This afternoon I read an interesting question on Quora (www.quora.com)…
Is there a documented case where a company believes its culture was materially changed because of restrictions imposed by Sarbanes-Oxley?
Theoretically, and this might sound a bit Pollyanna, anything that's done as part of an internal control environment should be done because it's the right thing to do for the business (public or private), and not because of a regulatory requirement like SOX. So if your organizational culture is one of business and process excellence, then it won't materially change because of an implementation of internal controls. If your organization doesn't have the mindset of process management, then it is in for a harsh awakening.
For example, you stop at a red traffic light in a busy intersection because it's a good idea and you don't want an accident, not because the law tells you to.
In the same vein, we have a segregation of responsibilities between the person who can approve a payment to a supplier and the person who writes the check because it's a good idea and we don't want to have someone paying themselves and defrauding the company (exaggerated for effect), not because SOX tells us to.
We control and document programming changes in an IT environment because it's a good idea, not because SOX tells us to.
What burdens an organization with a mindset of business excellence when it comes to regulatory compliance isn't the process change or the cultural shift; it's the sheer weight of the audit function and the potentially overwhelming documentation required to support it (but that's a tale for a different day).
Interestingly enough, Grant Thornton did a survey in January 2013 of corporate general counsels for their clients; the survey, on the largest threats to organizational growth, showed the overwhelming response from the GCs: regulatory compliance. Go figure.
You can find the survey here.