The U.S. Supreme Court's decision Monday on the Sarbanes-Oxley Act is unlikely to affect the jobs of IT managers, who have already spent bundles of money on software and staff time to ensure compliance with this 2002 law.
Sarbanes-Oxley, or SOX as it's widely known, was created in the wake of Enron and other financial scandals to impose a new series of reporting and audit requirements on companies. The law prompted IT departments to build new risk compliance, records management and security systems.
The high court decision simply gives the U.S. Securities and Exchange Commission the power to remove members of the Public Company Accounting Oversight Board "at will" instead of "for cause." The five member oversight board is charged with overseeing auditing firms.
Since shortly after its passage, SOX has "had a very significant impact on IT operations spending," said French Caldwell, an analyst at Gartner Inc.
For instance, Gartner in a 2005 study estimated that SOX mandates had led to an average increase of 3.3% in corporate IT costs. And, Caldwell added, "If you consider all the people in IT that have to spend some time on preparing for audits, it's [still] a significant part of the IT budget."
The 5-4 decision released by the high court on Monday makes what amounts to an administrative change to SOX that's unlikely to impact IT managers for better or worse, according to analysts and legal experts.
As far as IT spending on compliance goes, "they still got to spend it," said Roger Dennis, dean of the Earle Mack School of Law at Drexel University in Philadelphia. "All the other provisions of SOX remain in full force and effect," he said, as a result of the court's decision.
Although it is possible that Congress could try to use the Supreme Court ruling as a way reopen SOX and produce a less strict 2.0 version of the law, lawmakers now appear headed in the opposite direction -- aiming to impose more financial regulation, not less, on firms.
Citing work now underway in Congress on financial reform legislation, Chris McClean, an analyst at Forrester Research Inc., noted that "there is still a big appetite for financial reform."
Nonetheless, John Berlau, director of the Center for Investors and Entrepreneurs at the Competitive Enterprise Institute, which was a party to the case, remains hopeful that the decision will lead to some changes sought by the group. For example, he said he expects that the ruling will open some of the actions of the oversight board to "a significant number of challenges" because they were made by a body he said was found to be unconstitutional.
McClean said that from a risk management perspective SOX "has had a good impact on the way companies look at risk management and consider risk management in a lot of their business decisions."
Caldwell says a survey he is assembling is showing that increased IT purchases of software for enterprise risk management, and not Sarbanes Oxley.
Moreover, Caldwell points out that in many ways SOX has become just one more compliance burden for IT managers. The new compliance requirements are burdening IT, he said, adding that that an earlier estimate made by Gartner - that the number of regulations is doubling every six years - is holding true.
The lawsuit challenging SOX was filed by a group called the Washington-based Free Enterprise Fund, which describes itself as a non-profit interested in limited government. In papers filed with the court, the group contended that U.S. businesses spent $35 billion in compliance costs during the first year the Sarbanes-Oxley regulations were in place.
In the suit challenging the accounting board, the Free Enterprise Fund said that In 2003, its chairman received "an exorbitant" salary of $556,000, while its other four members were paid "a similarly excessive" salary of $425,000.
Patrick Thibodeau covers SaaS and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld. Follow Patrick on Twitter at @DCgov, or subscribe to Patrick's RSS feed . His e-mail address is firstname.lastname@example.org.