Last week I was invited to an IT audit conference in Sao Paulo to give a speech on risk assessment methodologies applied to IT. There I had the opportunity to speak with many professionals from internal audit, public accounting firms and consulting services. Their most common concern was compliance with the SOX Act (non-U.S. companies and subsidiaries listed on SEC-regulated stock markets must comply this year) and the associated costs (not only money but also knowledge and human capital) they are incurring. As two years ago in the US, the audit and risk consultancy markets are heating up and overwhelmed; everyone wants to be ready for the internal control attestation derived from the law. There is no way out, they must make it!
Last year I was involved in a SOX project and I must admit it was difficult to deal with some unclear and bureaucratic requisites of the Act. SOX implementation processes have many positive consequences (from IT's point of view) but, of course, it is not perfect and satisfactory for all possible cases. Are the positive consequences of SOX more valuable than the negative ones? The answer is not straightforward in many aspects, and we don't have sufficient historical data to measure the effects; even if we had it, it wouldn't be simple to do. The pertinent question is: what does this bill really mean?
Let's suppose that I and some partners have a property in Hawaii; because we don't have enough time to use it, we decide to rent it out. Taking care of the renting details (like dealing with tenants, maintenance, security...) requires time as well, so we decide to hire an administrator to manage the whole thing. The administrator contracts several services, including surveillance, to ensure our (and the tenants') assets are properly safe. Two years later we visit the property and we discover that we were wrong. The property is devastated, the administrator in collusion with the security services has been stealing assets, and the good tenants have gone. The value we thought we had has evaporated. Fraud was taking place. The case arises in the local media; the city mayor is concerned because the housing system of the city is based on properties like ours, and tries to respond by creating a new local regulation to increase security (for example, buildings must have 24h surveillance cameras, security teams, locks, ...) free for the tenants. So we (and all other owners) must spend more money on security services to comply with the new regulations.
Economists who have researched these regulations conclude that their effect is the same as a tax. In this case, a tax that transfers resources from property owners to security providers and tenants. The irony in this story is that the regulation sets a premium for the security firms that were involved in the fraud.
Enron and similar financial scandals are used to justify the issuing of the SOX Act by the US Congress in order to protect stakeholders (an important part of whom are owners). As in the story above, SOX is a tax imposed on owners and customers. Whether the tax is desirable or not is another question, but the bottom line is that we should be aware of its existence. Therefore, IT managers should consider the SOX tax as an additional cost when preparing project plans or estimating ROI drivers. Avoiding or underestimating this cost could transform a profitable project into an unprofitable one. Actually the problem is greater: why has the government (which ignores the organization's real risks and strategy) transformed a profitable project into an unprofitable one? But that is another story....