A warning: this post is going to be revised a lot over the next few days, weeks, and months, for a few reasons. First, it is an EXTREMELY important topic for publicly traded American companies. Second, it is sucking the life out of publicly traded American companies. The fine folks at Wikipedia have been working on this topic since late November 2004 (I think) and have a pretty good entry on what the Sarbanes-Oxley Act of 2002 (SOX) is. The one topic the article does not seem to address, and one of the most painful and frustrating results of living under SOX, is “separation of duties.” As that article is not complete (there are still disputes), perhaps more information on the separation of duties aspect of the act will be covered there eventually.
From a political standpoint, SOX was an overwhelmingly popular piece of legislation. Out of 530 congressmen, 3 Representatives voted “No” and 8 just didn’t show up. As is typical with Congress, they reacted to a few bad apples (Enron, WorldCom, etc.). As is typical with Congress, they wrote more unnecessary laws. Were Kenneth Lay or Jeffrey Skilling indicted on July 7, 2004, for violating the Sarbanes-Oxley Act of 2002? No, they were indicted on various securities fraud violations, under laws that had been on the books for many, many years. The law was written to appease the American public. Has this fine piece of legislation led to an increase in prosecutions of white collar crime? According to Nera, no. A search of the web reveals a few, notably Penthouse.
So why does it matter anyway? Besides the considerable tangible cost of complying with SOX (external auditors, special software), there is an intangible cost caused by the inefficiency that SOX seems to force, especially on smaller businesses or smaller sites within larger businesses. For example, let’s say that you work for a company that has 1500 employees. It would seem that you could easily separate duties so that one person cannot create themselves as a vendor (e.g. Bob’s Widgets), create a Purchase Order to Bob’s Widgets, receive fictitious material from Bob’s Widgets, and then pay Bob’s Widgets (really themselves) for this fictitious material. However, what if you are a small site, let’s say 30 people, where only two people share the duties listed above: one person creates vendors, creates purchase orders, and pays the vendor, while a second person receives material in the receiving department. Under SOX, one person having the ability to perform multiple steps within the “req to check” process fails the separation of duties requirements of internal control.
This issue gets very difficult for those employees who support the company’s Business System Help Desk. The access to transactions that would allow a Help Desk resource to quickly determine and resolve a Help Desk issue would almost certainly fail the separation of duties test. In our company, this access is limited not only in the “productive” environment (where the company runs its business), but also in the quality assurance environment (where changes to the business system are tested). Many Help Desk support calls are hampered by the need to request access to the required transactions and then wait for the review and approval process. Often, access granted to resolve a user’s issue has an end date of a few days. If the user’s issue resurfaces, the request, review, and approval process has to be completed again before the frustrated employee can be helped.
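To make the separation of duties test concrete, here is an added example (not from the original post, and not anything the company described above runs) of the kind of conflict check an auditor or an access-governance tool applies to the “req to check” process. The four duties, the rule that any two of them held by one person is a conflict, the user names and the grant dates are all assumed for the example. It also covers the Help Desk case: a temporary grant with an end date is a violation only on the days it is active. The function that computes the minimum headcount generalises the point that a two-person site cannot satisfy a four-way conflict rule no matter how the duties are split.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations, product
from typing import Dict, Iterable, List, Optional, Set, Tuple

# The steps of the "req to check" process that the post describes.
VENDOR_CREATE = "vendor_create"
PO_CREATE = "po_create"
GOODS_RECEIPT = "goods_receipt"
VENDOR_PAY = "vendor_pay"
DUTIES = [VENDOR_CREATE, PO_CREATE, GOODS_RECEIPT, VENDOR_PAY]

# Assumed conflict rule set for this example: any two of the four duties held
# by the same person is enough to run the fake-vendor scheme, so every pair
# conflicts. A real rule set would be tailored to the business.
CONFLICTS: Set[frozenset] = {frozenset(p) for p in combinations(DUTIES, 2)}


@dataclass(frozen=True)
class Grant:
    """One duty assigned to one user, optionally time-bounded (end=None means permanent)."""
    user: str
    duty: str
    start: date
    end: Optional[date] = None

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)


# Constructed sample data, not real users or dates:
#   alice/bob   = the 30-person site from the post (alice holds three duties)
#   carol..frank = a site large enough to give each duty to a different person
#   bob's PO grant = a temporary Help Desk grant with an end date
SAMPLE_GRANTS: List[Grant] = [
    Grant("alice", VENDOR_CREATE, date(2004, 1, 1)),
    Grant("alice", PO_CREATE, date(2004, 1, 1)),
    Grant("alice", VENDOR_PAY, date(2004, 1, 1)),
    Grant("bob", GOODS_RECEIPT, date(2004, 1, 1)),
    Grant("bob", PO_CREATE, date(2005, 3, 1), end=date(2005, 3, 3)),
    Grant("carol", VENDOR_CREATE, date(2004, 1, 1)),
    Grant("dave", PO_CREATE, date(2004, 1, 1)),
    Grant("erin", GOODS_RECEIPT, date(2004, 1, 1)),
    Grant("frank", VENDOR_PAY, date(2004, 1, 1)),
]


def active_duties(grants: Iterable[Grant], day: date) -> Dict[str, Set[str]]:
    """Duties each user effectively holds on `day`, honouring grant end dates."""
    by_user: Dict[str, Set[str]] = {}
    for g in grants:
        if g.active_on(day):
            by_user.setdefault(g.user, set()).add(g.duty)
    return by_user


def sod_violations(grants: Iterable[Grant], day: date,
                   conflicts: Set[frozenset] = CONFLICTS) -> Dict[str, List[Tuple[str, str]]]:
    """Map each violating user to the sorted list of conflicting duty pairs they hold on `day`."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for user, duties in active_duties(grants, day).items():
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= duties]
        if hits:
            report[user] = sorted(hits)
    return report


def minimum_staff(conflicts: Set[frozenset] = CONFLICTS) -> int:
    """Smallest number of people that can hold every duty with no conflict.

    This is the chromatic number of the conflict graph; brute force is fine for a
    handful of duties. With all four duties pairwise in conflict the answer is 4,
    which is why a two-person site cannot pass the test however it splits the work.
    """
    duties = sorted({d for pair in conflicts for d in pair})
    pairs = [tuple(pair) for pair in conflicts]
    for k in range(1, len(duties) + 1):
        for colouring in product(range(k), repeat=len(duties)):
            owner = dict(zip(duties, colouring))
            if all(owner[a] != owner[b] for a, b in pairs):
                return k
    return len(duties)


if __name__ == "__main__":
    for day in (date(2005, 3, 2), date(2005, 3, 4)):
        print(day, sod_violations(SAMPLE_GRANTS, day))
    print("minimum staff for this conflict rule set:", minimum_staff())
```

Run on the sample data, alice is reported on both dates, bob only on 2005-03-02 while the temporary grant is live, and the carol/dave/erin/frank site is clean, which is the whole difference between the large and small sites in the post. The same check run on a date after a temporary grant has expired is what makes the "request it again when the issue resurfaces" cycle auditable.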
This post is already getting too long, so I am going to stop. The bottom line is this: publicly traded American businesses and the people who work for them are paying a high price (dollars and frustration, respectively) because of a statistically insignificant number of corrupt people. Are our competitors around the globe living under the same scrutiny? I don’t think so.
What do you think?