<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:blogger='http://schemas.google.com/blogger/2008' xmlns:georss='http://www.georss.org/georss' xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-9433291</id><updated>2025-09-22T02:34:39.205-04:00</updated><category term="AS5"/><category term="Fraud monitoring"/><category term="GL Analytics"/><category term="KPMG"/><category term="Restatement"/><title type='text'>Sarbanes-Oxley &amp; OMB Circular A-123: Continuous Transaction Inspection</title><subtitle type='html'>Integrity. Accuracy. Confidence. Continuous Transaction Inspection provides the quality assurance of financial reporting that Sarbanes-Oxley and OMB Circular A-123 demands. By monitoring the integrity and accuracy of financial reporting, transaction integrity monitoring allows executives to confidently signoff on financial reports and control assessments.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default?alt=atom'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default?alt=atom&amp;start-index=26&amp;max-results=25'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' 
uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>343</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-9433291.post-2089045185087862059</id><published>2007-08-21T08:14:00.000-04:00</published><updated>2007-08-21T08:53:02.463-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="GL Analytics"/><category scheme="http://www.blogger.com/atom/ns#" term="KPMG"/><category scheme="http://www.blogger.com/atom/ns#" term="Restatement"/><title type='text'>Taking GL Analytics for a Test Drive -- Hard Way vs. Easy Way</title><content type='html'>&quot;Dell Inc. said it would restate more than four years of its financial results, after a massive internal investigation found that unidentified senior executives and other employees manipulated company accounts to hit quarterly performance goals.&quot;&lt;br /&gt;&lt;br /&gt;&quot;The company [Dell] said it found evidence that various reserve and accrued-liability accounts were created or improperly adjusted -- usually at the close of the quarter to give the appearance that quarterly financial goals were met. The adjustments sometimes followed reviews of account balances &quot;at the request of or with knowledge of senior executives.&quot; Dell added that employees in some business units purposely gave incomplete or incorrect information about these activities to headquarters personnel or auditors.&quot;&lt;br /&gt;&lt;br /&gt;&quot;According to the filing, the law firm Willkie Farr &amp; Gallagher LLP and the accounting firm KPMG LLP led an investigation, using special software, that evaluated more than five million documents. They conducted 233 interviews with 146 individuals, according to the filing.&quot;&lt;br /&gt;&lt;br /&gt;Sophisticated software can be used to analyze journal entries for suspicious patterns and potentially fraudulent transactions.  
Examples might include entries near month-end that subsequently reverse early in the next period, or entries that are made to accounts that normally receive only manual entries.  For Dell, they tested this software the hard way -- as part of an SEC investigation and under advice from counsel.  &lt;br /&gt;&lt;br /&gt;Other companies are beginning to test similar analytic software the easy way -- as part of a routine internal audit or management review of balance sheet and related journal entries.  &lt;br /&gt;&lt;br /&gt;I&#39;m reminded of the old saying from my pharmaceutical days -- even though medicine is often much more expensive than vitamins, fewer people actually buy the vitamins.  As solution providers that often help clients with the preventive medicine of financial controls, I hope this illness causes a few more people to talk to their doctor while their health is still good.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/2089045185087862059/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/2089045185087862059' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/2089045185087862059'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/2089045185087862059'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2007/08/taking-gl-analytics-for-test-drive-hard.html' title='Taking GL Analytics for a Test Drive -- Hard Way vs. 
Easy Way'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMoBa0bimavUbo542PRRpJClM29HCxf071eK7DE5oRv8CvtwP1nUuggcT8dr7JFR8NoNDnWwLs-OfdjHNKcpuFULAm8a2OWQFiLQCAWzIw-r1QIoZ1R5JrPogtq8bZhw/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-4639096382071297936</id><published>2007-07-01T19:38:00.000-04:00</published><updated>2007-07-01T22:43:59.390-04:00</updated><category scheme="http://www.blogger.com/atom/ns#" term="AS5"/><category scheme="http://www.blogger.com/atom/ns#" term="Fraud monitoring"/><title type='text'>Why did the fraud numbers increase</title><content type='html'>Oversight&#39;s 2007 fraud survey shows a double digit increase over the 2005 survey results despite the implementation of &lt;span class=&quot;blsp-spelling-error&quot; id=&quot;SPELLING_ERROR_0&quot;&gt;Sarbanes&lt;/span&gt; &lt;span class=&quot;blsp-spelling-error&quot; id=&quot;SPELLING_ERROR_1&quot;&gt;Oxley&lt;/span&gt; controls regimens. Is there any way to reduce the reported fraud numbers? Does that mean we have to implement even more controls?&lt;br /&gt;&lt;br /&gt;Over the past few weeks I&#39;ve had the chance to discuss these results with a number of experts and have developed a consensus view that we can reduce fraud further. 
And, more &lt;span class=&quot;blsp-spelling-corrected&quot; id=&quot;SPELLING_ERROR_2&quot;&gt;surprisingly&lt;/span&gt;, we can do it with fewer, more &quot;rationalized controls.&quot; Thankfully the &quot;top down risk based approach&quot; advocated in Audit Standard 5 (AS5) gives the opening to effect this change.&lt;br /&gt;&lt;br /&gt;Many (if not most) of the first iterations of controls for &lt;span class=&quot;blsp-spelling-error&quot; id=&quot;SPELLING_ERROR_3&quot;&gt;Sarbanes&lt;/span&gt; &lt;span class=&quot;blsp-spelling-error&quot; id=&quot;SPELLING_ERROR_4&quot;&gt;Oxley&lt;/span&gt; compliance were created with a bottom-up approach that attempted to cover every possible contingency: think of everything that could possibly result in financial &lt;span class=&quot;blsp-spelling-error&quot; id=&quot;SPELLING_ERROR_5&quot;&gt;reporting&lt;/span&gt; fraud and then design a way to prevent it. While most control activity will reduce risks, there is a finite amount of time and effort available for all the activity. Covering every possible contingency dilutes the overall fraud reduction effort by spending effort on documenting low value activities.&lt;br /&gt;&lt;br /&gt;For instance, the physical security of tapes used to back up the financial applications in the &lt;span class=&quot;blsp-spelling-error&quot; id=&quot;SPELLING_ERROR_6&quot;&gt;Sarbanes&lt;/span&gt; &lt;span class=&quot;blsp-spelling-error&quot; id=&quot;SPELLING_ERROR_7&quot;&gt;Oxley&lt;/span&gt; controls is an example of an activity that has a relatively low fraud reduction payback for the effort invested. In order to effect the fraud, someone would have to manipulate the precise fields in the back up tape to change the financial numbers, then cause the financial applications to crash, and then have the systems restored from the manipulated back up tapes. Frankly, restoring from a back up tape is not always the most reliable process. 
