
Keep your SOX on

May 05, 2004

Truth be told, the new federal regulations don’t affect us much – for now

Thanks a bunch, Enron.

The past five years have seen a swell of high-profile stories in which some top corporate executives were found to be thieving jackasses. You got your Enron, your Tyco, your WorldCom. You got your revenue-cramming, your expense-hiding, your stock-dumping. You got, all in all, an ethical code that would embarrass a guy selling $10 Rolexes out of his trench coat.

The U.S. Congress reacted to this corruption predictably: It passed a massive, vague, loophole-ridden set of regulations that will add another expensive administrative burden on the backs of all U.S. businesses. I speak of the Sarbanes-Oxley Act of 2002, generally called SOX or Sarbox.

The appeal of SOX is that it seeks to make business accountability personal by threatening to throw corporate officers in the clink if their companies behave badly. This is pretty cool, I concede, but let’s face it: in practice, the CEO of Humongo Corp., who pulled down $12.5 million last year, won’t be bused to Rikers Island. Rather, he will fight a long, enervating court battle that will end in a fine or 90 days in a country-club prison.

You’ve been reading about SOX recently because an important compliance deadline for big companies has passed, and because at least one provision of the act is not vague: SOX states that all business records, including electronic records and electronic messages, must be saved for “not less than five years.”

Given this data-storage mandate, it’s no surprise that SOX has had a major effect on corporate IT departments – and less of a surprise that software vendors and consultants have built a mini-industry around SOX compliance.

But what about us? I keep reading that SOX is a big deal to small and midsize businesses, but that covers a lot of ground – a company with 50 employees is deemed an SMB, but that’s gargantuan by my standards. I haven’t seen persuasive evidence that SOX will be a big deal to one-man bands like my business or yours.

Don’t get me wrong: the basic tenet of SOX, and of its cousin, the Health Insurance Portability and Accountability Act (HIPAA), is that companies must do a better job of storing and safeguarding information, and I’m all for that.

But need you worry about SOX just yet? Doubtful. For starters, compliance is mandatory only for publicly held companies; for those that are privately held, it’s voluntary.

Section 404, one of SOX’s key areas, mandates that by April 15, 2005, the CEO, CFO and “outside auditors” of small and foreign-owned businesses attest to the effectiveness of internal controls (including computer systems) that affect their financial reporting process.

What that means for home-based businesses – in which the CEO and CFO are one and the same, and the nearest thing to an outside auditor is the UPS guy – is unclear, even to analysts specializing in SOX.

However, it never hurts to be prepared:

* Ask your clients. In the short term, you’re most likely to feel the effects of SOX if you have a publicly held company as a client; that company may “increasingly demand from private business partners accurate financial information,” according to the Yankee Group, a Boston research firm. Talk with your contact to see whether such a demand is in the pipeline and, if so, exactly what information they may need.

* Discard nothing. As I wrote in a recent Home Base, it’s worth considering a remote data-storage service; recent cases have shown that even the most trivial of e-mails may someday be demanded in a civil or regulatory proceeding.

* Stay tuned. As we speak, SOX is being defined on the fly by an army of bureaucrats. The act’s impact on home-based businesses will be far better defined in six months.