Sarbanes-Oxley & OMB Circular A-123: Continuous Transaction Inspection

Taking GL Analytics for a Test Drive -- Hard Way vs. Easy Way

2007-08-21T08:14:00.000-04:00

"Dell Inc. said it would restate more than four years of its financial results, after a massive internal investigation found that unidentified senior executives and other employees manipulated company accounts to hit quarterly performance goals."

"The company [Dell] said it found evidence that various reserve and accrued-liability accounts were created or improperly adjusted -- usually at the close of the quarter to give the appearance that quarterly financial goals were met. The adjustments sometimes followed reviews of account balances "at the request of or with knowledge of senior executives." Dell added that employees in some business units purposely gave incomplete or incorrect information about these activities to headquarters personnel or auditors."

"According to the filing, the law firm Willkie Farr & Gallagher LLP and the accounting firm KPMG LLP led an investigation, using special software, that evaluated more than five million documents. They conducted 233 interviews with 146 individuals, according to the filling."

Sophisticated software can be used to analyze journal entries for suspicious patterns and potentially fraudulent transactions. Examples might include entries near month-end that subsequently reverse early in the next period, or entries that are made to accounts that normally receive only manual entries. For Dell, they tested this software the hard way -- as part of an SEC investigation and under advice from counsel.

Other companies are beginning to test similar analytic software the easy way -- as part of a routine internal audit or management review of balance sheet and related journal entries.

I'm reminded of the old saying from my pharmaceutical days -- even though medicine is often much more expensive than vitamins, fewer people actually buy the vitamins. As solution providers that often help clients with the preventive medicine of financial controls, I hope this illness causes a few more people to talk to their doctor while their health is still good.

Why did the fraud numbers increase

2007-07-01T19:38:00.000-04:00

Oversight's 2007 fraud survey shows a double digit increase over the 2005 survey results despite the implementation of Sarbanes Oxley controls regimens. Is there any way to reduce the reported fraud numbers? Does that mean we have to implement even more controls?

Over the past few weeks I've had the chance to discuss these results with a number of experts and have developed a consensus view that we can reduce fraud further. And more surprisingly we can do it with fewer more "rationalized controls." Thankfully the "top down risk based approach" advocated in Audit Standard 5 (AS5) gives the opening to effect this change.

Many (if not most) of the first iterations of controls for Sarbanes Oxley compliance were created with a bottoms up approach that attempted to cover every possible contingency. Think of everything that could possibly result in financial reporting fraud and then design a way to prevent it. While most control activity will reduce risks there is a finite amount of time and effort available for all the activity. Covering every possible contingency dilutes the overall fraud reduction effort by spreading effort documenting low value activities.

For instance, the physical security of tapes used to back up the financial applications in the Sarbanes Oxley controls is an example of an activity that has a relatively low fraud reduction payback for the effort invested. In order to effect the fraud someone would have to manipulate the precise fields in the back up tape to change the financial numbers and then cause the financial applications to crash and then have the systems restored from the manipulated back up tapes. Frankly restoring from a back up tape is not always the most reliable process. A lot of things have to happen in this fraudulent financial reporting scenario - it's a low probability occurence.

When you compare the back up tape scenario with a manager or other privileged user overriding controls and posting a fraudulent entry in the General Ledger (GL) it is clear that the management override is much easier to effect. Both are possible, one is much more probable and very difficult to absolutely prevent. Finding the irregular GL posting requires diligent forensic evaluation of journal entries which takes time and expertise.

The top down risk based approach advocated by regulators in would devote more effort to the journal entry evaluation and reduce the time spent on low probability risks. By rationalizing the control activity according the the real risk there's more time for the high impact activities that materially affect fraudulent financial reporting. With AS5 we have the opportunity to adapt control investments towards activities with a real pay off in fraud reduction.

PwC Publishes 2007 Internal Audit Survey - "Continuous Auditing continues to generate interest"

2007-05-24T08:53:00.000-04:00

CFO Magazine published some of the results of PwC’s annual Internal Audit Survey, with the headline focusing on the fact that some internal audit functions do not comply with the IIA standard of performing an annual risk assessment. While interesting and potentially worrisome, I’m personally comfortable that some of those numbers could be overstated because Internal Audit may rely on other Company risk assessment activities (e.g. Enterprise Risk Management) as input for their annual audit plan.

As solution providers for continuous auditing and continuous monitoring solutions, my partner and I focused more on the survey's status of Continuous Auditing (CA), also presented in this year’s PwC survey. Some highlights:

Significantly fewer companies (11% in 2007, down from 41% in 2006) reported that their CA programs were entirely manual. The acknowledgment that automation of some type is needed as an enabler for continuous auditing is noteworthy, and we are encouraged by market recognition that automation is essential as part of an effective CA program. Also noteworthy is that slightly fewer companies (11% in 2007, vs. 13% in 2006) reported having a fully implemented continuous auditing (CA) program in place.

Perhaps we can attribute that decline to better awareness of what a real CA program may entail.

Updating one's audit plan twice a year instead of annually may satisfy a textbook definition of continuous risk assessment and thus continuous auditing. But personally, I would suggest that a "real CA" program examine TRANSACTIONS at regular intervals that approach weekly or even daily, and identifies areas of risk and needed follow-up. We see confusion and clutter in the vocabulary that describes continuous auditing and contininous monitoring today, despite numerous companies having successful CA programs in place.

This year's PwC survey shows that the audit profession is beginning to understand CA better, so I'll see that as a glass half-full.

Oversight Systems Financial Executive Survey Finds More Than Half of Shared Services Centers Fall Short of Operational Goals

2007-04-17T13:35:00.000-04:00

ATLANTA (April, 2007): Shared service centers have yet to show their full potential for many companies according to the 2006 Oversight Systems Executive Report on Shared Service Centers. The national survey of financial executives found that more than half of respondents report their shared service centers (SSCs) are well short of achieving their operational goals. First implemented in the 1990s by many large enterprises, the SSC model allows companies to consolidate client-facing functions in an attempt to reduce costs. However, the report released today finds that 52 percent of executives report their SSC are only meeting half or fewer of their business goals. The free report is available to download at www.oversightsystems.com/survey. "Companies adopted shared service centers for the immediate cost savings, but executives are now struggling to continually improve their operations," said Patrick Taylor, CEO of Oversight Systems. "This survey shows that shared service centers must develop strategies and implement systems that support ongoing improvement."

Reflecting the recent development of most shared service centers, more than half of executives (59 percent) report that their SSCs have been in operation for less than five years. Regardless of the youth of the concept, companies are putting much stock into these centers. Most executives (85 percent) report their SSCs serve four or more business units with 40 percent reporting to serve 10 or more. Although the C-suite goals are clear, achieving them is often met with adversity.

The most prevalent challenges to ongoing SSC operations were maintaining continuous improvement (61 percent), skepticism from business units (59 percent), employee retention/turnover issues (43 percent), meeting customer service level agreements (26 percent) and threats of outsourcing business processes (13 percent).

The Real Measure of Performance When it comes to shared service centers there is no measure of performance more important than cost savings and that is the silver lining in this report. Nearly three-quarters of executives (73 percent) classify their SSC as “world class” or “average to above average.” As such it comes as no surprise that nearly the same number of respondents (71 percent) report having almost reached, reached or exceeded their cost savings expectations. In fact, the study found that 85 percent of executives were prompted to embrace the SSC model in an attempt to reduce and control operating costs. Although cost was the driving factor for implementing an SSC model it was not the only reason. Other reason included:

* Improve quality (69 percent)
* Improve their customer focus (63 percent)
* Free up resources for other purposes (49 percent) and
* Improve company focus and reduce risks (34 percent).

Goals for 2006 Beyond the central goal of reducing costs, executives do have other goals for their shared service centers. Topping the list of 2006 goals with 52 percent support is to improve on service level agreements or SLAs. Other popular goals include: re-engineer business processes (51 percent), increase transaction throughput and capacity (40 percent), expand business offerings (39 percent), and reduce aggregate error rates (35 percent). Less frequently cited goals include: increasing the percentage of one-touch transactions (30 percent), implementation of Six Sigma programs (23 percent), and automation of Sarbanes-Oxley compliance (20 percent).

Regardless of the hurdles that are faced with implementation and operations of shared service centers, 97 percent of executive point to sustainable benefits of SSCs as opposed to traditional outsourcing of business processes. When compared to outsourcing, executives say SSCs offer benefits such as:

* Improved level of service and quality (81 percent)
* Better responsiveness to customer demands (68 percent)
* Greater flexibility in adapting to evolving business needs (62 percent)
* Lower aggregate costs of operations (51 percent).

Philadelphia Eagle Running Back Gets Paid $3M - Twice

2007-04-17T13:31:00.000-04:00

When most people receive an errant duplicate paycheck it means a couple thousand dollars - at most. Something that may or may not even be detected and something they may or may not report. But, when an NFL superstar gets paid twice the impact is a tad bit worse. According to an Associated Press article posted on the Fox Sport web site, titled "Eagles accidentally pay Westbrook twice," Brian Westbrook received an extra $3 million from the Philadelphia Eagles in an accounting error. The star running back intends to pay the team back after getting his roster bonus twice. However, the Eagles filed a grievance with the NFL against Westbrook because the money hasn't been repaid yet, a team spokesman said Saturday. Continuous monitoring of payroll transactions can detect potential duplicates BEFORE they leave the corporate boundaries. When you view duplicate payroll, duplicate vendor payments, unused discounts and unused credits in cummulative form, you're talking real money and real materiality.

Current Privileged User Monitoring Solutions Don't Leverage Lessons from the Past

2007-04-16T17:59:00.000-04:00

I just read a ComputerWorld blog entry written by Eric Ogren regarding the need to focus "Privileged User Monitoring" on transaction and business monitoring versus the old access management model.

I could not agree with him more. If there's one thing information security professionals can tell you with confidence... it's what does not work. Things change so frequently within the IT risk domain that it's often difficult to solve a problem with certainty. But, when it comes to dealing with "trusted" users in the real world, we all know what doesn't work. What does not work is printing out long monthly list of users with "excess privileges" and expecting this to significantly reduce the risk of fraud and misuse - at least at the material levels associated with SOX and A-123. In today's world access management and provisioning is a serious manpower drain. And, when you couple this with the need to provide periodic reports identifying the issues and progress, that just adds more manpower requirements... UNLESS you shift the focus to the highest risk issues and higher impact solutions.

Printing out these monthly excess-privilege list places a huge burden on our IT and InfoSec professionals but operational realities are operational realities. Key managers still receive conflicting privileges in order to support all areas under their control. And, key managers also receive powerful privileges such as those allowing them to actually "override" existing system-based control. 99% of the time used, they're probably just doing their job and ensuring the business keeps on functioning properly. But, it's that other 1% that can result in a major failures - e.g., a privileged user modifying quarterly revenue with a simple manual journal entry to conceal a bad quarter. In this case, the user is just using an "authorized" privilege for an "unauthorized" change.

And, what about when an AP Manager creates a vendor, purchase order, invoice, and voucher as part of an ellaborate procurement fraud scheme.

Or, when a database administrator uses their root access to make modifications to a payment record just before its released through the EFT system.

All of these are real examples of high risk conditions and real-world incidents concerning trusted insider - or privileged users.

So, lets stop using the 20/80 solution model and flip things around and do the 80/20 thing. Meaning, lets stop focusing on routine user access privilege conflicts and, instead, monitor and detect the use of privileges to misuse the system or conduct fraud.

Not Complying With the OFAC Can Impact Your D&O Policy

2007-04-12T23:13:00.000-04:00

Most organizations consider OFAC compliance to be just a routine issue but the Department of Treasury means business when it comes to doing any type of business with forbidden countries, business entities, and people. And, insurance carriers are beginning to translate this into policy and payout restrictions that could have a significant impact on an unsuspecting company or individual that just happens to stumble upon a long-term OFAC violation.

The Department of Treasury is quite clear that any delays in reporting any/all dealings with OFAC entities can result in serious consequences. Is a quarterly review of the OFAC list good enough... well, you be the judge. Here's what the Department of Treasury has to say within their FAQ:

DIRECTLY FROM THE U.S. TREASURY WEB SITE:

QUESTION: At what point must an insurer check to determine whether an applicant for a policy is an SDN?

ANSWER: If you receive an application from an SDN for a policy, you are under an obligation not to issue the policy. Remember that when you are insuring someone, you are providing a service to that person. You are not allowed to provide any services to an SDN. If the SDN sends a deposit along with the application, you must block the payment. [09-10-02]

QUESTION: What should an insurer do if it discovers that a policyholder is or becomes an SDN--cancel the policy, void the policy ab initio, non-renew the policy, refuse to pay claims under the policy? Should the claim be paid under a policy issued to an SDN if the payment is to an innocent third-party (for example, the injured party in an automobile accident)?

ANSWER: The first thing an insurance company should do upon discovery of such a policy is to contact OFAC Compliance. OFAC will work with you on the specifics of the case. It is possible a license could be issued to allow the receipt of premium payments to keep the policy in force. Although it is unlikely that a payment would be licensed to an SDN, it is possible that a payment would be allowed to an innocent third party. The important thing to remember is that the policy itself is a blocked contract and all dealings with it must involve OFAC. [09-10-02]

QUESTION: How frequently is an insurer expected to scrub its databases for OFAC compliance?

