This week, the U.S. Supreme Court considered a broad challenge to the Sarbanes-Oxley Act, and it chose to rule narrowly. The 5-4 opinion changed the way the members of the Public Company Accounting Oversight Board (PCAOB) can be removed from their posts. (Henceforth, the ax can fall for any reason at all, as opposed to “for cause.”) But the court did not alter the authority of this private regulatory board to oversee the U.S. accounting industry. And it steered clear of the constitutional challenge to the Sarbanes-Oxley Act raised by Free Enterprise Fund v. PCAOB. The SOX antifraud legislation that was passed in the wake of the corporate thievery at Enron and WorldCom was left intact — or as Chief Justice Roberts stated on behalf of the majority, “fully operative as a law.”
Put me in the camp of those who cheered.
And count me as one surprised by my reaction.
Sarbanes-Oxley compliance is a topic I’ve reported on practically since the day I started writing for SearchCIO.com in 2005. The stories have duly noted the soaring costs of becoming SOX compliant after the law went into effect; complaints about the notorious Section 404, which requires companies to prove the adequacy of their internal controls; the stop-and-go efforts of the U.S. Securities and Exchange Commission to make SOX compliance less excruciating for smaller companies; the contention that the Sarbanes-Oxley Act put U.S. public companies at a disadvantage on the world stage; and yes, the overzealousness of the PCAOB. In the absence of clear guidance from the PCAOB on how to comply with the law, many companies erred on the side of overkill. Critics complained that despite the SEC’s changes, the law did little to protect against fraud and had accountants laughing all the way to the bank.
Although they couldn’t have been laughing nearly as hard as the band of obscenely compensated bankers who helped propel the world into the worst economic slump in over 50 years.
But a funny thing did happen on the way to Sarbanes-Oxley compliance, at least from an IT perspective. CIOs and IT departments sweated through SOX compliance to preserve the good name of their CEOs and boards, who have to sign off on financial results as a result of the Sarbanes-Oxley Act. But many of the left-brain problem-solvers took SOX regulations as an opportunity — a starting point — for rationalizing the Hydra’s head of IT controls across the enterprise. Tommy Thompson’s journey from SOX chaos to risk-based compliance management is a good example.
Corporate greed will always be with us. Overspending on technology and resources to meet compliance requirements is still a problem. But IT — and I daresay, investors — are not less well off because of the Sarbanes-Oxley Act.