I received an advertisement brochure recently. Prominently displayed on the front page was this eye-catching question: "Is compliance taking over your life?"
I responded (out loud, even): "Not anymore."
It occurred to me how much less stressed my professional life is now that I am working for a private firm. The stress from my former Fortune 500 corporate experience was due in large part to Sarbanes-Oxley compliance - or rather the interpretation of Sarbanes-Oxley compliance.
Whether you agree with the legislation or not, most admit there was clearly a need to do something in response to the WorldCom and Enron scandals. So, something was done. Personally, I believe the legislation attacks the wrong side of the equation for this reason: there were already laws on the books to address the crimes committed at these corporations. If Congress truly wants to protect investors, educate them. And if Congress simply must pass a new law, pass legislation requiring investors become certified before being allowed to invest in publicly traded companies. (Step 1: A DVD of me pointing at the camera, screaming "YOU CAN LOSE ALL YOUR MONEY IF YOU PUT IT IN THE STOCK MARKET... ALL OF IT!!! DO YOU UNDERSTAND?!?" Step 2: Sign the document acknowledging you understand what you learned at Andy's School of Investing.)
But I digress...
While I was enduring the stresses placed upon a sole database administrator group manager by internal auditors, a colleague mused: "Those who can, do. Those who cannot, teach. And those who cannot do or teach, audit." That was mean (...apologies to all my auditing readers out there...), but I think I understand the underlying sentiment.
Given the tools on hand, we were faced with unpleasant choices:
- Cease supporting business operations. It was simply not possible to comply and execute DBA tasks required to keep the business running. Without naming industries, companies, or names, ceasing support would have meant hardship to thousands of people already enduring enough hardship and economic loss to literally thousands of others.
- Refuse to comply. Which would have solved several stressful issues but created a few more - such as how to pay the bills, eat, etc.
- Lie. I could break my personal code of ethics and possibly the law of the land, and misrepresent the facts of the matter.
- Be honest. And take the ensuing whoopin'.
I chose to be honest. My reward was pressure from every imaginable angle.
From business, sales, and accounting, "Why can't you just comply and end all this?"
From auditors, "We will have to report this to _____. They will open an incident. It will be filed with the SEC. It will be made public."
From executives, "Make this go away."
It was ugly. And it all stems from an open season on business data. Heck, the auditors at my former employer were reaching into the personal development databases of developer workstations. I understand some of it, but not all.
I'm interested in your thoughts on the matter. Have any of you had similar experiences with SOx compliance?