03 April, 2008 11:41 AM EST
Waiting for "EuroSOX"
Posted By: Carsten Casper, Research Director

Is corporate governance all about the U.S. Sarbanes-Oxley Act (SOX)? The answer is, of course, "no," but you could be forgiven for wondering, given how often people say "SOX" when they're really talking about internal controls. I suppose it's not surprising, then, that many new pieces of audit-related legislation take on the "SOX" suffix. Japan's Financial Instruments and Exchange Law has come to be widely known as J-SOX, and now we're hearing all kinds of talk about something called "EuroSOX" — and that's a mistake.

We Europeans don't like to be seen as copying the U.S. - surprise, surprise! - especially when we aren't. There are at least as many differences as similarities between Sarbanes-Oxley and the various European Union (EU) directives on related topics. The simple fact is: Europe isn't the United States. The legislative processes are longer and more complex. Many variations remain between different countries and jurisdictions within Europe. Noncompliant enterprises will be asked to explain their actions, instead of their CEOs being sent straight to jail. The only people who'll really benefit from the "EuroSOX" hype, with its current Peak of Inflated Expectations, are vendors trying to sell compliance tools that may or may not be appropriate to European needs. The Trough of Disillusionment that will follow is likely to be long and deep and come at the worst possible time — that is, when enterprises really do need to make some adjustments to their internal controls.

Despite the differences I've identified here, Europe, like the U.S., is striving for improved corporate transparency and accountability. Specific guidance must, and will, be developed, and it will have an impact on IT: sooner in some countries, later in others. Europe can benefit from the experience of overly prescriptive U.S. legislation by ensuring that proper risk management is in place, focusing on high-risk areas, enforcing segregation of duties and automating key controls. But learning, not copying, is the key here.

COMMENTS
21 April, 2008 02:32 PM EST
Probably one of the more realistic views on EuroSox tendered in this frantic Kasbah of ready-to-go IT projects leading to instant compliance. Thank you for that.

Wasn't there a time where one of the most valuable lessons learned was not to let IT be the driver of business requirements?

Nevertheless, the IT and consulting industry are touting their EuroSox message so loudly, one may hardly get a sensible argument slipped into the discussion.

EuroSox really doesn't present companies with anything so drastic that it may drive entire SOA projects, or the implementation of entire application platforms.

I suggest that the challenge may be in retrieving relevant information by identifying and plugging into i.e. risk management procedures already supporting assessment of risk in the top floors of corporate management.

Surely, some companies will find it relevant along this process to evaluate opportunities to improve on their IT application portfolio supporting their current operation, i.e. contract management, records management, etc.

However, I urge companies to closely examine and proof-test the business cases submitted to them under the pretense that if not adopted, companies will fail to meet compliance requirements.

After all, there may be a reason why the word technology or even IT technology is so rarely made use of in the twenty-odd directives forming the basis for EuroSox.
