Thursday, June 30, 2005
Computer Associates Discloses Sarbanes Shortfall
Computer Associates (CA:NYSE - commentary - research) disclosed late Monday that it has two material weaknesses in its internal control over financial reporting, as governed by the Sarbanes-Oxley law.
The company said late Wednesday that the items involved a deficiency in internal control over financial reporting relating to the restatement of its financial results, and a deficiency in maintaining an effective control environment in its Europe, Middle East and Africa operation.
"Upon identifying these control deficiencies, we have acted swiftly and decisively to implement the changes necessary to correct the problems," said Chief Financial Officer Bob Davis. "We have made substantial progress and will work diligently over the coming months to complete the task."
posted by Brian Moran @ 10:49 AM
Wednesday, June 29, 2005
Nearly Half the Nation's Largest Companies Say Their SOX Compliance Has Not Been Institutionalized
Resources Audit Solutions, the Enterprise Risk Management and Internal Audit service line of Resources Global Professionals, an international professional services firm, released survey results indicating that nearly half of the nation's largest companies have not institutionalized their Sarbanes-Oxley (SOX) compliance and that their compliance management software is not yet enterprise-wide.
The results also show that while many of the companies are experiencing the impact of SOX at all levels of their business, they have not been quantitatively measuring the return on investment (ROI) of their significant SOX compliance efforts, including compliance management software. This is despite the fact that respondents have invested in an average of two or more external firms for SOX compliance support.
posted by Brian Moran @ 9:49 AM
Wednesday, June 22, 2005
Thank goodness William Donaldson is still chairman of the SEC. Otherwise, conspiracy theorists would be running wild at the Wall Street Journal's report (page C1) today that the commission is preparing for the possible demise of KPMG by, among other things, contemplating case-by-case waivers of Sarbanes-Oxley's auditor independence rules.
Talk about a way to rapidly swing the pendulum.
posted by Brian Moran @ 10:32 AM
Tuesday, June 21, 2005
SEC's Atkins: Back Off Company Fines
While senators gear up for the confirmation hearings of Rep. Christopher Cox (R-Calif.) — President Bush's nominee for chairman of the Securities and Exchange Commission — sitting commissioners are publicly staking out their agenda.
At a luncheon organized by the Association of Public Corporations held last Friday in Fort Lauderdale, Florida, commissioner Paul Atkins said the SEC should go after individual wrongdoers rather than levying heavy fines against the companies for which they work, according to The Sun-Sentinel. "Individuals commit fraud, corporations do not," he added.
Atkins reportedly said that even though the commission has been able to extract increasingly larger fines in recent years, he worries that the individual transgressors may try to settle with regulators using what he called "a pot of shareholders money." He also told the audience that individuals who fear being held personally responsible for wrongdoing are more likely to perform better.
Atkins conceded that for companies that have a long record of improper behavior, regulators would be wise to levy large corporate fines as well as individual charges. For example, he explained, fines should be levied on companies that have a history of dumping waste into waterways to save money, because shareholders of such companies profit from the offensive practices.
posted by Brian Moran @ 8:45 AM
Monday, June 20, 2005
Chief risk officer: A valuable addition to the C-suite
What would you do if 20 per cent of your work force left your company in one day? How about turn to your chief risk officer?
That's what Hydro One Inc. did in 2000, when 1,400 of its long-serving employees took an early-retirement offer all at once -- far more than the utility had expected.
"If you think of any organization where 20 per cent of your workers walk off the job, you've got plenty of risks of how to keep things going," Hydro One's CRO John Fraser says.
"The two main ones: things might collapse because of people leaving in critical areas and, secondly, managers might panic [over losing so many people], try to persuade the president to rehire and, before you know it, we'd have 1,400 people back on board."
Hoping to fend off those risks, Mr. Fraser was put to work. His mission: to figure out, department by department, how the loss of so many bodies would affect all of the utility's business objectives. His conclusion: With the addition of just 125 people and $4-million in consultants' costs, "we could mitigate the risk to an acceptable level."
Such is the work of Mr. Fraser as Hydro One's chief risk officer-- the latest title to join the C-suite, along with CEOs, COOs and CFOs.
It's a position growing in importance as companies, shaken awake by corporate scandals and the increasing complexities of business, pay closer attention to the many risks they face.
And they are relying on the CRO to be their chief watchdog -- charged with monitoring all of the risks that a company faces.
posted by Brian Moran @ 8:22 AM
Friday, June 17, 2005
Sarbanes-Oxley hits auditor relations
The soaring cost of complying with US regulation is poisoning relationships between companies and their auditors, according to the latest study on the impact of Sarbanes-Oxley legislation.
Research based on public filings and polling confirmed fears that the cost of maintaining a public listing continues to mushroom, up 45 per cent on last year for large companies, due mainly to rising audit fees.
But the third annual study by Chicago law firm Foley & Lardner also revealed another less-anticipated side-effect: growing resentment towards the accounting profession and falling levels of trust and co-operation.
Confidential responses from the 147 US companies which took part show anger and suspicion towards the independent accountants paid to check their books.
posted by Brian Moran @ 10:09 AM
Thursday, June 16, 2005
Facing up to fraud - The need for a risk-based approach
Fraud Risk Management
Times are changing fast. In October 2004 the Financial Services Authority (‘FSA’) unveiled its new regulatory approach to dealing with financial fraud. The FSA has now put financial fraud risk management on its agenda of ‘risk-based’ regulation; through its existing supervisory regime it will seek to measure and evaluate the degree of compliance with expected best practice. Alongside this announcement, the FSA also published a report in November 2004 highlighting concerns over poor IT security, which may be exploited to commit financial fraud through internal or external attacks on firms’ IT infrastructure.
Equally, publications such as ISA 240 and the Basel Committee on Banking Supervision’s paper number 96 on Operational Risk have underlined the critical nature of internal and external fraud risks, and the need for institutions to have appropriate fraud risk management systems in place, with appropriate management responsibility and oversight, to manage these vulnerabilities.
It will therefore be increasingly important for management teams to operate in the knowledge that they have reviewed their fraud risk management strategies and methodologies to ensure that they are appropriate and will withstand regulatory scrutiny. Management will need to demonstrate a serious commitment to dealing with financial fraud risk and be able to talk in an informed fashion about their relevant systems and controls within the context of a ‘risk-based’ approach.
Any institution subject to the requirements of Sarbanes-Oxley will already need to be addressing such issues whether as a US listed company or as a ‘foreign-based issuer’.
Reducing the risk of fraud is an achievable corporate objective
Effective fraud risk management, and the design and implementation of effective preventive and detective strategies, requires a joined-up understanding of the risks associated with a firm’s operational cornerstones (people, process and technology) and a willingness on the part of all stakeholders to face up to the difficult questions of "could it, and might it, happen to us – and how?" It also requires adopting measures that transform corporate culture, establish an effective control environment, and secure data assets.
posted by Brian Moran @ 11:22 AM
How Much Is It Really Costing To Comply With Sarbanes-Oxley?
Public companies have been complaining about the costs of complying with the Sarbanes-Oxley corporate-reform law since its passage in 2002. The outcry has intensified with the departure of Securities and Exchange Commission Chairman William Donaldson, as companies hope for new rules that might ease what they say is a financial burden.
Putting a dollar figure on how much Sarbanes-Oxley has cost corporate America is extremely difficult, though that hasn't stopped many from trying. Often-cited estimates range from $1.6 million to $4.4 million per company each year. Meanwhile, one researcher estimated $1.4 trillion in stock-market losses due to the bill's passage. But some of the estimates on Sarbanes-Oxley are as questionable as the cooked financial books that led to the measure's passage.
Alan Beller, director of the SEC's division of corporation finance, questioned some estimates in a speech last July in Boston.
Certainly, the increased auditing and record-keeping required by Sarbanes-Oxley has been costly for some companies, especially for small businesses. But few companies have disclosed how much compliance has cost them. Instead, most numbers in the debate come from surveys, where biases and methodology can skew the results.
posted by Brian Moran @ 8:58 AM
Wednesday, June 15, 2005
SOX: New rules for year two
AMR Research analyst John Hagerty has three words of advice for executives grappling with compliance with the Sarbanes-Oxley Act: repeatable, sustainable and cost-effective.
"SOX is not going to go away like Y2K. It's here to stay," Hagerty said.
About half of the companies Hagerty deals with still view SOX compliance as just another tactical project. "SOX is a process, not a project, and you have to plan for it."
The first line of attack -- making the process repeatable -- requires investing in technologies that will help automate testing of internal controls, Hagerty said. AMR Research Inc. estimates that of the $6.1 billion spent on SOX compliance in 2005, nearly two-thirds will go to internal labor and head count.
"People will always be involved in a compliance process like this, but you don't want to have it be intrusive or taking away from day-to-day work," Hagerty said.
posted by Brian Moran @ 12:47 PM
Monday, June 13, 2005
Have anti-fraud laws done a good job?
Three years after Congress responded to a wave of corporate fraud with a comprehensive new set of laws to prevent it, the so-called Sarbanes-Oxley Act is getting mixed reviews from companies, lawyers and shareholders.
While most agree the law has helped restore investor confidence in corporate accounting, companies have complained that the benefits of the new regulations are not worth the cost of complying with them. And one key provision — holding top executives personally accountable — has so far failed to win a conviction in the first high-profile criminal case under the new law.
That “certification” provision — requiring corporate CEOs to personally sign off on accounting statements — was supposed to make it tougher for top executives to claim they didn’t know that underlings were cooking the books.
But after four weeks of deliberations, the jury in the fraud trial of HealthSouth Corp. founder and ex-CEO Richard Scrushy remains deadlocked. Scrushy — the first chief executive accused of violating the Sarbanes-Oxley law — is accused of orchestrating a $2.7 billion earnings overstatement at the rehabilitation and medical services chain over seven years beginning in 1996. He is also accused of conspiracy, fraud, false reporting and money laundering.
posted by Brian Moran @ 8:49 AM
Friday, June 10, 2005
Corporate attitude change on governance is hard part
The work isn't done. In fact, the hardest task may still lie ahead.
That's the prediction of Isaac Hunt, a former member of the Securities and Exchange Commission who was in town Thursday discussing the outlook for corporate governance.
In 2002, Congress changed the law. Now, Hunt says, we have to change attitudes. Corporate cultures can't be legislated. Reforming them requires sending a persistent message that businesses must be vigilant in monitoring their corporate conduct.
Directors and auditors, in particular, need to realize that their roles have changed, says Hunt, who serves on the audit committee of the Philadelphia Stock Exchange.
Too few directors, he says, understand that shareholder interests are paramount.
"They are there to run the company for the shareholder. They are not there because they're friends of the chief executive," Hunt says. " That has always been the theory, but not necessarily the practice."
posted by Brian Moran @ 8:53 AM
Wednesday, June 08, 2005
Post-Enron Regulatory Changes Have Their Good and Bad Sides
Don't buy recent headlines declaring the post-Enron era of corporate regulation to be over. For better and worse, it isn't.
The proof can be found in Washington, where business lobbyists have decided not to push for even modest revisions in the Sarbanes-Oxley law. Why? Because they know public opinion is still against them. If new legislation is unleashed, there is no telling where politicians, with their fingers to the wind, might let it go. (Limits on executive compensation, anyone?)
Even at the Securities and Exchange Commission, the appointment of a staunchly free-market chairman will change less than business groups would like. President Bush's nominee, Rep. Chris Cox (R., Calif.), is a smart man who will be eager to avoid not only the mistakes of his predecessor, William Donaldson, but also those of Mr. Donaldson's predecessor, Harvey Pitt. It was Mr. Pitt's call for a "kinder, gentler" SEC that helped spark the criticisms that eventually led to his resignation.
Mr. Cox "has been through the political wars," says Mr. Pitt, who has lost 95 pounds on the South Beach Diet since leaving the SEC more than two years ago. "He brings that additional skill to the process." Mr. Cox's political instincts will argue against a wholesale rollback of post-Enron initiatives.
Mr. Bush's nomination of Mr. Cox and the Supreme Court's overturning of the Arthur Andersen verdict do provide an opportunity to pause and take stock of the changes that have occurred since the Enron scandal broke. Some clearly have been good for the economy and business; others clearly haven't.
posted by Brian Moran @ 10:19 AM
Monday, June 06, 2005
Will COX cure SOX pain?
You spent 2004 tearing out your hair over Sarbanes-Oxley. Your compliance budget ballooned to many millions. The enterprise resource project you launched ground to a halt. Now you're alone in the elevator with the newly-nominated chairman of the Securities and Exchange Commission, taking the proverbial two-minute ride to the top. Your plea to Christopher Cox?
"Please try and create some semblance of best practices and a repeatable process that everyone can follow," offered Scott Hicar, chief information officer for Maxtor Corp., a computer storage device manufacturer in Milpitas, Calif.
Hicar, who survived his first year of SOX compliance, expects the process to be easier next year, no matter who heads the federal agency. But, like other CIOs polled in recent days, he believes the SEC has a long way to go before the financial compliance required by the Sarbanes-Oxley Act becomes standard practice. "Much more education is needed," he said.
The news last week that William H. Donaldson is stepping down as chairman of the SEC and will be replaced, pending approval, by California Rep. Christopher Cox hit close to home for many CIOs.
posted by Brian Moran @ 9:19 AM
Thursday, June 02, 2005
So Much For Reform
U.S. Securities and Exchange Commission Chairman William Donaldson said on Wednesday he will resign on June 30, raising doubts about whether the agency's tougher post-Enron stance on corporate misconduct will be sustained.
President Bush must name a successor soon for Donaldson, who backed a strong enforcement agenda at the SEC and pushed through new rules affecting mutual fund governance, hedge fund advisers and stock market trading and pricing.
Several newspapers, including The New York Times and The Wall Street Journal, reported that Bush was expected to nominate Rep. Christopher Cox, a California Republican, to head the SEC.
Some of Donaldson's initiatives angered business executives and their allies in the Bush administration, who said they raised the costs of doing business and discouraged risk taking.
Business lobby groups wasted little time in calling for a change in tone at the top of the SEC.
The U.S. Chamber of Commerce, which is suing the agency over a mutual fund governance rule backed by the chairman, said his successor will have "a fundamentally different job than the one that Mr. Donaldson walked into, which was a job to focus on restoring confidence, transparency in our capital markets."
posted by Brian Moran @ 9:11 AM
Wednesday, June 01, 2005
Keeping Secrets: How five CFOs cooked the books at HealthSouth
It could be an episode of "The Sopranos." As revenues at $2.4 billion HealthSouth Corp. begin to falter, CEO Richard Scrushy, in the role of Tony Soprano, browbeats "the family", a group of top lieutenants including five CFOs, into falsifying a wide range of financial reports. Despite the family's misgivings, their own greed and Scrushy's threats keep the scam in operation for at least six years, until the "holes" become too big to fill with "dirt" alone. Only when a last-ditch effort to conceal the fraud by taking the company private fails does the last CFO left standing finally crack under the pressure and agree to wear a wire for the FBI.
That, at least, is the scenario described by the 15 executives who testified against Scrushy. (As of press time, no verdict in the trial had been reached.) Scrushy and his "family" are charged with recording as much as $2.7 billion of fake revenues on the company's books over six years, and correspondingly adjusting the balance sheets and paper trails. Methods included overestimating insurance reimbursements, fiddling with fixed-asset accounts, improperly booking capital expenses, and overbooking reserve accounts.
According to the testimony of CFOs Aaron Beam Jr., Michael D. Martin, William T. Owens, Weston Smith, and Malcolm "Tadd" McVay, each one realized the error of his ways, but most felt helpless to blow the whistle or even leave the company. Scrushy "managed greatly by fear and intimidation," according to Owens, who served as HealthSouth's third CFO from 2000 to 2001 (and again for part of 2003). Second CFO Martin testified that he tried to quit at least three times during his 1997 to 2000 tenure. "[Scrushy] said, 'Martin, you can't quit. You'll be the fall guy.'" The remark "petrified" him.
Now, facing federal criminal charges and possible jail time, all five CFOs have pleaded guilty and turned state's evidence, hoping to put Scrushy in jail for the rest of his life — and reduce their own sentences.
A Sunny Surface
From the outside, HealthSouth looked like a normal company. The revenues and cash-flow figures the company disclosed seemed reasonable, according to Gimme Credit analyst Carol Levenson and others. A constant stream of acquisitions, along with HealthSouth's unique mix of inpatient and outpatient facilities, made it hard to compare the company with others or even itself. And even after analysts like Levenson, Merrill Lynch's A. J. Rice (a witness for the prosecution), and Jefferies & Co.'s Frank Morgan (a witness for the defense) began to question the quality of the numbers in late 2002, they overwhelmingly said they never suspected the massive fraud.
posted by Brian Moran @ 9:12 AM
Companies Face System Attacks From Inside, Too
Each year, companies invest billions of dollars to protect their computer systems from virus intrusions and hackers from the outside.
But another problem can render many of those defenses useless: internal abuse from employees, contractors and others with legitimate system access. A January survey from Mazu Networks, a network security firm in Cambridge, Mass., found that 23% of 229 U.S. organizations with more than 1,000 employees had at least one internal security breach in 2004, while another 27% didn't know whether or not their networks had ever been compromised -- from inside or outside.
In February, a former Time Warner Inc. employee pleaded guilty to federal charges that he conspired to steal 92 million user names and passwords from its subscriber list and sold them to a spammer for $28,000.
Last month, eight former employees of Bank of America Corp., Wachovia Corp. and other major banks were arrested in New Jersey for illegally selling account information of an estimated 500,000 customers for $10 a name. The buyer subsequently sold the information to law firms and collection agencies, according to police in Hackensack, N.J., who are investigating the theft ring.
The bank scheme is believed to be the biggest security breach to hit the banking industry, although there is no evidence any of the information has been used for further criminal activity such as identity theft.
Experts say the breach could have been avoided if the banks had detected abnormal activity on their computer systems early on. The employees involved would ordinarily have accessed 30 to 40 customer records in a business day, according to police. While the theft was under way, the same employees were sometimes accessing 300 to 400 customer records a day, a tenfold jump that could have been spotted had the right monitoring been in place.
Spokespersons for both banks said employees are only given access to information they need to provide service to customers. Neither would verify the number of accounts the associates are authorized to access in a normal business day. They also declined to discuss specific security procedures, saying it would compromise their effectiveness.
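The detection the experts describe, a per-employee baseline of daily record lookups with an alert when a day's volume blows past it, is simple enough to show end to end. The following is an added example, not code from the article or from either bank: it parses a constructed audit trail (the `YYYY-MM-DD user VIEW_ACCOUNT record_id` line format, the teller names and the record numbers are all assumptions), counts distinct records each user viewed per day, and flags any day that exceeds both a multiple of that user's own median history and an absolute floor. Users without enough history are reported separately rather than silently trusted.

```python
"""Volume-based insider anomaly detection over a constructed access log.

Added example for illustration only. The log format, user names and
thresholds below are assumptions, not the banks' actual controls.
"""
import re
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Assumed audit-line format: "2005-03-01 teller01 VIEW_ACCOUNT 500123"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<user>\w+) VIEW_ACCOUNT (?P<record>\d+)$"
)


def make_sample_log():
    """Constructed audit trail (not real data): two tellers at roughly 30-40
    lookups a day for ten days, then teller02 jumps to 350 on day eleven.
    Also includes a new hire with one day of history and one unparsable line."""
    lines = []
    start = date(2005, 3, 1)
    for d in range(11):
        day = (start + timedelta(days=d)).isoformat()
        for user, n in (("teller01", 36), ("teller02", 33)):
            if d == 10 and user == "teller02":
                n = 350  # the theft day
            for i in range(n):
                lines.append(f"{day} {user} VIEW_ACCOUNT {500000 + d * 1000 + i}")
    lines.append("2005-03-11 teller03 VIEW_ACCOUNT 900001")  # new hire, no baseline
    lines.append("garbage line that does not parse")        # must be skipped, not crash
    return lines


def daily_counts(lines):
    """Map (user, day) -> number of distinct records viewed that day.
    Distinct records, not raw hits, so repeated refreshes of one account
    do not inflate the count. Unparsable lines are skipped."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        seen[(m["user"], m["day"])].add(m["record"])
    return {key: len(records) for key, records in seen.items()}


def detect_anomalies(counts, ratio=5.0, min_baseline_days=5, floor=100):
    """Flag (user, day, count, baseline) where count > ratio * median of the
    user's EARLIER days and count >= floor. The floor stops a quiet user going
    from 2 to 11 lookups from alerting; the ratio keeps the check relative to
    each user's own role. Days before min_baseline_days of history exist are
    returned as 'no baseline' so a new hire is reviewed, not auto-trusted."""
    by_user = defaultdict(list)
    for (user, day), n in counts.items():
        by_user[user].append((day, n))

    alerts, no_baseline = [], []
    for user, days in by_user.items():
        days.sort()  # ISO dates sort chronologically as strings
        history = []
        for day, n in days:
            if len(history) < min_baseline_days:
                no_baseline.append((user, day))
            else:
                base = median(history)
                if n >= floor and n > ratio * base:
                    alerts.append((user, day, n, base))
            history.append(n)
    return alerts, no_baseline


if __name__ == "__main__":
    counts = daily_counts(make_sample_log())
    alerts, no_baseline = detect_anomalies(counts)
    for user, day, n, base in alerts:
        print(f"ALERT {user} {day}: {n} records viewed, baseline median {base}")
    for user, day in no_baseline:
        print(f"NO BASELINE {user} {day}: insufficient history, review manually")
```

Run as written, the only alert is teller02 on 2005-03-11 (350 records against a median of 33); teller01's steady 36 a day never trips it, and teller03 shows up under "no baseline". In practice the baseline should be built per role rather than purely per user, since a fraud ring that ramps up gradually from day one would otherwise set its own inflated baseline, and the volume check complements, rather than replaces, the need-to-know access limits the banks describe.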
The incidence of such internal snafus is rising. In a survey of 600 companies in North America and Western Europe, Yankee Group found that in 2004, 50% of security problems originated from internal sources, up from 30% in 2003. "The trend has been moving away from external threat to internal threat," says Yankee Group analyst James Slaby.
Yet, awareness of internal threats -- and willingness to spend money to guard against them -- still is much lower than that for better known external threats. Of the $12 billion spent on security products worldwide in 2003, $8 billion was spent on enhancing perimeter security -- such as firewalls and intrusion detection systems -- to keep outsiders at bay. Only about $1 billion was spent on enhancing network capability to monitor and prevent threats posed by insiders, according to Enterprise Strategy Group.
Corporate information and data are vulnerable to inside attacks in numerous ways. In addition to ill-intentioned employees, external contractors and outsourcing partners have access to information systems. Trouble can happen inside a company's walls, right under managers' noses, or remotely -- say, if an employee logs on from home or a coffee shop. Breaches can be deliberate or accidental. Some threats can come from authorized users who unwittingly spread viruses and worms via their infected laptop computers.
Take advertising company ADVO Inc., which in January had part of its computer system attacked when an external contractor plugged his laptop into its network. Half an hour later, the company's security monitoring system detected abnormal traffic patterns in the server system of a production branch in California and 40 PCs in its Connecticut headquarters.
The accidental attack didn't cause any real monetary damage, but it took three network security engineers a whole day to clean up and repair the infected server and PCs.
This happened after ADVO invested more than $1 million on its network security to guard against threats -- from outside as well as inside. "No one is immune to this once you are connected to the Internet," says Phil McMurray, information-technology security director of the company, based in Windsor, Conn. Bank of America says it invests about $250 million a year in information security technology, personnel and assessment.
Security glitches can cause huge losses not only because they can paralyze the entire computer system, halting business operations -- but also because some hackers are creating them with the intent of stealing confidential information from a compromised computer. Once a computer is attacked, information such as email addresses, passwords, proprietary data and financial information may be accessed, disclosed or altered without authorization.
As more companies realize that high-risk, high-success rate attacks often are from people who have inside knowledge of the system, they have started using security products to protect their systems from inside. Often, they are surprised by what their employees are doing with corporate resources.
After deploying a product to detect abnormal computer behavior, a large public insurance company in the Midwest found a few employees running an illegal gambling Web site on computers hidden beneath the floor of its data center, says Paul Brady, chief executive of Mazu Networks in Cambridge, Mass.
A New Jersey utilities company with operations both in the U.S. and Canada found an employee siphoning confidential data from a corporate hard drive to a portable hard drive, says Tom Schuster, president of Arbor Networks in Lexington, Mass.
Analysts expect big security companies to make a big push into the internal security market through acquisitions in the next two years. Symantec invested $1 million in Mazu last November, while Cisco Systems Inc. was an original investor in Arbor Networks.
Company executives and analysts say the best defense may be as simple as training about the problem. "I do believe that an uneducated work force can create risks," says Kim Jones, director of information technology security at eFunds, a Scottsdale, Ariz., company that handles online funds transactions for financial institutions. "Even the most conscientious employees can bring in worms unintentionally." The company hasn't reported any internal security problems.
A new technology called endpoint security policy enforcement may be able to make security executives' lives a little bit easier.
The technology, being pioneered by such companies as Cisco Systems Inc. and Microsoft Corp., automatically enforces corporate security policies on both internal and external computers before they are admitted to the network. Any laptop that doesn't have the most up-to-date personal firewall software is given only limited access, and is cleaned up and inoculated before it is granted access to the whole network.
It acts like a bouncer at a club, says Mr. Slaby of Yankee Group. "The idea is that sloppily dressed users will not be allowed into the club."
posted by Brian Moran @ 8:55 AM
Court reverses conviction of Enron auditor
The Supreme Court threw out the government's high-profile conviction against Arthur Andersen yesterday, saying in a unanimous and swift decision that jurors relied on flawed instructions in 2002 when they found that the accounting giant had obstructed justice by destroying reams of Enron-related files.
The ruling comes too late for the former Big Five accounting firm. Its indictment during the heat of the Enron scandal and its subsequent conviction amounted to what lawyers called a "corporate death sentence." The Chicago-based firm that once employed 28,000 is nearly defunct, with a skeleton staff of about 200.
But the case - the first of the recent corporate scandal prosecutions to reach the Supreme Court - was closely watched by corporate executives, in-house lawyers and defense attorneys who feared that it would set a dangerous precedent on routine matters of dispensing legal advice and disposing of sensitive business documents.
"Arthur Andersen is never going to come back. They're never going to be resurrected. But the conviction, when it came down, sent tremors or ripples throughout the legal community and certainly the in-house community," said Frederick J. Krebs, president of the American Corporate Counsel Association. "This sort of, 'There but for the grace of God go I,' sentiment was quite pronounced."
posted by Brian Moran @ 8:49 AM