Trust. That's the point of the Sarbanes-Oxley Act: making sure investors can trust our financial statements. Of course, for anyone involved in Sarb-Ox compliance projects, it feels more like trust has been hanged, drawn, quartered, electrocuted, run over by a steamroller, then stood up against a wall and shot, just for good measure. With Sarb-Ox, it seems as if nobody in the corporate world will ever be allowed to trust anyone ever again.
So there may not seem to be much comfort in the revised Sarb-Ox guidelines issued last week by the SEC. The agency's staff now says we can trust each other -- just a little bit.
That means not every single piece of financial data has to be rigorously controlled at every step in its life cycle; corporate management is allowed to use a little discretion. And auditors don't have to be grim, silent inquisitors; they're allowed to tell management what's wrong, explain why it's wrong and even suggest ways of fixing problems.
It's only a little ray of trust in what's become a very dark Sarb-Ox world. But right now, we can use all the hopeful signs we can get. If you're not doing Sarb-Ox work, you're probably wondering what the big deal is. Why are top management and IT staffers all so bitter about it? Sure, it's a huge project -- documenting and testing all the controls on financial information and putting controls in place where they're missing. But isn't that really a lot like Y2K was -- a huge project that won't add value at most businesses but still has to be done?
Answer: No. With Y2K, we were saving the world. With Sarb-Ox, we're agents of the inquisition. Y2K was a heroic sprint for an immovable finish line. More than a year into our Sarb-Ox work, it feels like a death march that will last forever.
And for what? Trust. But it seems as if for every drip of trust that investors will gain, we drain away gallons. Users can no longer be trusted. Neither can managers, or even our own IT people. Every access to data has to be logged, every spreadsheet checked, every number crunch verified.
In an uncomplicated, smoothly professional world, that would be a simple, one-time chore. In the very messy real world of business IT, it's immensely complex and never-ending. And it's overlaid by that "trust no one" ethos. We've always depended on trust to get through crises, meltdowns, glitches and ordinary momentary stupidity. We've trusted one another to reach in and fix the problems.
But now that's forbidden. No reaching in. No out-of-process fixes. No trust. The job of Sarb-Ox implementers is to institutionalize paranoia. No wonder they're bitter.
Worst of all, we know it's not our fault. IT faces the lion's share of Sarb-Ox "deficiencies" because we're in charge of the data that will make up those trustworthy financial statements. Our "deficient" systems worked fine for years. Now, because crooked executives at a few companies played fast and loose with their numbers, we're the ones who have to rebuild trust we never deserved to lose.
That's why those new SEC guidelines truly are good news. They're the first sign that Sarb-Ox won't be an ever-expanding spiral of paranoia. The focus, the SEC now sensibly says, should be on the greatest risks of financial misstatement. It's time to start replacing endless inventories and mindless checklists with informed management judgment about where those risks lie.
And in IT, we can start to think again about the best ways of protecting business data integrity -- controls that are effective, not just exhaustive. And then maybe we'll begin to remember once more that investors want to trust not just the numbers, but also the people behind them.
Frank Hayes, US Computerworld's senior news columnist, has covered IT for more than 20 years.