<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress.com" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>sarbanes-oxley &#171; WordPress.com Tag Feed</title>
	<link>http://en.wordpress.com/tag/sarbanes-oxley/</link>
	<description>Feed of posts on WordPress.com tagged "sarbanes-oxley"</description>
	<pubDate>Sun, 29 Nov 2009 09:11:03 +0000</pubDate>

	<generator>http://en.wordpress.com/tags/</generator>
	<language>en</language>

<item>
<title><![CDATA[MTAC Week – Address and Barcode Quality]]></title>
<link>http://bccsoftware.wordpress.com/2009/11/23/mtac-week-%e2%80%93-address-and-barcode-quality/</link>
<pubDate>Mon, 23 Nov 2009 21:53:30 +0000</pubDate>
<dc:creator>Christopher Lien</dc:creator>
<guid>http://bccsoftware.wordpress.com/2009/11/23/mtac-week-%e2%80%93-address-and-barcode-quality/</guid>
<description><![CDATA[John (Jack) Potter, the Postmaster General, opened up last week’s Mailers’ Technical Advisory Commit]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>John (Jack) Potter, the Postmaster General, opened up last week’s Mailers’ Technical Advisory Committee meetings with a choice for the industry: improve address and barcode quality or lower expectations on service performance and measurement. A 30 percent tolerance for Intelligent Mail barcodes cannot support a 96% on-time delivery.</p>
<p>Jack also noted that for the third year in a row, the Business Mail Entry Units have been found non-compliant with Sarbanes Oxley (SOX), particularly in the area of postage statements and payments. In response, the USPS is tightening acceptance requirements, including use of the MERLIN devices.</p>
<p>On a brighter note, Jack reaffirmed that there will be no price increases for market dominant products in 2010. While the possibility had existed that rates might still be increased under an exigency case, Jack noted that it would be wrong to do so. Thus, the biggest issue facing USPS next year is not rates, but changing the law to correct the mistakes in over-funding the retiree health care benefits. The USPS is once again projecting a nearly $8 billion loss in 2010.</p>
<p><strong>Intelligent Mail</strong> – The USPS will implement support for the Full-Service IM BC rates on November 29, 2009. Along with the price incentives ($0.001 and $0.003 per piece for Standard and First-Class Mail, respectively) comes a much tighter acceptance process.</p>
<p>The BMEU and DMUs now have hand-held scanning devices which can determine IM barcode quality, validate the Mailer ID, validate the Service Type Identifier, and ensure unique serial numbers for both the mailpiece barcode and the Intelligent Container Tag. A sampling of 10 pieces will be performed, taken from three bundles, out of five trays/sacks, on three containers. If two of the container tags fail, or if three pieces fail to pass the Full Service requirements, the entire mailing will lose its Full Service piece discounts as well as the Start The Clock information and the Full Service ACS information. As harsh as this sounds (and is), MTAC members were assured that the USPS will be willing to work with mailers through this process.</p>
<p>The readability tolerance for Intelligent Mail barcodes will increase to 80 percent on November 29, and rise again to a 90 percent threshold on March 15, 2010. The USPS acknowledged that the industry still has concerns about MERLIN; thus, the USPS will post on RIBBS information about the MERLIN devices, including whether the devices are up and running and that the software is current. The USPS will begin to treat the MERLIN devices just like any of their automation equipment and work to achieve a 96% “up time.” The goal is to have this regularly updated information live on RIBBS (under the <em>Intelligent Mail Latest News </em>heading) by the end of this month.</p>
<p><strong>Move Update</strong> – January 4, 2010 is when penalties for non-compliance with Move Update requirements will go into effect. First-Class or Standard mailings that are less than 70 percent compliant will have a 7-cent-per-piece penalty assessed to a prorated portion of the mailing. The prorated amount will be calculated as the sampling error minus the 30 percent threshold. For example, a 100,000 piece mailing with a failure of 40 percent will have 10 percent of the entire mailing (40 minus 30) assessed an additional 7 cents.</p>
<p>Tom Day, USPS Senior Vice President of Intelligent Mail and Address Quality, responded to industry raised concerns about the Inspection Service using Intelligent Mail data to determine non-compliance with Move Update. Tom stated that there were absolutely no direct ties between Move Update and Intelligent Mail. The Inspection Service is looking for patterns of mailing behavior over a long period of time and not a single mailing basis. </p>
<p>If you are interested in MTAC, or better yet would like your industry association to consider joining MTAC as a contributing member, please check out the MTAC section on RIBBS (<a href="http://ribbs.usps.gov/">http://ribbs.usps.gov</a>). MTAC is a great way to actively direct the future of the mailing industry.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[The end of the 'rock star' CEO]]></title>
<link>http://workplacedemocracy.com/2009/11/22/the-end-of-the-rock-star-ceo/</link>
<pubDate>Sun, 22 Nov 2009 18:49:23 +0000</pubDate>
<dc:creator>workplacedemocracy</dc:creator>
<guid>http://workplacedemocracy.com/2009/11/22/the-end-of-the-rock-star-ceo/</guid>
<description><![CDATA[A story published earlier this month on the Economist discussed the recent trend of companies prefer]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>A story published earlier this month on the <a title="Economist: The cult of the faceless boss" href="http://www.economist.com/businessfinance/displaystory.cfm?story_id=14844995" target="_blank">Economist</a> discussed the recent trend of companies preferring &#8220;anonymous&#8221; bosses to the &#8220;rock star&#8221; CEOs who were popular in previous decades. &#8220;The corporate world is increasingly rejecting imperial chief executives in favour of anonymous managers.&#8221;</p>
<p>We believe that this shift represents another stage in the ongoing evolution in the typical organizational structure – from a top-down, hierarchical system to a decentralized, democratic organizational model.</p>
<p>“The fashion for faceless chief executives is part of an understandable reaction against yesterday’s imperial bosses, many of whom were vivid characters. Some, such as Jeff Skilling of Enron and Tyco’s Dennis Kozlowski, broke the law and helped inspire a dramatic tightening of government regulation, in the form of the Sarbanes-Oxley legislation. Others, such as Home Depot’s Bob Nardelli and Hewlett-Packard’s Carly Fiorina, paid themselves like superstars but delivered dismal results.”</p>
<p>Talented, motivated, and innovative professionals are no longer willing to work for arrogant dictators in exchange for a sizeable paycheck.  Instead, employees are becoming more and more selective about the quality and type of work environment that their employers offer, and they are increasingly seeking award-winning employers that share decision-making powers and that do not tolerate workplace jerks.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[The New Financial Fraud Task Force: Key Elements to Consider for a New Regulatory Framework]]></title>
<link>http://inside-grc.com/2009/11/19/the-new-financial-fraud-task-force-key-elements-to-consider-for-a-new-regulatory-framework/</link>
<pubDate>Thu, 19 Nov 2009 19:23:04 +0000</pubDate>
<dc:creator>brucemccuaig</dc:creator>
<guid>http://inside-grc.com/2009/11/19/the-new-financial-fraud-task-force-key-elements-to-consider-for-a-new-regulatory-framework/</guid>
<description><![CDATA[On November 17, President Barack Obama issued an executive order, establishing a financial fraud tas]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>On November 17, President Barack Obama issued an executive order, establishing a financial fraud task force. The interagency body includes the SEC, Treasury Department, Justice Department, Federal Bureau of Investigation, Internal Revenue Service, Secret Service, Federal Reserve, Department of Homeland Security, and other federal, state, and local prosecutors. The following quote was released as part of this announcement.</p>
<p>“Many financial frauds are complicated puzzles that require painstaking efforts to piece together,” said SEC Chairman Mary Schapiro, in a statement issued by the White House with the executive order. “By formally coordinating our efforts, we will be better able to identify the pieces, assemble the puzzle and put an end to the fraud.”</p>
<p>Efforts to reduce fraudulent financial reporting have been under way for years. The National Commission on Fraudulent Financial Reporting, more commonly referred to as the Treadway Commission, was formed in 1985 to inspect, analyze, and make recommendations in what appeared at that time an alarming increase in fraudulent corporate financial reporting.</p>
<p>The Committee of Sponsoring Organizations (COSO) of the Treadway Committee picked up the torch in 1987. Sarbanes Oxley legislation and the creation of a new audit standard setting body, the PCAOB, followed in 2002.</p>
<p>Is there any discernable evidence that financial fraud or catastrophic governance failures (with or without fraud) have improved over that time? No one in the GRC world seems to be counting, a telling revelation in itself. Anecdotally it is hard to make a case that things have improved.</p>
<p>SEC enforcement actions from 1987 through 1997, an 11 year period, covered financial statement fraud in 300 companies. In the 10 years ended in 2008, the total is 347 cases.</p>
<p>Is it humanly possible to reduce fraud and governance failures? Should they be considered random and unavoidable, just like the weather?</p>
