No sooner do we begin to explore the concept of modularity than an example presents itself — in yesterday’s Wall Street Journal (subscription required), former SEC Chairman Harvey Pitt called for reform of the Sarbanes-Oxley Act (“Make SOX Fit,” by Harvey L. Pitt, The Wall Street Journal, April 13, 2006, page A12), and suggested that:
The first component of any solution is to amend SOX by making it part of the Securities Exchange Act of 1934. This would have the advantage of allowing the SEC to tailor SOX’s requirements to the size and economic burden imposed upon public companies — not to mention affording the SEC the opportunity to make distinctions between domestic and foreign registrants — without eradicating the protections served by the statute. It would also enable Congress and the administration to move quickly without raising concern that any substantive provision of the statute was being modified — so those who don’t want to be seen as pandering to corporate miscreants won’t be subject to that charge, while those who want to promote greater rationality in SOX won’t be tagged with loosening substantive protections afforded by the law. Finally, this reform would eliminate legal questions about the SEC’s ability to craft effective solutions.
The Journal’s Law Blog reports on the article and provides commentary here.
Without taking a stand on Pitt’s recommendation — which, as the Law Blog commentary suggests, is controversial — it’s worth noting that if adopted, the reforms would require exactly the modular approach to Sarbanes-Oxley compliance that we described. First of all, any revision of the act would demand a parallel revision of compliance procedures. New compliance procedures in the form of automated rule sets can be revised easily — updated sections are dropped into the Rules Library, to be called as needed, while existing procedures remain in place. Beyond that — Pitt calls for Sarbanes-Oxley requirements that “scale” with the size of the company, and that allow variance for foreign registrants. Here again, modularity is the answer — a set of scale- and company-specific procedures that fine-tune compliance for each particular situation. Finally, the ability to automate documentation — including the generation of automated audit trails — would help the SEC in its enforcement mandate even as the terms of compliance become more complex.
Whether or not Sarbanes-Oxley is revised — along these or other lines — the fact remains that regulatory requirements will only become more detailed and granular as regulators and companies alike grapple with the realities of global business. An automated, rules-based approach to compliance confers resilience — and modularity is an essential technique for maintaining that resilience in a dynamic regulatory environment.