ANSWER: That is up to your firm and your regulator. Remember that a critical aspect of the designation of an SDN is that the SDN's assets must be frozen immediately, before they can be removed from U.S. jurisdiction. If a firm only scrubs its database quarterly, it could be 3 months too late in freezing targeted assets. The SDN list may be updated as frequently as a few times a week or as rarely as once in six months. [09-10-02]

Katrina Fraud: FEMA and Army Corps of Engineers Ripped Off

2007-04-11T23:57:00.000-04:00

Hurricane Katrina was truly one of the most horrific natural disasters to ever hit American soil. Thousands killed, injured, and left homeless. Unless you've experienced this type of loss first hand, it's probably meaningless to even try to fully understand the suffering these families went through.

And, during this time of emergency and national outreach to the victims, FEMA and the US Army Corps of Engineers rushed to open their wallets to the rightful victims. Billions of dollars of Federal Disaster relief funds poured into the region to help feed the hungry, put clothes on the homeless, and to shelter those without the capacity to shelter themselves. Regardless of all the stories written about either agency's preparedness levels or ability to actually respond to such a catastrophe, these agencies truly pushed the envelope of financial management and controls to put mission and operational necessity first - before bureaucracy. We applaud them for that.

But, take a look at the attached link to some of the recent stories related to the rampant fraud associated with these relief efforts. It's absolutely atrocious. And, if you want more insight, go to http://www.gao.gov/new.items/d06844t.pdf for the entire GAO report released this past summer.

What you will notice is that somewhere between $600M and $1.4B (yes, Billion) was lost just to improper payments associated with individual assistance. Think about this for a moment, $600M to $1.4B lost to just one category of risk. And, that’s not the only shocking finding. This loss represents between 10-20% of the total funds spent on individual assistance. Wow! 10-20% of all funds intended for people in need went to the lowliest types of fraudsters in the world... those that would steal from starving and homeless children so they might be able to enjoy a night at the strip club (actual case study info).

If you dig into the fraud then carried out associated with actual reconstruction and what the US Army Corps of Engineers may have been swindled out of, the cost is surely too staggering for most of us to really appreciate.

I do have one major recommendation though, in many many of the reported cases of fraud, simple continuous monitoring-based controls would have prevented the fraud.

For example: 16% of the fraud could have been prevented with a better individual assistance registration procedure. Simple monitoring-based controls that alerted FEMA of invalid social security numbers, bogus addresses, invalid registrant to address matches, and duplicative registration data amongst multiple recipients would have shut down the majority of this type of fraud.

If Oversight was in place, the impact would have been between $96M and $224M. What could FEMA have done with these funds if they had not made their way into the fraudsters hands?

Retired Congressman Michael Oxley blames the PCAOB for starting "all the problems" with the Sarbanes-Oxley Act

2007-04-11T23:29:00.000-04:00

Well it seems all the pain, agony, and expense we've all experienced while implementing the requirements of "Sarbanes-Oxley" was all just a big misunderstanding. The originating law makers actually intended the process to be much easier and much more focused on a risk-based approach. Somehow, the executing agencies and audit community just misunderstood the real intent- that is according to a recently published interview with Congressman Oxley in CFO Magazine.

According to the interview with CFO Magazine, Congressman Oxley says "It was Auditing Standard No. 2 [the standard for auditing internal controls over financial reporting], promulgated by the PCAOB, that started all the problems."

He further elaborates by stating "Of the complaints you hear [about Sarbox], 99.9 percent are about 404. It was two paragraphs long, but by the time the PCAOB was done, it was 330 pages of regulations. It was far too prescriptive and [more] expensive than anyone anticipated."

Take a quick look at the attached article. It's very enlightening.

Also, you'll be pleased to note that Congressman Oxley believes the true intent of the law is only now being realized. His most encouraging quote is a resounding call for a risk based approach to risk management. For example, he is quoted by CFO Magazine stating, "the Securities and Exchange Commission proposed a risk-based assessment to better define material weakness, with more emphasis on internal audit. It adds flexibility with smaller companies. Those are common-sense proposals that I am confident will be adopted this year with a 5-0 vote, which would be a ringing endorsement of [SEC chairman Christopher] Cox's leadership and reaffirmation that the SEC and PCAOB want it to work in a more efficient manner. It will protect the investor and make regulations work to everyone's satisfaction."

Personally, I like the use of Congressman Oxley's reference to "common sense." If we were all able to define, implement, and manage our risks based on common sense and traditional ROI principals, I think we would all find it easier to embrace the true benefits of quality and compliance programs. The emphasis would shift from "what do we have to do to comply" to "what do we need to do to optimize operations and returns." Herein lies the financial controls challenge of the this decade. How do we make the shift from "a world from an auditors perspective" to "a world from an operations perspective."

Audit Data Warehouse

2007-04-09T22:51:00.000-04:00

At MIS Training's Super Strategies conference in Las Vegas Oversight will present an early morning workshop (7:30 to 8:15am) on the characteristics of a robust audit data warehouse (ADW).

The audit data warehouse can provide the basis for continuous auditing (CA) and continuous monitoring (CM) solutions. There are considerable efficiencies that can be gained by leveraging a single data infrastructure for both programs. However there are a number of critical requirements that the ADW must meet to maintain the integrity for the regulatory compliance applications.

First and foremost the ADW must maintain an uncorrupted copy of the transaction data, then the subsequent analysis for CA and CM can occur without compromising compliance. In a sense the ADW is equivalent to the financial systems themselves and obviously both CA and CM can be applied to the same financial systems. The ADW is simply a mirror of the financial systems. Typically the ADW data structures follow a different organizational layout than the financial systems. Financial systems have an on-line transaction processing (OLTP) based data model. The OLTP model is designed to support a high transaction rate while the ADW is designed to support decision support queries. Ralph Kimball is often cited as one of the originators of specific data warehouse data models - see www.kimballgroup.com

See you early in the morning in Las Vegas.

Debunking Big Lies About Stock Options

2006-09-15T10:18:00.000-04:00

Powerful lobbies are trying to repeal stock option expensing. If you own almost any high-tech company, you'd better take five minutes to understand why--or you're likely to get fleeced.

Here are the three big lies upon which the opposition to stock options expensing is founded.

Big Lie Number One: There is no way to know the expense, if any, of stock option grants.

Big Lie Number Two: Stock options aren't an expense.

Big Lie Number Three: The cost of stock options is already reflected in diluted earnings per share.

New rules encourage battles in boardroom

2006-09-14T10:12:00.000-04:00

The spying scandal at Hewlett-Packard has provided a rare window into a normally private, august institution -- the corporate board of directors.

It revealed an HP board wracked by turmoil in recent years. There was the battle led by a board member to stop the firm's merger with Compaq Computer. Then came the board's ouster of Carly Fiorina as chief executive. And now the snooping debacle.

Some say the contentiousness of HP's board is emblematic of an era when boards are being held more accountable. Under the Sarbanes-Oxley Act of 2002, companies and boards have to comply with a host of new financial and governance rules. Companies also face more shareholder activism and a movement toward more independent, outside board members. In this new environment, board controversy and dissent are more likely -- and scrutiny of boards has become intense.

Well before the HP scandal erupted last week, directors had been under growing pressure to prove themselves worthy of the job or face shareholder wrath. The fallout from Enron and changes in laws affecting boards and companies have increased the pressure on boards.

GRC Emerges From the Shadow of Compliance

2006-09-07T08:35:00.000-04:00

Myriad compliance requirements, over the years, have caused most companies to initially jump through hoops when a new one comes along, with the most visible (and some might also say painful) concern being Sarbanes-Oxley (SOX) compliance. In time, panic was replaced with rational thought and a workable plan of how to meet the legal and regulatory requirements while streamlining business processes and mitigating risk.

With such intense focus on short-term concerns, companies sometimes miss the real long-range objective: a better-managed and optimally performing organization.

Emergence of GRC as discipline and software category

Governance, risk management, and compliance (GRC) as a term has been bandied about for a few years. AMR Research defines each component of GRC as follows:

* Governance is the oversight role and part and parcel of setting strategic objectives.
* Risk management evaluates all relevant business and regulatory risks and controls and monitors mitigation actions in a structured way.
* Compliance is the execution of these objectives, based on risk tolerance.

The Spring-loaded Options Trap

2006-09-06T11:48:00.000-04:00

Spring-loading vs. bullet dodging; why SAS-70 audits are so different; gauging your financial style; more bondholder backlash; the return of the travel agent; why companies still have so much cash; and more.

Options timing is clearly the cause du jour of federal regulators -- and the terror of executives. After announcing investigations into dozens of companies this past summer, the Securities and Exchange Commission and the Department of Justice filed charges against former executives at Brocade Communications Systems and Comverse Technology, sparking what most expect to be an ongoing volley (see On the Record).

While investigators continue to focus on backdated options, companies may well be nervous about regulators' interest in related practices known as spring-loading (timing grants to come ahead of good news) and bullet-dodging (offering them after bad news), both of which aim to capture presumed lows in stock prices for the options' strike prices. Last November, Analog Devices spent $3 million to settle spring-loading charges with the SEC. Cyberonics is still under investigation for issuing options to top officers following Food and Drug Administration approval of a new product but before the market opened. Many others, including Home Depot and Merrill Lynch, have been tainted by The Wall Street Journal' s recent revelations that abnormally large numbers of options were issued soon after the tragedies of September 11.

IT Veteran Keith Cooley Joins Oversight Systems as Vice President of Engineering

2006-08-31T13:39:00.000-04:00

ATLANTA (Aug. 31, 2006) - Oversight Systems Inc., the leading provider of automated continuous monitoring solutions, today announced that H. Keith Cooley has joined the company as Vice President of Engineering. As a key member of Oversight's executive team, Cooley will lead all product development and engineering for the company.

Cooley is an information technology veteran who was most recently Chief Customer Officer at Witness Systems, Inc. In previous leadership roles, Cooley served as executive vice president of product development for EzGov and vice president of engineering for Internet Security Systems where he was responsible for production of the company's award-winning product lines.

"Only with a growing list of customers could Oversight attract a proven IT leader like Keith Cooley," Oversight Systems CEO Patrick Taylor said. "Keith will build upon our strong reputation for providing innovative solutions and unequalled customer satisfaction."

Cooley's experience also includes executive positions at Dun & Bradstreet Software and Management Science America. Before Dun & Bradstreet acquired MSA, Cooley managed various support, engineering and marketing functions for MSA. After the acquisition, he served as Dun & Bradstreet’s vice president of information systems, vice president of worldwide client server support and vice president of European support and development.

"Oversight Systems faces a huge opportunity to provide the market with automated continuous monitoring solutions that both reduce Sarbanes-Oxley compliance costs and drive operational improvements in financial processes," Cooley said. "I look forward to building on the company's momentum and delivering easy-to-use software solutions that deliver immense value."

Sarbanes-Oxley: Lessons Learned

2006-08-29T10:24:00.000-04:00

Organizations that need to be SOX-compliant are just now realizing they need to get serious about using technology to monitor and test their internal controls.

By Therese Rutkowski

September 1, 2006 - Many publicly traded companies are in their third year of dealing with the Sarbanes-Oxley Act (SOX)--the law that makes corporate executives responsible for the accuracy of their financial statements and for the internal controls that minimize errors and reduce fraud.

After going through the rigorous process of documenting and testing those controls, such as the segregation of duties and appropriate access to financial systems, many of these companies-including insurers-spent far more on the effort than they ever imagined.

A full 70% of respondents to a 2005 Ernst & Young LLP cross-industry survey on trends in internal controls indicated SOX compliance costs were more than 50% higher than originally estimated. In fact, the average cost of SOX compliance was $4.4 million, according to a March 2005 survey by the Financial Executives International, a professional association based in Florham Park, N.J.

Backdating Causes Late Filings to Soar

2006-08-25T10:37:00.000-04:00

Forget Sarbanes-Oxley 404. A record number of companies filed their recent quarterly reports late, and the most commonly cited reason was the rapidly growing option backdating scandal.

According to shareholder advisory firm Glass, Lewis & Co., 138 companies with market capitalizations of at least $75 million submitted late-filing notices for the second quarter, up 52 percent from year-earlier levels. Forty-eight of those companies said they postponed their filings because they were conducting investigations into their historical stock-option grants, including such well-known names as Apple Computer Inc., UnitedHealth Group Inc., Monster Worldwide Inc., CA Inc., and Juniper Networks Inc. By contrast, only three companies cited incomplete internal-control assessments as the reason for their delay.

Defending Against Backdating Suits

2006-08-24T09:15:00.000-04:00

Companies will have to make improvements in their internal control procedures to deal with sloppy recordkeeping, poor controls, and improper options practices to satisfy shareholders. However, Conroy points out that, except in cases where there appears to have been deliberate manipulation, there is generally little significant price reaction to corporate backdating announcements.

That's because backdating does not directly affect future cash flow, a metric that investors value greatly, contends Conroy. And while backdating may produce a risk to a company's reputation, as shareholders don't usually like to see restatements, the economic effect remains in the past.

Webcast: Controls, Compliance & the Role of Continuous Monitoring

2006-08-16T15:35:00.000-04:00

Webcast with Controls Expert Anne Marchetti, author of Beyond Sarbanes-Oxley Compliance: Effective Enterprise Risk Management & The Sarbanes-Oxley Ongoing Compliance Guide

Date: Thursday Aug. 31
Time: 2 p.m. EST/ 11 a.m. PST
Duration: 45 minutes

The public outcry against Sarbanes-Oxley is largely based on the excessive costs and relatively few tangible benefits recognized. However, continuous monitoring of financial processes and the underlying transactions can reduce compliance cost as well as deliver tangible benefits to business operations. Continuous monitoring drives risk-based compliance and controls that allow an organization to maintain full compliance while reducing ongoing costs, strengthening the overall control environment and improving financial processes.