<p>In a recent blog post, I compared airline safety statistics in the US over the same period to fraud and catastrophic governance failure. It was an unfair comparison. The National Transportation Safety Board (NTSB) keeps detailed statistics on aviation incidents. But in the world of GRC there are no clear definitions, let alone statistics on fraud or what I will refer to as catastrophic governance failure. What is clear though is this: aviation is safe and getting safer, financial fraud and GRC failures appear to be bad and getting worse.</p>
<p>Whatever our professions and regulators come up with as a new regulatory framework, they should consider incorporating at least a few of the elements that work in improving aviation safety.</p>
<p>1. Mandatory Incident and Event Reporting: I recently sat beside a 747 pilot dead-heading to his destination. Reportable incidents are defined by his airline and he must log all such incidents. In other words, if he makes a mistake he must report it in writing. The only sanction he is subject to for a reported incident is the possibility of additional training. He would face much more severe sanctions for not reporting an incident. What is the value of this? Airlines learn from reported incidents. Knowing what can go wrong, understanding near misses prevents accidents. Incidents and events are not “deficiencies”. They are situations that have actually occurred.</p>
<p>Any regulatory framework seeking to drive down fraud and failure must define and incorporate mandatory incident and event reporting. Not just the Significant Deficiencies or Material Weaknesses that now get exposure through SOX, but all defined incidents and loss events. It is not possible to reduce the large failures without understanding the small ones.</p>
<p>2. Mandatory Root Cause Analysis: What happens after a plane crashes? Investigators virtually reconstruct it to find the cause of the accident. Mandatory root cause analysis is absent from most financial regulatory frameworks and professional standards. Without root cause analysis, improvement will not take place. In the world of fraudulent financial reporting and GRC failures, root cause analysis is almost totally absent. Virtually none of the reported deficiencies under SOX incorporate any kind of root cause analysis. No explanation is given or expected for the cause of failure.</p>
<p>3. Focus on Human Behavior: Existing audit and regulatory standards virtually ignore the role of human behavior in business. “Management override” of controls is considered a control failure, not unacceptable behavior. Few, if any reported SOX deficiencies have identified Boards, Audit Committees, CEO’s, CFO’s, internal auditors or any other individual or group as a reported deficiency. Automated controls are supposed to be more reliable and preferable to humans in the control environment. What’s missing in financial or regulatory frameworks is a clear, specific acknowledgement of the acceptable behaviors, specific accountabilities and skills required by key individuals and groups. Unacceptable behavior or insufficient skills get airline pilots grounded or fired immediately. Similar rules are needed for those that oversee our corporations. What are the behaviors, knowledge, and skills we need to be alert for in the world of business?</p>
<p>4. Robust Risk Assessments: Airline safety has improved because failure is considered to be systemic, predictable and avoidable. Airline accidents are seldom random events, and even random events can be predicted. Random birds might get randomly sucked into aircraft engines, but if individual bird incidents can’t be avoided, they can be predicted and managed. Robust risk assessment means assessing risk from at least three perspectives. Where can things go wrong and cause a serious incident? Identifying aircraft engines as critical and vulnerable is “context” risk assessment. What can go wrong? Identifying bird collisions as a cause of failure is “event” risk assessment. What accountability, skills and knowledge do we need from our people? Identifying the skills and knowledge of the pilot to respond to engine failure caused by a bird collision is assessing “behavior” risk. PCAOB audit standards and guidance give us some “context” risk guidance. They help identify “significant” accounts. But they fall short on event and behavior risk and they leave a huge gap.</p>
<p>That’s why, once again, we have a new task force. It is true that financial fraud and catastrophic governance failure can be complicated. Are they more complicated than air disasters? You decide. My view is that if we approached fraud and governance failure as something that is predictable, systemic and avoidable, our regulatory frameworks and professional standards would look like what is used successfully by the airlines to drive down aviation failures.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Internal auditors get my goat]]></title>
<link>http://riskczar.com/2009/11/19/internal-auditors-get-my-goat/</link>
<pubDate>Thu, 19 Nov 2009 15:19:58 +0000</pubDate>
<dc:creator>riskczar</dc:creator>
<guid>http://riskczar.com/2009/11/19/internal-auditors-get-my-goat/</guid>
<description><![CDATA[Here&#8217;s one of those articles that would get my goat if I owned a goat. It&#8217;s the typical ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Here&#8217;s one of those <a href="http://www.webcpa.com/news/Staying-Power-ERM-Internal-Auditing-52502-1.html" target="_blank">articles </a>that would get my goat if I owned a goat.</p>
<p>It&#8217;s the typical rah-rah article about how wonderful ERM is and everyone should be doing it. (I am always  a proponent of those.) But the fact that it was published at a site called WebCPA should have tipped me off that I was going to be short one goat by the time I was finished.</p>
<p>After the author quotes the requisite parts from the COSO ERM framework &#8211; thus illustrating that she can copy and paste from the COSO ERM framework &#8211; she recites a lot of the usual fluff about why ERM is so great. But what really sends my goat running is how she tries to make the point that somehow internal auditors are the &#8220;meek who shall inherit the ERM&#8221; so to speak.</p>
<p>Accountants, including internal auditors, have been getting by for years with their control self-assessments and opinions. Thanks to a few financial frauds like Enron and WorldCom, the government passed the Sarbanes-Oxley Act and many internal auditors were kept busy for a while; recently they have IFRS conversions. I am tired of internal auditors trying to make ERM something for internal auditors to do. What&#8217;s more, it muddies the water, making it increasingly difficult for ERM practitioners to communicate that risk management is not the same thing as audit.</p>
<p>In the article, the author suggests ERM is the next great thing for internal auditors.  She writes: <em>Organizations will also look to internal auditors to provide some non-traditional roles, including trainer, educator, and coordinator, or facilitator. As trainers or educators, auditors must understand that ERM is a process or methodology in the identification, assessment and management of risks enterprise-wide. This process provides for a structured and disciplined approach to implementing risk management.</em></p>
<p>To that I have to say: stick to your knitting (and auditing).</p>
<p>Perhaps try making internal auditors in charge of human resources or IT? Just please, stay away from risk management and leave ERM implementations to the professionals.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[LONG THOUGHT: TELECOMMUTING CAVEATS, PART 2 – SARBANES-OXLEY]]></title>
<link>http://thinkinglong.wordpress.com/2009/11/18/long-thought-telecommuting-caveats-part-2-%e2%80%93-sarbanes-oxley/</link>
<pubDate>Thu, 19 Nov 2009 01:53:52 +0000</pubDate>
<dc:creator>The Long Thinker</dc:creator>
<guid>http://thinkinglong.wordpress.com/2009/11/18/long-thought-telecommuting-caveats-part-2-%e2%80%93-sarbanes-oxley/</guid>
<description><![CDATA[NOTE: The information in this post is the product of our own experiences in working as a technical p]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><strong><span style="color:#ff0000;">NOTE: The information in this post is the product of our own experiences in working as a technical project manager for a publicly-traded company, as well as our own open-source research. </span></strong></p>
<p><strong><span style="color:#ff0000;">We do feel, however, that the information will be of use to executives who are considering adopting a telecommuting model for some of their employees.</span></strong></p>
<p><strong><span style="color:#ff0000;">The reader is strongly encouraged to apply his or her own best judgment in using this information, remembering at all times that Thinking Long is not to be considered a source of accurate legal information, either in general or as it may apply to any specific set of circumstances. We have no attorneys on retainer. </span></strong></p>
<p><span style="color:#ff0000;"><strong>T</strong><strong>herefore, the following post should be taken as a strong and detailed recommendation that a publicly-traded company consult with specialized attorneys before a telecommuting model is adopted.</strong></span></p>
<p>The first potential problem with telecommuting has to do with some of the provisions of the suite of regulations applying to public companies that are collectively referred to as “The Sarbanes-Oxley Act”<sup>1</sup> or “SOX”.</p>
<p>In particular, we are referring to the sections of SOX that obligate a company to establish and maintain policies to control access to proprietary financial data.</p>
<p>The relevant section is excerpted in full from the website of the U. S. Government Printing Office:</p>
<p style="padding-left:30px;"><em><strong>SEC. 404. MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS </strong><sup>2</sup></em></p>
<p style="padding-left:30px;"><em>(a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall—</em></p>
<p style="padding-left:60px;"><em>(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and</em></p>
<p style="padding-left:60px;"><em>(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.</em></p>
