What We Learn from Sarbanes-Oxley


Nearly seven years after Sarbanes-Oxley was enacted, many are using the beginning of 2009 to look back and evaluate the much-maligned legislation. Did it work? Is the cost worth the benefit? What can we learn from it, good and bad?


NewsFactor Network's Mike Silverstein says the last question is particularly pertinent as we approach a new round of regulatory activity designed to help "fix" the economy:

As our present economic and financial woes make a wave of new government regulations likely... people are revisiting SOX for possible guidance about the effects of such an effort.

The lessons are varied, he says, depending on who's answering the question. For instance, Tom Basilio, CEO of Withum+Smith and Brown Global Assurance, points out that though costs and benefits of the legislation were "way out of line" at first because no one understood how implementation should work, the costs have decreased since the Securities and Exchange Commission and the Public Company Accounting Oversight Board jumped in to provide additional guidance. "[C]ompliance costs are less than half of what they were," Basilio told Silverstein.


Perhaps lesson number one is simply that the regulators should provide implementation guidelines for the coming regulations early on, and thus prevent much of the confusion that Sarbox brought about.


Anthony Zecca, a partner with Cohn Consulting Group, says companies with a market capitalization of less than $75 million that are keeping their fingers crossed for yet another delay in Sarbanes-Oxley 404(b) compliance deadlines are "putting themselves at risk." He doesn't believe compliance requirements for smaller companies will be put off again.


The lesson to be drawn from this observation? Again, maybe Congress and the regulators should decide from the beginning when the new requirements will apply to companies of different sizes and then stick to it, or decide from the beginning that the smallest companies should be exempt. Either would be better than endless delays and indecision.


A third lesson is perhaps best explained by Zecca, who also told Silverstein that Sarbanes-Oxley wasn't "inclusive enough" in terms of controls. "It didn't focus on management controls... over risk," he said. The new regulations will most likely do just that.