Continuous monitoring of financial processes and related transactions can help companies avoid the expensive compliance burden of reconfiguring financial systems to support compliance requirements. Public companies and their auditors should act now to better understand the role that technology and continuous monitoring can play as a mitigating control as well as in the automation of the reporting of control effectiveness.

Why options backdating is a big deal

2006-08-09T09:24:00.000-04:00

A debate over its nuances misses the point: Incentive-based compensation is broken.

By Adam Lashinsky, Fortune Magazine senior writer

If the subject is so complex, then why argue that the whole system is rotten? Consider this: Stock options were invented as a way to align the interests of employees with shareholders. The first time the system began to crack was in the 1990s, when companies with falling stock prices began to re-price their stock options in order to retain their employees. With a righteous fury, arrogant Silicon Valley executives in particular glared at anyone who suggested shareholders would benefit by ending a practice that would lead to losing valued employees. Shareholders, of course, didn't get the opportunity to re-price their shares. The practice halted when rules changes required shareholder approval for re-pricing.

Three cheers for Sarbanes-Oxley

2006-08-07T13:51:00.000-04:00

THE STOCK option re-pricing scandal has been perturbing corporate America for months but yesterday’s admissions by Apple thrust the issue right to the front of minds all across the globe. Not only is Apple a big name, it also projects an image of cleanliness and decency. If the top brass at Apple thought it was reasonable to re-price options retrospectively to maximise the financial rewards to executives, it suggests that the practice was widespread.

It also suggests that standards of behaviour among executives are woefully low. It simply cannot be right to issue options to buy shares at levels below the market price at the time of grant. If this is not appreciated, it raises questions about all manner of other judgments made by businessmen and women. Besides being intuitively wrong, it makes a mockery of the justification for the schemes. It is good for executives to have shares or share options, so the argument goes, because it aligns the financial interests of shareholders and executives. But if the starting price is revised downwards, directors are getting money for nothing. That does shareholders no good at all.

While stock option re-pricing paints corporate America in a dismally poor light, its discovery should leave observers grateful to Sarbanes-Oxley regulations. Sarbox is ritually abused for adding needless bureaucratic burdens on business. The Sarbox inspired obligations on senior executives to sign off accounts, however, seems to have led to the discovery of deplorable practice.

Making directors accountable for the books they keep may result in an extra administrative cost, but if it keeps the custodians of America’s publicly owned companies on the straight and narrow, it is a small price to pay. If it makes all executives re-examine practices blithely assumed to be justifiable, so much the better.

Stock options troubles: background

2006-08-04T15:20:00.000-04:00

Apple Computer may be the highest-profile but it is not the first company to admit that it would probably have to restate its earnings as a result of the widening stock options backdating scandal.

McAfee, the security software company, said last month that manipulation of the timing of options meant it would have to restate earnings going back to at least 2003, and the impact would be significant. It also fired its general counsel as a result of the episode.

Mercury Interactive, a business software company, was also forced to restate several years’ worth of earnings reports. Mercury’s shares were de-listed from the Nasdaq and its former chief executive resigned last November amid revelations that he and other executives had benefited from favourable backdating of stock options grants.

San Francisco-based CNET Networks also said last month that it expected to restate financial statements.

Last month, US authorities handed down the first criminal and civil charges in the scandal, charging three former executives of California technology company Brocade Communications Systems.

Oversight Systems Launches Continuous Monitoring for OFAC Compliance

2006-08-03T10:00:00.000-04:00

Oversight Systems Inc., the leading provider of continuous monitoring solutions, today announced the launch of OFAC compliance functionality into the Oversight solutions for procure-to-pay and order-to-cash.

As demanded by the Patriot Act and regulated by the Office of Foreign Asset Control, U.S. companies must not conduct business with individuals, companies, organizations and countries that support terrorism or drug trafficking or otherwise find themselves on the OFAC list of Specially Designated Nationals and Blocked Persons.

"The Patriot Act raises the bar for OFAC compliance, and financial executives must be on constant guard to monitor their vendors, contractors and customers -- or face stiff penalties and government scrutiny," Oversight Systems CEO Patrick Taylor said. "By integrating the SDN list with Oversight's advanced analysis, Oversight delivers precise results for a centralized and fully automated control that ensures OFAC compliance."

Oversight's continuous monitoring platform and real-time transaction inspection maintain all updates to OFAC's designated list and automates the analysis of every vendor, contractor, customer and -- more importantly -- your company's financial transactions for potential violations.

For businesses with decentralized order-to-cash and procure-to-pay processes, Oversight delivers centralized controls over all financial systems and disparate financial operations. Companies with centralized financial operations rely on Oversight to automate their controls for OFAC compliance.

Suits, Sarbanes linked to CEO stock sales -study

2006-08-01T13:58:00.000-04:00

Chief executives are more likely to sell large chunks of their stock holdings when their companies disclose new litigation or a violation of Sarbanes-Oxley internal controls requirements, according to a study released on Monday.

The report by The Corporate Library, which examined 120 chief executives who sold more than a third of their company shares in 2005, showed 30 percent sold stock when their company was involved in some sort of litigation. Twenty-four percent of the chief executives sold stock when there was a Sarbanes-Oxley violation at their firm.

"This would indicate a CEO's general lack of confidence in the company's stock price and should be cause for concern for shareholders."

Four years later, Sarbanes-Oxley still an adjustment

2006-07-31T08:49:00.000-04:00

Four years after the passage of the Sarbanes-Oxley corporate reforms, companies have begrudgingly adjusted to the law's hefty internal control requirements, but small companies are still worried about how much it will cost to comply with the law.

Companies of all sizes have complained that the law's internal control section, which requires companies' outside auditors to say publicly whether a company's controls are adequate, is too expensive.

Small companies, those with less than $75 million in market capitalization, will likely have to comply next year, SEC Chairman Christopher Cox has said.

That comes as a relief for some investors as fraud is often more likely to occur at smaller companies. But smaller companies are worried the law's onerous control requirements, known as section 404, will take a big chunk out of profits and their ability to invest in their businesses.

Oversight Systems Survey: Financial Executives Support SEC's New Ruling on the Reporting of Executive Compensation

2006-07-28T09:32:00.000-04:00

ATLANTA (July 28, 2006) - A majority of financial executives endorse the Securities and Exchange Commission's new requirements for the full disclosure of executive compensation, according to a survey from Oversight Systems.

According to the survey of 230 financial executives, 58 percent say public companies must explicitly report the dollar value of all non-cash and non-stock compensation and benefits greater than $10,000, and 56 percent say public companies must explicitly report the dollar value of stock grants and potential future stock grants.

The complete Oversight Systems Financial Executive Report on Risk Management is available for download at www.oversightsystems.com/survey.

"This SEC ruling is the equivalent of Sarbanes-Oxley for executive compensation and stock option grants," said Patrick Taylor, CEO of Oversight Systems. "With the recent headlines about options backdating scandals, financial executives clearly are in favor of full disclosure of executive compensation. The new requirements for reporting stock-option grant information will drive companies to closely monitor and scrutinize their controls over options-based compensation."

Time running out for Sarbanes-Oxley compliance

2006-07-26T10:34:00.000-04:00

Like it or not, the clock is ticking for non-US companies that need to be compliant to one of the most talked-about elements of the Sarbanes-Oxley (SOX) Act established in 2002.

With the passing of the critical 15 July milestone for foreign companies listed in the US to be compliant to Section 404 under SOX, they now have anything from a few weeks to nearly a year to meet the regulations or face the consequences. Under Section 404, publicly traded companies must have internal policies and controls in place to protect, document and process information for financial reporting.

The law requires affected businesses to comply by the end of their respective financial year after 15 July, 2006. The date is an extension of the original deadline of 15 July, 2005, set by the US Securities and Exchange Commission (SEC). Public US companies were required to be compliant in November 2004.

Backdating Charges Put Companies On Notice

2006-07-25T08:57:00.000-04:00

Options dating may not make the front page of the NY Times or appear on Dateline, but the Feds could easily make this into the next Sarbanes-Oxley. By that, I mean you're guilty (not compliant) until you can prove that you have effective controls over equity awards. This is from Compliance Week. You'll have to pay for the full article.

With the first criminal and civil charges now filed against executives accused of manipulating the timing of stock option grants, federal prosecutors and regulators have sent a stern message to companies ensnared in backdating investigations: Clean up your act, or we'll do it for you.

Last Thursday the Securities and Exchange Commission, the FBI and the U.S. attorney in San Francisco all filed charges against two former executives at Brocade Communications Systems, a data storage company in California that allegedly hid $750 million in compensation costs by altering the dates of stock option grants. Indicted were Gregory Reyes, Brocade's former chief executive, and Stephanie Jensen, the company’s former vice president of human resources, each on one count of criminal securities fraud. The two also face civil charges with the SEC, as does Brocade’s former chief financial officer, Antonio Canova.

Experts say the charges make clear that the backdating scandal will mushroom further still. Nearly 60 companies are under investigation by the SEC or federal prosecutors, or are managing their own internal probes. How many more companies might join the crowd is anyone’s guess.

“The Brocade action sends the loud and clear message that the SEC and Justice intend to follow through in their numerous options backdating investigations by prosecuting corporate executives who knowingly engaged in misleading backdating practices,” says Spencer Barasch, former associate director in the SEC’s Fort Worth, Texas, office, and now a partner at Andrews Kurth.

Oversight Systems Partners with Spectrum Oversight Advisors for the Healthcare Market

2006-07-24T08:56:00.000-04:00

Oversight's Continuous Monitoring Platform Automates Spectrum Oversight's Analysis to Correct & Eliminate Errors in Procurement & Contract Management

ATLANTA (July 24, 2006) – Oversight Systems Inc., the leading provider of continuous monitoring solutions, today announced it partnership with Spectrum Oversight Advisors, LLC to serve the healthcare market with continuous monitoring solutions that identify, correct and prevent transaction-level errors in financial processes.

"With blue chip healthcare clients and a track record of success, Spectrum Oversight Advisors is the perfect partner for us to introduce the benefits of continuous monitoring and real-time transaction inspection to the healthcare industry," Oversight Systems Vice President of Business Development Chris Rossie said.

Spectrum Oversight Advisors, a national management and services firm focused on healthcare providers, will incorporate the Oversight Systems continuous monitoring platform into its procurement and contract management service offerings. Spectrum's service offering now combines their healthcare expertise with Oversight's advanced reasoning engine to enhance the analysis of historical and real-time transactions to ensure contract compliance and eliminate transaction errors, such as incorrect invoicing, improper pricing and unrealized discounts and rebates.

"Spectrum Oversight Advisors conducted an intensive search to find the right technology partner that could compliment our service offering. We intend to jointly develop tools that will incorporate our methodology and industry expertise into a powerful application that will provide our clients with information that will continuously monitor and improve financial performance," said James K. Lawrence, Senior Partner and CEO of Spectrum Oversight Advisors. "Oversight Systems offered the most advanced platform for continuous monitoring that allows us to easily encode Spectrum’s proprietary analysis while also empowering non-technical finance managers to eliminate transaction-level errors from their day-to-day processes."

Next from Sarbox: Industry Exemptions

2006-07-21T10:36:00.000-04:00

Here's an interesting idea. Great for discussion, but not much of a reality.

Will the next round of public comment call for sector-specific immunity from Section 404?

Dig up evidence of document retention procedures for auditors, or work on a viable treatment for prostate cancer. Print out screen shots that support testing of general computer controls, or answer an important phone call from a high net worth client. The choice is obvious for biotech and community bank executives who contend that meeting the Sarbanes-Oxley Act's Section 404 requirements are diverting money and attention away from conducting business in a more efficient manner.

The evolution of the argument, at least for the next round of public comment on Section 404, may be a call for industry-specific exemptions. To be sure, if the neither the Securities and the Exchange Commission or Congress see clear to providing small company immunity, then industry lobbyist may take a different tack, this time aimed at convincing regulators and lawmakers that sector-specific 404 exceptions are needed.

Take off the SOX

2006-07-20T09:31:00.000-04:00

Corporate America largely regards the 2002 Sarbanes-Oxley accounting law as a settled matter. So, it's telling that the pressure keeps mounting to relieve smaller public companies of the evident burdens the law places upon them.

"I never intended to have these guys comply with what General Motors complies with," former Pennsylvania lawmaker and current head of the Biotechnology Industry Organization Jim Greenwood told us at an editorial board meeting this month as he motioned to two local biotech executives who accompanied him. Both men said the law's one-size-fits-all reporting requirements (the dreaded Section 404) unduly burden companies like their own. As a proportion of revenues, compliance costs smaller firms several times what it costs larger ones -- among whom the real targets lurked, not among the mom and pops.

One of them, Gary Lessing, chief financial officer of cancer-drug developer Avalon Pharmaceuticals of Germantown, reports that nearly 2 percent of his company's $30 million in expenditures last year were related to Sarbanes-Oxley. The company, founded in 1999, has no sales as it awaits its oncological discoveries. That's typical in biotech, where products take years to reach the market. "Every dollar comes out of spending for novel therapeutics on cancer," he said.

