
Monday, July 04, 2005

 

Sarbanes-Oxley and Internal Markets

Something I've never commented on in the Blog before (though it appears in the MWT Book manuscript / notes) is the relationship between Sarbanes-Oxley and the technology-enabled markets which are one of the foundation pillars of the ManageWithoutThem Model. I'm not a lawyer. So nobody should take my opinions as legal advice. In fact, anybody trying to Google for legal advice should be very careful indeed...

Sarbanes-Oxley is all about the retention of records. It started because some audit company is supposed to have shredded the audit records of one of their clients. If you look at the Mises Blog I think you will find one of the few references to the fact that the charges against the audit company have since been dropped (Is this right? Check Mises Blog). However, the ruling still exists and organisations are scurrying to comply with it.

The thing is, Sarbanes-Oxley doesn't just stop at retention of records. The intention of the ruling includes both retention of records and assurances that the records are accurate. This bit is important and interesting. It means that audits are required at some regular interval to ensure that the records are accurate.

Let's take a simple example of asset records. Just as most organisations are struggling to keep simple records of the assets that they own, the Sarbanes-Oxley ruling says you have to audit the records to make sure they are accurate. So every three years you have to collect all the information about your assets again.

I have to be clear here; you can't just download the information from your asset register. The purpose of the audit is to ensure that the asset register is correct. So you need something to compare the information in the asset register to. So every three years you have to ask everybody in your organisation what assets they have - even if you think you already know. This is the only way you can make sure and prove that you already know.

While the intention is arguably good, this is clearly ineffective. I also think it's not sustainable. Also, I think the risk here is that organisations can still fudge the audit. To take an extreme example, the organisation could fake all of the collected records by writing a small script which takes the asset register and turns it into emails. The script could throw in some mismatches so it looks realistic, the mismatches could be resolved, and the organisation would have compliance.

So in a way the law doesn’t really guarantee real compliance. This means that eventually one of three things will happen. The most unlikely is that the government will decide not to interfere anymore. Alternatively, the intent of the law will be made more clear and additional laws will be created to cover individual cases of fraud (the typical approach of law propagation). Or lastly, the courts might shift the focus from ‘reporting requirements’ (what you have to submit) to ‘operating requirements’ (how your organisation actually has to work).

I'm betting on the last scenario where 'operating requirements' are imposed. And this is where technology-enabled markets come in. The scenario I'm going to describe is 5 to 10 years into the future. Even though the technologies largely exist it will take that long for the law, and our transition from command-based management models to market-based management models, to catch up.

A technology-enabled market approach to enforcing impending 'operating requirements' with the same intent as Sarbanes-Oxley would look like this...

--- To be continued ---
