CFOs and CIOs are working hard on Sarbanes-Oxley (SOX) compliance these days. In every public company I visit, there are projects underway to audit, design, and test internal controls that back up corporate financial reporting, as required by SOX Section 404. IT departments play a large part in these projects because, in practice, many of these internal controls are implemented in software. The effort is huge, but it’s worth the cost if it makes public companies more transparent and accountable to investors.
But according to Ira Solomon and Mark Peecher at the University of Illinois, the investment is largely being wasted. In a Wall Street Journal article (Nov. 9), they write, “There’s not a shred of evidence that the stringent new rules will help protect the investing public.”
According to Solomon and Peecher, there are two problems. First, most of the focus on internal controls is at lower levels of the organization. But the “lootings” that took place at companies such as Enron and WorldCom didn’t happen down in the trenches but took place at the executive level, where controls “can be stealthily overridden by C-suite members.”
I pointed out this issue over two years ago in a post entitled, “Memo to Forrester,” where I criticized the analyst firm, in part, for promoting sophisticated technology solutions for preventing corporate fraud precisely because they wouldn’t address cheating by top management.
The second problem, which to me is even more significant, is that too many internal controls are focused on historical events rather than forward-looking early-warning signals. Solomon and Peecher write:
Decreased production quality, for example, can result in unprecedented returns that go unnoticed in the accounting system until many customers begin requesting return authorizations.
The narrowness of SOX 404 controls also is evident when one reads complaints in major lawsuits against public companies and their auditors. Therein, one often finds allegations that management’s business-controls, i.e., their dashboards of key performance indicators, had signaled dangerous changes in their operations. But, management did not publicly disclose these warning lights: a number of key stores were about to close, a home-run drug was about to be excluded from Medicaid formularies, major customers had just walked away, and so on.
From an IT perspective, I like the authors’ focus on controls over the business, rather than just controls over financial reporting. In IT departments that I visit, much of the effort in SOX compliance appears to be narrowly focused on documentation and ensuring that there are adequate policies and procedures around IT security and disaster recovery.
These areas are important, of course. But I’d like to see more energy spent asking questions like, “What systems can we implement to give management the performance metrics they need to spot problems before they impact the business?” If just a portion of the millions of dollars spent on SOX compliance was directed toward forward-looking performance reporting, the investment would pay off enormously. Shareholders would receive not only better financial reporting, but better business performance and return on investment.