Slashdot Mirror


Sarbanes-Oxley Costs Exceed Benefits

coondoggie writes "Two years of compliance with the Sarbanes-Oxley Act (SOX) have shored up corporate accounting practices - but with lopsided costs compared to benefits gained. Bill Gradison, acting chairman of the Public Company Accounting Oversight Board (PCAOB), said that guidance the SEC issued last year and PCAOB's latest auditing standard may not be enough to clarify the rules that govern the reporting and auditing of internal controls. 'Based on the information we already have, it would seem that some further changes may be in order,' Gradison said."

2 of 371 comments

  1. UNIX Audit Tools by __aahsof7392 · Score: 5, Interesting

    I have quite a bit of experience with Sarbanes-Oxley and UNIX compliance. One weak area is auditing root and shared account access. Generally the developers know the application account's password (like oracle or db2) and it's really hard to audit who did what. I created the tool Enterprise Audit Shell (EAS) which centrally logs shell access and sessions in an enterprise environment. Sessions can be snooped in real-time or played back at a later time. Each session is digitally signed and transmitted via OpenSSL.

    Project Site: http://sourceforge.net/projects/eash
    Support Forum: http://eas.strchr.net/

  2. Re:Misleading summary by EweLambGeo · Score: 5, Insightful
    I strongly disagree with this objection. Sarbox, IMHO, is the most poorly conceived and implemented piece of government regulation to come out of Washington since the Carter administration attempted to allocate gasoline deliveries at the retail level. In case you were not driving then, gas stations ran out of gas all over the US. It was awful, especially if you needed to get somewhere. What the SEC hath now wrought is a set of undefined requirements which it has told the entire American corporate world to go implement or be ... severely punished.

    While slashdotters may derive a justified modicum of righteously deserved glee in this state of affairs - who here hasn't been given like orders - the economic waste on the national scale is so hideous that it needs airing. Never before has so much money been wasted on useless butt-plate.

    The concept here is that corporate processes need to be audited independently to prevent fraud and malfeasance. Wonderful idea. What the SEC people had no clue about, however, was just how many processes there are churning away every day in a normal company. There are thousands! If you want to monitor the pain Sarbox is inflicting, subscribe to the alerts from CFO.com. For example, one company just found out it would have to pay its auditors - that's right, the people who failed to catch Enron's malfeasance - $50,000 a year just to audit its employees' vacations. That's not so much alone, but when you multiply it by everything going on in a company, the costs are absolutely humongous. And all of this money is going to the people who not only failed to prevent Enron but told them how to do it. Something is seriously wrong here.

    Proportionately, the costs for smaller businesses are much higher (typically 20x). This has an anti-technology bias that hurts all of us in technology and eventually the whole economy. Because our start-ups are small and Sarbox denies us capital, we will not be able to hire and develop. This is bad Kool-Aid.

    The supporters of Sarbox are: a) Big Labor - they are more successful unionizing big/old companies, fail miserably with high-tech startups, hate us, and actively seek to ruin us, b) Auditors - they make the money from this regulation, c) Regulators - from their perspective, regulation is always good and Sarbox means hiring many more of them.

    The losers are everyone else, especially us in the technology sector. I'm developing technology that could make corporate treasuries more efficient by increasing their control of liquid assets. I cannot sell it because of Sarbox and all its distractions. Ironically, corporate treasuries are so involved in dealing with the worthless regulatory minutia of Sarbox that they cannot invest the time to evaluate systems that would actually improve their control of corporate liquid assets.

    I wish I could conclude this rant by recommending what we should do, but I am not as politically astute as our foes. All I can say is let's hope for the best and maybe someone out there in the political world will get a clue.