<p style="padding-left:30px;"><em>(b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.</em></p>
<p>For a real-world interpretation of this language I went to the website of Janco Associates<sup>3</sup>, a management consulting firm that focuses on MIS.</p>
<p>Janco markets a SOX Compliance Resource Kit<sup>4</sup> with the observation that Section 404 requires that enterprises…</p>
<ul>
<li><em>have an enterprise wide security policy; </em></li>
<li><em>have enterprise wide classification of data for security, risk, and business impact; </em></li>
<li><em>have security related standards and procedures; </em></li>
<li><em>have formal security based documentation, auditing, and testing in place; </em></li>
<li><em>enforce separation of duties; and </em></li>
<li><em>have policies and procedures in place for Change Management, Help Desk, Service Requests, and changes to applications, policies, and procedures. </em></li>
</ul>
<p>Simply put, public companies are fully responsible for the reliability and integrity of their financial data; they must be in control of that data at every stage of its processing and so cannot allow it to be transferred to, or be processed using, equipment outside of its control.</p>
<p>Furthermore, remote access to a company’s network must be by means of a connection whose security meets specific standards.</p>
<p>All of this means that, if a public company requires or allows employees to work from home, the company must provide the necessary equipment as well as a secure connection by which the remote employee can gain access to the company’s network.</p>
<p>In other words, it is not the case that a public company can simply require an employee to work from home and use their own computer, with the justification that “<em>since every employee has a computer, phone, internet connection it is convenient to work from home</em>”.<sup>5</sup> In so doing, a company runs the risk of violating Federal law, as well as losing control of their data and increasing the vulnerability of their local network to either viral infection or hacking.</p>
<p>As we noted at the start of this post, this information is not meant to be taken as a comprehensive review of the implications of telecommuting for a publicly traded company under the Sarbanes-Oxley Act, especially not as it applies to any specific situation.</p>
<p>This post is only to inform the reader that such implications exist and that corporate counsel should review the law and the circumstances under which telecommuting would be taking place.</p>
<hr size="1" />
<pre>
<ol>
<li><a href="http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act">Wikipedia article on Sarbanes-Oxley Act.</a></li>
<li><a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&#38;docid=f:h3763enr.tst.pdf">U.S. Government Printing Office - H.R. 3673</a></li>
<li><a href="http://www.e-janco.com/">Janco Associates, Inc.</a></li>
<li><a href="http://www.e-janco.com/SOX.htm">Sarbanes-Oxley Compliance Resource Kit</a></li>
<li><a href="http://syracusefinanceclass.blogspot.com/2009/11/businesses-are-downsizing-their-real.html">Syracuse Finance Class, Friday, November 13, 2009, Posted by: Scarlett Lu</a></li>
</ol>

 </pre>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[On My Honor, as a Salesperson: Why Sales Ethics Matter]]></title>
<link>http://outsidetechnologies.wordpress.com/2009/11/18/on-my-honor-as-a-salesperson-why-sales-ethics-matter/</link>
<pubDate>Wed, 18 Nov 2009 21:51:58 +0000</pubDate>
<dc:creator>Andy Rudin</dc:creator>
<guid>http://outsidetechnologies.wordpress.com/2009/11/18/on-my-honor-as-a-salesperson-why-sales-ethics-matter/</guid>
<description><![CDATA[Which business risk represents the greatest threat to shareholder value? Natural disasters? Terroris]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><strong>Which business risk represents the greatest threat to shareholder value?</strong></p>
<p>Natural disasters? Terrorism? Product defects? Piracy? Patent infringement? Lack of ethical boundaries?
</p>
<p>
If you answered anything but the last choice, think again. The massive collapse of market capitalization at Tyco, Worldcom, and Enron underscores the grave dangers posed to shareholder value when employees lack an ethical compass. The cumulative decline in market capitalization resulting from fraud at these three companies was $136 billion, according to Public Citizen&#8217;s <i>Congress Watch</i>.
</p>
<p>
These scandals originated in the executive suite and required an ecosystem of compliant people to execute. What about ethical problems that originate elsewhere? What happens when ethical violations spiral from what are euphemistically called &#8220;aggressive sales practices?&#8221; In 1998, ethical violations at Prudential Insurance became so pervasive that the company&#8217;s management eventually estimated its liability from the pending class-action lawsuit at $2 billion. Among the voluminous courtroom testimony from the case was this nugget: &#8220;Your judgment gets clouded out in the field when you are pressured to sell, sell, sell.&#8221;
</p>
<p>
Could ethical problems affect your company? No company is immune. How might your company&#8217;s reputation or your personal reputation be affected? How real are the ethical risks you face, and what, if anything, should you do about them? These are risk-related questions that one company should have asked&#8212;but didn&#8217;t. As a result, the indiscretions of a person I&#8217;ll call Travis Doe cost MegaCorp (not the company&#8217;s real name) more than $1 million.
</p>
<p>
Travis Doe was a reseller account manager for MegaCorp. He was affable and gregarious, and his compensation plan enabled him to earn a comfortable six-figure package. But Travis had a revenue scheme that would make his day-job earnings pale in comparison, and it paid him very well&#8212;before he was caught. When the dust began to settle a year later, the total estimated cost to MegaCorp was more than $1 million. That&#8217;s before adding the 40 percent revenue loss of the diverted direct sales. What about the greater cost of diminished employee morale and broken customer trust?
</p>
<p>
The loss was buried in the income statement of MegaCorp&#8217;s financial report, away from the eyes of investors. No mainstream publication or trade journal carried the story. What was Travis&#8217;s scheme? I&#8217;ll get to that in a moment.
</p>
<p>
<b>Unethical</b><br />
Any discussion of ethics involves drawing boundaries. But drawing boundaries for sales ethics is much easier said than done:
</p>
<div style="margin-left:40px;">
<ul>
<li>&#8220;I&#8217;ll sell an early version of my software that isn&#8217;t fully tested, but I won&#8217;t sell anything that I know doesn&#8217;t work.&#8221;
</li>
<li>&#8220;I won&#8217;t bring up the fact that I&#8217;m missing a key feature, but I won&#8217;t lie about its absence.&#8221;
</li>
<li>&#8220;At the end of the quarter, I will commit resources I don&#8217;t control so I can win the sale, but I won&#8217;t promise my prospective customer anything I know cannot be delivered.&#8221;
</li>
<li>&#8220;I won&#8217;t overcharge anyone, but I won&#8217;t sell at the lowest possible price, either.&#8221;
</li>
<li>&#8220;I&#8217;ll look out for my client&#8217;s best interests but only if doing so doesn&#8217;t jeopardize my business.&#8221;</li>
</ul>
</div>
<p>
As author David Quammen writes in <i>Wild Thoughts From Wild Places</i> (Scribner, 1998), &#8220;Not every crisp line represents a triumph of ethical clarity.&#8221; What causes this obfuscation? Individual ethical interpretations are a function of a person&#8217;s current emotions, situation, values, experience, logic and personality. What do blurry interpretive boundaries mean for sales? They mean that ethical practices and behaviors are difficult to define.
</p>
<p>
<b>Travis&#8217;s plan</b><br />
Travis executed his plan by setting up a bogus reseller account. When prospective clients sent requests for quotes, Travis intercepted them and sent the requests to his bogus company, instead of sending them to a legitimate reseller. Because the bogus reseller purchased from MegaCorp at a 40 percent discount, Travis made a tidy personal profit on every order his bogus company processed. Only when an order administrator on the West Coast spotted a benign part number anomaly did Travis&#8217;s ruse begin to unravel. She phoned the &#8220;reseller&#8221; with a question, and the person who answered stated that &#8220;our vice president, Travis Doe, will contact you tomorrow with an answer.&#8221; The order administrator blew the whistle. An embarrassed MegaCorp quietly fired him about a week later.
</p>
<p>
Travis&#8217;s laptop contained evidence that exposed how far the ripples from the scam had traveled. There were copies of letters and proposals bearing the name, &#8220;Travis Doe, Vice President,&#8221; on fake letterhead. Under the guise of a legitimate reseller, Travis had created price lists, spreadsheets that tracked the status of quotes, customer lists, marketing material and more.
</p>
<p>
Surprised colleagues (and some not-so-surprised) came forward to describe how Travis had pressured them to send orders to his bogus reseller rather than place them directly with their employer. Betrayed customers who had unwittingly placed orders with the reseller loudly expressed their woes because Travis&#8217;s company had no capabilities to support them. Legitimate resellers were especially irate because they had been deprived of valuable orders.
</p>
<p>
No one else was terminated, but except for the alert order administrator, Travis&#8217;s indiscretion created no winners. Where were the boundaries of ethical responsibility? MegaCorp utterly failed by not having adequate controls to prevent Travis&#8217;s scheme. If Travis&#8217;s immediate boss knew about his dishonesty, why didn&#8217;t he stop him? If he didn&#8217;t know, <i>why not?</i> You know it&#8217;s a bad day at the office when any answer you provide isn&#8217;t a good one.
