself is not a bad idea. It's just nobody knows how to comply.
The problem being that business isn't a small part of society. It is a major portion of how people interact.
Most of my interactions with other people, from a subscription to the YMCA to where I stop for cigarettes to the people I work with to the decision to mow my own lawn or hire a gardener, are business related.
The moment I step out of my door, which I bought, the actual number of people I deal with on a purely social level as opposed to the number of farmers, butchers, bakers, candlestick makers that I deal with on a business basis is very close to vanishingly small.
What reason do I have to be able to type to you this message but the ISP who doesn't know me on a social level at all, the Tier1 IP provider that doesn't know I exist at all, the Slashdot administrators trying to make a living by advertisements for which I am merely one few bytes of data in their database?
If it weren't for business, the price of tea in China would be irrelevant. But the fact is that by means of business, the price of tea in China is directly related to the price I see on the box of Oolong on my grocer's shelf (who otherwise would have no interaction with me whatsoever).
I think you need to look up the word "praxeology".
Bob-
The Ludwig von Mises Institute. The reasoning individuals economics
My IT Consulting firm has a large client that hired a team of SOX Consultants to get them SOX compliant. Every time they seemed to have checked off every item on the SOX Consulting team's list they were presented with a new list of items they must correct to be SOX compliant. Eventually they hired another SOX Consulting firm and had their suspicions confirmed that the first group was basically "inventing" reasons they were not SOX compliant to rack up a truly obscene number of billable hours.
This is wrong on any number of levels.
First, realize that the majority of stock in the US isn't owned by rich individuals. It's owned mostly by mutual funds, which are in turn used as part of basically every retirement plan, investment account, college-savings plan, ad infinitum. If you have a 401k, you probably are an indirect shareholder in Exxon-Mobil (and IBM, and Microsoft, and General Dynamics, and probably Halliburton). If any of the big oil companies were to sneeze, the whole economy would get a cold.
Second, high-priced petroleum products, especially gasoline, is not necessarily a Bad Thing. I think it sucks as much as the next guy -- if I could click my shoes together and go back to the days of 98-cent per gallon gas forever, I'd be doing it and buying a Camaro before you could say "carbon dioxide." As much as Ma and Pa Jones of Pig's Knuckle, AR think that they want the Gubbermint to step in and 'do something' about the high price of gas, they really don't. Because keeping the price of gas low will only ensure that it gets used up faster, and that we don't do a damn thing to change our usage patterns or wean ourselves off of it before it runs out completely.
In other words, cheap gasoline just makes us, as a nation, press the accelerator to the floor as we're heading towards the brick wall of No More Petroleum. Paying the real market price for gas is the fairest way to wean everybody off of petroleum products: and people are listening. Go down to a Toyota garage sometime and see how many people are looking at hybrids, versus a year or two ago. The difference is pretty impressive.
The oil companies will continue to charge what they think the market will bear for gasoline and other products; when the cost of transportation fuels starts to become a major source of pain to American families, they will modify their usage patterns. This is how things have to work: people have to understand that the era of cheap gasoline -- probably of cheap fuel in general -- is over. In the future, if you want to drive 300 miles to see Grandma instead of call her, you're going to have to factor in the $30-40 in fuel that it's going to cost you. That's reality; that's life.
I have no doubt that many politicians this election year will try to come up with all sorts of creative ways of basically subsidizing or otherwise artificially deflating the price of gas. But as they're doing their financial rabbits-from-hats routine, I think it's worth it for everyone to remember that "cheaper gas" doesn't equal "more gas." In fact, it really means 'less gas' for everyone in the future.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
...for the past 18 months, my biggest beef is that it does absolutely nothing to prevent any sort of catastrophe -- it just ensures that the catastrophe is logged in exquisite detail.
As a developer, certain procedures and responsibilities have always rested on my shoulders. I'm used to it, and I rely on them to help me do a better job. However, with the advent of SOX compliance, so many layers of crap are added to my workflow that I end up spending 4 hours documenting a 20-second fix to correct a spelling error in a piece of code.
If these new procedures were to give me any sort of confidence that my fix not only addressed the problem, but didn't cause any new ones, then I would be more open to accept them as part of my job. As it stands, though, it only extends the amount of time that potentially Bad Stuff(TM) takes to make it into production.
Even with supposedly airtight SOX-compliant controls in place, any developer at my company can easily mangle production environments at any time. Here's why: one of the big things they started off with when implementing SOX controls was that if you were a developer, you shouldn't have direct access to production systems. So, they add a few layers in there. You, the developer, can't touch production, but you can write a script and give it to someone in a "responsible position", who can then run it in production. Problem is, the person who's supposedly responsible for the system often times has no clue what the script does -- even if they actually bothered to look at the script in the first place. They may ask you what it does, simply because they need to appear to be doing their job, but does it really matter what the answer is? They blindly run the script and send you the output. They don't know what the script does, so they don't know whether the output is valid. You tell them everything looks good. Everyone's happy.
Doesn't matter whether you update a single row, or drop a table with 70 million rows -- no one involved in the process is going to actually take the time to look at what you're doing in order to determine that it does what you say it does. As long as you've convinced people you know what you're doing, you have free rein. The addition of SOX hasn't changed this. The only benefit (if you wanna call it that) I can see is that now, you've got a pile of documentation showing that 4 people assisted you in wiping out data that will take days to retrieve from tape. The only way that controls are worthwhile is if they truly prevent this sort of thing.
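The comment above describes a "someone in a responsible position runs the developer's script" control that fails because the runner never reads what they run. An added example (not from the original post or any real product) of a pre-execution gate that makes the review concrete: it splits a submitted SQL change script into statements, flags anything destructive or unscoped, and refuses to proceed unless the approver explicitly acknowledges each flagged statement by number. The script text and ticket id are constructed sample input; real deployments would hook this into whatever ticketing and change tooling they use.

```python
import re

# Constructed sample change script, standing in for what a developer hands to ops.
SAMPLE_SCRIPT = """
-- ticket CHG-0001 (constructed): fix a spelling error in one product row
UPDATE products SET description = 'Widget' WHERE id = 42;
DELETE FROM audit_staging;
DROP TABLE order_history;
"""

# Statement verbs that are irreversible without a restore from backup.
DESTRUCTIVE_VERBS = {"DROP", "TRUNCATE", "ALTER"}
WRITE_VERBS = {"DELETE", "UPDATE", "INSERT"}


def split_statements(sql):
    """Strip '--' line comments and split on ';'.

    Assumption: the script contains no string literals with ';' inside them;
    a production gate would use a real SQL parser instead of this splitter.
    """
    cleaned = "\n".join(line.split("--", 1)[0] for line in sql.splitlines())
    return [s.strip() for s in cleaned.split(";") if s.strip()]


def classify(stmt):
    """Return a risk class for one statement."""
    verb = stmt.split()[0].upper()
    if verb in DESTRUCTIVE_VERBS:
        return "destructive"
    if verb in ("DELETE", "UPDATE") and not re.search(r"\bWHERE\b", stmt, re.I):
        # A DELETE/UPDATE with no WHERE clause touches every row in the table.
        return "unscoped"
    if verb in WRITE_VERBS:
        return "scoped-write"
    return "read"


def review(sql):
    """Return (findings, blocked): every statement with its class, and the
    subset an approver must acknowledge one by one before execution."""
    findings = [(n, classify(s), s) for n, s in enumerate(split_statements(sql), 1)]
    blocked = [f for f in findings if f[1] in ("destructive", "unscoped")]
    return findings, blocked


def gate(sql, acknowledged):
    """Approve only if every flagged statement number is in `acknowledged`.

    Forcing the approver to name each risky statement is what turns a rubber
    stamp into a review: they cannot sign off without having seen the DROP.
    """
    _, blocked = review(sql)
    missing = [n for n, _, _ in blocked if n not in acknowledged]
    return len(missing) == 0, missing


if __name__ == "__main__":
    findings, blocked = review(SAMPLE_SCRIPT)
    for n, cls, stmt in findings:
        print(f"{n:>2} [{cls:<12}] {stmt}")
    ok, missing = gate(SAMPLE_SCRIPT, acknowledged={2})
    print("approved" if ok else f"blocked: statements {missing} not acknowledged")
```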
I'm making these comments in virtually every subthread, so I thought I'd just bring them all to the front.
1) For those who are claiming that the implementation/specific requirements are too strict, could you give an example? I have had to do things required for SOX compliance (and I know of plenty of other things that my company, and others, have done), and I have to say, I have yet to see anything that I consider overly burdensome. And certainly not so overly burdensome that they outweigh the benefits of the intended effect of SOX: ensuring more accurate and honest reporting in filings by public companies, and ensuring that management is held responsible for what is in those filings.
2) For those who are claiming that the original intent of SOX is wrong, could you please explain why you think so in those parameters? There are certainly downsides to SOX, but a million posts saying "SOX sucks" or "I have to do a whole bunch of extra things so that my company is SOX compliant" doesn't mean anything. First, obviously it doesn't provide any kind of example. Second, there's no reasoned logic as to why these downsides are worse than the upsides. Which leads me to...
3) For those who are claiming that the original intent was good, but the implementation is faulty, again, could you provide examples? Personally, I feel that extra work for you (or your accounting department, or whoever) is worth it if it helps to ensure that 10-Ks and the like are as accurate as possible. There is certainly a point at which the expense to make them more accurate outweighs the benefit of that improved accuracy. But remember, as I pointed out upthread, these filings are not FOR the company, or even really FOR the government (nearly every company has two sets of books, one for tax purposes and one for annual reports); they're for you, me, and every other person (and institutional investors) trying to decide whether investing in that company, be it through stocks, bonds, or any other avenue, is a good investment. The purpose of these filings and the role of the government in ensuring the accuracy of those filings is to make sure that investors have as much (and as accurate) information as possible. This is a good thing. If you'd like to argue that it's not, I (and probably others) will be happy to do so. If you're simply trying to point out that SOX doesn't fulfill its intent, then please, please say WHY you think that, and please give some thought to how much more work you would be willing to put up with, and how much expense you think is acceptable for a company to incur, to help the markets get better information.
4) Finally, there is a very interesting argument against SOX that is getting ignored upthread. SOX is definitely a regressive expense. Small businesses are paying a higher percentage of their revenue (or pre-tax income, if you want to be pedantic) than larger companies. Is this fair? What, if anything, can be done to alleviate that problem? What slope of regression (I'm probably butchering this terminology-wise, but I think you know what I mean) is acceptable to you, assuming you believe that SOX is otherwise a net benefit?
On the whole, obviously I am in favor of SOX. I wholeheartedly agree with the thought process behind it, and in my experiences dealing with it, I haven't found anything to change my mind. If you disagree, let's talk about it. This is a very, very important issue. But let's talk about it rationally and logically. Throwing out "it sucks", "I hate SOX", and "It doesn't work" don't do anything to further the discussion.
And yes, I am a longtime Slashdot reader, and I know that it's sometimes hard to find real, thought-out discussion. But we can certainly try for it.
It's a big, bad issue and Congress must act...before the corrupt party gets thrown out of office and we have to start all over bribing a new set of lawmakers.
I think you're not being honest here. You should replace "bribing a new set of lawmakers" with "bribing the other corrupt party".