As someone who had to deal a lot with SOX compliance throughout my career, I would love to see the regulations loosened. They are overly onerous and in many cases downright bad, because they are so broadly written. At the same time, enforcement is terrible, because of the same broadly written rules.
Basically, you and your auditor work together to come up with an overly complex set of rules that somewhat meets the requirements, then your auditor brings in a bunch of consultants to help you implement their rules, which usually just means checking a lot of boxes, and then everyone calls it a day.
So really all it does is create a lot of work for a lot of people for very little gain. In a lot of cases we were going to do some of that stuff anyway, but now we had to slow down and show the auditor all the work. An auditor who usually doesn't care -- all they want to do is be able to say "yep I watched their presentation on this".
So I was quite surprised by the headline, that the auditor firms would want to roll it back. It's basically just a huge money maker for them.
And then I saw what they want to change -- they want to make the rules looser on how the auditors are audited. Basically they want to be able to keep being lazy.
SOX had great intentions but was one of the most poorly implemented regulations ever.
I currently work in Tech Strategy at a Big 4 - the reason why Big 4s want to roll it back is because over the last few years, their revenue in audit is steadily decreasing. Especially with automated tools, outsourcing, RPA taking over and making a lot of the grunt work significantly cheaper. At the same time, the consulting revenues are significantly going up. SOX limits the scope of work the Big 4 can execute at firms they audit (nothing related to financially significant systems etc.). The best client relationships are with the firms the Big 4 audit! Hence, the push!
The good ol' "channel 1" versus "channel 2" conflict, or whatever it's called nowadays.
Basically Big 4 "have to" audit but what they really want is to offer consulting services. There's a huge conflict of interest regarding these two parts and every few decades the Big 4 are forced to spin off consulting divisions. Not that that stops them from trying again :)
I've seen some very strange things done in the name of SOX compliance. I was involved in the potential acquisition in the UK of a subsidiary of a US public company and they used to print out their AD group memberships (as screenshots) and have someone sign (wet sign - with a pen!) the printouts every week/month.
When I asked whether SOX compliance really required this they basically said they didn't really know but had to play safe as the regulations were just so vague.
Reminds me a little of the medical device industry. We do a lot of things that from an engineering perspective result in worse products but since nobody understands the regulations fully we do them. Until a new guy comes in, re-reads the rules and says we can do it differently now.
I used to work in the ecommerce space. Along with PCI, our security/compliance people made us do lots of vague things with our delivery pipeline with the broad excuse of "SOX compliance".
When asked for the specific rule we had to follow, there was never any response.
My first question is how much of a burden is it really? Are we hearing the squeaky wheels, or is it actually pretty bad?
My second question is how much does it help. It's fine to say that it codifies practices that companies mostly do anyways (and if so, how bad can it be), but it was also a response to some troubling behavior in the market. How many problems does it prevent for the burden it exacts?
> My first question is how much of a burden is it really? Are we hearing the squeaky wheels, or is it actually pretty bad?
It's pretty bad. It was bad enough that we had to hire multiple full time people on our side just to deal with the interactions, people with engineering backgrounds who basically just did paperwork, who could have been doing much more useful things given their knowledge and experience.
> My second question is how much does it help. It's fine to say that it codifies practices that companies mostly do anyways (and if so, how bad can it be), but it was also a response to some troubling behavior in the market. How many problems does it prevent for the burden it exacts?
It's important to remember that there are two aspects to SOX: Operational and financial. I don't have a lot of experience with the financial side, other than to say they have just as much overhead, but perhaps it prevented a lot of things.
But from the operational side, it made us do things in bad ways so that we could show the auditors, and also slowed us down. For example, production access to financial data must be limited so that it can't be modified in production after the transaction but before it gets to the financial systems. Sounds like a good idea, but then when you have an outage, you have to scramble to find multiple people to unlock the access keys and watch over your shoulder while you make fixes on production systems.
Or instead you rearchitect your entire system so that only a few machines are actually handling financial transactions and keeping the rest out of scope.
Either way, it's a huge burden.
Another great example is password rotation. The law demands you have a password rotation policy. It doesn't say what that policy should be. Most auditors have settled on 90 days. Most researchers have shown that forced password rotation is bad. Without SOX, I would just follow the recommendation of the people who actually used science to figure out that password managers are better than password rotation. But with SOX, I either just follow the auditor's redone checklist, or spend a whole bunch of time convincing them that my policy is better than rotation. Either way, a bunch of overhead either for me or for all my coworkers.
It is pretty bad. The desire to avoid having to deal with SOX compliance has pushed a lot of companies to sell themselves privately rather than IPO. A lot of the restrictions that are imposed make debugging and fixing operational problems a lot harder. Many of the policies that are imposed are actively harmful.
And, sadly, SOX compliance is easily bypassed by bad actors. I'm not convinced that Enron would have been stopped by the regulation. And even if it would have been, after several rounds of regulatory capture like the above, the regulation will be nothing more than another marketing channel for auditing companies.
I would not want to know what my employer spends but I know it takes my team of five plus a director four to six days to get through it all.
The amount of seemingly useless documentation is what irks me. I am sure there is value there but the whole thing comes across as a pointless exercise in compliance with whatever whims they have this year added onto previous requirements.
A lot of the additional requirements year on year are driven by mandates from the PCAOB. If the audit firms do not comply then they are hit hard during the PCAOB reviews of their audit files.