</p>
<p>
Ethical risk presents vexing challenges for organizations because ethical standards must first be defined, then documented, communicated and followed. In addition, the subjectivity of what constitutes good ethics, and resulting interpretive challenges, defy standard-setting. Senior managers should not avoid this problem. Instead, they should embrace it by creating an environment for open, candid discussion about ethical challenges that will encourage salespeople, and those who support their efforts, to identify issues and confront them before they spiral out of control.
</p>
<p>
Establishing an ethical culture requires strong leadership; expectations for ethical behavior must be visible and consistent throughout the enterprise. Similar to many operational risks, the likelihood of ethics problems is magnified when multiple risk conditions coexist. When high financial incentives for dishonesty, lax audit controls and non-integrated processes exist simultaneously in an organization, a shrill alarm should sound in the boardroom or executive suite indicating a condition ripe for exploitation. Ethical lapses can irreparably undermine the best business plans, corporate reputations, and brand building. There are too many opportunistic Travises in the world, and too much value at risk, to ignore the alert.
</p>
<p>
&#169; 2007 Andrew Rudin</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Fake profits? Go to jail. Fake statistics? Go to government]]></title>
<link>http://alphafound.wordpress.com/2009/11/18/fake-profits-go-to-jail-fake-statistics-go-to-government/</link>
<pubDate>Wed, 18 Nov 2009 18:00:42 +0000</pubDate>
<dc:creator>Tim Wood</dc:creator>
<guid>http://alphafound.wordpress.com/2009/11/18/fake-profits-go-to-jail-fake-statistics-go-to-government/</guid>
<description><![CDATA[ST. LOUIS (Alpha Found) &#8212; The bureaucrat in charge of Recovery.gov, the White House effort to ]]></description>
<content:encoded><![CDATA[ST. LOUIS (Alpha Found) &#8212; The bureaucrat in charge of Recovery.gov, the White House effort to ]]></content:encoded>
</item>
<item>
<title><![CDATA[Accountability Needs to Return to Congress!]]></title>
<link>http://lisbethcarter.wordpress.com/2009/11/18/accountability-needs-to-return-to-congress/</link>
<pubDate>Wed, 18 Nov 2009 16:10:04 +0000</pubDate>
<dc:creator>lizziecarter</dc:creator>
<guid>http://lisbethcarter.wordpress.com/2009/11/18/accountability-needs-to-return-to-congress/</guid>
<description><![CDATA[Out of control spending with no checks and balances! The Federal Government is a mess. Could you ima]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><strong>Out of control spending with no checks and balances!</strong></p>
<p>The Federal Government is a mess. Could you imagine if a financial institution reported misleading and inaccurate numbers? Can you imagine if a publicly traded company provided gross inaccuracies on their SEC filings, and then explained it by saying some of the reporting mechanisms are unrealistic? The Executive Branch, Legislative Branch and Judicial Branch would be frothing about Sarbanes-Oxley.  Executives would be going to prison. If we, the people, did this we would be called out and hung to dry.</p>
<p>Yet, gross inaccuracies were found on a government Web site that tracks jobs purportedly saved or created by the $787 BILLION stimulus plan. WHAT? Congress spent $787 BILLION and cannot accurately report where it went and what jobs it created or saved! If this was a Web site created by a Public Company, it would be all over the press and our elected officials would be frothing at the mouth demanding answers.  Instead, we the People of the United States are asked to look at the big picture and not to focus on gross inaccuracies. <em>In an interview, Rep. David Obey of Wisconsin called the inaccuracies on Recovery.gov &#8220;infuriating&#8221; and said the success of the government&#8217;s stimulus package has been &#8220;obscured by the silly mistakes.&#8221;  &#8220;In my judgment, someone who doesn&#8217;t know which congressional district they&#8217;re in doesn&#8217;t have enough of a clue to receive taxpayer money in the first place,&#8221; </em></p>
<p>I wonder if Rep. Obey would say the same thing if this was a report on and from Google or GE. I’m sorry, “success obscured by silly mistakes” – REALLY Congress? This is our money you are spending; these are tax dollars we could not afford that you are spending!</p>
<p><strong>Unknown Billions on Health Control, instead of Reform for Quality Health Care!</strong></p>
<p>The Senate has the opportunity to pass the largest bill ever, on “Health Care Reform”, hailed to provide affordable, quality health care for all Americans and reduce the growth in health care spending. Yet, when you read the 1,990 page beast, there is no call to fix the national programs we have today and there is no clarity on how much this legislation will cost or save the American People. In fact, on October 29, 2009 a letter was sent to Representative Charles Rangel, from the Congressional Budget Office, saying they had completed a preliminary analysis of HR 3962, but the analysis did not constitute a final and comprehensive cost estimate for the bill, because there are so many programs and grants that would have to be further appropriated. In the letter there is a minimum of $53 BILLION in additional spending that would have to be spent to implement the bill. WHAT? How the hell are we Americans going to afford this health care option Congress is proposing and exactly what quality care are we paying for? A TAX Credit does not pay the premium that will be due when the rest of our bills are due! WAKE UP Congress, you are spending what is not yours to spend.</p>
<p><strong>Cost Cutting put in front of the value of a Mother’s Life!</strong></p>
<p>Could you imagine if Blue Cross Blue Shield released an opinion statement on mammograms based on new data from mammography studies in England and Sweden that said early detection procedures create unnecessary anxiety and follow-up procedures that cost too much money? Every media outlet and politician would be screaming “How dare they put cost cutting measures in front of the value of a mother’s life!”</p>
<p>This week the Women of America were slapped in the face with a Health Care Cost measurement. Our Government has decided the anxiety and cost caused by doing mammograms in your 40’s outweighs the benefit of saving a woman’s life by early detection procedures. REALLY? This sounds exactly like BIG BUSINESS deciding how much profit can be made versus potential monies lost in lawsuits. Remember the Ford Pinto?  The Judicial Branch found that Ford knew the Pinto was dangerous and may cause the death of individuals in the car if rear-ended. Ford weighed potential costs against the value of life or how much they would lose in lawsuits. </p>
<p>Congress, notice the word “care” in Health Care. You are there to protect our rights, our pursuit to happiness, and our right to life. I don’t know how any Woman in America could vote for the congressmen who are in office today that support this administration’s view on health care. I, for one, have too many friends who have been saved by early detections and mammograms in their 30’s and 40’s, including my mother-in-law.  If these fabulous women would have waited until their 50’s, they would no longer be alive today and I would not have had the opportunity to know them.</p>
<p><strong>Join Me!</strong></p>
<p>I’m a US Citizen who has been deeply impacted by this economy. I don’t live in an ivory tower that insulated my family from this recession. I am a citizen who is standing up and saying “NO MORE”, it is time for honest change, and it is time to create prosperity for all Americans, not just elected officials who have a demented view of reality.  It’s time for accountability to the American People, in which we serve. </p>
<p>Let’s stand up and say NO to our hard earned dollars being taxed and then being spent by BIG BUSINESS and BIG GOVERNMENT, instead of helping us, the American People.  </p>
<p>Let’s stand up and say NO to spending with no checks and balances and with no regard to accountability. </p>
<p>Let’s stand up and say NO to spending for health control, instead of quality health care!</p>
<p>Let’s stand up and say NO to cost cutting efforts that clearly put bureaucracy in front of a mother’s life!</p>
<p>Let’s stand up and say NO to government dependency, instead of opportunity!</p>
<p>Let’s go to work with those in Congress who want to bring accountability and prosperity back to us, the People of the United States of America! I’m proud to be an American!</p>
<p>“It does not require a majority to prevail, but rather an irate, tireless minority keen to set brush fires in people’s minds.” Samuel Adams</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Corporate governance and ethics]]></title>
<link>http://cgleaders.wordpress.com/2009/11/18/corp-gov-and-ethics/</link>
<pubDate>Wed, 18 Nov 2009 14:32:37 +0000</pubDate>
<dc:creator>santiagochaher</dc:creator>
<guid>http://cgleaders.wordpress.com/2009/11/18/corp-gov-and-ethics/</guid>
<description><![CDATA[by Mercedes B. Suleik, for Manila Bulletin, November 18, 2009. “In the next century, a company will ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>by Mercedes B. Suleik, for <a title="Manila Bulletin" href="http://www.mb.com.ph/home" target="_blank">Manila Bulletin</a>, November 18, 2009.</p>
