In a courtroom in Houston, Enron executives were grilled for months over the actions that ended up destroying the high-flying company. Along with Enron went its auditor, Arthur Andersen, and a great deal of investor and employee wealth.
Okay, so Enron got clever and unethical and their key executives were indicted. But it is also becoming apparent that there were plenty of opportunities for politicians and auditors to lasso the company over the years. We did not.
Instead, as a reaction, we enacted the Sarbanes-Oxley (SarbOx) Act in 2002. Section 404 of SarbOx is only 168 words long, but its impact has been dramatic. It makes executives responsible for maintaining an adequate internal control structure and procedures for financial reporting. This is in addition to the checks and balances on company management that we have auditors and the SEC for in the first place. SarbOx has escalated compliance to top priority in every boardroom. It dwarfs previous industry-specific compliance requirements such as FDA Validation in pharmaceuticals and HIPAA in health care. Three years ago, very few companies outside of banking had senior IT-compliance managers. Now just about every company has one, it seems.
Several technology vendors and systems-integration firms (and, of course, audit firms) have enjoyed a bonanza from this focus on compliance. Companies are investing in storage and content-management software to handle more stringent document security and retention policies. They are investing in systems-management tools and business-intelligence software to catch non-conforming system events and suspicious trends. SAP recently announced its large Governance, Risk and Compliance initiative after it bought a compliance software vendor, Virsa. Global service providers are re-positioning their quality and process-improvement practices to help in compliance initiatives.
The Cost of SarbOx
But it is time to stand back and pause. It looks like the seemingly innocent 168 words of Section 404 may end up costing the U.S. economy billions for each of its words. Surely, I exaggerate? No. Look at this growing stream of data that supports my statement.
The SEC has asked for and heard from several public companies, large and small, on the effects of SarbOx. You see feedback on its site from the CFO of Ball Corporation, a five-billion-dollar packaging company, which says that their costs of seven million dollars "far exceeds our realized benefits from Section 404." He writes: "The issues that surfaced at Enron, WorldCom and others were not based on routine transaction processing. Yet, we were required to test 30 or more transactions for each area in accounts payable, payroll, sales, etc., at each in-scope plant." There are several similar letters, usually in polite language, but most suggesting they have been penalized for Enron's excesses.
The FEI, an association of top financial executives, has surveyed its member companies for four years now. In its latest survey (released in April), the average cost for Section 404 compliance was $3.8 million (16% lower than in the previous year, but members had budgeted a larger decline than was actually delivered).