Vale SOX? Obligatory Sarbanes-Oxley Mention

I can’t let the current credit crunch / financial crisis / Wall St meltdown pass without mentioning the Sarbanes-Oxley Act, aka SOX.

I feel compelled to do so because I haven’t seen it mentioned once in the mainstream media during the past fortnight of turbulence, and yet it should have at least played some role in reducing the likelihood and impact of an event like this. Otherwise, it was a waste of effort.

Searching Google News for “Sarbanes-Oxley” just now yielded about a half-dozen results. One is from 2006, one is a letter, one is about Sarbanes’ son’s bailout vote. Not much. The only relevant article I found:

The pain felt in middle America was so intense that Congress enacted legislation to clamp down on such errant behaviour. The Sarbanes-Oxley Act of 2002 imposed stricter levels of disclosure on public company boards, management and accounting firms. It was hailed at the time as a breakthrough in regulating errant corporate behaviour. But it should come as no surprise that about a year ago, during the height of the most recent boom, US regulators were coming under intense pressure to dilute parts of the legislation. Sarbanes-Oxley, the argument went, had cost Wall Street its coveted position as the world’s financial hub. The high cost of compliance with the legislation had seen international focus shift to London.

The article goes on to explain why it might be not so relevant to the current situation, which is completely dominated by the banks:

The latest crisis has emerged from a different area – the lax prudential regulation of America’s banks. Housing loans were pushed on to people who had a history of default. That’s the definition of subprime.

So it’s not a case of “this is exactly the kind of thing SOX was meant to prevent”. It’s more subtle than that – SOX is only public companies, and not all banks are public; SOX covers all types of companies, not banks which have particularly complex financial characteristics; SOX is about control and reporting, and does not place specific constraints on levels and forms of credit risk.

Nevertheless, many banks are public companies and public companies must comply with SOX (even if the system is developed in the UK…as long as it operates in the USA, it must comply, that’s my legally dunce understanding of the matter). Sarbanes still applied in banks from around 2003. I was working on one project where “pulling up your SOX” was a constant non-functional force lurking in the background of many major design decisions. So, for example, if we were to choose an in-memory database, what would happen to the auditing facility in the event of a sudden crash, would this cause a violation of SOX?

Another system I was looking at working on involved the treasury operation of a prominent American bank, where SOX was a big driver for them to streamline the performance of the system that comes out with a single, very important number: the bank’s overall position.

It’s vastly beyond the scope of this blog to explain away the crisis or even SOX’s (non) effect on it. What I can say, though, from a software perspective is that it feels like yet another standard that’s complex enough, and enforced enough, to drive substantial effort, while being high-level enough to not necessarily be very useful, at least not in cases where the intent was already there.

Alistair Cockburn wrote to the effect, “show me the methodology, and I’ll show you the methodologist’s fears”. We might well apply this to standards and regulations too.

SOX can be very closely tied back to Enron and related collapses and the fear of a repeat incident. However well-intentioned, there are two problems with standards that emerge from fear: (a) forcing someone to not follow the same strategy as that which led to a collapse…is no way to guarantee a similar collapse won’t take place again, for there are many alternative strategies they may take; if you retrospectively try to do what would have prevented recent incidents, you can expect your standard to be gamed hard by those using alternative strategies; (b) even if you can prevent a repeat incident, at what cost? Many times, the constraints you place on creativity and the degree to which your standard crushes human spirit and consequently inhibits progress, these costs may well outweigh the benefits.

Whether these problems were causes by SOX is a topic for debate. But as the world readies itself for a whole new set of controls – many of which will affect your daily work and mine, dear software reader – one can only hope there is big ups on some fair dincum contemplation and ixnay on the knee jerk, eh.

3 thoughts on Vale SOX? Obligatory Sarbanes-Oxley Mention

  1. Actually, Newt Gingrich has been all over TV explaining that the SOX mark-to-market requirement has created this crisis as well as killed off our IPO market. Newt’s thesis, in the wake of the IPO’s desertion to London, US investment banks went to the Credit Default Derivatives market. In fact, right before the second bailout, there was a lot of talk about removing mark-to-market at least temporarily. Not sure what the outcome was yet.

  2. My understanding is that SOX establishes standard accounting practices for public companies, and ensures that the boards of said public companies take responsibility to ensure that those accounting practices are used correctly.

    I don’t think the current financial crisis has been caused by ‘dodgy’ accounting; but rather by ‘dodgy’ risk management.

    Assets were fundamentally overvalued, due to flawed risk ratings. Taking subprime mortgages, packaging them and on-selling them with higher ratings would be a prime example (pun intended). Add to that the massive growth in derivatives (especially Credit Default Swaps), and it was a recipe for disaster.

    I think that falls more under the Basel II accord (, which specifically deals with credit risk (as well as operation and market risk).

    I’ve had the pleasure of working at an Australian bank (corporate banking arm), and there was a lot of scope under Basel II to provide your own “model” for risk to enable companies to reduce capital requirements, and a big financial incentive for banks to take that option.

  3. Shows how little Newt knows about accounting–and apparently he doesn’t care to know the truth in this case, since it doesn’t support his viewpoint. I like the man, and he quite often gives good advice and analysis, but in this case, he is way, way off

    Mark-to-market as it affected the recent downturn was as a result of a new FASB Pronouncement (FASB 157) as issued by the Financial Standards Accounting Board starting for firms filing in 2007 and as applied by the SEC. It is a generally accepted accounting principle. It tells you how to do accounting.

    SOX was passed back in 2002 and its rules are run by the PCAOB (Public Company Accounting Oversight Board), and its rules (AS-1 through AS-5). It tells you how to make sure that your internal control over the financial statements is working correctly, and primarily tells you how to audit that the accounting controls are in place and working correctly. It doesn’t say anything about what accounting rules are or should be.

    One is entirely separate from the other–almost day versus night.

    For the real explanations on why mark-to-market (completely unrelated to SOX) may have caused the downturn to be fairly severe (and what Congress has done in 2009 to prevent it from happening again), go to wikipedia’s article on mark-to-market accounting where the explanation is quite clear.

Leave a Reply