A lot of things have to happen in this fraudulent financial reporting scenario - it&#39;s a low probability occurrence.&lt;br /&gt;&lt;br /&gt;When you compare the back up tape scenario with a manager or other privileged user overriding controls and posting a fraudulent entry in the General Ledger (GL), it is clear that the management override is much easier to effect. Both are possible; one is much more probable and very difficult to absolutely &lt;span class=&quot;blsp-spelling-corrected&quot; id=&quot;SPELLING_ERROR_8&quot;&gt;prevent&lt;/span&gt;. Finding the irregular &lt;span class=&quot;blsp-spelling-error&quot; id=&quot;SPELLING_ERROR_9&quot;&gt;GL&lt;/span&gt; posting requires diligent forensic evaluation of journal entries, which takes time and expertise.&lt;br /&gt;&lt;br /&gt;The top down risk based approach advocated by regulators in would devote more effort to the journal entry evaluation and reduce the time spent on low &lt;span class=&quot;blsp-spelling-corrected&quot; id=&quot;SPELLING_ERROR_10&quot;&gt;probability&lt;/span&gt; risks. By rationalizing the control activity according to the real risk, there&#39;s more time for the high impact activities that materially affect fraudulent financial reporting. 
With AS5 we have the opportunity to adapt control investments towards activities with a real pay off in fraud reduction.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/4639096382071297936/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/4639096382071297936' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/4639096382071297936'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/4639096382071297936'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2007/07/why-did-fraud-numbers-increase.html' title='Why did the fraud numbers increase'/><author><name>Patrick Taylor</name><uri>http://www.blogger.com/profile/13059990708466193202</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-4467955961642332656</id><published>2007-05-24T08:53:00.000-04:00</published><updated>2007-05-24T09:08:47.017-04:00</updated><title type='text'>PwC Publishes 2007 Internal Audit Survey - &quot;Continuous Auditing continues to generate interest&quot;</title><content type='html'>CFO Magazine published some of the results of PwC’s annual Internal Audit Survey, with the headline focusing on the fact that some internal audit functions do not comply with the IIA standard of performing an annual risk assessment.  While interesting and potentially worrisome, I’m personally comfortable that some of those numbers could be overstated because Internal Audit may rely on other Company risk assessment activities (e.g. Enterprise Risk Management) as input for their annual audit plan.  
&lt;br /&gt; &lt;br /&gt;As solution providers for continuous auditing and continuous monitoring solutions, my partner and I focused more on the survey&#39;s status of Continuous Auditing (CA), also presented in this year’s PwC survey.  Some highlights:&lt;br /&gt; &lt;br /&gt;Significantly fewer companies (11% in 2007, down from 41% in 2006) reported that their CA programs were entirely manual.  The acknowledgment that automation of some type is needed as an enabler for continuous auditing is noteworthy, and we are encouraged by market recognition that automation is essential as part of an effective CA program.  Also noteworthy is that slightly fewer companies (11% in 2007, vs. 13% in 2006) reported having a fully implemented continuous auditing (CA) program in place.   &lt;br /&gt;&lt;br /&gt;Perhaps we can attribute that decline to better awareness of what a real CA program may entail.&lt;br /&gt;&lt;br /&gt;Updating one&#39;s audit plan twice a year instead of annually may satisfy a textbook definition of continuous risk assessment and thus continuous auditing.  But personally, I would suggest that a &quot;real CA&quot; program examine TRANSACTIONS at regular intervals that approach weekly or even daily, and identify areas of risk and needed follow-up.  We see confusion and clutter in the vocabulary that describes continuous auditing and continuous monitoring today, despite numerous companies having successful CA programs in place.  
&lt;br /&gt;&lt;br /&gt;This year&#39;s PwC survey shows that the audit profession is beginning to understand CA better, so I&#39;ll see that as a glass half-full.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/4467955961642332656/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/4467955961642332656' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/4467955961642332656'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/4467955961642332656'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2007/05/pwc-publishes-2007-internal-audit.html' title='PwC Publishes 2007 Internal Audit Survey - &quot;Continuous Auditing continues to generate interest&quot;'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='//blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMoBa0bimavUbo542PRRpJClM29HCxf071eK7DE5oRv8CvtwP1nUuggcT8dr7JFR8NoNDnWwLs-OfdjHNKcpuFULAm8a2OWQFiLQCAWzIw-r1QIoZ1R5JrPogtq8bZhw/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-117683152619154221</id><published>2007-04-17T13:35:00.000-04:00</published><updated>2007-04-17T13:40:37.050-04:00</updated><title type='text'>Oversight Systems Financial Executive Survey Finds More Than Half of Shared Services Centers Fall Short of Operational Goals</title><content type='html'>ATLANTA (April, 2007): Shared service centers have yet to show their full potential for many companies according to the 2006 Oversight Systems Executive Report on Shared Service Centers. 
The national survey of financial executives found that more than half of respondents report their shared service centers (SSCs) are well short of achieving their operational goals. First implemented in the 1990s by many large enterprises, the SSC model allows companies to consolidate client-facing functions in an attempt to reduce costs. However, the report released today finds that 52 percent of executives report their SSCs are only meeting half or fewer of their business goals. The free report is available to download at www.oversightsystems.com/survey. &quot;Companies adopted shared service centers for the immediate cost savings, but executives are now struggling to continually improve their operations,&quot; said Patrick Taylor, CEO of Oversight Systems. &quot;This survey shows that shared service centers must develop strategies and implement systems that support ongoing improvement.&quot;&lt;br /&gt;&lt;br /&gt;Reflecting the recent development of most shared service centers, more than half of executives (59 percent) report that their SSCs have been in operation for less than five years. Regardless of the youth of the concept, companies are putting much stock into these centers. Most executives (85 percent) report their SSCs serve four or more business units with 40 percent reporting to serve 10 or more. Although the C-suite goals are clear, achieving them is often met with adversity.&lt;br /&gt;&lt;br /&gt;The most prevalent challenges to ongoing SSC operations were maintaining continuous improvement (61 percent), skepticism from business units (59 percent), employee retention/turnover issues (43 percent), meeting customer service level agreements (26 percent) and threats of outsourcing business processes (13 percent).&lt;br /&gt;&lt;br /&gt;The Real Measure of Performance&lt;br /&gt;&lt;br /&gt;When it comes to shared service centers there is no measure of performance more important than cost savings and that is the silver lining in this report. 
