This is a cached copy of http://blog.gartner.com/blog/security.php?x=0&itemid=3306. The cache is a snapshot of the article taken when the feed was indexed.
Waiting for "EuroSOX"
2008-04-03 11:41:37, posted by Carsten Casper, Research Director in IT Leaders - Security and Risk Management
 
Is corporate governance all about the U.S. Sarbanes-Oxley Act (SOX)? The answer is, of course, "no," but you could be forgiven for wondering, given how often people say "SOX" when they're really talking about internal controls. I suppose it's not surprising, then, that many new pieces of audit-related legislation take on the "SOX" suffix. Japan's Financial Instruments and Exchange Law has come to be widely known as J-SOX, and now we're hearing all kinds of talk about something called "EuroSOX" — and that's a mistake.

We Europeans don't like to be seen as copying the U.S. - surprise, surprise! - especially when we aren't. There are at least as many differences as similarities between Sarbanes-Oxley and the various European Union (EU) directives on related topics. The simple fact is: Europe isn't the United States. The legislative processes are longer and more complex. Many variations remain between different countries and jurisdictions within Europe. Noncompliant enterprises will be asked to explain their actions, instead of their CEOs being sent straight to jail. The only people who'll really benefit from the "EuroSOX" hype, with its current Peak of Inflated Expectations, are vendors trying to sell compliance tools that may or may not be appropriate to European needs. The Trough of Disillusionment that will follow is likely to be long and deep and come at the worst possible time — that is, when enterprises really do need to make some adjustments to their internal controls.

Despite the differences I've identified here, Europe, like the U.S., is striving for improved corporate transparency and accountability. Specific guidance must, and will, be developed, and it will have an impact on IT — sooner in some countries, later in others. Europe can benefit from the experience of overly prescriptive U.S. legislation by ensuring that proper risk management is in place: focusing on high-risk areas, enforcing segregation of duties and automating key controls. But learning, not copying, is the key here.