It's not having great ideas so much as executing them that really counts, and unfortunately, for the Sarbanes-Oxley Act, the first three years of implementation did not distinguish the law. Quite the contrary, the regulatory instruction in the beginning came close to undoing it. Why this happened is probably understandable, given the climate following the meltdown of Enron, WorldCom, Adelphia and the like; why it persisted for two years after the first sets of guidance in 2004 is less so. But SOX turns five with what could be construed as a new lease on life, thanks to recent Securities and Exchange Commission guidance and the implementation of Auditing Standard 5. The question is whether companies are so jaded at this stage that they miss what in fact could be an opportunity. With risk assessment and control the essence of the new 404 audit, senior finance executives will never have better support for arguments to pursue enterprise risk management and integrated governance, risk and compliance agendas. Regardless of what one thinks of SOX, ERM and integrated GRC will inevitably become universally accepted best-practice standards over the next five years, and the reincarnation of SOX provides the impetus for companies to reinvigorate operations either through process overhauls or purchases of dashboards or other technologies that begin to link the concepts of GRC and ERM to performance and shareholder value. Admittedly, companies may feel burned by the cost and complications associated with the first rounds, but hopefully the potential strategic value of these efforts that are about so much more than compliance will convince them otherwise.
From the July-August 2007 issue of Treasury & Risk magazine