Nearly three-quarters of executives (73 percent) classify their SSC as “world class” or “average to above average.” As such it comes as no surprise that nearly the same number of respondents (71 percent) report having almost reached, reached or exceeded their cost savings expectations. In fact, the study found that 85 percent of executives were prompted to embrace the SSC model in an attempt to reduce and control operating costs. Although cost was the driving factor for implementing an SSC model it was not the only reason. Other reasons included:&lt;br /&gt;&lt;br /&gt;* Improve quality (69 percent)&lt;br /&gt;* Improve their customer focus (63 percent)&lt;br /&gt;* Free up resources for other purposes (49 percent) and&lt;br /&gt;* Improve company focus and reduce risks (34 percent).&lt;br /&gt;&lt;br /&gt;Goals for 2006&lt;br /&gt;&lt;br /&gt;Beyond the central goal of reducing costs, executives do have other goals for their shared service centers. Topping the list of 2006 goals with 52 percent support is to improve on service level agreements or SLAs. Other popular goals include: re-engineer business processes (51 percent), increase transaction throughput and capacity (40 percent), expand business offerings (39 percent), and reduce aggregate error rates (35 percent). Less frequently cited goals include: increasing the percentage of one-touch transactions (30 percent), implementation of Six Sigma programs (23 percent), and automation of Sarbanes-Oxley compliance (20 percent).&lt;br /&gt;&lt;br /&gt;Regardless of the hurdles that are faced with implementation and operations of shared service centers, 97 percent of executives point to sustainable benefits of SSCs as opposed to traditional outsourcing of business processes. 
When compared to outsourcing, executives say SSCs offer benefits such as:&lt;br /&gt;&lt;br /&gt;* Improved level of service and quality (81 percent)&lt;br /&gt;* Better responsiveness to customer demands (68 percent)&lt;br /&gt;* Greater flexibility in adapting to evolving business needs (62 percent)&lt;br /&gt;* Lower aggregate costs of operations (51 percent).</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/117683152619154221/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/117683152619154221' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117683152619154221'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117683152619154221'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2007/04/oversight-systems-financial-executive.html' title='Oversight Systems Financial Executive Survey Finds More Than Half of Shared Services Centers Fall Short of Operational Goals'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-117683112910656808</id><published>2007-04-17T13:31:00.000-04:00</published><updated>2007-04-17T13:32:16.370-04:00</updated><title type='text'>Philadelphia Eagle Running Back Gets Paid $3M - Twice</title><content type='html'>When most people receive an errant duplicate paycheck it means a couple thousand dollars - at most. Something that may or may not even be detected and something they may or may not report. But, when an NFL superstar gets paid twice the impact is a tad bit worse. 
According to an Associated Press article posted on the Fox Sport web site, titled &quot;Eagles accidentally pay Westbrook twice,&quot; Brian Westbrook received an extra $3 million from the Philadelphia Eagles in an accounting error. The star running back intends to pay the team back after getting his roster bonus twice. However, the Eagles filed a grievance with the NFL against Westbrook because the money hasn&#39;t been repaid yet, a team spokesman said Saturday. Continuous monitoring of payroll transactions can detect potential duplicates BEFORE they leave the corporate boundaries. When you view duplicate payroll, duplicate vendor payments, unused discounts and unused credits in cumulative form, you&#39;re talking real money and real materiality.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/117683112910656808/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/117683112910656808' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117683112910656808'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117683112910656808'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2007/04/philadelphia-eagle-running-back-gets_17.html' title='Philadelphia Eagle Running Back Gets Paid $3M - Twice'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-117676198385190616</id><published>2007-04-16T17:59:00.000-04:00</published><updated>2007-04-16T18:19:43.946-04:00</updated><title type='text'>Current Privileged User Monitoring Solutions Don&#39;t Leverage 
Lessons from the Past</title><content type='html'>I just read a ComputerWorld blog entry written by Eric Ogren regarding the need to focus &quot;Privileged User Monitoring&quot; on transaction and business monitoring versus the old access management model.&lt;br /&gt;&lt;br /&gt;I could not agree with him more.  If there&#39;s one thing information security professionals can tell you with confidence... it&#39;s what does not work.  Things change so frequently within the IT risk domain that it&#39;s often difficult to solve a problem with certainty.  But, when it comes to dealing with &quot;trusted&quot; users in the real world, we all know what doesn&#39;t work.  What does not work is printing out a long monthly list of users with &quot;excess privileges&quot; and expecting this to significantly reduce the risk of fraud and misuse - at least at the material levels associated with SOX and A-123.  In today&#39;s world access management and provisioning is a serious manpower drain.  And, when you couple this with the need to provide periodic reports identifying the issues and progress, that just adds more manpower requirements... UNLESS you shift the focus to the highest risk issues and higher impact solutions.&lt;br /&gt;&lt;br /&gt;Printing out these monthly excess-privilege lists places a huge burden on our IT and InfoSec professionals but operational realities are operational realities.  Key managers still receive conflicting privileges in order to support all areas under their control.  And, key managers also receive powerful privileges such as those allowing them to actually &quot;override&quot; existing system-based controls.  99% of the time used, they&#39;re probably just doing their job and ensuring the business keeps on functioning properly.  But, it&#39;s that other 1% that can result in a major failure - e.g., a privileged user modifying quarterly revenue with a simple manual journal entry to conceal a bad quarter.  