Oversight Systems to Host Web Conference on Risk-Based Controls to Effectively Manage & Prove Segregation of Duties for Sarbanes-Oxley Compliance

2006-07-19T08:50:00.000-04:00

Automate Compliance & Avoid Redeploying Your ERP System with Risk-Based Controls

ATLANTA (June 19, 2006) – Oversight Systems Inc., the leading provider of automated continuous monitoring solutions for real-time transaction inspection, will host a web conference entitled Segregation of Duties and Risk-Based Controls. The webcast will be held Wednesday, Aug. 2, at 2 p.m. (EDT) and will feature Oversight Vice President of Business Development Chris Rossie.

The 45-minute webinar will highlight the challenges of managing segregation of duties, build a case for risk-based management of segregation of duties, and discuss automated solutions for continuous monitoring that deliver affordable and effective Sarbanes-Oxley compliance.

"Real-world compliance demands risk-based controls," Rossie said. "Rather than spending millions of dollars to address low-risk control weaknesses, risk-based segregation of duties management guides your company to ensure financial integrity and meet your auditor’s demands without adding to your already excessive compliance costs."

Join the controls experts at Oversight Systems to learn how continuous monitoring drives risk-based controls to:

* Identify SoD conflicts across heterogeneous financial systems
* Analyze all historical transactions to determine if SoDs were ever violated
* Prioritize corrective actions based on occurrences of SoD violations
* Automate mitigating controls for remaining SoD conflicts
* Continuously monitor privileged users
* Prove SoD compliance with automated documentation and case management.

To register for the webcast, please call 404.920.2030 or visit: www.oversightsystems.com/sox.

Disclosure Adds Shareholder Value: Lessons from Sarbanes-Oxley's Predecessor

2006-07-17T09:20:00.000-04:00

This opinion editorial appears in today's issue of Stanford Knowledgebase, the monthly electronic newsletter published by the Stanford Graduate School of Business, http://www.gsb.stanford.edu/news/knowledgebase.html.

The convictions of the late Kenneth Lay and Jeffrey Skilling on charges of fraud and conspiracy in the Enron trial are important reminders that corporate executives don't always operate in the best interests of shareholders. A natural impulse is to turn to government to devise regulations to force executives to operate the corporations they manage in the interests of shareholders and the employees. But what do we know about the success of these regulations?

o understand whether shareholders value government regulation in financial markets, we recently completed an analysis of the effects of the 1964 Securities Acts Amendments. The 1964 Amendments extended the disclosure requirements that have applied to firms traded on the New York and American Stock Exchanges (NYSE and AMEX) since 1934 to large over-the-counter (OTC, now known as NASDAQ) firms. The relatively lax disclosure requirements for OTC firms prior to 1964 meant that shareholders were generally on their own in obtaining reliable information on the functioning of their companies and in devising methods to penalize management for failures to maximize shareholder value.

The 1964 Amendments dramatically changed the disclosure requirements for large OTC firms. Specifically, large OTC firms were newly required to: (1) register with the Securities and Exchange Commission (SEC); (2) provide regular updates on their financial position, such as audited balance sheets and income statements; (3) issue detailed proxy statements to shareholders; and (4) report on insider holdings and trades. Our study tested how the 1964 Amendments affected the stock returns and operating performance of the newly covered OTC firms, relative to unaffected NYSE and AMEX firms.

We found that OTC firms that were newly required to begin complying with all four forms of mandatory disclosure had substantial one-time gains in stock value relative to comparable NYSE/AMEX firms that were unaffected by the legislation. Our estimates of the higher returns range from 11.5 percent to 22.1 percent and imply that the 1964 Amendments created $3.2 billion to $6.2 billion of value for shareholders of the OTC firms we studied.

Sarbanes-Oxley Goes Global

2006-07-14T09:43:00.000-04:00

Europe has been experiencing an outbreak of Sarbanes-Oxley panic. As exchanges merge and more trading moves online, it's not always clear who should have regulatory power. The head of Britain's Financial Services Authority, Callum McCarthy, ignited controversy in June when he suggested that British firms might be subject to U.S. regulation if Nasdaq acquired the London Stock Exchange.

The New York-based exchange has built a 25% ownership stake in its British rival. "That has just sent a shiver down the collective spine of Europe," says Jim Kim, editor of FierceSarbox.com. "European companies, especially, really are just chafing at the mere prospect that they will someday have to comply with Sarbanes-Oxley."

For those companies listed in the U.S., however, the threat is already real. Most foreign firms have fiscal years ending Dec. 31, and they don't have to submit their compliance reports for another six months after that. Nevertheless, preparation began two years ago at many companies, according to Robert Lipstein, a partner at auditing firm KPMG.

SEC seeks ideas on Sarbanes-Oxley controls

2006-07-13T14:41:00.000-04:00

WASHINGTON, July 11 (Reuters) - U.S. securities regulators on Tuesday moved forward with a promised review of controversial corporate reform accounting rules by asking investors, companies and others for ideas to guide public companies in complying with the law.

Companies of all sizes have complained about the costs of implementing some of the Sarbanes-Oxley law requirements, especially those related to internal controls over financial reporting, also known as Section 404. The stricter requirements were adopted by Congress after shareholders were hurt by high-profile corporate scandals involving Enron Corp. and Worldcom.

To reduce excessive audit procedures -- which many companies have blamed for higher costs -- the SEC said it plans to issue guidance that focuses on "identifying risks to reliable financial reporting." That might include such things as clearly defining the terms "material weakness" and "significant deficiency" and laying out some fraud controls, it said.

SEC Moves Forward on Sarbanes-Oxley 404 Improvements

2006-07-12T15:44:00.000-04:00

Washington, D.C., July 11, 2006 - The Securities and Exchange Commission, in another step toward improving the implementation of the Sarbanes-Oxley investor protection law, today published a Concept Release as a prelude to its forthcoming guidance for management in assessing a company's internal controls for financial reporting.

Following its May 10, 2006, Roundtable devoted to Sarbanes-Oxley Section 404 implementation issues, the Commission issued a roadmap for improvements entitled "Next Steps for Sarbanes-Oxley Implementation" (SEC Press Release 2006-75, May 17, 2006). Today's issuance of the Concept Release is one of the milestones on that roadmap, and it brings the SEC one step closer to issuing guidance for management that has been lacking since the law was enacted in 2002.

At the Roundtable, the Commission learned from participants that while Section 404 has produced benefits, its implementation has been unduly costly. The Commission also received specific feedback about issues that remain to be addressed, and actions that the SEC and the Public Company Accounting Oversight Board could take to make the internal control assessment and auditing more efficient and more effective. A separate Advisory Committee on Smaller Public Companies reported, following a year-long study, that companies which have not yet undertaken the process have special concerns with both costs and procedures. The planned guidance for management which is the subject of the Concept Release is intended to assist in dealing with all of these issues and concerns.

Risk-Based SoD Management with Continuous Monitoring Lowers Compliance Costs

2006-07-12T15:04:00.000-04:00

Like controls documentation and access provisioning in previous years, segregation of duties management is part of this year's initiative for auditors and their review of your internal controls.

Unfortunately, this can escalate the already excessive costs of Sarbanes-Oxley compliance if companies continue to manage and test their internal controls like they have in the first years under Section 404 of the Enron-inspired law. Segregation of duties in the real world demands top-down management that eliminates financial risk without adding overhead costs.

This article highlights the challenges to managing segregation of duties, builds a case for risk-based SoD management, and discusses technology solutions for continuous monitoring that deliver affordable and effective SOX compliance.

Nonprofits, Governement Enitities Wearing Their Own SOX

2006-07-07T12:05:00.000-04:00

AccountingWEB.com - July 07, 2006 - Four years after its enactment, the Sarbanes-Oxley (SOX) accounting reform law, designed primarily for public company reporting, is having major impact on the nonprofit sector and on state and local governments.

“Sarbanes-Oxley’s impact has been far broader than its supporters intended or envisioned,” James K. Gentry, a professor and former dean of the School of Journalism and Mass Communications at the University of Kansas, writes in a posting on the businessjournalism.org Web site. The impact has been especially pronounced on nonprofits.

His report notes that it is not unusual for nonprofits, particularly one with very large budgets, to be using “a number of practices that mirror those used by public companies,”

A Board With Its Back To The Wall

2006-07-06T13:42:00.000-04:00

Why does United-Health Group (UNH ) CEO William W. McGuire remain in his job? It's a question that has baffled corporate governance experts since The Wall Street Journal reported in March that UnitedHealth and other companies might have backdated options grants for officers to boost compensation. In the post-Sarbanes-Oxley world, boards are acting on the first whiffs of legal or ethical lapses. Already 15 executives and directors from the 50 or so companies under investigation for backdating have been forced out. Heck, Raytheon's board even docked CEO William H. Swanson a million bucks in May for plagiarizing passages of his book -- not even a criminal offense.

Yet despite shareholder suits, federal and state investigations, a possible earnings restatement, and the disappearance of some $17 billion in market value, UnitedHealth's McGuire remains in his post, sitting on unrealized options gains now worth around $1 billion.

Paul Hodgson, senior research associate at the Corporate Library, a governance tracker, blames a weak board that remains too deferential to its dynamic CEO. But directors have other reasons to let McGuire stay. For one, given his strong leadership -- shares soared from a split-adjusted $1 when he began in early 1991 to a high of $64 in December -- investors aren't pressing for his ouster. "No one wants to see him dismissed," says David Dreman, chairman and chief investment officer of Dreman Value Management, which recently bought 781,000 shares.

PwC Study: Continuous Auditing a Growing Trend

2006-06-29T09:29:00.000-04:00

More companies are using "continuous auditing" techniques, which are designed to use technology to accelerate the internal audit cycle and improve risk and control assurance, according to a new study from PricewaterhouseCoopers.

Conducted earlier this year, the survey includes responses from 444 audit managers -- half of whom said that they already use continuous auditing techniques, an increase from 35 percent in 2005. Of the companies without techniques in place, 31 percent said that they have plans in place to begin making changes.

PwC advisory partner Dick Anderson said that the shift is due in part to a dynamic risk environment that increasingly demands timeliness and reliable assurance. He said that continuous auditing also employs non-traditional approaches when it comes to strengthening reporting and communication with senior management and the audit committee.

Nasdaq CEO sees Sarbanes-Oxley changes in 2007

2006-06-28T09:39:00.000-04:00

Nasdaq Stock Market Inc. Chief Executive Robert Greifeld said on Tuesday he expects changes to the Sarbanes-Oxley corporate reform law in 2007.

The Nasdaq chief said he sees the changes will come within the law's stiff internal controls accounting mechanisms -- known as Section 404 -- and how it is applied and judged.

"I make the prediction that in 2007 we will see refinement of the Sarbanes-Oxley Act whether it comes directly from the legislature or Congress getting involved with the (U.S. Securities and Exchange Commission)," said Greifeld, speaking at Stanford University's Directors' College forum.

"When we look at what's wrong with Sarbanes-Oxley, we know we have to have a risk-based approach to the rule in general that will apply to the 404 section," he said, addressing an audience of corporate directors at publicly traded companies.

Oversight Systems' Financial Executive Survey Shows Enterprise Risk Plagues Corporate America, Despite Confidence in Risk Preparation

2006-06-27T09:40:00.000-04:00

Companies are embracing the concept of enterprise risk management but continue to struggle with implementation according to the findings in the 2006 Oversight Systems Report on Risk Management. The national survey of financial executives released today also found room for improvement in the way companies assess, manage and prevent risk.

The report (available free at www.oversightsystems.com/survey) indicates that nearly half of companies surveyed (43 percent) report having faced "significant operational surprises" during the last year.

Executives recognize the value of enterprise risk management with 58 percent of financial executives reporting that their company has an enterprise risk management approach and philosophy that considers various interactions among different types of risk. Identical to the 2005 findings, this year 68 percent of financial executives say their CEO is placing greater emphasis on holistic management of all types of risk. However, it appears many critical elements of enterprise risk management are still not in place in corporate America.

"Clearly, executives see a need for better risk management because companies are getting burned on a regular basis," said Dana Hermanson, Dinos Eminent Scholar Chair of Private Enterprise at Kennesaw State University. Hermanson is also an advisor to Oversight Systems. "We still see a gap between top management believing that their company employs enterprise risk management and the reality that they are not pushing ERM down through the organization with awareness and training."

Audit fees for Sarbanes-Oxley compliance keep rising

2006-06-22T08:31:00.000-04:00

(Crain's) — Despite predictions that audit fees associated with the Sarbanes-Oxley Act would fall, the cost of corporate governance compliance continues to get more expensive for public companies.

Since federal accounting reforms were enacted in 2002, public companies with less than $1 billion in annual revenue have seen audit fees nearly triple in the past four years, according to a recent study by law firm Foley & Lardner. Audit fees were more than $1.2 million for fiscal year 2005 compared to $332,000 before accounting reforms.

In 2004, public companies with less than $1 billion in revenue spent slightly more than $1 million on audit fees, the study showed.

Blackstone boss bashes Sarbanes-Oxley Act

2006-06-16T08:56:00.000-04:00

(Reuters) - The U.S. law aimed at tightening corporate governance rules is a "terrible" piece of legislation and needs to be fixed, Blackstone Group's [BG.UL] Chief Executive Stephen Schwarzman said on Thursday.

The law, known as the Sarbanes-Oxley Act of 2002, has come under fire before from executives who say it burdens companies with hefty compliance costs.

But the law is rarely criticized by buyout executives such as Schwarzman, who benefit from companies going private in response to the Act's requirements.

"It's a terrible thing for the U.S.," Schwarzman said, speaking at a mergers and acquisitions conference on Thursday hosted by media group The Deal and the International Bar Association. Schwarzman acknowledged his firm and industry benefit from Sarbanes-Oxley.

