Setting the Benchmark for Sarbanes-Oxley


Documentation for documentation's sake will not deter financial fraud.

By Ian Black
Managing Director of Aungate

On September 9, 2004, Douglas Flint, Group Finance Director of HSBC, and Arnold Hanish, Chief Accounting Officer of Eli Lilly, made presentations regarding the impact of Sarbanes-Oxley (SOX) to the U.S. Senate Committee of Banking, Housing and Urban Affairs. They were not alone in their submissions, and they are not alone in the fundamental concerns they raised about the potential negative effects of SOX inside the enterprise.

According to Flint, "The way Sarbanes-Oxley is being implemented by the accounting profession following the PCAOB guidance has become meticulously prescriptive and detailed. The clear danger, increasingly evident, is that the process becomes the objective rather than the means to the end."

Continuing this theme, Hanish added, "Make no mistake about it, documentation for documentation's sake will not deter financial fraud."

Several independent analysts predict that during 2005-2006, public firms will accelerate business and IT projects to ensure they are in compliance with SOX and a host of other regulatory edicts, consolidating in a corporate governance office. Firms will seek to optimize compliance processes through IT infrastructure (e.g., business applications, security), and many will also seek to improve business efficiency by using the compliance justification. Industry analyst firm Meta Group concludes a recent worldwide survey stating "by 2007, global compliance will raise control expectations for all multinational firms."

The evidence continues to mount as an entire new industry has emerged, focused, as Flint and Hanish point out, on potentially the wrong thing. Not that they are criticizing the objectives of SOX, and few do. SOX represents the most far-reaching securities regulation since the passage of the Securities Acts of 1933 and '34, following the economic boom of the 1920s, a boom that ended with the U.S. stock market crash of 1929.

But as William H. Donaldson, Chairman of the U.S. Securities and Exchange Commission (SEC), emphasizes in outlining the driver for the creation of SOX, "not since then has there been such startling evidence of failure at corporate level with even the largest, most respected U.S. corporations, guided by leaders of fundamental integrity and high reputation, becoming infected with a perilous disease I call 'short-term-itis'."

Donaldson further explains that the characteristics of the disease are manifested by a focus on making the numbers and managing earnings in a way that satisfies the "Wall Street beast". A beast that fed on the circular interdependence of a demand for increased earnings - even if achieved only by pennies per share - to satisfy management projections verified by investment research, which really is not true research at all. Another symptom is the demon of managements rewarded by stock options with no recognized accounting costs. Initiated in the 1990s and a dangerous mix by anyone's standards, this created a perilous and destructive downward cycle.

"There were signs that this sort of unacceptable behavior was on the verge of becoming accepted practice even in good corporations. The cumulative effect of this breakdown was a crisis of investor confidence, which in turn led to a demand for corrective action. The need for such action was accelerated by the twin events of the dot-com bubble bursting and the startling revelations of corporate fraud," said Donaldson. But as Donaldson describes, it is not these things in themselves that are wrong, but the unacceptable behaviors they fuel that gave rise to the creation of SOX.

And what of the salve that SOX is attempting to apply to the wound of unacceptable behavior? As the SEC's five simple goals* describe, unacceptable behaviors are made possible and more ludicrously easy by lack of transparency.

* Five Simple SEC goals:
  1. Restore investor confidence,
  2. Hold accountable those who have violated the public trust,
  3. Make the securities markets more efficient and transparent by updating practices and requirements and taking advantage of modern technology,
  4. Implement structural change to the Commission organization that would help it become more anticipatory, and
  5. Promote responsible and independent corporate governance.

These simple objectives will help restore confidence in our markets and strengthen the capital-raising mechanisms that have been the envy of the world.

Lack of transparency is not a new phenomenon. All the signs of the 1929 market crash were in evidence long before disaster struck, but the signals could not be translated fast enough to implement actions to avert the negative effects. Today, the speed of business change, driven by factors such as making the numbers, demand for increased earnings, and poor research, among others, creates a significant lack of transparency and the commensurate bad behavior this portends.