In this case, the user is just using an &quot;authorized&quot; privilege for an &quot;unauthorized&quot; change.&lt;br /&gt;&lt;br /&gt;And, what about when an AP Manager creates a vendor, purchase order, invoice, and voucher as part of an elaborate procurement fraud scheme?&lt;br /&gt;&lt;br /&gt;Or, when a database administrator uses their root access to make modifications to a payment record just before it&#39;s released through the EFT system?&lt;br /&gt;&lt;br /&gt;All of these are real examples of high risk conditions and real-world incidents concerning trusted insiders - or privileged users.&lt;br /&gt;&lt;br /&gt;So, let&#39;s stop using the 20/80 solution model and flip things around and do the 80/20 thing.  Meaning, let&#39;s stop focusing on routine user access privilege conflicts and, instead, monitor and detect the use of privileges to misuse the system or conduct fraud.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/117676198385190616/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/117676198385190616' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117676198385190616'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117676198385190616'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2007/04/current-privileged-user-monitoring.html' title='Current Privileged User Monitoring Solutions Don&#39;t Leverage Lessons from the Past'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-117643524892680516</id><published>2007-04-12T23:13:00.000-04:00</published><updated>2007-04-12T23:34:09.366-04:00</updated><title type='text'>Not Complying With the OFAC Can Impact Your D&amp;O Policy</title><content type='html'>Most organizations consider OFAC compliance to be just a routine issue but the Department of Treasury means business when it comes to doing any type of business with forbidden countries, business entities, and people.  And, insurance carriers are beginning to translate this into policy and payout restrictions that could have a significant impact on an unsuspecting company or individual that just happens to stumble upon a long-term OFAC violation.&lt;br /&gt;&lt;br /&gt;The Department of Treasury is quite clear that any delays in reporting any/all dealings with OFAC entities can result in serious consequences.  Is a quarterly review of the OFAC list good enough... well, you be the judge.  Here&#39;s what the Department of Treasury has to say within their FAQ:&lt;br /&gt;&lt;br /&gt;DIRECTLY FROM THE U.S. TREASURY WEB SITE:&lt;br /&gt;&lt;br /&gt;QUESTION: At what point must an insurer check to determine whether an applicant for a policy is an SDN?&lt;br /&gt;&lt;br /&gt;ANSWER: If you receive an application from an SDN for a policy, you are under an obligation not to issue the policy. Remember that when you are insuring someone, you are providing a service to that person. You are not allowed to provide any services to an SDN. If the SDN sends a deposit along with the application, you must block the payment. [09-10-02]&lt;br /&gt;&lt;br /&gt;QUESTION: &lt;a name=&quot;57&quot;&gt;&lt;/a&gt;What should an insurer do if it discovers that a policyholder is or becomes an SDN--cancel the policy, void the policy ab initio, non-renew the policy, refuse to pay claims under the policy? 
Should the claim be paid under a policy issued to an SDN if the payment is to an innocent third-party (for example, the injured party in an automobile accident)?&lt;br /&gt;&lt;br /&gt;ANSWER: The first thing an insurance company should do upon discovery of such a policy is to contact OFAC Compliance. OFAC will work with you on the specifics of the case. It is possible a license could be issued to allow the receipt of premium payments to keep the policy in force. Although it is unlikely that a payment would be licensed to an SDN, it is possible that a payment would be allowed to an innocent third party. The important thing to remember is that the policy itself is a blocked contract and all dealings with it must involve OFAC. [09-10-02]&lt;br /&gt;&lt;br /&gt;QUESTION: &lt;a name=&quot;59&quot;&gt;&lt;/a&gt;How frequently is an insurer expected to scrub its databases for OFAC compliance?&lt;br /&gt;&lt;br /&gt;ANSWER: That is up to your firm and your regulator. Remember that a critical aspect of the designation of an SDN is that the SDN&#39;s assets must be frozen immediately, before they can be removed from U.S. jurisdiction. If a firm &lt;u&gt;only&lt;/u&gt; scrubs its database quarterly, &lt;u&gt;it could be 3 months too late&lt;/u&gt; in freezing targeted assets. The SDN list may be updated as frequently as a few times a week or as rarely as once in six months. 
[09-10-02]</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/117643524892680516/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/117643524892680516' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117643524892680516'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117643524892680516'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2007/04/not-complying-with-ofac-can-impact.html' title='Not Complying With the OFAC Can Impact Your D&amp;O Policy'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-117635200663109343</id><published>2007-04-11T23:57:00.000-04:00</published><updated>2007-04-12T00:35:07.326-04:00</updated><title type='text'>Katrina Fraud: FEMA and Army Corps of Engineers Ripped Off</title><content type='html'>Hurricane Katrina was truly one of the most horrific natural disasters to ever hit American soil. Thousands killed, injured, and left homeless. Unless you&#39;ve experienced this type of loss first hand, it&#39;s probably meaningless to even try to fully understand the suffering these families went through.&lt;br /&gt;&lt;br /&gt;And, during this time of emergency and national outreach to the victims, FEMA and the US Army Corps of Engineers rushed to open their wallets to the rightful victims. Billions of dollars of Federal Disaster relief funds poured into the region to help feed the hungry, put clothes on the homeless, and to shelter those without the capacity to shelter themselves. 
Regardless of all the stories written about either agency&#39;s preparedness levels or ability to actually respond to such a catastrophe, these agencies truly pushed the envelope of financial management and controls to put mission and operational necessity first - before bureaucracy. We applaud them for that.&lt;br /&gt;&lt;br /&gt;But, take a look at the attached link to some of the recent stories related to the rampant fraud associated with these relief efforts. It&#39;s absolutely atrocious. And, if you want more insight, go to &lt;a href=&quot;http://www.gao.gov/new.items/d06844t.pdf&quot;&gt;http://www.gao.gov/new.items/d06844t.pdf&lt;/a&gt; for the entire GAO report released this past summer.&lt;br /&gt;&lt;br /&gt;What you will notice is that somewhere between $600M and $1.4B (yes, Billion) was lost just to improper payments associated with individual assistance. Think about this for a moment: $600M to $1.4B lost to just one category of risk. And, that’s not the only shocking finding. This loss represents between 10% and 20% of the total funds spent on individual assistance. Wow! 10-20% of all funds intended for people in need went to the lowliest types of fraudsters in the world... those that would steal from starving and homeless children so they might be able to enjoy a night at the strip club (actual case study info).&lt;br /&gt;&lt;br /&gt;If you dig into the fraud associated with the actual reconstruction and what the US Army Corps of Engineers may have been swindled out of, the cost is surely too staggering for most of us to really appreciate.&lt;br /&gt;&lt;br /&gt;I do have one major recommendation, though: in many, many of the reported cases of fraud, simple continuous monitoring-based controls would have prevented the fraud.&lt;br /&gt;&lt;br /&gt;For example: 16% of the fraud could have been prevented with a better individual assistance registration procedure. 
Simple monitoring-based controls that alerted FEMA to invalid Social Security numbers, bogus addresses, invalid registrant-to-address matches, and duplicative registration data amongst multiple recipients would have shut down the majority of this type of fraud.&lt;br /&gt;&lt;br /&gt;If Oversight was in place, the impact would have been between $96M and $224M. What could FEMA have done with these funds if they had not made their way into the fraudsters&#39; hands?</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/117635200663109343/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/117635200663109343' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117635200663109343'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117635200663109343'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2007/04/katrina-fraud-fema-and-army-corps-of.html' title='Katrina Fraud: FEMA and Army Corps of Engineers Ripped Off'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-117634857644408966</id><published>2007-04-11T23:29:00.000-04:00</published><updated>2007-04-11T23:29:37.883-04:00</updated><title type='text'>Retired Congressman Michael Oxley blames the PCAOB for starting &quot;all the problems&quot; with the Sarbanes-Oxley Act</title><content type='html'>Well, it seems all the pain, agony, and expense we&#39;ve all experienced while implementing the requirements of &quot;Sarbanes-Oxley&quot; was all just a big misunderstanding. 