Avoiding another Enron

2006-06-13T08:51:00.000-04:00

Guilty verdicts against two former Enron chiefs last month closed the books on the biggest case of corporate chicanery in recent history. But the fallout from that era of excess continues to blanket U.S. companies.

Are auditors more responsible, or are they just worried about liability?
I would guess they're more concerned with liability, survival, reputation. They're a lot tougher on clients and their clients' accounting. I know of several instances where they've decided that previous accounting was wrong and they are making their clients restate financial statements for things they have become more conservative about.

Fraud Detection Software: Shutting the Door on Scam Artists

2006-06-09T10:33:00.000-04:00

For Mark Van Holsbeck, director of enterprise security at Avery Dennison, relying on a person to find fraud risks was daunting. "There's too much human error, potentially," he says. About three years ago, the Pasadena, Calif.-based office supply maker went with Oversight Systems, an Atlanta company with roots in intrusion-detection software.

Oversight's product provides continuous monitoring of Avery Dennison's accounts payable, general ledger, action request and human-resources systems. The software cross-references hundreds of reports covering vendor pay and employee activity. Previously, those same tasks were done by staff, without any software to help.

Oversight Systems: Nonstop Cop

2006-06-08T08:33:00.000-04:00

Like taking care of kids, keeping transactional systems in check requires full-time attention, and customers say Oversight Systems is the kind of babysitter everyone should have.

Mark Van Holsbeck, director of enterprise security at office supplies maker Avery Dennison, knows all about it. Executives at the company didn't think internal fraud was a problem—but they knew it was something they needed to address.

"And we knew we could never catch it, unless somebody in the operation told us," Van Holsbeck says. "Otherwise, there was nothing we could do."

Cashing in on the value of compliance

2006-06-06T09:24:00.000-04:00

"Compliance is making people think at a higher level and forcing them to do things that are good for the business. Estimates on the cost of compliance vary, but whichever way you look at it, it is a lot of money and smart companies see they can use the investment to improve their business," says John Napoli, global director of financial services at BEA Software.

"At its simplest, compliance is about bringing data together to create reports for the regulatory bodies and getting them in on time. But if you approach it properly - look at the similarities across different regulations and draw the efforts together - you can keep the costs down," he says.

Real-Life Challenges and Recommendations

2006-06-05T08:56:00.000-04:00

Editor's note: This is from a May 31, 2006 RFG Research Brief entitled "Sustainable Compliance 101: Continuous Controls Monitoring" by lead analysts John Van Decker and Sara Braunstein

Client Challenge: As firms move into the third year of the Sarbanes-Oxley (SOX) compliance era, senior executives in finance, IT and other lines of business (LOBs) are focusing on sustainable and affordable effectiveness in internal controls surrounding critical business processes. RFG received an inquiry from a client that is challenged with making processes compliant, for fewer dollars and more quickly. The company is trying to determine what to prioritize in terms of making business processes and applications compliance-proof, and wonders if there are any low-hanging fruit that can provide significant business value without major investment. RFG recommended continuous controls monitoring (CCM) solutions to this client, to aid it in meeting The Committee of Sponsoring Organizations of the Treadway Commission (COSO) requirements for financial transactions.

A recent applications space referred to as continuous controls monitoring (CCM) provides a means of ensuring effective 404-related controls. In addition, CCM supports management in mitigating operational inefficiencies, pinpointing fraud, and reducing financial errors. Although CCM is similar to audit software, it addresses the compliance problem as an enterprise solution, rather than software specifically for the audit department.

Segregating Duties: How software can help to address one of the bugaboos of compliance

2006-05-23T16:15:00.000-04:00

One of the big themes in Sarbanes-Oxley (SOX) and other regulations is segregation of duties. The basic idea behind this is that no one person can gain the ability to perpetrate fraud or, for that matter, make sweeping mistakes; if many people are involved in a process, with each person responsible for a certain segment of it, this kind of risk can be mitigated.

Segregation of duties in a large enterprise can be a pretty complicated issue in practice because of the many possible violations. "We had a customer for whom we identified 8,000 conflicts," says Chris Rossie, VP of Business Development for Oversight Systems, by way of example.

H.B. Fuller lauds Sarbanes-Oxley

2006-05-22T09:01:00.000-04:00

Here's an interesting case study of a company that says its a stronger company after complying with SOX.

Many businesses have complained long and loudly that the costs of complying with the Sarbanes-Oxley Act exceed the benefits.

Might the reverse be true for their shareholders? Could these investors be faring better because of the stronger controls that the act requires businesses to put in place?

That's how it looks to the folks who run H.B. Fuller, theVadnaisHeights-basedadhesivesandspecialtychemicalsmaker.Theirshareholdersmightagree.And a study released early this month by the Lord & Benoit research and compliance firm suggests similar situations could prevail at many other publicly held companies.

Since January 2005, when Fuller first disclosed accounting irregularities in its Chilean operations, the company's stock has risen about 80 percent.

John Feenan, Fuller's chief financial officer, says the controls it installed to comply with the act helped the company deal with the trouble in Chile.

"At the end of the day, Sarbanes has been good for us," says Feenan. "It has definitely made us a stronger and better company."

Piling on the pressure as Sarbanes costs bite

2006-05-22T08:59:00.000-04:00

In Tom Brandt's office there are piles of ring binders, each about three inches thick. For Mr Brandt, chief financial officer of Nasdaq-listed TeleCommunications Systems, they are a laugh-able sign of the cost of complying with Section 404 of Sarbanes-Oxley (SOX).

The binders contain paperwork designed to prove that a mass of accounting, management and control procedures have been complied with – even down to descriptions of basic clerical procedures such as filling in vendor invoices.

Lowering SOX Costs Through Scope Reduction

2006-05-19T14:51:00.000-04:00

Here's a great piece from AMR Research on the changing methods for attaining SOX compliance.

Compliance costs for the Sarbanes-Oxley Act (SOX) remain in the $6B range for this year, decreasing ever so slightly from the prior year (see the AMR Research Alert article "SOX Spending for 2006 To Exceed $6B"). The appropriate use of technology can automate a lot of the activities done manually today, saving precious time and money. But there is another route to keeping a lid on expenses: reducing the scope of SOX-related work.

Taking a risk-based approach

Just about a year ago, the Public Company Accounting Oversight Board (PCAOB) issued advice to public companies that many have taken to heart: a risk-based approach should be used to determine the breadth and depth of any internal control work to support the constructs of SOX. The result has been that many companies have continuously streamlined their control frameworks to reflect this risk approach. This has, however, been an intellectual exercise, not one driven by technology.

The Sarbanes-Oxley Debacle

2006-05-16T11:47:00.000-04:00

In The Sarbanes-Oxley Debacle: What We've Learned; How to Fix It (AEI Press, 2006), Henry N. Butler and Larry E. Ribstein argue that the Sarbanes-Oxley Act of 2002 (SOX) has been a colossal failure. Enacted after the collapse of the Enron Corporation, the authors argue that Congress panicked and rushed into passing legislation that has had huge direct and indirect costs to the firms which must comply with the reporting rules.

The direct cost to companies complying with SOX's reporting rules has been widely estimated at $6 billion per year. Butler and Ribstein, however, argue that the indirect costs of SOX are in fact far greater: diversion of executives' attention from maximizing shareholder value; increased risk aversion by managers; distortion of executives' and directors' incentives and investment decisions; criminalization of corporate agency costs and mistakes; reduction of access to capital markets by entrepreneurs; and the crippling of the dynamic federalism that has created the best corporate governance structure in the world. Indeed, the best evidence to date indicates SOX imposes additional net losses totaling $1.1 trillion to the financial markets.

Oversight for Segregation of Duties

2006-05-11T09:28:00.000-04:00

Risk-based Prevention & Automated Mitigating Controls

Real world compliance demands a complete, closed-loop control system that identifies segregation of duties conflicts across multiple systems, quantifies control risk based on how (and if) a control weakness is exploited, monitors known risks where segregation of duties conflicts cannot be eliminated and provides documented proof of control effectiveness.

Oversight Systems takes continuous controls monitoring to the next level by combining user access rights testing with its patented real-time transaction inspection. Preventive controls combine with real-time detective controls to provide best practices in corporate governance, compliance and risk management. Finally, a solution for segregation of duties in the real world.

Until Oversight, companies had to choose between controls software that either tested a single ERP system for segregation of duties conflicts or analyzed historical transactions for control violations. However, our patented software builds upon each of these first generation technologies to:

* Identify segregation of duties conflicts across heterogeneous financial systems
* Analyze all historical transactions to determine if segregation of duties were ever violated
* Prioritize corrective actions based on actual risk of where segregation of duties violations have occurred
* Automate mitigating controls where segregation of duties conflicts cannot be eliminated

SEC to hear complaints over Sarbanes-Oxley law

2006-05-08T09:20:00.000-04:00

Wedenesday will be the day for executives to vent their frustrations about SOX. However, I don't think we'll see any huge breaks for smaller public companies.

WASHINGTON (Reuters) - U.S. securities regulators will hear the business community's passionately held views this week on how to fix or kill post-Enron corporate reforms that many believe are hurting American competitiveness.

The landmark Sarbanes-Oxley law, approved by Congress in 2002 to restore investor confidence after a string of accounting scandals, is already under attack.

A challenge is pending in federal court and House Republicans are expected to introduce a bill this week that would roll back part of the law.

On Wednesday, the Securities and Exchange Commission and the Public Company Accounting Oversight Board will hold a meeting to hear company complaints that the costs of complying with the law far outweigh any benefits.

SOX should be adapted for smaller cos-SEC accountant

2006-05-04T17:25:00.000-04:00

A few weeks ago it seemed like smaller companies would see some relief, but it looks like that was just a dream. Besides, smaller companies pose greater investment risk, so internal controls are just as important for them

NEW YORK, May 4 (Reuters) - Investors are seeing real benefits from the implementation of Sarbanes-Oxley corporate reforms, and small companies should not necessarily be exempted from the rules, the U.S. Security and Exchange Commission's top accountant said on Thursday.

Speaking at a financial reporting conference in New York, Scott Taub, acting chief accountant at the SEC, said that contrary to a recommendation from an SEC advisory committee that microcap and smaller companies should be exempted from certain parts of the law, Sarbanes-Oxley should be made to work for smaller companies.

SEC Chief Accountant Defends 404

2006-05-04T15:18:00.000-04:00

Here's an interesting article from CFO where the SEC is promoting more a "risk-based" approach to 404 and controls testing. For a year now, we've been hearing about this risk-based approach. I think it's finally starting to sink in, but we'll need the auditors carry this out ... and reduce their manual testing.

Admits SEC's cost estimates were "way off," but says companies are likely testing too many controls. He also says the concept of different rules for smaller companies is "difficult."
Ronald Fink, CFO.com

The Securities and Exchange Commission's acting chief accountant, Scott Taub, defended the SEC's implementation of Sarbanes-Oxley 404 today, suggesting soaring costs were due to overly detailed controls testing. Taub also threw more cold water on industry hopes that 404 might be modified for smaller companies.

"If you think 404 does nothing for fraud, you're doing it wrong," Taub told an audience Thursday morning at the Fifth Annual Financial Reporting Conference at the Zicklin School of business at Baruch College. In fact, he said, companies may indeed be missing implementing 404 incorrectly by failing to focus on those controls that pose "substantial risk."

Non-US companies struggle to make Sarbanes-Oxley compliance sustainable in the longer term

2006-05-04T09:53:00.000-04:00

Non-US companies that are required to comply with Section 404 of the Sarbanes-Oxley legislation for the first time this year, are so focused on the year one deadline that they are struggling to make the process sustainable for the future, according to a new survey from PricewaterhouseCoopers.

The survey 'Looking forward: evaluating early experiences with Sarbanes-Oxley' of some 36 Sarbanes-Oxley project leaders from large foreign private issuers (FPIs) suggests that the experiences of companies in the US, which struggled to embed compliance in year one, risk being repeated by FPIs.

There is a real danger that the excessive costs of compliance in year one will recur in following years unless companies take steps now to stand back and review the robustness of their controls and compliance structures.

Well over a third (44%) of respondents view their Section 404 compliance efforts as an entirely discrete piece of work, unconnected to other compliance activities and processes happening within the business. Although creating 'controls consciousness' is considered to be a medium-to-high priority for 86% of those surveyed, 31% state that this has not to date been gauged within the company. Similarly only 19% of respondents say that a formal mechanism exists for knowledge transfer from their Section 404 project team to management.

Survey Shows Alarming Drop in CEO Transparency Since Enron Bankruptcy

2006-05-03T10:44:00.000-04:00

CEO transparency in shareholder letters, a key indicator of CEO integrity, has substantially declined since the Enron bankruptcy and the passage of Sarbanes-Oxley legislation, according to an annual survey of investor communications. The 2005 Rittenhouse Candor Rankings(SM) survey found an increasing number of companies use more jargon, spin more information and make more confusing statements in shareholder letters than before the exposure of widespread corporate fraud in 2002.

L.J. Rittenhouse, President of andBEYOND Communications said, "The passage of Sarbanes-Oxley legislation in 2002 was intended to promote clear and transparent disclosure, but only 24 percent of the companies in our 2005 survey were awarded top marks in candor down from 57 percent in the 2002 survey. While many executives are certifying their results to comply with Sarbanes-Oxley, they are also publishing virtually unintelligible shareholder letters. If they cannot candidly articulate their goals and results, then how can they credibly walk their talk?"

