Lights Dimming On The Sarbanes Oxley Act?

Amidst Washington admission, VARs rethink strategies

By Kevin McLaughlin, ChannelWeb

9:00 AM EST Mon. Nov. 13, 2006
From the November 13, 2006 issue of CRN
The Sarbanes Oxley Act of 2002 (SOX) has helped many solution providers develop healthy compliance businesses. But with recent rumblings from Washington that SOX may have gone too far and could eventually be scaled back, some VARs are wondering how much longer SOX solutions and services will continue to yield a reliable revenue stream.

Some solution providers told CRN they believe any softening of SOX could have a domino effect in which companies would rethink their compliance priorities. "The prospect of a SOX rollback is definitely of concern, certainly when it pertains to opportunities driven by compliance regulations," said Pat Edwards, vice president of sales at Alliance Technology Group, a Hanover, Md.-based solution provider.

SOX requires companies to identify areas in their networks where internal financial accounting and reporting controls need to be strengthened, and remediate areas of weakness. In addition to building and selling compliance solutions, VARs can perform assessment services to help a company find and fix problems and demonstrate how it has the proper controls in place. SOX requires third-party auditors to verify that the company's controls are working properly.

Some solution providers are contending that if SOX is somehow defanged, it could weaken demand for their compliance solutions and services.

Gary Cannon, president of Advanced Internet Security, Colorado Springs, Colo., has seen his compliance business double over the past year, but believes interest in compliance solutions could wane if the government were to tinker with certain provisions of SOX.

"I could envision people saying, 'We don't have to do this,' or taking a more minimalist approach to compliance," Cannon said.

Michael Mathews, CTO at Cynergistek, an Austin, Texas-based solution provider, has yet to see a spike in SOX-related business and expects any weakening of SOX to put a further dent in his compliance sales.

"If some of the SOX directives are rolled back, and if there aren't going to be consequences for non-compliance, are folks going to stop listening and spending? I'm thinking yes," Mathews said.

"We're not really selling straight off SOX. We keep wondering when the floodgates are going to open, but the fact is, people are only going to start spending when they absolutely have to," said a solution provider who requested anonymity.

"The ROI of compliance just isn't worth it until a large enough hammer comes down, and that hasn't happened yet," the solution provider said.

Even if Congress leaves SOX alone, the perceived lack of government commitment to enforcing SOX is already causing many companies to drag their feet when it comes to spending the money to implement SOX controls, the source added. To illustrate this reluctance, the source tells the story of a customer whose company regularly deals with lawsuits that require it to provide e-mail records to external legal teams.

The company has dealt with six such lawsuits in the past year, and has been considering the purchase of an enterprise e-mail archiving solution that would streamline the discovery process. However, the company plans to wait until it is sued a seventh time before pulling the trigger on the deal, the source said.

Beware The Hypesters

Some solution providers feel that auditors who do SOX assessments have contributed to the hype around compliance by making questionable recommendations that are based more on products than on solutions. They say if SOX is watered down at some point in the future, there could be retribution from companies that have spent considerable sums based on these recommendations.

"There have always been reactionary auditors and consultants who convince their clients to stay on the Sarbanes Oxley 'gerbil wheel' by buying the latest SOX product du jour," said Ken Phelan, CTO of Gotham Technology Group, a New York-based solution provider. From a VAR's perspective, this approach is dangerous because it can undermine trust and lead companies to question the advice they're getting, according to Phelan.

In what appears to be a clear conflict of interest, some auditors have even been recommending specific products, Phelan said. "It's always been highly suspect to have an auditor come in and tell you to implement a product rather than a control, but they have been doing that," he said.

Steve Snider, president of Cadre Information Security, a Cincinnati-based solution provider, said auditors have established what he calls a compliance "regulation by proxy" by pushing their own definition of SOX best practices that goes beyond what the legislation requires.

"They meet with a client and say that other firms are doing such and such, and advise the client that they need to do at least that," Snider said. "If the auditor can convince the client to do a little more than what others do, the net effect is that the SOX compliance bar has been raised."

 