Last week I attended the MIS Training Institute's Governance, Risk, and Compliance 2011 Conference. I thought the sessions were very informative. Chief Audit Executives, Risk Officers and other experts from all over the U.S. and abroad presented and shared their experiences (the good, the bad, and the ugly) as well as their progress in developing a GRC program in their organizations. A topic of discussion was the recent CBS 60 Minutes story on "Prosecuting Wall Street". (If you didn't see the show, which aired on December 4, 2011, here is the link: 60 Minutes - Prosecuting Wall Street.)
In the piece, two whistleblowers from Countrywide Financial and Citigroup offered their insights into the root causes of the subprime mortgage meltdown. What was most surprising from the piece is that, as of yet, the Justice Department has not utilized one of its "most powerful legal weapons", the Sarbanes Oxley Act of 2002, to prosecute any of the executives from big banks, including Countrywide or Citibank. The Securities and Exchange Commission did go after Countrywide's CEO, Angelo Mozilo, but settled out of court with what can be considered just a "slap on the wrist".
In addition to presenting at the GRC, I also sat on a panel to answer questions on GRC Best Practices 2012. The following question was posed to the panel: Based on the 60 Minutes broadcast on "Prosecuting Wall Street", Sarbanes Oxley appears to be toothless. If the Sarbanes Oxley Act (SOX) went away, what impact would this have on the controls of organizations? To say the least, there were various and conflicting views on this question.
My personal view is that organizations will maintain only those controls implemented for SOX compliance purposes that add value greater than their costs. In general, if an individual does not understand how a control will help make them successful in achieving their business objectives, although they may implement it, they will not maintain the control over time unless they are under duress from the internal or external audit teams or loss of their job. According to Protiviti's 2011 Sarbanes-Oxley Compliance Survey, most companies think the cost of SOX outweighs the benefits during the first year of compliance. However, after the initial compliance period, the companies view the benefits as outweighing the costs. The primary benefits achieved by organizations "include an enhanced understanding of control design and control operating effectiveness, increased effectiveness and efficiency of operations, and internal audit being able to perform more traditional and valuable audits in areas other than financial report processes."[1] If this is true, then I believe these would continue to exist even if the Act was reversed.
I am curious to know your thoughts on the panel question. If the Sarbanes Oxley Act (SOX) went away, what impact would this have on the controls of organizations? Send me your thoughts at [email protected].
I look forward to hearing from you!