Will Sarbox change ding IT vendors?

The Securities and Exchange Commission tweaked its Sarbanes-Oxley requirements and that could be bad news for the technology companies, consultants and accountants on the Sarbox gravy train.

The SEC said Wednesday that it was making changes to the Sarbanes-Oxley Act, known in some quarters as the accountant and consultant employment act, to reduce the regulatory burden on companies. Specifically, the SEC outlined guidance on how to read Section 404, which requires companies to attest annually that internal controls are up to snuff.

In its statement on the matter, the SEC said companies could keep their own internal controls as long as they could vouch for their financial results. Some excerpts:

The Commission’s interpretive guidance should reduce uncertainty about what constitutes a reasonable approach to management’s evaluation while maintaining flexibility for companies that have already developed their own assessment procedures and tools that serve the company and its investors well. Companies will be able to continue using their existing procedures if they choose, provided of course that those meet the standards of Section 404 and our rules.

And:

The Commission also approved rule amendments providing that a company that performs an evaluation of internal control in accordance with the interpretive guidance satisfies the annual evaluation required by Exchange Act Rules 13a-15 and 15d-15. The Commission also amended its rules to define the term “material weakness” as “a deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.” The Commission also voted to revise the requirements regarding the auditor’s attestation report on the effectiveness of internal control over financial reporting to more clearly convey that the auditor is not evaluating management’s evaluation process but is opining directly on internal control over financial reporting.

Those moves effectively lower the bar for companies and put auditors on a tighter leash.

John Newton and Eric Savitz at Barron's have opined that the SEC guidance is good for companies and bad for technology vendors.

These opinions are largely based on a report from Gerald Hallaren, a technology analyst who runs a firm called JPRG.com. Hallaren argues that lower spending on Sarbox could add two percentage points to profits in 2008. Staffing firms such as Kforce, Robert Half and MPS Group would take a hit, and companies such as EMC's Documentum, Cognos and Business Objects would also see lower demand. According to Savitz, Hallaren is projecting that the $35 billion in Sarbox spending will disappear and that corporate IT spending would fall 7 percent. I'm skeptical about those projections for the following reasons:

  • Sarbox spending is clearly an expense that doesn't go away. However, I think Hallaren overstates the impact Sarbox has had on IT spending in recent years. IT spending has been mediocre at best. If you completely buy that Sarbox has been the prop, then it implies no one has been spending on any other technology.
  • It's early to project the impact of the rule tweak. On the surface it appears most companies will write Sarbox off as a bad dream. But the SEC hasn't published all the details on its guidance or rule change.
  • There are no pure Sarbox technology companies that would be crushed by the SEC changes. At last check, folks still needed the content management and business intelligence software that can also tackle Sarbox issues.

Talkback

3 comments
  • Integrated, not separate

    Any decent technology consultant incorporates SOX compliance into their solutions that they provide to customers. I often advise my customers on SOX as an additional benefit to whatever technology solution I am providing for them.

    While there are certainly SOX-dedicated consultants out there, most of us don't put all our eggs in one basket. Additionally, SOX implementations have had the added benefit of being useful for other purposes as well. Such as disaster recovery, long-term archiving, etc. which benefits the customer's business stability. In the past, customers have been short-sighted on long term impact that technology may have on their company.

    So all in all, I see the tweaks only hurting those consultants who chose to be only SOX-oriented. It isn't going to hurt my work at all.

    Oh one other thing, even with tweaks to SOX, there's still a lot of business out there for other regulatory matters, such as HIPAA, etc.
    yyuko@...
  • Much of the SOX-related purchasing has already taken place

    Great observations, Larry. Vendors have probably already wrung as much as they can from this golden goose since 2002-2003. There are other, industry-specific compliance mandates that still need to be addressed, plus many vendors are just starting to get on the ITIL bandwagon.
    joemckendrick
  • You forgot ACL [nt]

    .
    Omch'Ar