You spent 2004 tearing out your hair over the Sarbanes-Oxley Act. Your compliance budget ballooned to several millions of dollars. The enterprise resource project you launched ground to a halt. Now you're alone in the elevator with the newly nominated chairman of the Securities and Exchange Commission, taking the proverbial two-minute ride to the top. Your plea to Christopher Cox?
"Please try and create some semblance of best practices and a repeatable process that everyone can follow," said Scott Hicar, CIO for Maxtor Corp., a computer storage device manufacturer in Milpitas, Calif.
Hicar, who survived his first year of SOX compliance, expects the process to be easier next year, no matter who heads the federal agency. But, like other CIOs polled in recent days, he said he believes the SEC has a long way to go before the financial compliance required by SOX becomes standard practice. "Much more education is needed," he said.
The news last week that William H. Donaldson is stepping down as chairman of the SEC and will be replaced, pending approval, by California Rep. Christopher Cox hit close to home for many CIOs.
Brought in by the Bush administration to restore public confidence in financial markets undermined by corporate scandals, Donaldson turned out to be an aggressive reformer. He often sided with the Democrats on the commission, raising the ire of Republican business groups, who complained that his hard-line approach to issues -- including Section 404 of SOX -- was doing more harm than good.
The rule, which requires public companies to prove their financial controls are reliable and accurate, is aimed at preventing corporate fraud. But it has proved costly. Some experts estimate that SOX will cost corporate America an additional $35 billion this year, 20 times more than the SEC had predicted. On May 16, the SEC acknowledged the burden of those costs, rebuking the accounting industry for its robotic, "check-the-box" approach to the rule and urging company executives to use common sense in meeting its requirements.
In his resignation speech, Donaldson acknowledged that businesses, especially smaller public companies, had "legitimate concerns" about the high costs of compliance. By then, his critics had more ammunition. A General Accounting Office audit of the business practices of the SEC found, ironically, that the agency had failed to implement some of the very financial controls it was requiring other organizations to use.
Will nominee Christopher Cox, a champion of free markets and widely seen as a friend to big business, ease the burden of SOX compliance?
That depends on how closely he listens to industry-wide complaints about SOX confusion, said French Caldwell, a research vice president at Gartner Inc. Gartner found that 3.3% of IT budgets were dedicated to SOX in 2004, but in 2004 those budgets only went up by 1.4%. "That means a lot of this spending was taken out of IT's hide," Caldwell said. Many companies "over-scoped" their SOX efforts, he added, but that was because no one really understood what was required.
"More guidance is needed. If Cox is really business-friendly, he is not going to say we are going to repeal the regs, but he can work within the system to accelerate a good body of practice and not wait for case law and enforcement to do that," Caldwell said.
That will mean working with the Public Company Accounting Oversight Board and the major accounting firms proactively, Caldwell said. "I don't think they can cop out, and say, oh, every company is different so we can't do this. We're not talking about a Napoleonic code of conduct, but reasonable guidance on what comprises a Sarbanes-Oxley audit," he said.
With Cox on deck, some CIOs are optimistic that their complaints have been heard at the highest level.
"I think it's reasonable to expect they [the Bush administration] will do what they can and Cox will do what he can to come back to the middle on this," said Peter Milla, CIO for Harris Interactive Inc., a publicly traded polling and consulting firm based in Rochester, N.Y. Still, Milla said he doesn't expect anything to change overnight, and "all you need is one corporate scandal and it will swing the other way."
Indeed, investor advocacy groups, such as the Council of Institutional Investors and Consumer Federation of America, have expressed concern that Cox is so pro-business that the SEC will drop its vigilance of recent years and guarantee more scandals, prompting in turn another dose of strict regulation.
For Todd Thompson, CIO of JetBlue, SOX was a "mixed blessing." The no-frills airline took flight in 2000. "As a young company without a lot of structure and process, it forced us to do things we really needed to do," Thompson said. "While we didn't like every bit of the legislation, I will say I'm glad we had to go through it, because it prepared us for the next stage of growth."
Even Hicar said life is looking up, with the first year of SOX behind him. "It should become less and less burdensome, regardless of who's running the SEC, where there's rules and best practices emerging," Hicar said. "It's definitely less painful this year -- only because everybody's been through it once."