When Good Ideas Go Bad

Did you catch this from The Washington Post? It is a list of the worst ideas of the decade. Work your way down the list and notice that seventh item. Yep, the article listed the U.S. Sarbanes-Oxley Act of 2002 as one of the worst ideas of the decade. There is an entire write-up on Sarbanes-Oxley that I invite you to read. It is very instructional. 

The article asks a question that should have been on all our lips from the very beginning — “…how (can) more accounting and reporting regulations…squelch fraud?” There is a history of regulatory knee-jerk reactions to significant business fraud, meltdowns, and problems (think all the way back to the U.S. Foreign Corrupt Practices Act), each and every one of them the accounting version of the war to end all wars. Yet the fraud goes on. What could Sarbanes-Oxley have possibly brought to the table that those other legislations didn’t? And what made any of us think additional legislation would solve the financial problems of the world?

Let’s ask it a different way. Did any of us truly believe one more legislative act, one more regulation, would work, would make a difference? And this is where we really have to look ourselves in the mirror and ask, “What hath Auditing wrought?” (I recognize we were not the only ones building this bandwagon, but that is no excuse.) We all became so enamored with the idea that the word “control” was suddenly a part of regulatory requirements that we ignored the practicality, we ignored the complications, we ignored the need for common sense. We then happily poured the Kool-Aid.

The Washington Post article is just one example of how reality is walking up to smack us upside the spreadsheet. You see, the only way that Sarbanes-Oxley efforts were really going to succeed was the same way auditors have succeeded in the past — by helping executive management understand how controls, properly planned and executed, can help in the overall achievement of objectives. In other words, explaining and educating in such a way that executive management bought into the basic premise. But, apparently, many of us forgot that basic premise and believed that regulations alone would make management care. There is nothing magical about a regulation. And management chose not to care about controls. Rather, the only thing most executives cared about was getting the documentation done and approved so they could move on with business as usual. 

There is a reason Sarbanes-Oxley has been called the full employment act for auditors; we were called on to do the work that should have been owned by management. And there was a lot of work to do. Management didn’t want to do it (again, all they wanted to do was get it out of the way), so we played our best Sally Field and were so excited that they liked us (they really liked us) that we jumped in to fill the void. In the process of taking over — whether that takeover was explicit or implicit — we invalidated the value that might have come from a Sarbanes-Oxley effort that was sold to management in such a way that management understood the benefits that might be possible. So, at the end of the day, a lot of money was spent, auditors had a lot of work, lots of documentation was completed, and meltdowns and fraud still occurred.  

I want to quickly add that I have painted with a broad brush here.  I have not done any Sarbanes-Oxley-related work myself, so my experiences and understanding of what has occurred are all second hand. And I have worked and talked with people who had very successful Sarbanes-Oxley efforts — ones where executives and management were right there in the trenches. But those examples are few and far between. They are greatly outnumbered by the people I’ve talked with whose audit departments did most of the Sarbanes-Oxley work, where management looked at it as being more of “that control stuff that Auditing does,” where nothing has changed. And I have also talked with people whose audit departments have done nothing but Sarbanes-Oxley work for the last few years. Explain this one to me — how can it be a good thing for any company when an audit department ignores the full range of assurance work for that long?

And here is why this is so important; this is why we have to learn our lessons and watch for these same pitfalls in the future. There is a lot of work going on by people who believe there should be legislation related to internal audit requirements. I agree that it is an important point. However, if in achieving that landmark we wind up with “one of the worst ideas of the decade,” we will have destroyed the progress we have made over the years. It is imperative that any work towards legislation related to internal auditing always have the full value of the company in mind, not just the wellbeing of internal auditing as a profession nor the sound and fury that signify nothing (which is about all most legislation achieves.)

The Washington Post article has its own slant, and I’m not going to comment on that. My comments have their own slant, and I’ll let you comment on that. But, in general, as one who watched from the sidelines, I am hard-pressed to think this law did much more than leave a bad taste in most auditees’ mouths. Yes, there are exceptions — the ones who acquired the taste necessary to enjoy the power of quality controls — but most were force-fed the medicine and now have no desire for anything that smacks of that particular brand of cod liver oil. We have a lot of ground to make back up, and a lot of work ahead of us.

 

Posted on Jan 4, 2010 by Mike Jacka

Share This Article:    

  1. Mike,

    I would like to say that I disagree with your comments, however I can't. In general much of the SOX work has yielded silly processes where people are clicking checkboxes that all the controls are working as intended, when in fact they generally are only doing the most minimal level of review. It reminds me of change control within system development. Many times I would review this and find that either no system was in place, or it was a check box where the manager would click a box saying that yes they had reviewed the change. Of course upon further review, one could see that the manager who arrived at 8:15 AM, had completed all reviews of the several emergency changes put in place over the previous evening by 8:20 AM. But we had change control. Likewise, we have SOX.

Leave a Reply