Meticulously prescriptive and detailed accounting practices that focus on the objective rather than the means to the end, or documentation for documentation's sake, will do little to increase transparency or curtail improper behavior. A specific piece of documentation may ultimately contain the evidence that dollars were moved into the wrong account, but the "documentation" of such behaviors only proves the behavior occurred, hardly deterring it in the first place. If the maxim that evidence serves as a sufficient deterrent held true, then a simple bank statement or basic evidence of wealth increase would be sufficient to change behaviors. But there is little evidence that such proof adequately changes, or even influences, behavior.

Indeed, it is argued that someone determined to perpetrate fraud is unlikely to have their conduct changed or influenced by any pre-empting set of safeguards or premonitions of detection, capture or doom. In which case, increasingly costly prescriptive and detailed accounting practices and extra documentation are akin to shutting the stable door well after the horse has bolted. In addition, much evidence suggests that while lack of transparency actually encourages improper conduct that can lead ultimately to fraud, most bad behaviour does not begin this way. Rather, it starts as simple, non-malicious actions to expedite or bypass a process, or perhaps create a process that does not exist in the first place.

The collapse of Britain's Barings bank in February 1995 is perhaps the quintessential tale of lack of transparency, which gave opportunity for improper behavior, driven by a conflict of interest. The failure was completely unexpected, and over a course of days, the bank went from apparent strength to bankruptcy. Considered the Queen of England's bank, Barings was Britain's oldest merchant bank, having financed the Napoleonic wars, the Louisiana Purchase, and the construction of the Erie Canal.

The world's attention was drawn to the fact that the failure was caused by the actions of a single trader based at a small office in Singapore whose conflicts of interest enabled Leeson and his traders to perform ill-advised trading. No one started with an intention to defraud, but the compromise degenerated over time into a breakdown of processes elsewhere that ultimately led to one of the twentieth century's most spectacular corporate breakdowns.

On the surface, prescriptive and detailed accounting practices and extra documentation appear to be neat solutions. But closer inspection suggests otherwise. Any organization wishing to comply with SOX finds itself immediately confronted by a plethora of technologies and applications designed to ensure enterprise-wide compliance. For example, specific enterprise-scale IS management tools were developed just to address sections 404 and 392 of the Act. And, while a range of ERP and financial management tools and portals tackle sections 302 and 906, sections 802 and 409 are dealt with through document/records management systems.

No single solution meets all the necessary SOX requirements, and faced with the inevitable integration issues that a wide spectrum of technologies presents, executives would do well to determine whether they will be any closer to having the right information to make good strategic decisions. Other considerations include the following:


  • the use of standardized and integrated information systems
  • the establishment of accurate and relevant performance measures
  • a user-friendly format for the information made available to decision makers
  • effective information access to allow for well-informed analysis and the flexibility/accessibility of the decision-making data

The critical success factors as well as the potential financial value of any mistakes may seem endless, so it is little wonder that companies are choosing electronic systems more out of obligation than from an in-depth understanding.

Flint and Hanish recognized the problem with most compliance technology systems: the emphasis on a passive rather than proactive approach. The reality is that most compliance monitoring systems focus on the 20 percent of enterprise digital information that is structured, such as the transactional information that drives financial and trading operations.

However, only recently was focus given to the remaining 80 percent of digital information that resides in unstructured information, such as email, instant messages (IM) and voice traffic. For instance, IM exists outside the bounds of most in-house compliance systems. So even though attempts are now being made to capture and archive these types of communications, this does little to improve the business process that is dependent on them. Whether a compliance system is in-house or outsourced makes no difference if the system remains fundamentally disengaged from the business. Compliance solutions need to focus on new areas of technology to address emerging loopholes. Otherwise, the organization risks paying a financial and legal price.

The rapidity of technological developments, such as IM, has convinced many firms to outsource their compliance to specialists. This approach provides the organization with the necessary compliance experience at a lower cost.

