Enforcement

People whine about Sarbanes-Oxley as if it were government accountants with a sense of neither humor nor proportion watching everything an executive does, 24/7. Thing is, much of the actual regulation is courtesy of the Public Company Accounting Oversight Board, a private corporation. My hat is off to the accounting profession, which successfully met an enormous reputational crisis born of bone-deep malfeasance and conflicts of interest, by deepening the “self-regulation” which is a hallmark of the field.
If these guys are doing a lax enforcement job, you sure can’t tell by the volume of whining coming from boardrooms.
Meanwhile, we have what seems to be the poster-child for ineffective regulation, the Payment Card Industry data security standard. This is the set of requirements laid out by Visa and MasterCard, which is due for revision in a month or two. The last year has seen compliance rise from 10% to about 20%. Meanwhile, the revision will reportedly eliminate the requirement for data at rest to be encrypted, and will, in a year or two, require attention to application-level issues such as SQL injection.

One of the biggest technology challenges is PCI’s requirement for encryption, [industry analyst Avivah] Litan said. Some companies are uncertain whether they’re required to encrypt data or can implement other compensating controls, she said.
Another factor in the slow pace of adoption is the perception that PCI, unlike government mandates, is a private standard lacking enforcement teeth, said Nigel Tranter, a PCI auditor at Payment Software Co., an auditing firm in San Jose.

Wrong. The standard does have teeth, but using them would be to kill goose that laid the golden eggs. Unlike the PCAOB, whose industry makes more money the harder it is for firms to clear the bar it sets, Visa and MC face a hard choice. If they drive too many CardSystems into the ground, they shut off their own revenue stream. Every consumer they frighten into using cash at Sam’s Club or OfficeMax, they can count in their own loss column.
It isn’t the fact that PCI/DSS is non-governmental that matters, as the PCAOB proves in spades. It’s the incentives facing the folks doing the enforcing.

2 thoughts on “Enforcement

  1. “My hat is off to the accounting profession, which successfully met an enormous reputational crisis born of bone-deep malfeasance and conflicts of interest, by deepening the “self-regulation” which is a hallmark of the field.”
    That’s an interesting spin on the situation 🙂
    From Wikipedia:
    “Prior to the creation of the PCAOB, the audit industry was essentially self-regulated through the Public Oversight Board, a private organization whose members were appointed by the auditing industry. The Public Oversight Board was formally dissolved on March 31, 2002, though its members had resigned en masse in January 2002 to protest then-SEC Chairman Harvey Pitt’s proposal for a new private auditor oversight body to regulate the industry (a proposal which would evolve into the PCAOB).”
    That’s hardly a feet forward mentality on the part of the account profession, is it?

  2. A fair point.
    s/deepening/continuing/g
    The idea is that in the face of calls for government regulation, the profession still regulates itself. My comments were focussing on the endpoint (probably excessively so). You are right to point out that the journey to that destination was not a smooth one, so my praise of the driver may have been a tad too effusive!

Comments are closed.