The originating lawmakers actually intended the process to be much easier and much more focused on a risk-based approach. Somehow, the executing agencies and audit community just misunderstood the real intent; that is, according to a recently published interview with Congressman Oxley in CFO Magazine.&lt;br /&gt;&lt;br /&gt;According to the interview with CFO Magazine, Congressman Oxley says &quot;It was Auditing Standard No. 2 [the standard for auditing internal controls over financial reporting], promulgated by the PCAOB, that started all the problems.&quot;&lt;br /&gt;&lt;br /&gt;He further elaborates by stating &quot;Of the complaints you hear [about Sarbox], 99.9 percent are about 404. It was two paragraphs long, but by the time the PCAOB was done, it was 330 pages of regulations. It was far too prescriptive and [more] expensive than anyone anticipated.&quot;&lt;br /&gt;&lt;br /&gt;Take a quick look at the attached article. It&#39;s very enlightening.&lt;br /&gt;&lt;br /&gt;Also, you&#39;ll be pleased to note that Congressman Oxley believes the true intent of the law is only now being realized. His most encouraging quote is a resounding call for a risk-based approach to risk management. For example, he is quoted by CFO Magazine as stating, &quot;the Securities and Exchange Commission proposed a risk-based assessment to better define material weakness, with more emphasis on internal audit. It adds flexibility with smaller companies. Those are common-sense proposals that I am confident will be adopted this year with a 5-0 vote, which would be a ringing endorsement of [SEC chairman Christopher] Cox&#39;s leadership and reaffirmation that the SEC and PCAOB want it to work in a more efficient manner. 
It will protect the investor and make regulations work to everyone&#39;s satisfaction.&quot;&lt;br /&gt;&lt;br /&gt;Personally, I like Congressman Oxley&#39;s reference to &quot;common sense.&quot; If we were all able to define, implement, and manage our risks based on common sense and traditional ROI principles, I think we would all find it easier to embrace the true benefits of quality and compliance programs. The emphasis would shift from &quot;what do we have to do to comply&quot; to &quot;what do we need to do to optimize operations and returns.&quot; Herein lies the financial controls challenge of this decade. How do we make the shift from &quot;a world from an auditor&#39;s perspective&quot; to &quot;a world from an operations perspective&quot;?</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/117634857644408966/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/117634857644408966' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117634857644408966'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117634857644408966'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2007/04/retired-congressman-michael-oxley.html' title='Retired Congressman Michael Oxley blames the PCAOB for starting &quot;all the problems&quot; with the Sarbanes-Oxley Act'/><author><name>Unknown</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-117617680122836040</id><published>2007-04-09T22:51:00.000-04:00</published><updated>2007-04-10T15:00:17.996-04:00</updated><title 
type='text'>Audit Data Warehouse</title><content type='html'>At MIS Training&#39;s Super Strategies conference in Las Vegas, Oversight will present an early morning workshop (7:30 to 8:15am) on the characteristics of a robust audit data warehouse (ADW).&lt;br /&gt;&lt;br /&gt;The audit data warehouse can provide the basis for continuous auditing (CA) and continuous monitoring (CM) solutions. There are considerable efficiencies that can be gained by leveraging a single data infrastructure for both programs. However, there are a number of critical requirements that the ADW must meet to maintain the integrity for the regulatory compliance applications.&lt;br /&gt;&lt;br /&gt;First and foremost, the ADW must maintain an uncorrupted copy of the transaction data; then the subsequent analysis for CA and CM can occur without compromising compliance. In a sense the ADW is equivalent to the financial systems themselves, and obviously both CA and CM can be applied to the same financial systems. The ADW is simply a mirror of the financial systems. Typically the ADW data structures follow a different organizational layout than the financial systems. Financial systems have an on-line transaction processing (OLTP) based data model. The OLTP model is designed to support a high transaction rate, while the ADW is designed to support decision support queries. 
Ralph Kimball is often cited as one of the originators of specific data warehouse data models - see &lt;a href=&quot;http://www.kimballgroup.com&quot;&gt;www.kimballgroup.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;See you early in the morning in Las Vegas.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/117617680122836040/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/117617680122836040' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117617680122836040'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/117617680122836040'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2007/04/audit-data-warehouse.html' title='Audit Data Warehouse'/><author><name>Patrick Taylor</name><uri>http://www.blogger.com/profile/13059990708466193202</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115832995056354146</id><published>2006-09-15T10:18:00.000-04:00</published><updated>2006-09-15T10:19:11.230-04:00</updated><title type='text'>Debunking Big Lies About Stock Options</title><content type='html'>Powerful lobbies are trying to repeal stock option expensing. 
If you own almost any high-tech company, you&#39;d better take five minutes to understand why--or you&#39;re likely to get fleeced.&lt;br /&gt;&lt;br /&gt;Here are the three big lies upon which the opposition to stock options expensing is founded.&lt;br /&gt;&lt;br /&gt;Big Lie Number One: There is no way to know the expense, if any, of stock option grants.&lt;br /&gt;&lt;br /&gt;Big Lie Number Two: Stock options aren&#39;t an expense.&lt;br /&gt;&lt;br /&gt;Big Lie Number Three: The cost of stock options is already reflected in diluted earnings per share.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115832995056354146/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115832995056354146' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115832995056354146'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115832995056354146'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/09/debunking-big-lies-about-stock-options.html' title='Debunking Big Lies About Stock Options'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115824322754987968</id><published>2006-09-14T10:12:00.000-04:00</published><updated>2006-09-14T10:13:47.980-04:00</updated><title type='text'>New rules encourage battles in boardroom</title><content type='html'>The spying scandal at Hewlett-Packard has provided a rare window into a normally private, august institution -- the corporate board of directors.&lt;br /&gt;&lt;br /&gt;It revealed an HP board wracked by turmoil in 
recent years. There was the battle led by a board member to stop the firm&#39;s merger with Compaq Computer. Then came the board&#39;s ouster of Carly Fiorina as chief executive. And now the snooping debacle.&lt;br /&gt;&lt;br /&gt;Some say the contentiousness of HP&#39;s board is emblematic of an era when boards are being held more accountable. Under the Sarbanes-Oxley Act of 2002, companies and boards have to comply with a host of new financial and governance rules. Companies also face more shareholder activism and a movement toward more independent, outside board members. In this new environment, board controversy and dissent are more likely -- and scrutiny of boards has become intense.&lt;br /&gt;&lt;br /&gt;Well before the HP scandal erupted last week, directors had been under growing pressure to prove themselves worthy of the job or face shareholder wrath. The fallout from Enron and changes in laws affecting boards and companies have increased the pressure on boards.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115824322754987968/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115824322754987968' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115824322754987968'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115824322754987968'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/09/new-rules-encourage-battles-in.html' title='New rules encourage battles in boardroom'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115763256326622748</id><published>2006-09-07T08:35:00.000-04:00</published><updated>2006-09-07T08:36:03.686-04:00</updated><title type='text'>GRC Emerges From the Shadow of Compliance</title><content type='html'>Myriad compliance requirements, over the years, have caused most companies to initially jump through hoops when a new one comes along, with the most visible (and some might also say painful) concern being Sarbanes-Oxley (SOX) compliance. In time, panic was replaced with rational thought and a workable plan of how to meet the legal and regulatory requirements while streamlining business processes and mitigating risk. &lt;br /&gt;&lt;br /&gt;With such intense focus on short-term concerns, companies sometimes miss the real long-range objective: a better-managed and optimally performing organization. &lt;br /&gt;&lt;br /&gt;Emergence of GRC as discipline and software category&lt;br /&gt;&lt;br /&gt;Governance, risk management, and compliance (GRC) as a term has been bandied about for a few years. AMR Research defines each component of GRC as follows: &lt;br /&gt;&lt;br /&gt;    * Governance is the oversight role and part and parcel of setting strategic objectives.&lt;br /&gt;    * Risk management evaluates all relevant business and regulatory risks and controls and monitors mitigation actions in a structured way.  
