
Blogging Innovation


A leading innovation and marketing blog from Braden Kelley of Business Strategy Innovation

Friday, March 26, 2010

Is SOX the mortal enemy of innovation?

by Rocco Tarasi

The Sarbanes-Oxley Act, commonly referred to as 'SOX', was enacted in 2002 as a response to Enron and the Enron-like financial scandals of the time. I'm in the enviable position of (1) being an ex-accountant and auditor, and (2) selling software that, among other things, is used to track compliance with SOX, which gives me some perspective on the impact SOX has had on companies.

Without getting into the boring details, SOX can be (and has been) generalized as forcing companies to document their risks (i.e. "what can go wrong") and ensure that they have controls in place to prevent, or in the worst case detect, when something does go wrong. While it was a response to accounting abuse, SOX is sometimes interpreted by companies or their auditors more broadly to include virtually anything that could go wrong with the business. It can reach into the HR department, legal, IT, operations - everywhere.

What is the result? Overall, SOX seems to have put the fear of God in companies from doing anything out of the ordinary. It has resulted in stifling innovation in many companies. It may not seem like it from the outside - companies like Apple are still releasing new products after all - but behind the scenes, SOX has made innovation more difficult.

How? First, SOX brought the need to have written rules (policies, procedures, controls) for seemingly everything. More rules, less flexibility. Second, risks are now viewed more negatively than ever before. And not just accounting risks, but any business risk that could have a financial impact. Auditors don't like risks, and don't want their clients to have risks.

Innovation is often about doing something different, and it is much harder when there are more rules that govern what you are allowed to do. Innovation is also oftentimes about taking risks, which is in conflict with how many organizations have adopted SOX.

I'm not saying rules are bad - I for one believe they are necessary, as long as they make sense. An area that they often don't make sense is in software selection. Some companies have, of their own initiative or through the scornful eye of their auditors, erected barriers for software selection so high that they prevent companies from buying cutting edge products that might still be in beta, or products sold by start-ups with no track record, or products delivered through the cloud. You guessed it - all too risky in the eyes of the auditor. Companies end up taking the safe route. You "never get fired for choosing IBM" - even if it costs ten times more than an innovative start-up product.

I recently received an I-kid-you-not 150-question IT checklist from a prospective customer that "needed it completed to comply with SOX." I have no problem answering good IT questions that help a customer determine which solution is right for them. In this case though, there wasn't a single useful question anywhere in the checklist. Literally, not one. "Does the vendor have password rules" and "Does the vendor use antivirus software" are frankly ridiculous questions that are not going to provide any reasonable information for system selection. Even if a vendor didn't have either of these - highly unlikely even for the smallest start-up - they would still answer yes. 150 questions later, the organization might have 'checked the box' on their due diligence procedure for SOX, but they have not in any way reduced their risks. In fact, the only thing they accomplished was tilting the selection in favor of the biggest vendors that employ armies of people to answer ridiculous questionnaires.

As companies grow they are forced under their own weight to institutionalize their processes, and that very action can limit their innovative potential. SOX has simply tripled that weight. According to the SEC, SOX compliance costs more than $2.3 million in direct costs at the average company. If those are the direct costs, it makes you shudder to think about what the indirect long-term costs will be.





Rocco Tarasi was an accountant, investment banker, and CFO before becoming a technology entrepreneur. He writes about innovation at www.InnovationMinute.com with a focus on "everyday" innovations in business models, sales strategies, products and services.


2 Comments:

Phil Ayres said...

Rocco, I agree that SOX is one of those pieces of legislation that every company loves to complain about.

I've watched this over and over, as companies complain about the documentation, risk assessment and testing of their internal controls. The fact is, in many cases only by doing this have companies actually uncovered large gaps in their control frameworks, the processes that prevent them from fraud, or risks of errors that could cause them an avoidable need to restate their earnings in the future.

Many companies have got the idea that paying attention to their business processes, automating where possible and streamlining them with software tools such as BPM, can be a huge benefit and lead to cost savings. Those that just choose to document and fix up the mess they have are obviously going to see only a cost in SOX compliance.

I helped a publicly traded company through some automation of the controls and documentation within their finance team, and frankly it was painful. It seems rare that any team reporting directly to the CFO has any money to invest on doing their jobs better, instead relying on the abilities of the team members to put in another few hours. This makes it significantly harder than it should be to make improvements to the way the operations run.

Investment in a tool to help manage compliance is important in large, complex organizations. Actually investing to make your business processes better is far more important in my opinion, and directly impacts SOX while also helping the bottom line.

Like many things, SOX has indicated a reluctance by organizations to work differently or work better, and so the inefficient and ineffective ways of the past will be retained.

And my company today? I wouldn't go for an IPO unless you paid me really well. SOX sucks! (oh the blatant hypocrisy...)

Cheers

Phil

5:47 AM  
Rocco said...

As a follow-on to the article, Forrester has released a study showing that company security programs are driven more by compliance than by the actual desire to secure their data. As Phil points out, some companies actually "get it". Unfortunately many do not.

Here is the link to CNET's article. http://news.cnet.com/8301-13846_3-10472754-62.html?tag=mncol

4:41 AM  