<p style="text-align:justify;">“In the next century, a company will stand or fall on its values,” <a title="Robert Hass" href="http://www.levistrauss.com/Company/OurBoard.aspx" target="_blank">Robert Hass</a>, CEO of <a title="Levi Strauss" href="http://www.levistrauss.com/Company/" target="_blank">Levi Strauss</a>, was quoted to have said. I have sometimes used this quote to begin one of my lectures on corporate governance, saying that this statement has been validated by the humongous scandals and failures in the West – <a title="Wikipedia Enron" href="http://en.wikipedia.org/wiki/Enron" target="_blank">Enron</a>, the mother of all f…k-ups, <a title="Wikipedia Worldcom" href="en.wikipedia.org/wiki/MCI_Inc." target="_blank">Worldcom</a>, <a title="Wikipedia Tyco" href="http://en.wikipedia.org/wiki/Tyco_International" target="_blank">Tyco</a>, even one of the big 5 accounting firms, Andersen, etc. in 2000, and repeated in 2008 with <a title="Wikipedia Lehman Brothers" href="en.wikipedia.org/wiki/Lehman_Brothers" target="_blank">Lehman Brothers</a>, <a title="Wikipedia Bear Stearns" href="http://en.wikipedia.org/wiki/Bear_Stearns" target="_blank">Bear Stearns</a>, <a title="Wikipedia AIG" href="http://en.wikipedia.org/wiki/American_International_Group" target="_blank">AIG</a>, US housing giants <a title="Wikipedia Fannie Mae" href="http://en.wikipedia.org/wiki/Fannie_Mae" target="_blank">Fannie Mae</a> and <a title="Wikipedia Freddie Mac" href="http://en.wikipedia.org/wiki/Freddie_Mac" target="_blank">Freddie Mac</a>, not to mention the big banks…all of whom had to be bailed out (with the exception of Lehman) with taxpayers’ money. What indeed were the values espoused by these companies?</p>
<p style="text-align:justify;">In discussing what corporate governance is about, I usually short-cut it by taking each of the elements in a definition I found very useful, that given by former <a title="World Bank" href="http://www.worldbank.org/" target="_blank">World Bank</a> President, <a title="Wikipedia James Wolfensohn" href="http://en.wikipedia.org/wiki/James_D._Wolfensohn" target="_blank">James D. Wolfensohn</a>: “Corporate governance is about promoting fairness, transparency, and accountability.” Transposing the letters to make an easy acronym, FAT, I have also added another letter to make FATE, with E representing Ethics.</p>
<p style="text-align:justify;">Of course it could be said that observing FAT really means that underlying it all is the observance of E. If a company observes fairness, accountability, and transparency, then underlying it all, it must be ethical. FAT after all means that a good company assures that its shareholders are treated equitably, promotes long term value, and balances its profit motive with prudentially protecting its investments. FAT also means that in the relationships among the three important groups in a company – the shareholders, directors and management – each is accountable to the other, with the Board being accountable to the shareholders who own the company, and the Board being responsible for the actions of management which it appoints to implement its strategic and policy decisions. FAT also means that the Board ensures timely and accurate disclosure of all material matters, including material foreseeable risks, and requires a system of monitoring and reporting based on accepted standards of adequate disclosure&#8230;(<a title="Article" href="http://www.mb.com.ph/articles/230087/corporate-governance-and-ethics" target="_blank">continue reading</a>)</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Circumventing Sarbox and the IPO Drought]]></title>
<link>http://hallingblog.com/2009/11/09/circumventing-sarbox-and-the-ipo-drought/</link>
<pubDate>Mon, 09 Nov 2009 14:53:25 +0000</pubDate>
<dc:creator>dbhalling</dc:creator>
<guid>http://hallingblog.com/2009/11/09/circumventing-sarbox-and-the-ipo-drought/</guid>
<description><![CDATA[Sarbanes Oxley (Sarbox) is starving high technology start-ups for capital.  Mathew Bandyk, in US New]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Sarbanes Oxley (Sarbox) is starving high technology start-ups for capital.  Mathew Bandyk, in US News and World Report, suggests that not only has Sarbanes Oxley hurt venture capital, and decreased the number of IPOs, it is imposing costs on small businesses.<a href="http://hallingblog.wordpress.com/wp-admin/post-new.php#_ftn1">[1]</a> The reason that Sarbox is increasing the costs for small business, according to Bandyk, is that accountants are applying Sarbox rules to small businesses out of habit or conservatism.  In order for a company to go public nowadays, a company needs somewhere near $1 billion in annual revenue.  For more information on the damaging effects and absurdity of Sarbox see <a href="http://hallingblog.com/2009/06/18/sarbanes-oxley-%e2%80%93-the-medicine-is-worse-than-the-disease-part-2/">Sarbanes Oxley – The Medicine is Worse Than the Disease</a>.  Since it does not appear likely that Washington is going to fix Sarbox anytime, how can we mitigate its damage?<!--more--></p>
<p>I suggest that states create public markets for equities in their own state.  These markets would only be available for in-state companies and investors would have to be residents of the state.  Under our system of federalism this would allow the state public market to avoid the federal securities laws.</p>
<p>These state public markets would provide an IPO (Initial Public Market) outlet for local companies, with many of the benefits of going public in the national market.  Clearly large companies would be constrained in a state public market.  However, smaller companies could go public and be incubated until they are large enough to transition to a national public market.  Not only would a state public market provide much needed capital for start-up companies, it would encourage funding sources, such as venture capital firms to locate in the state.  A state public market would also encourage investment banks and entrepreneurs to locate in the state or create branches in the state.  This would help mitigate the damage caused by Sarbox.</p>
<p>Some people might suggest that a state, such as Colorado, does not have a large enough economy to create a state public stock market.  In 2006, Colorado had a GDP of $230.5 billion.<a href="http://hallingblog.wordpress.com/wp-admin/post-new.php#_ftn2">[2]</a> The Buttonwood Agreement that was the beginning of the New York Stock Exchange was signed in 1792.  The total GDP of the U.S. in 1792 was $220.0 million.<a href="http://hallingblog.wordpress.com/wp-admin/post-new.php#_ftn3">[3]</a> The population of Colorado is about 5.0 million people in 2008, while the total population of the U.S. in 1792 was around 3.9 million people.  Clearly, a state the size of Colorado is big enough to have a vibrant public market.</p>
<p>In order to ensure a vibrant public market, it is important that state laws associated with trading stocks on the state public market not follow federal law.  Investors should receive a statutory warning about the risks associated with investing in stocks or bonds in the state public market.  Only if the company or its officers are guilty of fraud or breach of contract will investors have recourse against the company.  This would be similar to Colorado skiers law, that was necessary to shield ski resorts from frivolous lawsuits that threatened to destroy the ski industry.  State judges must be prohibited from looking to federal laws for guidance in cases related to the state public market.</p>
<p>Publicly traded companies would be required to provide complete financial reports quarterly.  There would be no other disclosure requirements, however a company could clearly disclose more information.  Financial reports would not have to conform to GAAP rules, however companies must point out the differences.  This would provide flexibility for the market to determine which accounting rules are important to the market, as opposed to those that are important to government officials.  This would also allow “pooling of interest” mergers, which were useful for high technology start-up companies.</p>
<p>Employees and officers of any company listed on the state public securities market must report any purchase or sale of stock in their company.  The report would be posted as part of normal market reporting.  Insiders would then have to wait some period of time, for instance 2 hours, before purchasing or selling their company’s stock.  The other arcane rules on insider trading at the federal level would not be followed.  The SEC has refused to define what insider trading is.  This hurts the market and is a violation of the rule of law.  The rule of law demands the government clearly define laws so that citizens are not subject to de facto ex post facto law (retroactive laws).</p>
<p>In summary, a state public stock market would mitigate the effects of Sarbanes Oxley and potentially force the federal government to rethink this law.  It would also attract entrepreneurs and investment dollars to the state.  States the size of Texas, California, and New York could easily support a state public market.</p>
<hr size="1" /><p><a href="http://hallingblog.wordpress.com/wp-admin/post-new.php#_ftnref1">[1]</a> <a href="http://www.usnews.com/money/blogs/capital-commerce/2009/06/29/sarbanes-oxley-reform-needed-for-stimulus.html">http://www.usnews.com/money/blogs/capital-commerce/2009/06/29/sarbanes-oxley-reform-needed-for-stimulus.html</a> (Accessed 11/4/09).</p>
<p><a href="http://hallingblog.wordpress.com/wp-admin/post-new.php#_ftnref2">[2]</a> http://www.colorado.gov/cs/Satellite?blobcol=urldata&#38;blobheader=application%2Fpdf&#38;blobheadername1=Content-Disposition&#38;blobheadername2=MDT-Type&#38;blobheadervalue1=inline%3B+filename%3D253%2F609%2FDB2007-EcBase.pdf&#38;blobheadervalue2=abinary%3B+charset%3DUTF-8&#38;blobkey=id&#38;blobtable=MungoBlobs&#38;blobwhere=1191378404214&#38;ssbinary=true</p>
<p><a href="http://hallingblog.wordpress.com/wp-admin/post-new.php#_ftnref3">[3]</a> <a href="http://www.usgovernmentspending.com/federal_debt_chart.html">http://www.usgovernmentspending.com/federal_debt_chart.html</a>, while the website does not specifically say, it appears that the GDP is measured in 2000 chained dollars.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Regulatory Reform "Doublethink"]]></title>
<link>http://wheelhouseadvisors.wordpress.com/2009/11/09/regulatory-reform-doublethink/</link>
<pubDate>Mon, 09 Nov 2009 14:10:08 +0000</pubDate>
<dc:creator>Wheelhouse Advisors</dc:creator>
<guid>http://wheelhouseadvisors.wordpress.com/2009/11/09/regulatory-reform-doublethink/</guid>