&lt;br /&gt;    * Compliance is the execution of these objectives, based on risk tolerance.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115763256326622748/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115763256326622748' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115763256326622748'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115763256326622748'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/09/grc-emerges-from-shadow-of-compliance.html' title='GRC Emerges From the Shadow of Compliance'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115755774234108716</id><published>2006-09-06T11:48:00.000-04:00</published><updated>2006-09-06T11:49:02.856-04:00</updated><title type='text'>The Spring-loaded Options Trap</title><content type='html'>Spring-loading vs. bullet dodging; why SAS-70 audits are so different; gauging your financial style; more bondholder backlash; the return of the travel agent; why companies still have so much cash; and more.&lt;br /&gt;&lt;br /&gt;Options timing is clearly the cause du jour of federal regulators -- and the terror of executives. 
After announcing investigations into dozens of companies this past summer, the Securities and Exchange Commission and the Department of Justice filed charges against former executives at Brocade Communications Systems and Comverse Technology, sparking what most expect to be an ongoing volley (see On the Record).&lt;br /&gt;&lt;br /&gt;While investigators continue to focus on backdated options, companies may well be nervous about regulators&#39; interest in related practices known as spring-loading (timing grants to come ahead of good news) and bullet-dodging (offering them after bad news), both of which aim to capture presumed lows in stock prices for the options&#39; strike prices. Last November, Analog Devices spent $3 million to settle spring-loading charges with the SEC. Cyberonics is still under investigation for issuing options to top officers following Food and Drug Administration approval of a new product but before the market opened. Many others, including Home Depot and Merrill Lynch, have been tainted by The Wall Street Journal&#39;s recent revelations that abnormally large numbers of options were issued soon after the tragedies of September 11.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115755774234108716/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115755774234108716' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115755774234108716'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115755774234108716'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/09/spring-loaded-options-trap.html' title='The Spring-loaded Options Trap'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115704602797713143</id><published>2006-08-31T13:39:00.000-04:00</published><updated>2006-08-31T13:40:28.370-04:00</updated><title type='text'>IT Veteran Keith Cooley Joins Oversight Systems as Vice President of Engineering</title><content type='html'>ATLANTA (Aug. 31, 2006) - Oversight Systems Inc., the leading provider of automated continuous monitoring solutions, today announced that H. Keith Cooley has joined the company as Vice President of Engineering. As a key member of Oversight&#39;s executive team, Cooley will lead all product development and engineering for the company.&lt;br /&gt;&lt;br /&gt;Cooley is an information technology veteran who was most recently Chief Customer Officer at Witness Systems, Inc. In previous leadership roles, Cooley served as executive vice president of product development for EzGov and vice president of engineering for Internet Security Systems where he was responsible for production of the company&#39;s award-winning product lines.&lt;br /&gt;&lt;br /&gt;&quot;Only with a growing list of customers could Oversight attract a proven IT leader like Keith Cooley,&quot; Oversight Systems CEO Patrick Taylor said. &quot;Keith will build upon our strong reputation for providing innovative solutions and unequalled customer satisfaction.&quot;&lt;br /&gt;&lt;br /&gt;Cooley&#39;s experience also includes executive positions at Dun &amp; Bradstreet Software and Management Science America. Before Dun &amp; Bradstreet acquired MSA, Cooley managed various support, engineering and marketing functions for MSA. 
After the acquisition, he served as Dun &amp; Bradstreet’s vice president of information systems, vice president of worldwide client server support and vice president of European support and development.&lt;br /&gt;&lt;br /&gt;&quot;Oversight Systems faces a huge opportunity to provide the market with automated continuous monitoring solutions that both reduce Sarbanes-Oxley compliance costs and drive operational improvements in financial processes,&quot; Cooley said. &quot;I look forward to building on the company&#39;s momentum and delivering easy-to-use software solutions that deliver immense value.&quot;</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115704602797713143/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115704602797713143' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115704602797713143'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115704602797713143'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/08/it-veteran-keith-cooley-joins.html' title='IT Veteran Keith Cooley Joins Oversight Systems as Vice President of Engineering'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115686153797008551</id><published>2006-08-29T10:24:00.000-04:00</published><updated>2006-08-29T10:25:41.696-04:00</updated><title type='text'>Sarbanes-Oxley: Lessons Learned</title><content type='html'>Organizations that need to be SOX-compliant are just now realizing they need to get serious about using technology to monitor and test their 
internal controls.  &lt;br /&gt;&lt;br /&gt;By Therese Rutkowski&lt;br /&gt;&lt;br /&gt;September 1, 2006 - Many publicly traded companies are in their third year of dealing with the Sarbanes-Oxley Act (SOX)--the law that makes corporate executives responsible for the accuracy of their financial statements and for the internal controls that minimize errors and reduce fraud.&lt;br /&gt;&lt;br /&gt;After going through the rigorous process of documenting and testing those controls, such as the segregation of duties and appropriate access to financial systems, many of these companies--including insurers--spent far more on the effort than they ever imagined.&lt;br /&gt;&lt;br /&gt;A full 70% of respondents to a 2005 Ernst &amp; Young LLP cross-industry survey on trends in internal controls indicated SOX compliance costs were more than 50% higher than originally estimated. In fact, the average cost of SOX compliance was $4.4 million, according to a March 2005 survey by the Financial Executives International, a professional association based in Florham Park, N.J.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115686153797008551/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115686153797008551' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115686153797008551'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115686153797008551'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/08/sarbanes-oxley-lessons-learned.html' title='Sarbanes-Oxley: Lessons Learned'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115651675066450200</id><published>2006-08-25T10:37:00.000-04:00</published><updated>2006-08-29T10:28:00.060-04:00</updated><title type='text'>Backdating Causes Late Filings to Soar</title><content type='html'>Forget Sarbanes-Oxley 404. A record number of companies filed their recent quarterly reports late, and the most commonly cited reason was the rapidly growing option backdating scandal.&lt;br /&gt;&lt;br /&gt;According to shareholder advisory firm Glass, Lewis &amp; Co., 138 companies with market capitalizations of at least $75 million submitted late-filing notices for the second quarter, up 52 percent from year-earlier levels. Forty-eight of those companies said they postponed their filings because they were conducting investigations into their historical stock-option grants, including such well-known names as Apple Computer Inc., UnitedHealth Group Inc., Monster Worldwide Inc., CA Inc., and Juniper Networks Inc. 