Governance: Sox Technology's Second Wave

2006-05-01T11:41:00.000-04:00

By Laton McCartney, eWEEK
As companies seek to make Sarbanes-Oxley (Sox) compliance more efficient and sustainable, they are investing in a new wave of Sox-related software, says Paul Hamerman, vice president, enterprise applications at Forrester Research.

"During the first cycle of Sox 404 compliance, companies were under time constraints and weren't familiar with the new regulations," Hamerman says, referring to a requirement that publicly traded companies identify, test and document internal controls to prevent errors or fraudulent activities that affect the accuracy of financial statements. "As a result, they had to invent something on the fly or relied on in-house tools such as Excel spreadsheets or audit tools."

These makeshift tools weren't reusable. Moreover, while they captured the necessary data needed for compliance, that information couldn't be presented in a format that was useful from a management perspective, Hamerman says.

Former SEC Chair Harvey Pitt comments on how to make SOX 404 work for smaller companies without exempting them.

2006-04-28T09:45:00.000-04:00

Perhaps the most controversial topic facing the Securities and Exchange Commission today is the issue of applying the Sarbanes-Oxley Act — and specifically Section 404 of the Act — to smaller companies. The debate has drawn sharp response from several former SEC Chairmen, including William Donaldson, Arthur Levitt, and Richard Breeden. All three have publicly opposed proposals that would exempt smaller companies from rules requiring them to demonstrate effective internal controls over their financial reporting.

In testimony before the Senate Banking Committee earlier this week, SEC Chairman Christopher Cox appeared to walk a middle path in the debate, suggesting that 404 could work for such companies if a more appropriate framework could be developed for smaller companies. That view is not all that different from one recently proposed by another former SEC Chairman, Harvey Pitt, who headed the commission from 2001 to 2003. Now founder and chief executive officer of Kalorama Partners, Pitt talked with CFO.com this week about his perspective on smaller companies and section 404.

Oversight Systems to Address Institute of Internal Auditors May 1

2006-04-27T08:41:00.000-04:00

Co-Founder Chris Rossie to Discuss Closed-Loop Controls for Segregation of Duties

ATLANTA (April 26, 2006) - Oversight Systems Inc., the leading provider of independent, continuous monitoring solutions for real-time transaction inspection, today announced that co-founder and Vice President of Business Development Chris Rossie will present at the New Jersey Chapter of the Institute of Internal Auditors annual Internal Audit Software Expo.

Rossie is scheduled to speak Monday, May 1, at 2 p.m. on the topic "Segregation of Duties in the Real World: Closed-Loop Controls for Sarbanes-Oxley Compliance." Oversight Systems will also exhibit at the conference, which runs May 1 and 2 in Fairfield, N.J.

Designed for compliance executives and audit directors looking to optimize their controls and ensure efficient defect-free financial processes, Rossie’s presentation will cite case studies and best practices that demonstrate how companies can apply continuous monitoring software solutions to:

* Identify segregation of duties conflicts
* Recognize actual control violations corresponding to those conflicts
* Prioritize controls conflicts based on risk and dollar value of the violations
* Automate a mitigating control for SoD conflicts that cannot be eliminated.

"Real world business processes demand a risk-based approach to segregation of duties," Rossie said. "Finding a control conflict is just the beginning. Rather than redeploying an ERP system to eliminate low risk SoD conflicts, compliance executives and audit directors are now realizing the benefit of combining preventive controls with automated, mitigating controls."

Bridging the Sarbanes-Oxley Disclosure Control Gap

2006-04-26T10:27:00.000-04:00

This report compiles historical information that addresses both the likelihood of self reporting internal control deficiencies and the advancement of quality in financial reporting as it relates to the most recent recommendations of the Advisory Committee on Smaller Public Companies.

The SEC Subcommittee on Smaller Public Companies recently released a draft report containing recommendations that it believes will advance the goal of enhancing the quality of financial reporting while also reducing the cost of compliance to SmallCap and MicroCap public companies.

An important underpinning of these recommendations is that SmallCap and MicroCap companies, with the addition of several new corporate governance requirements, can be relied upon to self report material weaknesses in internal controls over financial reporting and maintain a high level of quality in financial reporting.

This report examines the historic relationship between Section 404 (internal control over financial reporting) and Section 302 (self reporting of disclosure controls and deficiencies in internal controls) reporting and compiles research about historical financial restatements.

Oversight 3.8 Introduces Open Knowledge for Customized Analysis & Testing

2006-04-24T09:19:00.000-04:00

Web-based interface allows users to create & modify Oversight's Integrity Checks

ATLANTA (April 24, 2006) - Oversight Systems Inc. today announced the launch of Oversight 3.8 which extends Oversight's continuous controls monitoring software by allowing users to easily customize their analysis and build upon Oversight's best practices in transaction inspection and continuous monitoring.

For more than two years, Fortune 500 companies have relied upon Oversight's real-time transaction inspection software to automate the analysis and testing of auditors and fraud examiners across their heterogeneous financial systems. With real-time inspection over every transaction, Oversight identifies all errors and control violations, drives defect-free financial processes, and sustains Sarbanes-Oxley compliance by providing a wide range of automated mitigating controls.

"Oversight continues to expand upon our library of Integrity Checks that encapsulate the best practices of auditors and our intuitive interface empowers non-technical users to apply Oversight’s advanced analysis engine to deliver precise results for their specific needs, processes and applications," Oversight Systems CEO Patrick Taylor said.

Oversight 3.8 provides a secure medium for authorized users to tune the configuration of Integrity Checks. Non-technical users can create new Integrity Checks for real-time transaction inspection that are customized for company-specific processes. Oversight partners are leveraging the capabilities to develop monitoring solutions for trade promotion, Basel II, license enforcement and OMB A-123.

"Grant Thornton recognized the emerging demand for continuous monitoring solutions to maintain financial integrity within ERP systems, so we've partnered with Oversight Systems to incorporate Oversight's real-time transaction inspection into the Grant Thornton Financial Integrity Workstream offering," said Rhoda Canter, Partner, Grant Thornton Global Public Sector.

About Oversight Systems, Inc.
Oversight Systems takes continuous controls monitoring to the next level with real-time transaction inspection for defect-free financial processes. Oversight's software provides a platform for continuous monitoring that automates the process of finding problems, fixing problems and proving problem resolution. By inspecting each step of individual transactions across all financial systems, Oversight identifies all errors and control violations, drives defect-free processes, and sustains Sarbanes-Oxley compliance.

Small firms would get audit relief under SEC plan

2006-04-21T09:36:00.000-04:00

WASHINGTON (MarketWatch) - Federal securities regulators should exempt small companies from certain sections of a controversial corporate-governance law, according to a draft of an advisory panel report scheduled to be released Monday.

Members of the Securities and Exchange Commission's Advisory Committee on Smaller Public Companies are recommending that firms with market capitalizations of less than $787 million get breaks on reporting their internal financial controls.
Small companies have complained that the costs of implementing Section 404 of the 2002 Sarbanes-Oxley Act are too high.

Committee members say the Securities and Exchange Commission should develop "scaled" or "proportional" regulation for two tiers of companies. The draft report says so-called "microcap" firms and "smallcap" companies should be subject to less-stringent regulations. Microcap companies are defined as having market capitalization of less than $128 million. The committee defines small cap companies as those with market capitalization of less than $787 million. A copy of the draft report was obtained by MarketWatch.

Webcast with AMR Research's John Hagerty -- 2006: The Year of Continuous Monitoring & SOX Optimization

2006-04-20T11:10:00.000-04:00

Date: Wednesday May 10
Time: 2 p.m. EDT/ 11 a.m. PDT
Duration: 1 hour

To sustain Sarbanes-Oxley compliance from year-to-year, businesses must now shift their compliance efforts from manual controls and testing to automated controls and processes. For this reason, 2006 is The Year of Continuous Monitoring & SOX Optimization. AMR Research analyst John Hagerty leads a 60-minute discussion on how forward-looking businesses are implementing continuous monitoring solutions to sustain compliance and deliver business benefits from their SOX efforts. John will draw upon his research to share strategies and best practices for compliance and continuous controls monitoring.

Oversight CEO Patrick Taylor and an Oversight customer will then build upon John's research by sharing case studies of how real-time transaction inspection takes continuous controls monitoring to the next level with complete enterprise controls management by:

* Identifying control conflicts across all ERP systems and many feeder systems
* Validating control risks by analyze historical transactions
* Prioritizing remediation based on dollar-quantified risk
* Providing an ongoing mitigating control for SoD conflicts that cannot be eliminated (Real-Time Transaction Inspection)
* Identifying transaction errors and process breakdowns wherever they occur.

Continuous Controls Monitoring

2006-04-19T10:20:00.000-04:00

Oversight Systems takes continuous controls monitoring to the next level with real-time transaction inspection for defect-free financial processes. First, Oversight provides preventive controls to identify segregation of duties conflicts across your many financial systems and prioritize the thousands of potential problems based on actual risk. Oversight then provides real-time detective controls that inspect each step of every financial transaction for errors and control violations, so companies can address these issues when they are less complex and less costly to correct.

CFOs Cash In on Stock-based Awards

2006-04-18T09:58:00.000-04:00

Yahoo chief financial officer Susan Decker took home nearly $41 million in 2005, roughly $31 million of it from exercising stock options and selling the underlying shares. She was also awarded more than $7 million in restricted stock, four times as much as in 2004.

Decker also received a salary of $500,000, the same as last year, and a bonus of $1 million, $100,000 more than in 2004.

Stock-related compensation also played a major role in the total earnings of several other finance executives, according to proxies recently filed with the Securities and Exchange Commission.

ESSENTIAL TECHNOLOGY: "CSI" for the Enterprise?

2006-04-17T09:21:00.000-04:00

Electronic data discovery tools help investigate fraud, breaches and other bad behavior. But CIOs should approach them with caution.

As the senior security manager at Kimberly-Clark, Osborne is evaluating a tool from Oversight Systems that analyzes accounting information from SAP and other financial systems to detect fraud and errors both in current transactions and in past transactions stored in the SAP system. He's recommended that Kimberly-Clark seriously consider adopting the technology.

Sarbanes-Oxley effect now wearing off for auditors

2006-04-13T08:59:00.000-04:00

When the Sarbanes-Oxley Act first reared its head in the wake of a rash of corporate scandals in the US, including Enron and WorldCom, it left many companies with quite a headache.

Auditors, however, must have been rubbing their hands with glee: more work in ensuring compliance with the new corporate governance laws meant higher fees after all.

The amount of non-audit work you could undertake with an audit client may have been restricted, but this loss of work could be picked up elsewhere, from other firms that also have to drop some services.

But the good times for auditors caused by the new rules now appear to be over, after a recent US study showed that audit fees have started to drop once again.

Top 10 Procure-to-Pay Control Violations and Process Breakdowns

2006-04-12T14:01:00.000-04:00

Top 10 Procure-to-Pay Control Violations and Process Breakdowns

Sarbanes-Oxley and global outsourcing have changed the game for finance executives. Control violations and process breakdowns use to be limited to the realm of Six Sigma black belts, but those days are gone.

Once just operational snags, procure-to-pay control violations and process breakdowns threaten a company’s Sarbanes-Oxley compliance and add extra expense to financial operations. Whether faulty segregation of duties or payment errors, both can land you in hot water with either your auditor or your cost-cutting, outsourcing-minded CFO.

With a broad base of Fortune 500 customers, Oversight Systems collected data to compile the 10 most common procure-to-pay control violations and process breakdowns.

1. Segregation of Duties
Companies are now devoting thousands of man hours to hunt down segregation of duties (SoD) conflicts within their financial systems and processes. However, they’re finding that the vast majority of these potential SoD risks have never actually been violated. Moreover, many of the SoD violations were executed to get relevant work accomplished – not fraud.

Some push the idea that every single SoD risk can be eliminated with better management of user access rights within your ERP systems. However, most financial processes don’t operate inside a vacuum of a single financial system or perfectly defined roles that eliminate all SoD conflicts. Real world compliance demands a complete closed-loop control system that identifies SoD conflicts across multiple systems, quantifies control risk based on how (and if) a control weakness is exploited, monitors known risks where SoD conflicts cannot be eliminated, and provides documented proof of control effectiveness.

2. Vendor File Management
Ask any accounts payable manager, and they’ll tell you about their headache maintaining clean and accurate master vendor files. Common errors pop up with duplicate vendor files for “IBM” and “International Business Machines”. Multiple billing addresses and delivery locations only magnify the issue. However, more troublesome problems arise when purchase orders are entered and approved for inactive or invalid vendors who lack proper credentials. This control weakness can easily lead to financial risk.

3. Payment Errors
As the final output of the procure-to-pay process, payments are the end product of a series of tasks and sub-processes. Erroneous payments are the final result of process breakdowns and control violations within those sub-processes – vendor maintenance, PO approvals, receipt of goods, vouching for the invoice, etc.

Duplicate payments often originate with duplicate vouchers. As companies process and vouch for incoming invoices, most financial systems are configured to prevent an exact duplicate from entering the system. However, most AP departments occasionally run into rush-job situations where it’s acceptable to circumvent the preventive system control by adding a simple dash or suffix to the end of a voucher number.

Besides duplicates, common payment errors also include misdirected payments where the name on the check or account number of a wire transfer does not match the corresponding fields in master vendor file.

4. Out of Sequence Transactions
Process breakdowns frequently occur from transactions that don’t follow the defined process flow. For example, an invoice “issued” date or voucher “created” date can predate the approval date of the corresponding purchase order. In this situation, authorization to pay the invoice is inferred from receipt of the invoice as opposed to approval of the purchase order.

