What does Sarbanes-Oxley have to do with donuts?

I had lunch with a friend of mine yesterday who is an officer with a public technology company.  As we started discussing his business, one of the topics of conversation was Sarbanes-Oxley.  His company just went through an expensive Sarbox audit to get into compliance and while his company passed with flying colors on most of the important issues, his company failed the audit.  Why?  Here is the short story.  One of his sales reps was hosting a client meeting and bought $15 worth of donuts.  The rep got a signature and approval from the CFO on the purchase.  Why did they fail?  The accountants said that the rep needed to get 2 signatures, one from the VP Sales and one from the CFO.  If the rep could buy $15 worth of donuts with only one signature, then think about what else he could buy.  That to me is quite inane and ridiculous.  There has to be some threshold, for example, on when 2 signatures are necessary for an expense report.  This is a perfect example of why Sarbox is expensive for public companies.  While I believe that Sarbox is a good thing and better and more stringent accounting is necessary, I also think that there is a lot of waste inherent in the regulations and that it needs to be reexamined.

This brings me to another point.  I had the opportunity to speak on a panel the other day hosted by Venture Scene New York.  The panel focused on exits or liquidity events and how VCs thought about them.  The clear trend that I am seeing is that companies really have second thoughts about going public these days due to the costs and requirements of Sarbox.  That obviously is not the sole reason many companies that can go public choose to be acquired but it is one of the top few.  In addition, it is no surprise that you see many public companies, particularly smaller ones, looking to go private as well.  Something has to be done to make Sarbox more relevant and less onerous, particularly for smaller companies.

Published by Ed Sim

founder boldstart ventures, over 20 years experience seeding and leading first rounds in enterprise startups, @boldstartvc, googlization of IT, SaaS 3.0, security, smart data; cherish family time + enjoy lacrosse + hockey

10 comments on “What does Sarbanes-Oxley have to do with donuts?”

  1. One has to wonder about a world in which $15 worth of donuts would require signatures from two senior executives. (And I thought needing five managers’ approvals for travel to a conference was bad.)

  2. “While I believe that Sarbox is a good thing…”

    Why? This piece of legislation is nothing more than retribution for the acts of a small band of unsavory characters. Unfortunately, it casts a shadow (pall?) over the other 99.9% of the folks who play by the rules, roll their sleeves up, do business and make America great every day. The wellspring of that greatness bears no resemblance to Washington.

    And to say this protects investors is garbage. Bad people will find ways to do bad things period, regardless of the amount of oversight thrown at them.

    At the end of the day this was a kneejerk response to a tiny group of high profile blowups occurring against the backdrop of our public markets experiencing an historically significant bear market.

    It’s unfortunate our public markets/public companies had to take the fall. In today’s global economy capital will flow to where it is most free, and things like SarbOx only hurt the US on that score.

    It goes without saying I wouldn’t leave a comment of this length if I didn’t enjoy the blog. I appreciate that, as a VC blogger, you’ve focused on what’s happening with your management teams out on the frontlines. That’s where all the action is.

  3. I am a business analyst/tech. architect doing an assessment at a client – a small but fast growing private company. Having been a project manager, I see horrendous project management and internal IT processes. There seem to be no actions to fix that but they have a Sarbox consultant onsite and a “VP of Sarbox compliance” (a real title). Of course the company wants to go public, but the wrong patient seems to be getting the medicine.

  4. Maybe Congress or the SEC should make SOX 404 compliance voluntary. Companies that choose not to spend millions per year on internal controls micromanagement and documentation can disclose their choice and be hammered (or rewarded) by the market. It would be interesting to see how the two classes of companies then perform over time. The non-compliant would lower their expense, and probably improve their flexibility and nimbleness. Maybe they’d attract more risk-takers and fewer rules followers over time.

  5. First, full disclosure – my company sells software products that benefit from Sarbox.

    Having said that, my experience is that Sarbox is a good thing. It is only onerous to companies that don’t have their act together in the first place.

    Here is an example. One of our prospects in the valley sells product through the channel (Arrow, Ingram etc.). Revenue is recognized on a sell-through basis.

    They receive 600 Excel worksheets from the channel with sales, returns, inventory etc. data weekly for sales operations, and monthly for revenue recognition and financial reporting. This data is then “fed” (manually sorted, pivot tables, cut/paste) into 87 internal worksheets to come up with sales commissions, promotion and rebates credits, deferred revenue etc.

    What are chances any of the numbers they are reporting are right? ZERO.

    Timely? ZERO.

    Auditable? ZERO.

    Not only are their revenue #’s wrong (we uploaded a year of channel data from them and did an analysis in our product as part of the sales cycle), they also pay too much in sales commissions to their sales people and in promotion and rebate credits to the channel. That’s for starters.

    An isolated case you say?

    Not at all.

    Check with your dearest well meaning CFO, Controller or Manager of Sales Operations. “Spreadsheet Raj” is the norm in most small to mid-size ($50M-$5B) public companies.

    And auditors have been signing off on all of this for years!

    It is only now, with Sarbox Section 404 (internal controls) to contend with, that these auditors are demanding a better (no spreadsheets and manual processes) system that is automated, auditable, with access controls etc.

    I could go on, and on.

    So perhaps there are some things in Sarbox that need changing and improvement. But on the whole it is a very good thing.

  6. Funny,
    I know someone in senior mgmt that just buys the donuts (or lunch) out of his own pocket… and forgets about it.

  7. It seems to be the nature of things for the government to over-regulate in response to a disaster. (I can only imagine the amount of TPS-reporting that will be required at FEMA now post Katrina).

    Is the cure worse than the disease when it comes to SOX reporting? It might very well be so. While we sell software to help streamline SOX compliance, for the sake of American Productivity I look forward to the pendulum swinging back towards the middle here.

    Martin Tibbitts

  8. Pingback: VentureChoice Blog
  9. Anytime there is a crisis, the government, management, etc, over-reacts in the name of CYA. Then, over time, the dust settles. Logical, cooler heads come out of the woodwork and are allowed to analyze the situation and correct the chicken-little solution and bring everyone back down off the ledge. There will be a grand example made of some high-profile CEO, the government will show the taxpayers that their dollars are hard at work and then we can get back to a more reasonable state and a donut will again just be a donut.

  10. I have been trying to find out just what in the hell it is that an auditor does in testing for 404 compliance that is any different than what has always been done to test and evaluate internal controls. Everything I find addresses only the top of the pyramid. Is there someone out there who can give me some “Down In The Dirt” level information?
