Sarbanes-Oxley: fight it or accept it? Page 1 of 2
Wednesday 5. Oct 2005
Home Sarbanes-Oxley: fight it or accept it?
CEO Services In the USA, the recent raft of regulations associated with the Sarbanes-
Oxley Act is deeply unpopular. But can anything be done? Dwayne
Useful Links Jorgensen of Computer Task Group, Inc and Tim Leech, chief methodology
Subscribe officer for Paisley Consulting, think so.
The well-known Serenity Prayer urges: 'God grant me the serenity to accept the
things I cannot change, courage to change the things I can, and wisdom to know the
The Sarbanes-Oxley (SOX) issue is a classic example of a situation that requires such
CEO Solutions wisdom on the part of executives directly or indirectly affeted by these rules.
showcases the most
innovative solutions to The Sarbanes-Oxley Act effectively makes senior management responsible for making
ensuring that its financial statements are reliable, but it has also brought with it
regulation that has increased the costs and difficulties of doing business. So should
Corporate Strategy executives escalate the battle for change or accept the rules as they are and move
Some believe that publicly fighting SOX is dangerous. Others passionately believe that
Outsourcing not continuing the fight condemns companies to unnecessary costs and sub-optimal
Lifestyle returns. Non-US listed companies are not immune to the dangers of the SOX regime.
Even private companies may be caught in the SOX web, as major credit agencies
increasingly view SOX-generated financial statements as superior to current Grade C
private company and European financial statements.
The Securities and Exchange Commission (SEC) invited comments in early 2005. They
received hundreds of angry submissions. Unfortunately, the vast majority of senior
executives continue to maintain a silence on SOX. Those who do speak up often focus
on the high costs and severe disruption SOX causes to their businesses. But few of
the comments filed with the SEC contain concrete, practical suggestions on what
should be done to fix the problems with current regulations.
In response to the complaints, the SEC and the new auditor oversight agency, the
Public Company Accounting Oversight Board (PCAOB), offered 'clarification'
statements on the existing SOX rules on 16 May 2005. In reality, these policy
statements have clarified little and fixed almost nothing. So can and will the SOX rules
be changed to reduce the pain, or should the rules be accepted with serenity as they
stand by investors, boards and senior executives?
The need for change
The Computer Task Group, Inc (CTG) feels that the battle for practical changes to the
SOX implementation rules should be escalated, more resources dedicated to the fight
and better and more thoughtful strategies developed to force major revisions to the
rules. If the rules must be accepted in their current form, businesses should do
everything possible to minimise the costs and disruption to their operations and
generate as many tangible benefits as possible.
SOX the law is not the problem. It calls for what many would readily accept: that
Sarbanes-Oxley: fight it or accept it? Page 2 of 2
senior management should have a responsibility of care and that they must make
sure that its financial statements are reliable. It is the regulations enacted by the SEC
and, to a greater extent, the PCAOB that have caused the massive costs, now
estimated in the tens of billions of dollars. The PCAOB, through Audit Standard 2,
assigned primary responsibility for deciding the type and number of controls
companies should have with external auditors - the same auditors who will be sued if
they issue wrong audit opinions.
The way forward
CTG believes that boards and senior executives should continue to lobby to have the
SOX implementation rules revised and the power imbalance between management
and external auditors corrected. They should also call on the SEC to establish an
independent agency to develop and expose for comment more practical guidance for
management on how to assess and report on control effectiveness. And they can
exploit the leverage provided by the SEC in its 16 May Staff Statement calling for
management to play a bigger role in deciding what a 'reasonable approach' that
provides 'reasonable assurance' should look like. The external auditors have driven
the agenda thus far.
Finally, they should reduce their reliance on costly, ineffective manual control
assessment and deploy enterprise-wide automated risk and control monitoring tools
that efficiently identify the real risk exposure areas.