The primary issue with onerous regulation is that which is unseen. How many companies and entrepreneurs choose not to act or take risk when faced with a future full of ridiculous regulations. Or perhaps the regs simply codify the business model of the larger players, keeping out smaller competitors.
Some years back I was looking into forming a non-profit to do some donation-funded environmental cleanup (not huge - probably on the order of a few tens of thousands of dollars a year). What I learned is that while SOX doesn't apply to non-profits, there are similar SOX-inspired rules that do. The advice from everyone I talked to at various non-profits about how to get set up: Just drop it. The regs require so much paperwork and oversight that it would easily cost 10x that much in compliance and auditing. If you aren't making a BIG non-profit, it's not worth the trouble any more, the overhead will crush you.
SOX had great intentions but was one of the most poorly implemented regulations ever.
SOX was a law passed in a hurry after a big scandal. Its intention was to allow politicians to be seen to be doing something. The more painful that something is in practice, the more they are seen to have done something.
SOX as implemented is therefore working just as intended. The trouble is that the intentions were bad in the first place.
I don't know enough to be sure of cause-and-effect but there hasn't been any major accounting fraud such as Enron and Worldcom since SOX passed, so that's one point in favor of the regulations.
I mean, this is hilarious if that's the approach you have been taking throughout your career but for anyone else reading this comment it's wholly inaccurate.
I've personally been part of it at two public companies, and my friends have been in many other public companies, and we've all had the same experience. So sure, maybe it's different elsewhere, but amongst the people I know, that's how it works.
What has your role and experience been upon which your opinion is based?
What I have seen of SOX compliance when it came in for multiple companies that I was involved with. Every time what I saw matches the description pretty closely. The auditor comes in, sees what you are doing, reads the rules, negotiates with you a set of procedures that you can do and in their opinion will bring you into compliance with the rules, then you execute that.
The rules themselves are so vague that what they will be interpreted to mean varies widely by auditor. But the legal requirements for the company are met if the auditor signs off on it, so you do whatever your auditor says to do. Those involved know that a lot of the created procedures are silly, but the legal problems if you don't go through the charade are quite real, so you have to do them anyways.
That is not to say that real problems aren't regularly uncovered. I'm sure that they are. But there is a tremendous amount of arbitrariness in, "Here is what you need to do to be compliant."
One of my good friends was an investment banker who specialized in IPOs from 2000 to 2011.
Whenever I asked him about Sarbanes-Oxley chilling IPOs he would always say that the only people who claim the legislation slowed down IPOs were people on chat boards who had no relation to the process at all.
From an auditor's perspective it might raise some complications but from a company's perspective, it just codified rules that almost all public companies were already doing.
I mean, even on Hacker News, you'll find people parroting the sentiment that Sar-box slowed down IPOs but they never really seem to be able to identify just why, or what specific rule it is that is keeping companies private.
It's always some non-specific thing they point to, like more regulation or liability of C-level executives. I mean the retort is probably what percentage of public companies have been brought private strictly because of this rule or how many executives have been sent to jail under this rule.
So if you think it just "codified rules that almost all public companies were already doing", and there have been surprisingly few convictions using the law, then we might as well remove it.
Reminds me of my good lawyer friend who says high legal fees don't impact startups at all. /s
Here in the real world Sarbanes-Oxley places a huge burden on actual auditors and accountants at public companies. It's not some afterthought, the burden on companies is huge.
You can hardly talk with a controller/auditor without hearing about it.
Why would anyone make that up? It's just a record keeping and reporting burden, it's just a nuisance. Nobody gets anything out of exaggerating that nuisance.
Instead of so much regulation, I think there should be more focus on incentivizing executives as if they were owners. Owners with most of their net worth tied up in a company usually act more in the long term best interests of the company. They care less about what Wall Street thinks and more about where the company will be in 5 years, 10 years, 20 years.
Instead of stock options they can cash in when they hit short term goals, how about actually buying stock and receiving stock that managers can only sell several years after they get it?
At the very least, rate companies on whether they do this or not. Or are actually managed by owners.
I believe audit firms are paid by the hour. I believe audit firms make more money when they work more hours. I believe audit firms make more money under Sarbanes-Oxley than not under it. If this is true, why would they lobby to have less revenue?
You say you read the article but I don't think you understood it. They want to loosen restrictions so they can sell additional work (that they are currently prohibited from providing) to public clients to which they provide audit services.
The below article is from 2012 but it lays out my point pretty well I think:
http://blogs.reuters.com/alison-frankel/2012/07/27/sarbanes-...
I think that this has consolidated the IPO market to only a few major banks that are capable of acting as underwriters.
Empirically, the number of IPOs in the USA has dropped, and the size has increased. So the data is consistent with there being a larger regulatory burden on businesses going public.
I'll agree with the first sentence. However it is not anywhere near enough to imply the second sentence. And lots of smart people agree...
https://www.bloomberg.com/view/articles/2015-06-24/where-hav...
> The study also looked into the old argument that "regulatory and legal changes in the early 2000s, including Regulation Fair Disclosure ('Reg FD') and the Sarbanes-Oxley Act ('SOX'), made it more expensive" to list. These played little or no role because the decrease in new listings was "well on its way before these changes took place." At worst, the regulatory burden accounts for only a small portion of the decline.
The empirical evidence could also be explained by other factors such as increases in availability of venture funding.
(I do believe that SOX is an unnecessary burden)
SOX, and more recently Dodd-Frank, has been a cash cow for those groups.