5. Bad Data Inputs
Efficient procure-to-pay processes rely on accurate data inputs to the accounts payable system from all internal and external sources – from corporate purchasing to vendor invoicing. Bad data inputs introduce errors into the process that typically rely on manual intervention to detect and correct. In some cases, the incoming invoice or purchase order includes more “lines” than what the production system can accept. Monitoring systems can automate much of that work by analyzing the source data systems and the accounts payable production system.

6. Unvouchered Receipts
Breakdowns in the procure-to-pay process often accumulate in a company’s suspense account for “unvouchered receipts” – also known as GRNI or “goods received but not invoiced”. While companies must accurately accrue for available resources that have not been invoiced, this suspense account often grows over time as invoices don’t exactly match up against the original journal entry to the GRNI account. Errors in reconciling this account often lead to over booking of liabilities.

7. Procurement Card Policy Violations
Procurement cards – a.k.a. purchase cards or simply P-cards – provide a convenient solution for authorized employees to buy low value goods and services with a company “credit card.” While P-cards reduce the work and costs of the accounts payable department, policy violations can occur where employees circumvent their purchase limits by splitting a single purchase into multiple P-card transactions. However, more common mistakes and process breakdowns occur where a purchase order is issued for an item purchased with a P-card. Other common control policy violations occur when an employee mistakenly submits a receipt on an expense report for goods purchased with the company P-card.

8. Freight Accruals
Similar to unvouchered receipts, freight accruals must be accurately reconciled or will lead to misstating a liability. While also common in the order-to-cash process, errors in procure-to-pay freight accruals often arise when the projected freight costs are consistently overestimated or underestimated. Without matching the estimated freight costs with the actual costs of freight, companies have faced significant surprises when closing their books.

9. Unused Discounts & Credits
Purchasing departments and division heads work hard to secure discounts with their preferred vendors, and vendors often issue credits for returns and past mistakes. However, many companies never fully utilize their available discounts and credits. In many cases, business line managers issue and authorize purchase orders in a rush to get their projects accomplished without taking the time investigate the available discounts and credits. Accounts payable managers then execute on the approved POs without context of whether the company is overpaying its vendors.

10. Errors in Data Aggregation
With the end of every reporting period, accounts from the procure-to-pay process roll up into the general accounting systems. Depending on the company, this data aggregation includes multiple iterations of the same ERP system or integration of heterogeneous systems. In either case, errors and control violations occur in this data aggregation as information is formatted, manipulated in spreadsheets, reformatted and uploaded.

The Real Value in Sarbanes-Oxley

2006-04-11T15:09:00.000-04:00

Fear can be a powerful generator of upstanding conduct, say Stephen Wagner and Lee Dittmar. But business runs on discovering and creating value. In this month's Harvard Business Review, the co-authors discuss how smart companies are finding unexpected benefits in Sarbanes-Oxley compliance. Wagner, who is the managing partner of the U.S. Center for Corporate Governance at Deloitte & Touche, and Dittmar, who leads the enterprise governance consulting practice at Deloitte Consulting and co-leads its Sarbanes-Oxley practice, talked with Kathleen Melymuka about how your company can use compliance requirements to its advantage.

What were some of the big control gaps that early Sarbanes-Oxley compliance efforts uncovered?

WAGNER: One of requirements of internal controls is maintenance of records in reasonable detail that reflect transactions. We found [that] in many instances, control documentation was way behind or didn't exist. A second issue was "tone at the top" -- the communication that comes out of the boardroom and the CEO suite that sets the stage for the organization, including how it deals with ethical standards. We found that there was often very little communication across organizations around the importance of maintaining good controls. In some cases we found duplication of control activities that created inefficiency and less-than-effective controls. Lastly, we ran into the notion of unnecessary complexity in the extreme. Many companies are far more complicated than they need to be. In the IT area in particular, there was duplication of systems, multiple instances of ERP -- one division of a company had 200 financial accounting systems.

Fraud Law Spurs Backlash, Integrity

2006-04-10T09:19:00.000-04:00

When Carmen Requena's employer asked her to lead internal audits, she quickly learned that the job made her as popular as a meter maid.

Such audits had never been done at her midsize software company, and her team was formed in response to the demands of a stringent federal antifraud law known as the Sarbanes-Oxley Act.

"The very first meetings that I started to attend, people were sort of dragging their feet and not tremendously thrilled at what they had to do," she says.

But during the past 18 months, grudging reluctance has given way to acceptance and even the view that the rigorous new accounting standards entail benefits as well as costs for the company, Micros Systems in Columbia, Md.

It's a story that's been repeated in many corporations in the wake of the scandal at Enron Corp., which symbolized American dynamism until hidden losses forced it into sudden bankruptcy — and prompted Congress to enact the Sarbanes-Oxley legislation of 2002.

Survey: SOX Compliance Costs Dropping, Average $3.8M

2006-04-07T12:10:00.000-04:00

A new survey says that the average cost for the internal controls provisions of the Sarbanes-Oxley Act is $3.8 million, down 16.3 percent from last year and about halfway to the drop anticipated for the second year of compliance.

Financial Executives International polled 274 public companies with average revenues of $6 billion, 238 of which are accelerated filers. It was the fourth SOX compliance survey FEI has conducted since 2004.

According to the survey, many of the cost reductions can be attributed to fewer staff, less consultant time and reduced auditor fees from a year ago: internal staff time spent on the provisions decreased 11.8 percent; external costs, including software and consultant fees, but excluding primary auditor fees, fell 22.7 percent; and auditor attestation fees dropped 13 percent.

"There is still room for improvement. Based on the feedback from our members, it is clear that the degree of documentation is the No. 1 issue," said FEI president and chief executive Colleen Cunningham, in a statement.

The survey also found that 85 percent of the surveyed companies do not believe that the benefits of compliance with Section 404 have exceeded the costs. Top recommendations from executives on how the implementation of Section 404 could be made more efficient included reducing the degree of documentation required (67 percent of respondents) and allowing for greater reliance on internal audit data and resources (66 percent of respondents).

Segregation of Duties

2006-04-06T11:01:00.000-04:00

Most financial processes don’t operate inside a vacuum of a single financial system or perfectly defined roles that eliminate all segregation of duties conflicts. Real world compliance demands a complete, closed-loop control system that identifies SoD conflicts across multiple systems, quantifies control risk based on how (and if) a control weakness is exploited, monitors known risks where SoD conflicts cannot be eliminated and provides documented proof of control effectiveness.

Oversight Systems takes continuous controls monitoring to the next level by combining user access rights testing with its patented real-time transaction inspection. Preventive controls combine with real-time detective controls to provide best practices in corporate governance, compliance and risk management.

Until Oversight, companies had to choose between controls software that either tested a single ERP system for SoD conflicts or analyzed historical transactions for control violations. However, our patented software builds upon each of these first generation technologies to:
* Identify SoD conflicts across heterogeneous financial systems
* Analyze all historical transactions to determine if SoDs were ever violated
* Prioritize corrective actions based on actual risk of where SoD violations have occurred
* Implement automated mitigating controls where SoD conflicts cannot be eliminated

WEBINAR: Real-Time Transaction Inspection for Defect-Free Financial Processes

2006-04-06T09:24:00.000-04:00

Date: Wednesday April 19
Time: 2 p.m. EST/ 11 a.m. PST
Duration: 45 minutes

Errors in day-to-day financial transactions consistently result in adjustments, reversals and rework. Real-Time Transaction Inspection takes continuous controls monitoring to the next level by automating the analysis of auditors across every transaction to deliver Defect-Free Financial Processes. While these errors originate from human errors, data roll-ups from multiple systems or process breakdowns, Real-Time Transaction Inspection analyzes each step of every financial transaction in real time for errors and control violations, so companies can address these issues when they are less complex and less costly to correct.

Oversight CEO Patrick Taylor leads a 45-minute discussion on the benefits of Real-Time Transaction Inspection for solving the process and compliance pains for:

* Segregation of Duties
* Unvouchered Receipts (Goods Received, Not Invoiced)
* Payment Errors
* Freight Accruals
* Discounts & Promotions

Audit costs drop in US

2006-04-05T09:24:00.000-04:00

Audit fees in the US, which rose sharply following the implementation of the 2002 Sarbanes-Oxley Act, have begun to fall, a report published in Compliance Week has revealed.

Large public companies (revenue of more than $5bn) in their second year of Sarbanes-Oxley compliance saw audit fees fall 0.6% in 2005, while overall, fees paid to external auditors fell by 7.4%.

The drop in audit costs contradicted reports in the Wall Street Journal which said that audit fees were still rising, albeit moderately.

SEC rejects exemptions demand

2006-04-04T09:15:00.000-04:00

Small companies in the US have failed to secure exemption from parts of the Sarbanes- Oxley Act which requires auditors to certify their compliance with federal laws.

An SEC panel had advised that only the largest 20% of public companies be subject to the checks, which would see auditors verifying systems for protecting assets, reporting financial information and complying with regulations.

But the Chicago Tribune reported today that SEC chairman Christopher Cox has now ruled out any exemption.

The move will disappoint lobbyists, including the US Chambers of Commerce, which had been campaigning for changes.

Audit fees, SOX still socking companies

2006-04-03T16:48:00.000-04:00

The pain was supposed to subside for companies after the first year of the Sarbanes-Oxley Act, as business pundits predicted that investments in pricey technologies and accounting infrastructure would peter out after taking a big, one-time bite out of Corporate America's bottom line.

The pundits were wrong. A Boston Business Journal analysis of 27 public companies in Massachusetts shows their auditing costs spiked 26 percent last year, bringing their total increase to 103 percent since SOX became effective in 2004. In total, the group spent $56.6 million on SOX and related auditing costs last year, or around 2 percent of their 2005 operating income.

IPOs head for Europe as Sarbox hits US markets

2006-03-31T09:06:00.000-05:00

The true cost of the Sarbanes-Oxley Act for the capital markets in the US has emerged, as Europe raised more new funds from initial public offerings than the US for the first time in four years.

In its latest review of the European IPO market, the capital markets team at PricewaterhouseCoopers found that both the volume and value of European IPOs had grown substantially in 2005 and outstripped the US exchanges.

The number of IPOs in Europe last year grew 39% from 433 to 603 and the sums of new money raised almost doubled from 28bn euros (£19.3bn) to 51bn euros as international companies flooded into the European markets to avoid the onerous regulatory requirements imposed on the US exchanges by Sarbanes-Oxley.

Webinar: Segregation of Duties in the Real World

2006-03-30T14:52:00.000-05:00

Webinar: Segregation of Duties in the Real World
Real world compliance demands a complete closed-loop control system that identifies SoD conflicts across multiple systems, quantifies control risks, monitors SoD risks and documents compliance.

Make the rules work for you

2006-03-30T08:54:00.000-05:00

It is almost 20 years since the Big Bang liberated the finance sector by sweeping away what were then considered outdated regulations. Since then, regulation - both at national and at international levels - has slowly crept back and threatens to create a mountain of bureaucracy.

A succession of scandals across the world from the Barings bank debacle to Enron and Worldcom have caused the regulatory pendulum to swing towards tighter rules. The growing list of rules includes the US Sarbanes-Oxley Act, the Basel II risk management rules for financial institutions and the Market in Financial Instruments Directive (MiFID).

The theory is that rules and regulations make for order and stability. But they are also a burden on business and add significantly to costs. Organisations are, therefore, looking for ways to mitigate the cost of compliance and squeeze out some real business benefits from what is a mandatory investment.

A recent survey of 261 US financial executives on the impact of Sarbanes-Oxley, conducted by financial software specialist Oversight Systems, suggests that companies are able to derive benefits from compliance. Improvements in the accuracy of financial reports were cited in 47 per cent of responses. Other perceived benefits included a reduction in errors in financial operations (48 per cent) and empowerment of the board's audit committee through better information.

Sarbanes Counters Critics of 2002 Law

2006-03-24T09:27:00.000-05:00

Sen. Paul Sarbanes, D-Md., offered his most sweeping defense of a law he co-authored following the collapse of Enron Corp. and suggested that current efforts to roll back the law are on shaky legal footing.

"We need to remind those who complain that Congress overreacted or overreached in passing Sarbanes-Oxley of several crucial points," he said Thursday in remarks to the Consumer Federation of America.

"It's asserted by some that the law was enacted in haste," Sarbanes said. "I think this is an affront to the hard work and the common sense of the members of Congress who shaped the legislation, moved it through their respective houses, and voted for it. We had an extremely thorough, careful set of hearings."

How Nortel, auditor became joined at hip

2006-03-17T10:35:00.000-05:00

Nortel Networks Corp. has faced years of financial statement restatements, accounting crises, a roller-coaster stock price, and changes to executive management, but throughout it all, Deloitte and Touche LLP has been a constant.

Deloitte, the world's biggest accounting services firm, has held on to the Nortel account even in the company's darkest times.

During Nortel's restatement years, Deloitte was paid $57 million in 2004 and $72.7 million in 2003 -- for what amounts to the largest fees in those years for audit, tax and related services paid by any Canadian company.

But after Nortel's decision last week to restate its accounts for the third time in as many years, the issue that's puzzling many is how Deloitte has held on to the Nortel account.

"It's a question we've been asking since last year at the [Nortel] annual meeting," said Bill Mackenzie, president of governance watchdog Fairvest Corp.