<description><![CDATA[What has happened to the promise of transparency and accountability?  According to a recent article ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>What has happened to the promise of transparency and accountability?  According to a <a title="Goodbye to Reforms of 2002" href="http://www.nytimes.com/2009/11/06/business/06norris.html">recent article</a> in the New York Times, it has become a real-world example of &#8220;doublethink&#8221; &#8211; a term coined by George Orwell, the author of the famous novel <a title="1984" href="http://www.george-orwell.org/1984" target="_blank">1984</a>.  On the heels of one of the most serious financial crises of the past 100 years, the U.S. Congress is working against providing greater transparency and accountability.  Here is what the Times reported.</p>
<blockquote><p>It took just five weeks after the WorldCom accounting scandal erupted in 2002 for Congress to pass, and President <a title="More articles about George W. Bush." href="http://topics.nytimes.com/top/reference/timestopics/people/b/george_w_bush/index.html?inline=nyt-per">George W. Bush</a> to sign, the Sarbanes-Oxley Act. That law required public companies to make sure their internal controls against fraud were not full of holes. It took three more years for Bernard Ebbers, the man who built WorldCom into a giant, to be sentenced to 25 years in prison for his role in the fraud.</p>
<p>Mr. Ebbers will be 85 years old before he is eligible for release from prison. He may be freed, however, before the law is ever enforced on the vast majority of American companies. A Congressional committee voted this week to repeal a crucial part of the law. Other parts are also under attack. Sarbanes-Oxley was passed, almost unanimously, by a Republican-controlled House and a Democratic-controlled Senate. Now a Democratic Congress is gutting it with the apparent approval of the Obama administration.</p>
<p>The House Financial Services Committee this week approved an amendment to the Investor Protection Act of 2009 — a name <a title="More articles about George Orwell." href="http://topics.nytimes.com/top/reference/timestopics/people/o/george_orwell/index.html?inline=nyt-per">George Orwell</a> would appreciate — to allow most companies to never comply with the law, and mandating a study to see whether it would be a good idea to exempt additional ones as well. Some veterans of past reform efforts were left sputtering with rage. “That the <a title="More articles about Democratic Party" href="http://topics.nytimes.com/top/reference/timestopics/organizations/d/democratic_party/index.html?inline=nyt-org">Democratic Party</a> is the vehicle for overturning the most pro-investor legislation in the past 25 years is deeply disturbing,” said <a title="More articles about Arthur Levitt Jr.." href="http://topics.nytimes.com/top/reference/timestopics/people/l/arthur_jr_levitt/index.html?inline=nyt-per">Arthur Levitt</a>, a Democrat who was chairman of the <a title="More articles about the U.S. Securities And Exchange Commission." href="http://topics.nytimes.com/top/reference/timestopics/organizations/s/securities_and_exchange_commission/index.html?inline=nyt-org">Securities and Exchange Commission</a> under President <a title="More articles about Bill Clinton." href="http://topics.nytimes.com/top/reference/timestopics/people/c/bill_clinton/index.html?inline=nyt-per">Bill Clinton</a>. “Anyone who votes for this will bear the investors’ mark of Cain.”</p></blockquote>
<p>Restoring investor confidence in the financial system is the most effective path towards long-term economic recovery. These actions may remove a short-term burden from some companies, but the long-term impact to investor confidence will be severe &#8211; just ask the former stockholders of WorldCom.</p>
<p><a href="http://www.nytimes.com/2009/11/06/business/06norris.html"><img class="alignnone size-full wp-image-1371" title="investors" src="http://wheelhouseadvisors.wordpress.com/files/2009/11/investors.jpg" alt="investors" width="379" height="294" /></a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Sarbox Update]]></title>
<link>http://hallingblog.com/2009/11/06/sarbox-update/</link>
<pubDate>Fri, 06 Nov 2009 22:32:58 +0000</pubDate>
<dc:creator>dbhalling</dc:creator>
<guid>http://hallingblog.com/2009/11/06/sarbox-update/</guid>
<description><![CDATA[According to the NYtimes the House Financial Services Committee approved an amendment to Sarbanes Ox]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>According to the NYtimes the House Financial Services Committee approved an amendment to Sarbanes Oxley (Sarbox) that would allow some companies to be exempt from this legislation.  While the <a href="http://www.nytimes.com/2009/11/06/business/06norris.html?scp=1&#38;sq=good%20bye%20to%20reforms%20of%202002&#38;st=cse">article</a> implies that many companies would not be exempt under this amendment, the amendment only applies to companies worth less than $75 million and asks for a study of whether companies worth less than $250 million should be exempt.</p>
<p>Sarbanes Oxley has severely damaged the technology start-up market and the financial industry in the U.S.  Sarbox is very expensive: including enormous direct and indirect costs to our economy and to innovation.  It has not met its goals of improving the quality of auditing or preventing fraud.  The effects of this law include fewer public companies, fewer companies going public, more companies choosing to go public in foreign markets, absurdly high auditing expenses and a significant decrease in risk capital.</p>
<p>For more information see <a href="http://hallingblog.com/2009/06/17/sarbanes-oxley-–-the-medicine-is-worse-than-the-disease-part-1-background/">Sarbanes Oxley – Is the Medicine Worse Than the Disease – 1</a> and <a href="http://hallingblog.com/2009/06/18/sarbanes-oxley-–-the-medicine-is-worse-than-the-disease-part-2/">Sarbanes Oxley – Is the Medicine Worse Than the Disease – 2</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Socialism, Freedom and a Chimpanzee Named Travis]]></title>
<link>http://nietzscheshammer.wordpress.com/2009/11/05/socialism-freedom-and-a-chimpanzee-named-travis/</link>
<pubDate>Thu, 05 Nov 2009 14:20:59 +0000</pubDate>
<dc:creator>nietzscheshammer</dc:creator>
<guid>http://nietzscheshammer.wordpress.com/2009/11/05/socialism-freedom-and-a-chimpanzee-named-travis/</guid>
<description><![CDATA[A woman was attacked and seriously injured by a chimpanzee in CT. The woman is suing the state of CT]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a href="http://www.foxnews.com/story/0,2933,571771,00.html?test=latestnews" target="_blank">A woman was attacked and seriously injured by a chimpanzee in CT</a>.</p>
<p>The woman is suing the state of CT for $150M.</p>
<p>The injuries Charla Nash sustained are horrific but that is not the critical point.</p>
<p>The chimp was owned by a private citizen: Sandra Herold.  Herold asked Nash for help getting the chimp back inside Herold&#8217;s house.  Nash agreed.</p>
<p>Nash acted in accordance with her own free will.  Nobody coerced her into her actions.  She just as easily could have said no, or gone inside her house and made a phone call to the police or animal control.  Instead, Nash chose to put herself in the situation she did. </p>
<p>Things went terribly wrong and that is unfortunate but if Nash is a victim of anything it is of her own poor judgment and that is OK.  People must be allowed to fail, that is part of the price of freedom and it is what makes it possible to succeed as well.  It is as simple as risk-reward; no risk, no reward.</p>
<p>Nash had nothing to gain economically if things went according to plan and it is not being suggested that she hoped for something to go wrong to give cause for suit. However, this is indicative of the socialist philosophy that nobody is responsible for their own actions and that is a philosophy pervasive in government and this nation.  It is what is behind every entitlement program, the bailouts of banks and auto manufacturers, the Socialist Stimulus, Obamacare and just about everything the government does under the false pretense of &#8220;helping&#8221; people.</p>
<p>From the socialist perspective, now that Nash is not responsible someone must be.  Who is that someone?  Well this is a little sticky for the socialists because Nash wants the government of CT to be responsible for her actions and the socialist government, as we have seen with Obama, doesn&#8217;t want to be held responsible or accountable for anything; they just want to tell you what to do.</p>
<p>It is particularly pathetic that Nash must ask permission from the government to sue the government.  Now does that make any sense at all?  If that is not the definition of conflict of interest perhaps Al Gore and his investment in companies that will make billions from &#8220;cap and tax&#8221; can explain why and give a better example?</p>
<p>Assuming for a moment that Nash does sue the state of CT and wins what is the net effect?  The state of CT creates no wealth, it relies upon Americans residing in CT to work and then seizes the wealth they have created from them.  Therefore, if CT loses the suit, every single one of the dollars awarded in the court decision will come out of the pockets of the citizens of CT who Nash never consulted and who had no say in whether or not she chose to deal with a dangerous, 200-pound chimpanzee.</p>
<p>Additionally, if there is a jury trial and the decision is that CT was in some way negligent, in what way are the state politicians and bureaucrats (management) made to be responsible?  The socialists in government demanded that CEOs be personally responsible when they passed SarbOx.  So what about now?  Are the governor and other bureaucrats of CT going to be held responsible?  Why are they not the ones liable for paying?  Skilling and Lay were made responsible at Enron.</p>