By contrast, only three companies cited incomplete internal-control assessments as the reason for their delay.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115651675066450200/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115651675066450200' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115651675066450200'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115651675066450200'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/08/backdating-causes-late-filings-to-soar.html' title='Backdating Causes Late Filings to Soar'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115642540337759040</id><published>2006-08-24T09:15:00.000-04:00</published><updated>2006-08-24T09:16:45.210-04:00</updated><title type='text'>Defending Against Backdating Suits</title><content type='html'>Companies will have to make improvements in their internal control procedures to deal with sloppy recordkeeping, poor controls, and improper options practices to satisfy shareholders. However, Conroy points out that, except in cases where there appears to have been deliberate manipulation, there is generally little significant price reaction to corporate backdating announcements.&lt;br /&gt;&lt;br /&gt;That&#39;s because backdating does not directly affect future cash flow, a metric that investors value greatly, contends Conroy. 
And while backdating may produce a risk to a company&#39;s reputation, as shareholders don&#39;t usually like to see restatements, the economic effect remains in the past.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115642540337759040/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115642540337759040' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115642540337759040'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115642540337759040'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/08/defending-against-backdating-suits.html' title='Defending Against Backdating Suits'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115575701023678500</id><published>2006-08-16T15:35:00.000-04:00</published><updated>2006-08-16T15:36:51.063-04:00</updated><title type='text'>Webcast: Controls, Compliance &amp; the Role of Continuous Monitoring</title><content type='html'>Webcast with Controls Expert Anne Marchetti, author of Beyond Sarbanes-Oxley Compliance: Effective Enterprise Risk Management &amp; The Sarbanes-Oxley Ongoing Compliance Guide&lt;br /&gt;&lt;br /&gt;Date: Thursday Aug. 31&lt;br /&gt;Time: 2 p.m. EST/ 11 a.m. PST&lt;br /&gt;Duration: 45 minutes&lt;br /&gt;&lt;br /&gt;The public outcry against Sarbanes-Oxley is largely based on the excessive costs and relatively few tangible benefits recognized. 
However, continuous monitoring of financial processes and the underlying transactions can reduce compliance cost as well as deliver tangible benefits to business operations. Continuous monitoring drives risk-based compliance and controls that allow an organization to maintain full compliance while reducing ongoing costs, strengthening the overall control environment and improving financial processes.&lt;br /&gt;&lt;br /&gt;Continuous monitoring of financial processes and related transactions can help companies avoid the expensive compliance burden of reconfiguring financial systems to support compliance requirements. Public companies and their auditors should act now to better understand the role that technology and continuous monitoring can play as a mitigating control as well as in the automation of the reporting of control effectiveness.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115575701023678500/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115575701023678500' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115575701023678500'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115575701023678500'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/08/webcast-controls-compliance-role-of.html' title='Webcast: Controls, Compliance &amp; the Role of Continuous Monitoring'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115513036897834624</id><published>2006-08-09T09:24:00.000-04:00</published><updated>2006-08-09T09:32:49.533-04:00</updated><title type='text'>Why options backdating is a big deal</title><content type='html'>A debate over its nuances misses the point: Incentive-based compensation is broken.&lt;br /&gt;&lt;br /&gt;By Adam Lashinsky, Fortune Magazine senior writer&lt;br /&gt;&lt;br /&gt;If the subject is so complex, then why argue that the whole system is rotten? Consider this: Stock options were invented as a way to align the interests of employees with shareholders. The first time the system began to crack was in the 1990s, when companies with falling stock prices began to re-price their stock options in order to retain their employees. With a righteous fury, arrogant Silicon Valley executives in particular glared at anyone who suggested shareholders would benefit by ending a practice that would lead to losing valued employees. Shareholders, of course, didn&#39;t get the opportunity to re-price their shares. 
The practice halted when rule changes required shareholder approval for re-pricing.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115513036897834624/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115513036897834624' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115513036897834624'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115513036897834624'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/08/why-options-backdating-is-big-deal.html' title='Why options backdating is a big deal'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115497316981602170</id><published>2006-08-07T13:51:00.000-04:00</published><updated>2006-08-07T13:52:50.063-04:00</updated><title type='text'>Three cheers for Sarbanes-Oxley</title><content type='html'>THE STOCK option re-pricing scandal has been perturbing corporate America for months but yesterday’s admissions by Apple thrust the issue right to the front of minds all across the globe. Not only is Apple a big name, it also projects an image of cleanliness and decency. If the top brass at Apple thought it was reasonable to re-price options retrospectively to maximise the financial rewards to executives, it suggests that the practice was widespread.&lt;br /&gt;&lt;br /&gt;It also suggests that standards of behaviour among executives are woefully low. It simply cannot be right to issue options to buy shares at levels below the market price at the time of grant. 
If this is not appreciated, it raises questions about all manner of other judgments made by businessmen and women. Besides being intuitively wrong, it makes a mockery of the justification for the schemes. It is good for executives to have shares or share options, so the argument goes, because it aligns the financial interests of shareholders and executives. But if the starting price is revised downwards, directors are getting money for nothing. That does shareholders no good at all. &lt;br /&gt;&lt;br /&gt;While stock option re-pricing paints corporate America in a dismally poor light, its discovery should leave observers grateful to Sarbanes-Oxley regulations. Sarbox is ritually abused for adding needless bureaucratic burdens on business. The Sarbox-inspired obligations on senior executives to sign off accounts, however, seem to have led to the discovery of deplorable practice.&lt;br /&gt;&lt;br /&gt;Making directors accountable for the books they keep may result in an extra administrative cost, but if it keeps the custodians of America’s publicly owned companies on the straight and narrow, it is a small price to pay. 