One answer is that other auditors are not in a position to do a better job than Deloitte, and might not be willing or able to tackle Nortel, Mr. Mackenzie said.

Nortel's sprawling business is "so complex," that it's difficult for any auditor to understand, he said. In fact, Deloitte's experience means the firm has the best knowledge of Nortel of any of the audit firms, Mr. Mackenzie said. And while it could seem like a sensible option to have another set of eyes look at the accounts, there have already been "a lot of fresh eyes on the Nortel accounts," he said.

Director liability should be capped: PwC CEO

2006-03-16T10:32:00.000-05:00

PricewaterhouseCoopers' chief executive said the pendulum has swung too far against company directors after a string of accounting scandals and that now the risk of legal action threatens board recruitment.

CEO Samuel DiPiazza told Reuters in a telephone interview, "(We need) some type of financial cap around their (director) liability, so that you can't put a board member in the position of losing everything he's ever worked for in his whole life because he was misled by management."

In the aftermath of scandals in the past five years at Enron, Worldcom, Global Crossing, Parmalat and others, countries have tightened corporate governance rules.

In the U.S., Sarbanes-Oxley rules hold directors accountable for internal reporting checks and balances.

Cross-Exam of Ex-Enron CFO Fastow Continues

2006-03-09T08:35:00.000-05:00

The former chief financial officer of Enron Corp. is facing a brutal cross-examination by a defense lawyer suggesting he is setting up his former bosses to save himself a life prison term.

The aggressive questioning by Daniel Petrocelli, lawyer for former Enron chief executive Kenneth Lay, is the first time ex-CFO Andrew Fastow has been grilled in public about his role in the Enron fraud. He pleaded the Fifth Amendment before Congress.

In a tense exchange Wednesday, Petrocelli, in a tone of disbelief, said Fastow watched his own wife go to prison rather than come clean to federal investigators about the his crimes.

Lea Fastow served a year in prison for submitting a tax return that failed to classify as income kickbacks intended for Fastow — some of which were sent in the form of checks to his two young sons.

Executives who use accounting-motivated transactions to prop up financial results are among the obstacles to a principles-based approach, says Robert

2006-03-08T08:58:00.000-05:00

The Financial Accounting Standards Board is conceding that its push for a principles-based accounting system could run smack into some powerfully entrenched interests.

FASB laid out the challenges it faces in a February 16 reply to a Securities and Exchange Commission report on improving the transparency of off-balance-sheet arrangements, which was issued eight months ago. Largely agreeing with the SEC, the board threw down the gauntlet against complexity, essentially calling for the U.S. accounting industry to move away from its traditional rules-based model to a more principles-based system.

In its letter, FASB agreed to revisit everything the SEC suggested: the accounting treatment of leases, defined-benefit pensions, and financial instruments, as well as consolidation policies. But the standards board also issued a broader critique, noting that form was surpassing function in financial reporting and that complexity was clouding transparency.

The response, however, reiterated the obstacles to change that FASB chairman Robert Herz hit on in a December speech to the American Institute of Certified Public Accountants (AICPA). "Fundamental structural, institutional, cultural, and behavioral forces have caused, and continue to cause, complexity in the system and impede transparent financial reporting," he said then.

Enron: It's Fastow's turn on the stand

2006-03-07T08:42:00.000-05:00

Former Enron chief financial officer Andrew Fastow -- one of the key figures in the collapse of the energy trader -- is poised to take the stand Tuesday in the trial of the failed energy trader's ex-CEOs.

Fastow would be the most senior executive to testify so far and is considered crucial in the case against Enron founder Kenneth Lay and former chief executive Jeffrey Skilling. Fastow is expected to provide critical details implicating his former bosses in the massive fraud that brought down Enron -- once the seventh largest company in the U.S.

His close ties to the defendants are expected to provide government prosecutors with damning evidence that Lay and Skilling were willing participants in the accounting scandal that pushed the company into bankruptcy in December 2001. But Fastow's own shady dealings and notoriously quick temper have been cause for concern for the prosecution -- and fuel for defense attorneys who hope to discredit him on the stand.

Fastow was the mastermind behind the fraudulent LJM partnerships -- the acronym actually stands for the first letters of his wife and two sons' names -- that were created to make complex deals to bolster Enron's profits and hide losses.

Restatements Surged in 2005, Says Study

2006-03-06T10:39:00.000-05:00

Restatements are busting out all over. The number of revisions of financial reports by publicly traded companies surged to a record 1,295 in 2005, nearly double the previous year's mark of 650, according to a new study by Glass, Lewis and Co., a corporate-governance research firm. The tally is also more than triple the total in 2002, the year the Sarbanes-Oxley Act (Sarbox) was passed.

According to the study, 1,195 companies — or 8.5 percent of all U.S. corporations — filed a restatement. That compares with 4.5 percent the previous year. From 1997 through 2005, public U.S. companies filed 3,642 restatements to correct accounting errors. That's about 30 percent of all public U.S. companies during the past nine years.

F&A Outsourcing Providers Discover Competitive Advantage with Real-Time Transaction Inspection

2006-03-03T08:47:00.000-05:00

Business Process Outsourcing (BPO) service providers specializing in finance and accounting (F&A) see a growing market opportunity but already face increasing price pressures. Advisory firms are commoditizing engagements and defining what service level guarantees should be. In addition, costs keep escalating in offshore locations, diminishing some benefits of labor arbitrage.

These market forces are creating immediate cost pressures on providers in the first year of outsourcing relationships. At the same time, providers need to focus on additional ways to increase their margins with existing clients. Due to innovative exploitation of existing technology, Oversight Systems provides a software-based solution that enables providers to meet these objectives with real-time transaction inspection.

Can Sarbanes-Oxley influence investors' trust?

2006-03-02T08:48:00.000-05:00

What is a 'fair' price for fairness? New research from Washington University's Olin School of Business reveals that a just system of governance may not enhance trust when returns do not meet investors' expectations. This is sobering news for businesses that have spent countless hours and large amounts of money complying with the Sarbanes-Oxley Act (SOX) in the hopes of building stronger corporate governance.

Ron King, the Myron Northrop Professor of Accounting in the Olin School of Business conducted research on how trust is created under different combinations of procedural justice and payout fairness. King makes the following observations based on his research:

Fairness might be a trade-off for smaller returns.

• SOX proponents argue that the extra compliance costs can be justified because these costs are offset by the benefits of increased investors' trust and reduced investors' skittishness. "The central question raised by this policy issue relates to how people make tradeoffs between a fairer system and a smaller pool of resources (because the fairer system is costly)," King says. "That is, this is an issue of procedural and distributive justice."

Investors like the pie big

• The most critical case that demonstrates the benefits of better corporate governance occurs when returns are low - which can happen even with good governance. King finds that when returns are below expectations, investors do not have more trust in a firm with better governance. Rather, it appears that good outcomes trumps good process.

• "If people have high expectations, they turn a blind eye to procedural justice when returns are low," King says. "The takeaway for policy makers is that they should take care to balance the costs of a fairer system with the expenditure of resources to achieve the fairer system."

Webinar: Segregation of Duties in the Real World

2006-03-01T08:45:00.000-05:00

Date: Wednesday March 15
Time: 2 p.m. EST/ 11 a.m. PST
Duration: 45 minutes

Most financial processes don’t operate inside a vacuum of a single financial system or perfectly defined roles that eliminate all segregation of duties conflicts. Real world compliance demands a complete closed-loop control system that identifies SoD conflicts across multiple systems, quantifies control risk based on how (and if) a control weakness is exploited, monitors known risks where SoD conflicts cannot be eliminated, and provides documented proof of control effectiveness.

Join the controls experts at Oversight Systems for a 45-minute webinar to learn how real-time transaction inspection takes continuous controls monitoring to the next level with complete enterprise controls management:

* Continuous application and database configuration assessment
* Monitor & analyze transaction artifacts (data) as they are posted
* Analyze multi-application and multi-site environments
* Detect human and system errors and misuse
* Transaction-based anti-fraud control

New calls on SEC to relax rules

2006-02-27T11:41:00.000-05:00

A coalition of European business associations is preparing to tell the US market regulator that it has not gone far enough with proposals to make it easier to "deregister" from the SEC and thus avoid US reporting requirements.

Deregistration rules came to prominence after the Sarbanes-Oxley Act imposed new compliance costs on companies and led some to reconsider the merits of trading on US exchanges.

A requirement for foreign companies to refile financial statements under US accounting standards has also reduced the attractiveness of US markets. But a new push to harmonise accounting standards announced today is likely to help bring that to an end.

Executive Survey: Growing Benefits to Sarbanes-Oxley

2006-02-27T10:19:00.000-05:00

Despite its cost, The Sarbanes-Oxley Act continues to achieve its objective: bolster corporate integrity and investor confidence in U.S. public markets. The 2006 Oversight Systems Financial Executive Report on Sarbanes-Oxley surveyed 261 financial executives and identified growing benefits of SOX compliance.

The findings show an across-the-board increase in the benefits that respondents experienced in 2005 from SOX compliance as compared to those reported in 2004. The greatest increases were found in SOX’s ability to improve financial report accuracy, up to 47 percent from 27 percent in 2004, and the ensured individual accountability in financial reports resulting from SOX, up to 65 percent from 46 percent in 2004.

When familiarity fails to find fraud

2006-02-24T09:00:00.000-05:00

Just how independent should auditors be from their clients? Should they do only audits, or is it acceptable for them to perform other services for audit clients or for related companies?

Those are issues that have divided auditors from regulators for years. Auditors in the United States lost some, but not nearly all, of their other activities under the Sarbanes-Oxley law, passed in 2002 in response to the Enron fraud, but that reflected their decreased political influence more than it did a careful analysis of real- world results.

One argument that auditors have long advanced is that the closer they are to their clients, the more they know. A chief executive of a major accounting firm once presented to me a graph, reproduced here, that looked suspiciously like the curve invented by Arthur Laffer.

For those without fond memories of the Reagan years, Laffer argued that governments would collect the most money from moderate tax rates, and that there was a point at which receipts would fall if rates were raised, presumably because people did less work at their jobs and more work to evade taxes.

The auditor's version of the curve argued that an auditor with no independence would produce a bad audit, but so would one who was so independent that he did not understand the company and its industry. Consulting services, he argued, provided badly needed knowledge.

Former SEC Chairmen Soundoff

2006-02-23T08:37:00.000-05:00

The Sarbanes-Oxley Act also stirred up considerable debate. Levitt said he opposes plans that would indefinitely impose different Sarbanes-Oxley standards on companies, depending on their size. "These are public companies that passed a threshold," he asserted, adding that investors in a small company that fails should enjoy the same protections as large-company investors.

Donaldson noted that while Sarbox's benefits are substantial, initial compliance with the law was flawed. "We told Corporate America, you do not have to count paper clips," he noted, adding that he expects compliance costs to decline and companies to start applying the law more intelligently.

Breeden amused the audience when he took note of the corporate whining about the costs of implementing Sarbanes-Oxley, particularly the section concerning internal control over financial reporting. "The problem is not the law, but the application of it," he said. "The cost of Section 404 is one ten-millionth of executive compensation, but I do not hear people saying, get rid of executive compensation."

Group Opposes Sarbanes Exception

2006-02-22T08:21:00.000-05:00

A proposal to exempt 80% of public companies from having auditors certify their internal controls "simply goes too far," former Federal Reserve Chairman Paul Volcker and former Securities and Exchange Commission Chairman Arthur Levitt told regulators.

In a Feb. 13 letter to the SEC, a group including Volcker and Levitt said the proposal would undercut the 2002 Sarbanes-Oxley Act by failing to safeguard against future accounting and company fraud. The letter was sent to SEC Chairman Christopher Cox and to William Gradison, acting chairman of the Public Company Accounting Oversight Board.

"In passing the Sarbanes-Oxley legislation, the Congress adopted a reasonable approach to achieve real reform, not just the appearance of reform," the letter said. "It would be unfortunate now if the SEC and [the accounting oversight board] undercut the effectiveness of congressional legislation through misguided regulatory action."

Reporting for Separation of Duties, Sir!

2006-02-21T08:58:00.000-05:00

To help ensure that current and former employees can't wreak havoc with finance and IT systems, "companies need to prove to auditors that only the right people have the right access."

Divvying up the work appropriately, however, is especially challenging at smaller companies, according to Nelli, because members of the finance team often back up each other, and some staffers work in both the general ledger and accounts payable. "On the face of it," he says, "it may be a conflict in terms of segregation of duties; but in small organizations, that is just how life is."

To guarantee that current and former workers don't have access to parts of the company that they shouldn't, an employer must update access rights regularly, experts say. One example that's commonly overlooked: E-mail addresses that often continue to function after employees have left the company, granting at least some degree of continued access.

Sharp end of Sarbanes-Oxley shows it means business as agent for change

2006-02-20T08:55:00.000-05:00

Log on to the careers website of the US audit regulator and it seems you are not dealing with a shrinking violet - an impression UK accountants will soon be able to test.

"The Public Company Accounting Oversight Board is aggressively seeking accountants . . . to perform on-site inspections of registered accounting firms," it says. "Professionals who join [us] will . . . become focal points of systemic, defining change in the public accounting profession."

And some are crossing the Atlantic to do just that.

The board is putting auditors under the microscope to raise audit quality and bolster investor confidence.

Its mandate extends beyond the US, encompassing any auditor that works for companies traded on the US stock market, including several UK accountancy firms. Those firms held the latest in a series of closed-door meetings in London last Friday to discuss how they dealt with the process.