Happy birthday, Sarbanes-Oxley.
Really. As the 10th anniversary (late July) of the sweeping regulation approaches, let's focus on the positive impacts of the regulation.
"Although many have been critical of Sarbanes-Oxley, there has been a benefit," says Shellye Archambeau, CEO of MetricStream, a GRC solution-provider based in Palo Alto, Calif. "There is increased accountability as the CEO and CFO take individual responsibility to certify and approve their financial filings. It has forced more transparency and stronger financial controls."
Yes, Archambeau -- as the head of a company whose solutions help companies achieve greater transparency and stronger financial controls -- has some skin in the game. However, she is also candid about the law's shortcomings.
"While the intent of Sarbanes-Oxley was laudable, the policy makers crafting the legislation and the [Public Company Accounting Oversight Board], responsible for oversight of audits of public companies, weren't and aren't comprised of practitioners," she continues. "Therefore, the effort, time and cost of Sarbanes-Oxley compliance was much higher than it should have been. Over the past decade, steps have been taken to reduce these burdens."
That said, focusing on SOX's upside has its own benefits: doing so can help lubricate process and change-management gears by encouraging organizational buy-in and strengthening the sustainability of the ongoing compliance effort. There is a major difference between a corporate program that is undertaken because "regulators are making us do this" and one that is performed in an effort to increase internal communications, streamline overall GRC capability, inspire investors and perhaps even deliver competitive advantage.
Can Sarbanes-Oxley compliance help companies differentiate from competitors? Maybe. Consider the financial services companies (well, consider most of them) that survived the financial crisis in much better shape than their competitors.
"Those that weathered the storm in the best shape probably had stronger risk management systems in place," explains John Kocjan, a principal with Deloitte Consulting LLP who leads Deloitte Consulting's financial services practice globally. "They probably had stronger management and better technology. And they also had a much more 'risk-intelligent' orientation. They did not get as deep into the subprime lending businesses as some other companies."
Not only did these risk-intelligent companies weather the storm better, they are now better positioned to enlarge their competitive advantage in the storm's wake by having the resources, time and space to pursue organic growth (and, in some cases, the financial resources to grow via acquisitions).
Should we celebrate Sarbanes-Oxley? Probably not; it would be better if the need for the legislation, regardless of its pros and cons, never arose in the first place. However, we might mark its birthday by reminding ourselves of the upside of possessing a strong and agile GRC capability.
"Companies should focus on the business benefits of the legislation," Archambeau adds, "by having strong financial controls as part of the company's standard operating procedures rather than looking at it solely as a government-imposed regulation."