<p>Furthermore, what is Nash really worth?  If the position is that her hands, lips and other body parts that were destroyed are priceless then there is no point in the lawsuit because no decision can be reached.  If there is a price, how is it justified?  If Nash wants economic reparations then the only way to justify her suit is to estimate the value of what she lost economically.  In other words, what money could she have reasonably made before her decision that she now likely will not make?  Nash certainly would not have made $150M.  She probably would not have made $15M or $5M or even $1M over the remainder of her working life.  When one considers that lawsuit awards are tax free it is certain that she would not have made that in after-tax earnings.</p>
<p>This is all simply a symptom of the socialist, PC mentality that some people in the US have been indoctrinated with in which they are not responsible for their own actions and that when things go wrong someone else must be to blame and someone else must always be made to pay.  The bottom line here is that all of this is a consequence of the socialist philosophy that people are not responsible for their actions and must be taken care of by &#8220;the state&#8221;.</p>
<p>The only common sense approach to resolving this is to try and explain to Nash that although the rest of the citizens of CT may sympathize with her, she acted of her own free will and they are not interested in assuming the consequences of her actions.  She is welcome to invite charitable donations and Americans are without question the most charitable people on Earth but to coerce the Americans who had the misfortune to reside in CT to pay for her decisions cannot be allowed.</p>
<p><a href="http://www.archives.gov/exhibits/charters/print_friendly.html?page=bill_of_rights_transcript_content.html&#38;title=The%20Bill%20of%20Rights%3A%20A%20Transcription" target="_blank">Amendment IX</a> states clearly that Nash&#8217;s rights, in this case to act as she did which included getting hurt, do not extend to the point where they infringe upon the rights of others, which in this case means trampling the property rights and right to pursue happiness of other Americans by taking their money via suing the state government of CT.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Sarbanes-Oxley Deja Vu]]></title>
<link>http://wheelhouseadvisors.wordpress.com/2009/11/01/sarbanes-oxley-deja-vu/</link>
<pubDate>Mon, 02 Nov 2009 02:25:45 +0000</pubDate>
<dc:creator>Wheelhouse Advisors</dc:creator>
<guid>http://wheelhouseadvisors.wordpress.com/2009/11/01/sarbanes-oxley-deja-vu/</guid>
<description><![CDATA[Last week, the U.S. House of Representatives proposed amendments to the Investor Protection Act of 2]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Last week, the U.S. House of Representatives proposed amendments to the Investor Protection Act of 2009 that will in essence seek to roll back some of the reforms implemented as a result of the Sarbanes-Oxley Act of 2002.  Specifically, Representatives Carolyn Maloney and Scott Garrett are <a title="Amendment to the Investor Protection Act of 2009" href="http://www.house.gov/apps/list/speech/financialsvcs_dem/ipa_maloney_garrett_709.315.pdf" target="_blank">seeking to exempt</a> public companies with a market capitalization of less than $75 million from the requirement to have their internal controls audited by an external firm.</p>
<p>Their approach is to request the SEC to perform a study on the costs of compliance for these firms and then, determine the need for the requirement. While this may be a reasonable request, it has already been made and the SEC completed a similar study this year.  As a result, the SEC confirmed the need for the external audit and announced it will be required of all companies next year.  The Huffington Post reported that several investor advocate groups as well as a former SEC chairman were outraged by the proposed amendment.  Read more at: <a href="http://www.huffingtonpost.com/2009/10/27/house-democrats-john-adle_n_334876.html" target="_blank_">http://www.huffingtonpost.com/2009/10/27/house-democrats-john-adle_n_334876.html</a></p>
<p><a href="http://www.house.gov/apps/list/speech/financialsvcs_dem/ipa_maloney_garrett_709.315.pdf"><img class="alignnone size-full wp-image-1362" title="maloney" src="http://wheelhouseadvisors.wordpress.com/files/2009/11/carolyn-maloney.jpg" alt="maloney" width="450" height="312" /></a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[How does e-discovery affect your practice?]]></title>
<link>http://1vhc.wordpress.com/2009/10/27/how-does-e-discovery-affect-your-practice/</link>
<pubDate>Wed, 28 Oct 2009 02:40:15 +0000</pubDate>
<dc:creator>vinehall</dc:creator>
<guid>http://1vhc.wordpress.com/2009/10/27/how-does-e-discovery-affect-your-practice/</guid>
<description><![CDATA[According to WhatIs.com the definition of e-discovery is as follows: Electronic discovery (also call]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>According to WhatIs.com the definition of e-discovery is as follows:</p>
<blockquote><p>Electronic discovery (also called e-discovery or ediscovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. E-discovery can be carried out offline on a particular computer or it can be done in a network. Court-ordered or government sanctioned hacking for the purpose of obtaining critical evidence is also a type of e-discovery.</p></blockquote>
<blockquote><p>The nature of digital data makes it extremely well-suited to investigation. For one thing, digital data can be electronically searched with ease, whereas paper documents must be scrutinized manually. Furthermore, digital data is difficult or impossible to completely destroy, particularly if it gets into a network. This is because the data appears on multiple hard drives and because digital files, even if deleted, can be undeleted. In fact, the only reliable way to destroy a computer file is to physically destroy every hard drive where the file has been stored.</p></blockquote>
<blockquote><p>In the process of electronic discovery, data of all types can serve as evidence. This can include text, images, calendar files, databases, spreadsheets, audio files, animation, Web sites and computer programs. Even malware such as viruses, Trojans and spyware can be secured and investigated. Email can be an especially valuable source of evidence in civil or criminal litigation, because people are often less careful in these exchanges than in hard copy correspondence such as written memos and postal letters.</p></blockquote>
<blockquote><p>Computer forensics, also called cyberforensics, is a specialized form of e-discovery in which an investigation is carried out on the contents of the hard drive of a specific computer. After physically isolating the computer, investigators make a digital copy of the hard drive. Then the original computer is locked in a secure facility to maintain its pristine condition. All investigation is done on the digital copy.</p></blockquote>
<blockquote><p>E-discovery is an evolving field that goes far beyond mere technology. It gives rise to multiple legal, constitutional, political, security and personal privacy issues, many of which have yet to be resolved.</p></blockquote>
<p>As a lawyer, you need a place to securely store any e-discovery data. Keeping a copy of files on a DVD or even a tape backup is risky. The evidence must remain encrypted and secure in order to protect your materials. Having two encrypted copies of your e-discovery data, one onsite and one offsite, ensures that you have access to the data WHEN YOU NEED IT. Having a web connection allows you access to your offsite data AT ANY TIME.</p>
<p>Put your backup plan in place. Store your ENCRYPTED data safely so that only you or those you authorize can access the encryption key and store multiple backup copies. Theft, fire, flood or other disasters can destroy your data onsite. Be prepared.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Obscure Cases and Important Principles]]></title>
<link>http://shanereactions.wordpress.com/2009/10/27/obscure-cases-and-important-principles/</link>
<pubDate>Tue, 27 Oct 2009 19:22:55 +0000</pubDate>
<dc:creator>Peter M. Shane</dc:creator>
<guid>http://shanereactions.wordpress.com/2009/10/27/obscure-cases-and-important-principles/</guid>
<description><![CDATA[I am currently participating in on online debate under the auspices of the Federalist Society regard]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>I am currently participating in an online debate under the auspices of the <a href="http://www.federalistsociety.org">Federalist Society</a> regarding a case hardly anyone has heard of that is now before the U.S. Supreme Court.  The case is called <a href="http://pacer.cadc.uscourts.gov/common/opinions/200808/07-5127-1134687.pdf"><em>Free Enterprise Fund v. Public Company Accounting Oversight Board (PCAOB)</em>.  </a>It poses the question whether Congress acted permissibly in structuring the PCAOB.  Its members are (a) appointed by the Securities and Exchange Commission, not by the President, and (b) removable only by the Securities and Exchange Commission – not by the President – and only for good cause.</p>
<p>The Federalist Society has asked its debaters to discuss whether these appointment and removal provisions are unconstitutional.  As my colleague Hal Bruff writes in a forthcoming essay, this is the kind of case only separation of powers cognoscenti typically follow, even though it has the potential – albeit, just slight potential – to revolutionize our separation of powers law.  That is because, if the Court overturns the removal provisions, it may well cast into doubt the great many statutes that create administrative agencies throughout the federal government, such as the Federal Trade Commission and the Federal Communications Commission.  It could instead vindicate so-called Unitary Executive Theory, which I try to refute in <a href="http://www.amazon.com/Madisons-Nightmare-Executive-Threatens-Democracy/dp/0226749398">Madison’s Nightmare.</a></p>
