% fortune -ae paul murphy

404: not founded in reality?

Sarbanes-Oxley has proven itself to be a terrific money maker for the accounting and legal industries in the United States, but the evidence on its effectiveness as an information equaliser in the capital markets is ambiguous at best.

Here's the soxlaw.com section 404 summary:

Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures.

The registered accounting firm shall, in the same report, attest to and report on the assessment on the effectiveness of the internal control structure and procedures for financial reporting.

In response Congressmen Meeks and Feeney along with Senator deMint have introduced measures aimed at making section 404 voluntary for smaller companies, while Congressman Flake has promised to re-introduce his earlier bill making compliance voluntary for all.

The point of this is simple: if investors value Sarbanes-Oxley 404 compliance over its cost, a voluntary program should produce a price differential between those companies which comply and those which don't that's more than sufficient to pay the cost of that compliance.

The impact on IT could be enormous: the single most important issue for every CIO in mid range and larger companies isn't Microsoft upgrades but the identity management component thought to be required for Sarbanes-Oxley compliance.

It is compliance requirements as (mis)interpreted by lawyers and accountants that prevents a lot of manpower redeployment and technological change in IT - right now, for example, most oversight committees would blanch in horror at the thought of letting the same person manage both systems and the databases run on those systems. Similarly, most demand extensive documentation on trivial projects, prevent user driven ad hoc IT budget re-allocation, and insist that only people trained in 1920s style data processing technologies have audit signoff on non data processing technology projects like Java server or SAMP/LAMP installations with respect to which everything they're sure of, is wrong.

Worse, I don't believe there's any evidence that compliance has done, on net, much good for IT project quality, for IT processing continuity, for the accuracy of financial reporting, or for market transperancy.

So what's the bottom line? it's that if you have any opportunity at all to influence this, you should strongly support making at least section 404 compliance voluntary - because that will let your company decide to save big bucks while increasing IT flexibility - and just incidently get the auditors off your back.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.