Sarbanes-Oxley, Cont'd
In response to my posts (here and here) on the waste and distortions created by Sarbanes-Oxley, Jay Manifold emails:
Yeah, it's a pain. The following excerpt from an internal document (with anything remotely sensitive redacted) gives a hint of just how much, but I can tell you from personal experience that there's nothing quite like dealing with this stuff for the first time, under the kind of deadline pressure characteristic of software release implementations, when obstacles have to be cleared in minutes or hours rather than days or weeks. The new de facto size threshold for publicly-traded companies is one thing, but the stress these requirements are placing on individuals is something else:
Passed in 2002, Sarbanes-Oxley requires Information Technology groups to test, evaluate, reconcile, document, publish, and monitor internal control procedures that directly impact financial information. As such, [deleted] has identified key financial applications that require compliance with Sarbanes-Oxley. Those impacted applications can be viewed on the [deleted] web site under [deleted].
Based on the Sarbanes-Oxley requirements and the compliance audit completed, [deleted] will be making changes to our policies and controls to ensure compliance with Sarbanes-Oxley. The following policy changes will be made effective on [deleted].
Category 4 change requests for Sarbanes-Oxley identified applications will no longer be accepted.
Any automated work order that is a code migration or affects batch scheduling (this includes temporary, permanent and ad hoc executions) for Sarbanes-Oxley applications must be tied to a Change Request. These automated work order types will not be implemented to production without a corresponding approved Change Request.
Change Requests for Sarbanes-Oxley applications are required to have a business unit point of contact (name and phone number) for change request approval. The business unit point of contact is defined as a non-[deleted] associate who is authorized to make such a request.
Change Requests for Sarbanes-Oxley applications are required to have a business unit point of contact (name and phone number) to perform user acceptance testing of the change.
Business unit point of contact (name and phone number) must send an email to the implementer signifying formal User Acceptance prior to code being placed into production. This email will be documented in [deleted].
[deleted] infrastructure/maintenance activities will be reviewed by change type to determine if a business unit point of contact is also required. This list of change types will be published when complete.
As I write this, I am -- among other things -- pulling together a list of Sarbanes-Oxley related questions which now appear in our online ticketing systems, with typical answers, so that our people won't have to hack their way through a bureaucratic jungle on a daily basis. Your tech-writer correspondent is dead on -- there's definitely a market for people who can deal with this stuff.
Now for the good news. I expect things to get better with time, not because the regs will ease up, but because process developers like me will gnaw away at this stuff until it's (relatively) painless. The analogy is airport security, where a barrage of questionable (to say the least) requirements resulted, initially, in high costs and annoying delays; but three years on, the procedures -- at least in the airports I've been in -- have been significantly streamlined.
Recall our discussion about process improvements in general of a few months back; my intuitive guess (is there any other kind?) would be that with sufficient dedication, compliance costs could be halved every three years. See also the Kamm quote at the end of my sig. We're not marching toward dystopia; there is a deal of ruin in a nation, as I believe Adam Smith said. That multi-hundred-million-dollar revenue figure for the smallest possible public company may drop quite dramatically within this decade.
This is no defense of Sarbanes-Oxley, which I regard as a triumph of conspiracy theorists who think that all publicly-traded corporations -- well, all corporations, actually; these are just the ones they can get to easiest -- are up to no good and must be constrained with the present-day equivalent of the Nuremberg Laws. Fuckers.
Blogging is light this week, because I'm working not only on my Times column but on a feature for a special Times section on small business. In an interview today, the CFO of the company I'm profiling said in passing that it's no longer feasible for businesses its size ($68 million in sales) to be publicly held. Fortunately for these founders, the grand visions they had at age 26--15 years ago--didn't come true. They built the business steadily, using retained earnings, and never went public. But similarly sized public companies are now looking to go private. Somehow I don't think this particular distortion does much to protect the publi