However, outsourcing comes with risks. As with many outsourcing projects, companies must clearly establish key performance indicators. More essential is that they must understand that outsourcing is the ultimate end to the compliance problem. Regardless of the systems in place, an uneducated staff will continue to threaten compliance. In other words, danger arises if the process of outsourcing becomes the objective. From a more pragmatic standpoint, outsourced compliance could potentially miss the 80 percent of unstructured enterprise information that does not reside in a structured database system.

Many companies aim for and achieve best practice because they fundamentally believe in delivering on shareholder expectations. Their belief system drives a value inherent in the brand. Whether technology is labelled "compliance," "best practice," "enterprise measurement" or anything else really doesn't matter.

What is important is that technology provides the ability for business leaders - and indeed any authorized participant in the process - to understand business dynamics in real time. This can only be realized by achieving transparency of 80 percent of the information involved in the organization's daily business decisions measured in real time. This capability allows for quick and accurate decisions to be taken about hierarchical structure, procurement efficiencies, training needs, customer satisfaction, sales focus and so on. The technology that enables this level of analysis may have initially been implemented for compliance purposes, but the business implications are much broader.

An example of the smarter compliance systems necessary in the future can be seen in transaction monitoring, which focuses on the 20 percent of structured information that has received the lion's share of the market's investment and attention so far. By monitoring the trading activities of individuals, it is possible to calculate, for example, a legal share holding for the purpose of reporting or perhaps identify patterns of information that might highlight illicit activity. Identifying violations of trading standards or abnormal trading patterns represents only a fraction of the challenge. The act of making an illegal trade is simply the last stage in a longer process of activity that leads to the act itself. A trail of communications and actions prior or leading to making that trade will exist inside emails, telephone conversations or instant messages.

Outsourced communications monitoring plays an important role. Until now, monitoring operations has been invasive and manual, resulting in significant cost and, potentially, loss of trust between employer and employee. Today, if compliance officers can gain an insight into the flows of communications in a business automatically, they could potentially identify illegal activity before it occurs. By analyzing communications and conversations with colleagues to determine the possibility of intentional or unintentional regulation improprieties, the organization can take preventative action.

Additionally, communications monitoring can potentially identify non-compliant activity in areas where it does not directly impact on recorded transactions. Research analysts releasing false research, salesmen pushing the wrong stock, corporate brokers going along with corporate clients' breaches of listing rules or the leaking of sensitive information would not normally be picked up by transaction monitoring tools. However, they could be detected through communications monitoring.

Automated approaches to communications monitoring that provide better understanding of what is occurring inside the business at any given time, with the ability to distinguish between acceptable and unacceptable behavior, are the future of compliance. They extend beyond the pros and cons of any single system, achieve transparency by analyzing a total corpus of information - structured and unstructured - and alert the business to the gaps between processes or even exceptions that signal breakdowns in the process.

In the near term, SOX may have momentarily given rise to unbalanced focus on the financial process and its documentation, but ultimately this controversial law may well give rise to the enforced injection of the "glue" that integrates and combines inside the enterprise all the disparate processes and technologies that have created lack of transparency and unacceptable practices in the first place.



Ian Black joined Autonomy as Director of Corporate Communications from the world's third largest defence company BAE Systems (formerly British Aerospace), where as Head of Corporate Communications, Ian launched and managed the company's global Intranet, Internet, and Extranet operations.

Ian led Autonomy marketing and communications for three years before taking up the reins last year of the company's compliance litigation and risk application division, Aungate.

Aungate is now the investigative technology used by the world's largest regulators including the US SEC, and NYSE as well as many international banks and financial institutions who use the technology to connect a wide range of back end technologies and monitor email, IM and voice traffic in real time.

The experiences gained from working with these organisations offer some profound insights into a world that makes up 80% of the information inside the enterprise (unstructured information) and that will ultimately be used for many more operations beyond those traditionally described as "compliance".