If it makes all executives re-examine practices blithely assumed to be justifiable, so much the better.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115497316981602170/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115497316981602170' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115497316981602170'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115497316981602170'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/08/three-cheers-for-sarbanes-oxley.html' title='Three cheers for Sarbanes-Oxley'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115471926201861751</id><published>2006-08-04T15:20:00.000-04:00</published><updated>2006-08-04T15:21:02.460-04:00</updated><title type='text'>Stock options troubles: background</title><content type='html'>Apple Computer may be the highest-profile but it is not the first company to admit that it would probably have to restate its earnings as a result of the widening stock options backdating scandal.&lt;br /&gt;&lt;br /&gt;McAfee, the security software company, said last month that manipulation of the timing of options meant it would have to restate earnings going back to at least 2003, and the impact would be significant. It also fired its general counsel as a result of the episode.&lt;br /&gt;&lt;br /&gt;Mercury Interactive, a business software company, was also forced to restate several years’ worth of earnings reports. 
Mercury’s shares were de-listed from the Nasdaq and its former chief executive resigned last November amid revelations that he and other executives had benefited from favourable backdating of stock options grants.&lt;br /&gt;&lt;br /&gt;San Francisco-based CNET Networks also said last month that it expected to restate financial statements.&lt;br /&gt;&lt;br /&gt;Last month, US authorities handed down the first criminal and civil charges in the scandal, charging three former executives of California technology company Brocade Communications Systems.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115471926201861751/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115471926201861751' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115471926201861751'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115471926201861751'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/08/stock-options-troubles-background.html' title='Stock options troubles: background'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115461374325913742</id><published>2006-08-03T10:00:00.000-04:00</published><updated>2006-08-03T10:02:23.723-04:00</updated><title type='text'>Oversight Systems Launches Continuous Monitoring for OFAC Compliance</title><content type='html'>Oversight Systems Inc., the leading provider of continuous monitoring solutions, today announced the launch of OFAC compliance functionality into the Oversight solutions for procure-to-pay and 
order-to-cash.&lt;br /&gt;&lt;br /&gt;As demanded by the Patriot Act and regulated by the Office of Foreign Assets Control, U.S. companies must not conduct business with individuals, companies, organizations and countries that support terrorism or drug trafficking or otherwise find themselves on the OFAC list of Specially Designated Nationals and Blocked Persons.&lt;br /&gt;&lt;br /&gt;&quot;The Patriot Act raises the bar for OFAC compliance, and financial executives must be on constant guard to monitor their vendors, contractors and customers -- or face stiff penalties and government scrutiny,&quot; Oversight Systems CEO Patrick Taylor said. &quot;By integrating the SDN list with Oversight&#39;s advanced analysis, Oversight delivers precise results for a centralized and fully automated control that ensures OFAC compliance.&quot;&lt;br /&gt;&lt;br /&gt;Oversight&#39;s continuous monitoring platform and real-time transaction inspection maintain all updates to OFAC&#39;s designated list and automate the analysis of every vendor, contractor, customer and -- more importantly -- your company&#39;s financial transactions for potential violations.&lt;br /&gt;&lt;br /&gt;For businesses with decentralized order-to-cash and procure-to-pay processes, Oversight delivers centralized controls over all financial systems and disparate financial operations. 
Companies with centralized financial operations rely on Oversight to automate their controls for OFAC compliance.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115461374325913742/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115461374325913742' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115461374325913742'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115461374325913742'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/08/oversight-systems-launches-continuous.html' title='Oversight Systems Launches Continuous Monitoring for OFAC Compliance'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115445523113774431</id><published>2006-08-01T13:58:00.000-04:00</published><updated>2006-08-01T14:00:31.533-04:00</updated><title type='text'>Suits, Sarbanes linked to CEO stock sales -study</title><content type='html'>Chief executives are more likely to sell large chunks of their stock holdings when their companies disclose new litigation or a violation of Sarbanes-Oxley internal controls requirements, according to a study released on Monday.&lt;br /&gt;&lt;br /&gt;The report by The Corporate Library, which examined 120 chief executives who sold more than a third of their company shares in 2005, showed 30 percent sold stock when their company was involved in some sort of litigation. 
Twenty-four percent of the chief executives sold stock when there was a Sarbanes-Oxley violation at their firm.&lt;br /&gt;&lt;br /&gt;&quot;This would indicate a CEO&#39;s general lack of confidence in the company&#39;s stock price and should be cause for concern for shareholders.&quot;</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115445523113774431/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115445523113774431' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115445523113774431'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115445523113774431'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/08/suits-sarbanes-linked-to-ceo-stock.html' title='Suits, Sarbanes linked to CEO stock sales -study'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-9433291.post-115435021043571104</id><published>2006-07-31T08:49:00.000-04:00</published><updated>2006-07-31T08:50:15.150-04:00</updated><title type='text'>Four years later, Sarbanes-Oxley still an adjustment</title><content type='html'>Four years after the passage of the Sarbanes-Oxley corporate reforms, companies have begrudgingly adjusted to the law&#39;s hefty internal control requirements, but small companies are still worried about how much it will cost to comply with the law.&lt;br /&gt;&lt;br /&gt;Companies of all sizes have complained that the law&#39;s internal control section, which requires companies&#39; outside auditors to say publicly whether a company&#39;s controls are adequate, is 
too expensive.&lt;br /&gt;&lt;br /&gt; Small companies, those with less than $75 million in market capitalization, will likely have to comply next year, SEC Chairman Christopher Cox has said.&lt;br /&gt;&lt;br /&gt;That comes as a relief for some investors as fraud is often more likely to occur at smaller companies. But smaller companies are worried the law&#39;s onerous control requirements, known as section 404, will take a big chunk out of profits and their ability to invest in their businesses.</content><link rel='replies' type='application/atom+xml' href='http://soxmonitoring.blogspot.com/feeds/115435021043571104/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment/fullpage/post/9433291/115435021043571104' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115435021043571104'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/9433291/posts/default/115435021043571104'/><link rel='alternate' type='text/html' href='http://soxmonitoring.blogspot.com/2006/07/four-years-later-sarbanes-oxley-still.html' title='Four years later, Sarbanes-Oxley still an adjustment'/><author><name>Anonymous</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='https://img1.blogblog.com/img/blank.gif'/></author><thr:total>0</thr:total></entry></feed>