Mark Schmidtberger, a 19-year veteran at Payless ShoeSource Inc., went over to the dark side, as he calls it, and couldn't be happier. Until recently a database manager for Payless, he has carved out a niche at the $2.6 billion discount shoe chain as an IT manager specializing in SOX.
Payless' Schmidtberger said his opportunity reared its head last year when the company, which has 4,600 locations, was spending big bucks on external auditors to prepare for its first SOX audit. "I was in a lot of meetings that were just extremely frustrating," he recalled. The by-the-book approach used by external and internal auditors turned up stuff that, in his view, did not pose much risk or had mitigating controls. "You had financial folks talking to financial folks who didn't understand the business," he said. IT was guilty of its own mistakes and misunderstandings, realizing that many of the functions it had identified as controls were really processes. "So we're doing a lot of re-writing of controls," he said. And whittling. The company's roughly 1,300 controls are down to 900 and will go lower. That's a good thing, according to many industry experts whose clients put in too many controls that information auditors didn't need or want.
Far from bad-mouthing Sarbanes-Oxley, Schmidtberger is a believer in the law, applauding its intended purpose and its effect on IT. A product of the mainframe environment, with its emphasis on structured processes and controls, he sees SOX as a vehicle for bringing much-needed discipline to the distributed computing environment. "People complain about the cost of SOX. But in the long run, this is not a project but a methodology of how you implement things. It's a change in mindset that in my view is long overdue," he said. After the session, Schmidtberger drew a small crowd wanting to know more about his job.
For the record, three panelists said they're finding the auditors easier to deal with, while Coleman expects no leeway from regulators. "Last year SOX was a moving target. This year is for real. They're saying, 'You've had a year, you know the rules, now fix it, and if you don't, we're going to get you.'"