Sarbanes-Oxley: More Cause Than Cure?
Jul 29, 2004 6:00 AM PT
At a working lunch last week I had the misfortune of being seated next to some guy from Boston whining about the misery and risk introduced into his life by Sarbanes-Oxley. I kept wanting to ask him what he thought his job was as a CFO, since all Sarbanes-Oxley really does is establish a basis for legal penalties against financial executives who dishonor the job description by failing to understand, apply and maintain adequate internal financial controls.
I didn't. In the end I told him he could always get his CIO fired rather than take the heat himself because I've never seen a company in which the CFO didn't outrank the CIO. Now, in reality, that doesn't have anything to do with the central issues raised by Sarbanes-Oxley but the idea certainly seemed to cheer him up.
Sarbanes-Oxley provides the classic legislative response to a perceived abuse: legally defining responsibilities and setting forth penalties for failures to meet them. In doing that, however, it fails to address the underlying issue, which isn't why a few people lied, cheated and stole, but why a much larger number of people let them get away with it for so long.
Remember, few of what we now clearly see as abuses were secret: Enron's CFO won major financial management awards for what he was doing, most wall street players used personal IPO allocations to buy customer executives, and dozens of analysts wrote about the obvious mismatch between real revenues and the financial statements underlying market valuations at companies like Global Crossing and MCI/WorldCom.
Look at this in the wider context of overall financial market management and this becomes a chicken and egg type question. It's clear that the financial market failed to self-correct with the majority of the people involved closing both eyes to abuses while deriding or ignoring those who tried to uphold previously normal standards of personal and professional integrity.
But what made that mob response possible? Were financial market systems failures induced for personal gain, or did the players involved slide down the slippery slope to corruption because the checks and balances built into the system failed? How was it possible for some brokers to brag to literally hundreds of their colleagues about their actions without having those colleagues drum them out of the business?
My personal opinion is that a fish rots from the head down. In this case, that the Clintons' sleazy example in the White House combined with easy money from the dot dummies to create an atmosphere of greed and accommodation in which it became easy for otherwise responsible people to rationalize their own abdication of professional responsibilities in favor of personal advantage.
Whether that's true or not, the bottom line on Sarbanes-Oxley is that it doesn't address the major public market abuses but is likely to have some serious, although counter-intuitive, consequences.
In establishing penalties ranging from fines to jail time and the public humiliation of the perp walk, Sarbanes-Oxley creates both incentives to cover up failures and opportunities for those with axes to grind, people to hurt, or shares to short.
The cover-up side of this is obvious. Imagine a CFO, popular with the other executives and the board, who discovers that the financial statements have been substantially misstated for some time. In this situation the threat posed both to the individual and the organization by Sarbanes-Oxley could easily tip a decision toward covering up, either through the intentional continuation of the erroneous reporting or through some longer run corrective process.
The incentives to attack have to be coupled with opportunities to mean anything. That's less obvious, but I admit I enjoyed my lunch rather more after imagining how little access to my tormentor's financial server would really be needed to send him all undeservedly to jail.
The key enabler here, besides inside access of the kind you get by infiltration, is the separation of financial reporting from production transactions. In his case, the financial statements are drawn from a data mart that gets its input at second hand from a bunch of divisional financial systems.
Faking business transactions is difficult and risky because there are lots of real-world correlates and you have to fake or modify a lot of them to have a material impact. That's not true, however, where the financial statements are drawn from a data warehouse disconnected from the actual transactions underlying the numbers.
Installing a Stored Procedure
In this situation, the external referents are difficult to track and all an attacker has to do is install a stored procedure that transfers small amounts from one of the imaginary accounts -- say, goodwill amortization -- to another every time one of the bulk updates runs.
Over time, this will have an effect like that of the butterfly flapping its wings in China to cause storms in California, slowly and invisibly undermining the integrity of the financial reports.
Eventually, of course, some external event will trigger an investigation. Then he's toast, and no amount of pointing at internal controls and auditors, public or otherwise, will make any difference. The system will have been turned on itself with the books balancing perfectly and all checks checking, even while the published profit and loss numbers have been getting "wronger" by the quarter.
Once that's discovered, the company's executive will face a choice -- cover-up or mea culpa -- and either way Sarbanes-Oxley's threat of legal process will be the biggest scarecrow on the playing field.
From a social perspective, legal consequences tend to be associated with being caught, not with committing the action. Sarbanes-Oxley might therefore "incent" more cover-ups than compliance. From a technical perspective, little can be done without fully integrating production and reporting -- something that can't be done in any practical way with Wintel's client-server architecture.
I'm really looking forward to the case law on this. After all, if a porn user can't be held responsible because Wintel's vulnerabilities mean that anyone could have put the incriminating materials on his PC, shouldn't a CFO with bad numbers have access to the same defense?
More interestingly, what happens when a prosecutor with a sense of irony puts some Microsoft experts on the stand to testify against a CFO (or porn user) who tries this defense but doesn't have Wintel installed?
All joking aside, however, the real bottom line on Sarbanes-Oxley might well turn out to be that it weakens rather than strengthens integrity guarantees in public accounting by tilting judgment decisions toward cover-ups in the short term and may threaten Microsoft's client-server architecture in the long term.
Paul Murphy, a LinuxInsider columnist, wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry, specializing in Unix and Unix-related management issues.