Sarbanes-Oxley … Needless Overhead?

Enron and WorldCom … two members of the Evil Empire who triggered the Sarbanes-Oxley (SOX) Act of 2002. Ancient history, right?

In the past few sessions of Congress, exemptions from SOX regulations have been considered for greater and greater numbers of publicly traded companies. The 2012 JOBS Act removes the external audit requirement for “small and emerging” businesses (less than $1B revenue per year) for their first 5 years. After that time, the external audits are required. According to William A. Niskanen, the 2005 chairman of the Cato Institute, the current regulations and the accompanying external audits represent a significant drain on corporate resources and should be significantly reduced or eliminated.

Others disagree. Former US Congressman Michael Oxley and former US Senator Paul Sarbanes, authors of the 2002 Act, feel that we’re still in trouble. In a 2008 interview, Oxley and Sarbanes pointed to the subprime loan crisis as an example of how the “lack of transparency” in the secondary market made it impossible for investors to properly assess risk. They feel that the Sarbanes-Oxley Act is still needed.

The current president of the American Institute of Certified Public Accountants, Barry C. Melancon, agrees. In a March 2012 open letter to the members of the US Senate, Mr. Melancon notes that,

consistency in applying accounting standards for all public companies is vital to investors, along with clear, objective and transparent financial information.

But the 2002 Sarbanes-Oxley Act is not just about financial audits and disclosures. It includes guidelines for, and audits of, information technology (IT) applications and environments. Primarily, SOX protects “sensitive user information”, including:

  • Account numbers and identifiers
  • Customer numbers
  • User names
  • Credit card or bank information of any kind
  • Passwords
  • Private messages and blog posts
  • Wage information
  • Social security and driver’s license numbers
  • Birthdates

In spite of SOX regulations, we routinely hear of such information passing into “inappropriate” hands. Does that mean that SOX regulations and audits are ineffective and should be abandoned?

In many cities and towns, inspectors routinely check for fire code violations at businesses and high-rises, yet commercial fires still occur. Would you want those inspectors to abandon their efforts? I certainly wouldn’t.

Similarly, I wouldn’t want to see the removal of IT environment audits. While I have generally found external audits to be an annoyance, I have to admit that I appreciated it when an auditor did find something that my teams had missed.

It is much better to be proactively correcting a mistake than to be picking up the pieces after a security breach. Both businesses and their customers benefit from the Sarbanes-Oxley regulations.

Those of us who must stop our other work to ensure compliance may find SOX regulations irritating, but they do keep us vigilant. Even though you have added work to my task list: “Thank you, Senator Sarbanes and Congressman Oxley”.


References and Related Content

Public Law 107–204, July 30, 2002 [Sarbanes-Oxley Act].

“Don’t let reduction of compliance regulations short-change governance”, by Scot Petersen, April 2012.

While this may reduce some paperwork and reduce costs, it wouldn’t be prudent to abandon compliance exercises merely because they are no longer law. … Reduction of regulation overhead is always a good thing, but don’t let JOBS become an excuse for avoiding or reducing corporate governance policies that add value to the business.

“What the JOBS Act Means for SOX Compliance”, by Bill Bockwoldt, April 2012.

“Obama Signs JOBS Act to Boost Startups”, by Chloe Albanesius, April 2012.

Companies already have two years to comply with certain Sarbanes-Oxley auditing requirements. The JOBS Act extends that to five years – or less if the company reaches $1 billion in gross revenue, $700 million in public float, or issues more than $1 billion in non-convertible debt in the previous three years.

“Congress Should Repeal the Sarbanes-Oxley Act”, by William A. Niskanen, Cato Institute; appeared in the Baltimore Examiner on August 2, 2006.

“Subprime’s parallels with Enron and WorldCom: Michael Oxley and Paul Sarbanes”, March 2008.

Open Letter to Members of the United States Senate, from Barry C. Melancon, President and CEO of AICPA, 19 March 2012.

“Sarbanes-Oxley IT Security Compliance Checklist”, by Jason Kolb, April 2006.
