Just about everybody I know in the business world thinks the Sarbanes-Oxley legislation of 20002 (referred to as Sarbox) is really bad — high cost and de-focusing of management. There is certainly a basis for a less than rosy view of Sarbox — the act contains 68 sections and is 66 pages in length. The principles behind the legislation are not the problem — no one would argue against transparent, honest, accurate reporting and ethical operations in every aspect of a public company. Shareholders expect and deserve that. The issue is the cost and complexity of compliance with the sixty-six pages of details.
The part that causes the most challenge for businesses is Section 404: Management Assessment Of Internal Controls. Among other things, "404" requires the annual report of a public company to contain an "internal control report" which states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and contains an assessment of the effectiveness of the company’s internal control structure and procedures for financial reporting.
Not only is this a mouthful, it is very hard to be able to attest to. In order to say that things are "under control" it is necessary to first gain an understanding of exactly how things work. The "things" are business processes — things like accounts receivable, tax calculations, invoicing, pension disbursements, credit card processing, etc. Companies have thousands of processes and sub-processes. Some of them are decades old, some are done by hand or with spreadsheets, faxes, forms, and antiquated procedures. Companies that have made acquisitions have even more processes because they have multiple processes for doing the same thing.
On the one hand, 404 is a giant headache, but on the other hand it is an opportunity. In fact according to a CIO Insight/Gartner survey, 51 percent of companies are attempting to "take advantage of Sarbanes-Oxley initiatives to achieve better business performance". This is the silver lining in the cloud. The requirement to analyze processes in order to certify that they are working presents the opportunity to automate them. Many IT companies are jumping on the opportunity and offering tools and services to insure compliance and also automate the manual reporting and certification steps that are now done manually. For example, IBM has been making a number of acquisitions of companies that provide linkage between the IT systems and the actual business processes themselves.
Inefficient processes are not only costly and prone to error, and thereby present a Sarbox exposure, but they also usually manifest themselves in poor customer satisfaction or inconvenience in some way. A search on "fax this form" results in 225,000,000 matches! We have a long way to go.