<p>I have reprinted below my opening entry in the debate.  Anyone intrigued can follow the unfolding conversation <a href="http://www.fed-soc.org/debates/">here</a>.  The other invited participants are<strong> </strong><strong>Martin Flaherty</strong><strong>, </strong><strong>Andrew G. McBride</strong><strong>, </strong><strong>Gillian E. Metzger</strong><strong>, </strong><strong>Donna M. Nagy</strong><strong>, </strong><strong>Tuan Samahon</strong><strong>, </strong><strong>Christian G. Vergonis</strong><strong>, </strong>and<strong> </strong><strong>Christian J. Ward</strong><strong>.</strong></p>
<p><strong>* * *</strong></p>
<p><strong>Appointments:</strong> There&#8217;s no real doubt that members of the PCAOB are &#8220;officers of the United States.&#8221; That is, they have duties regarding the implementation of public law that go beyond the tasks Congress could assign to one of its own committees. Hence, its members must be appointed pursuant to the Appointments Clause. And, under the Appointments Clause, they must be appointed by the President with the advice and consent of the Senate, unless they are &#8220;inferior officers,&#8221; in which case they may be appointed by the president alone, by the head of a department, or by a court of law.</p>
<p>This is the PCAOB&#8217;s greatest vulnerability. The members of the PCAOB may well not be &#8220;inferior&#8221; in the constitutional sense. Although members are removable for good cause by the SEC, their jurisdiction is far more wide-ranging than that of the independent counsel upheld in <em>Morrison v. Olson</em>. The Court could leave <em>Morrison</em> and its antecedents intact, and enjoin the enforcement operations of the PCAOB on noninferiority grounds. This is doctrinally the most modest way to overturn the PCAOB, and I predict this will be the result, with hardly any greater implications for separation of powers law.</p>
<p>If PCAOB members are deemed &#8220;inferior,&#8221; then I do not see any other vulnerability on the appointments side. As the Court observed in <em>Morrison</em>, Congress&#8217;s discretion in choosing among the designated modes of appointing inferior officers is not limited by the text. There would not be anything constitutionally anomalous in giving the SEC power to appoint people with expertise in corporate accounting.</p>
<p><strong>Removal:</strong> The more controversial question involves the limitation on direct removals by the President. It is not controversial under <em>Morrison v. Olson</em>. <em>Morrison</em> said that limitations on presidential removal powers are permissible unless they interfere with the President&#8217;s capacity to discharge his constitutionally assigned functions. The President, of course, is constitutionally obligated to take care that the laws be faithfully executed. If a PCAOB member is derelict in this regard, the President must be able to instigate that member&#8217;s discharge. Under Sarbanes-Oxley, he cannot do so directly – which was also true in <em>Morrison v. Olson</em> – but the failure of the SEC to correct any such dereliction would presumably be good cause for the dismissal of any recalcitrant SEC Commissioner. Under <em>Morrison</em>, this holds up.</p>
<p>The rub, of course, is that there may well be five members of the Court who would now like to overrule <em>Morrison</em> – Roberts, Alito, Scalia, and Thomas, almost certainly, and quite possibly, Kennedy, who recused himself in <em>Morrison</em>. Reaching out to limit or reverse <em>Morrison</em>, however, would be a conspicuous piece of judicial immodesty, especially since the PCAOB can be invalidated on the less controversial ground of noninferiority.</p>
<p>I thus predict the Court will not attack <em>Morrison</em> – but this may be wishful thinking on my part because (a) I agree with <em>Morrison</em> and (b) modesty on the Roberts Court is, at best, an occasional virtue.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[The Problem With Belief Based Auditing]]></title>
<link>http://inside-grc.com/2009/10/25/belief-based-auditing-why-fundamental-change-is-resisted/</link>
<pubDate>Sun, 25 Oct 2009 15:52:26 +0000</pubDate>
<dc:creator>brucemccuaig</dc:creator>
<guid>http://inside-grc.com/2009/10/25/belief-based-auditing-why-fundamental-change-is-resisted/</guid>
<description><![CDATA[A few months ago I joined the Board of a non-profit health care organization. We have a budget of ov]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>A few months ago I joined the Board of a non-profit health care organization. We have a budget of over $100 million a year. Like health care organizations everywhere we are fighting rising costs. Like the auditing profession, many of our costs are guided by old, unproven or totally false beliefs. Our organization provides in-home care in order to relieve the pressure on hospitals. We send medical professionals to the homes of recovering patients. One of the common services required is wound care. That involves changing the dressing on patients' wounds, either surgical wounds or in some cases bed sores resulting from being bedridden for long periods.</p>
<p>The standard medical practice for years had been to apply a &#8220;wet&#8221; or medicated dressing and to rip it off and change it every 2 hours. Medical science has proven that this practice actually slows the healing process. Applying dry dressings and changing them less frequently can actually heal the wounds up to 10 times faster. This is not insignificant. Some patients have wounds that are very difficult to heal. Some wounds never heal. Some patients die. I have yet to meet a health care professional in my organization who is not utterly dedicated to and passionate about the services they provide and about healing. They would be appalled if they believed they were causing harm. Good, kind, professional people can be guided by false beliefs.  Yet the change from &#8220;wet&#8221; to dry dressings was difficult to achieve. In fact it was resisted. It is rather common for change to be resisted, even when the change is known and accepted to be beneficial, even when the change is not difficult to make, even when the change involves stopping something rather than adding something.</p>
<p>I believe it is happening to internal auditors today. The fundamental frameworks and practices that guide internal auditors are largely belief based. They are institutionalized. They blind even the best, most proactive progressive practitioners to progress. Much of what we have come to believe is false. Some of our practices perpetuate harm.</p>
<p>Here is my interpretation of why the change in wound care practice was difficult. First consider the patients and their families. They have been trained to expect a change in the wound dressings every two hours and demand it if it is late. The professional standards of the health care professions, to the extent they are written, are slow to change. Job descriptions and service agreements specify the old practices. Stock rooms are managed so that when the &#8220;wet&#8221; dressings run low, they are replenished from the supplier. Procurement has negotiated contracts with the lowest bidders and they have factories and warehouses devoted to keeping the supply chain of wet dressings replenished. Ordering new dry dressings takes time, requires one or more RFP&#8217;s, contracts, additional storage space etc. etc. And life goes on. Or in some cases, in the health care business, it ends.</p>
<p>The most insidious problem though, is not that change is slow. That in itself is bad but is not the worst problem. The worst problem is that institutionalized bad practices, however well intentioned, drive good practices out. Bad practices, especially belief based bad practices, those which do not and never did have any evidence behind them, form an almost impenetrable barrier to progress. Belief based practices are emotionally charged. Facts won&#8217;t change them.</p>
<p>There is very little fact based evidence to support belief that the control based approach adopted by COSO, AS5 and the auditing profession generally has been effective. Every 10 years or so COSO publishes research on the incidence of fraudulent financial reporting. The most recent report, soon to be released, analyzes 347 SEC Accounting and Auditing Enforcement Releases (AAERs) dealing with fraudulent financial reporting in the period. The previous report, covering the 11 year period ending in December 1998 covered 300 AAERs. Incidents of fraudulent financial reporting were up, not down. Clear evidence exists from these and other studies that the roots of fraudulent financial reporting lie in smaller companies and lie at the top of those companies. Sarbanes Oxley and AS5 have been implemented in a way that focuses on larger public companies and largely at a transactional level in those companies. Most frauds are related to senior executive integrity and weak board oversight. Most &#8220;control&#8221; documentation is related to computer controls and such things as segregation of duties at a transactional level. I would call them &#8220;wet dressings&#8221; in the fight for the cure to fraudulent financial reporting and other critical GRC failures.</p>
<p>In a <a href="http://inside-grc.com/2009/10/16/trading-places-what-would-happen-if-the-sec-took-over-air-safety-and-the-faa-began-to-regulate-internal-control-over-financial-reporting/" target="_self">blog post </a>I wrote last week, I made a not so facetious comparison of the stellar safety record of commercial aviation in the US and reporting on internal control over financial reporting. It generated calls and comments from commercial airline pilots. I asked them what they thought was the most important single thing that caused the persistent decline in air safety incidents despite the dramatic increase in aircraft complexity and air traffic generally. Did they attribute air safety to increased inspections and audits by the FAA? Did they claim the increased automation of aircraft made them safer? Was it better aircraft design? None of the above. The factor that came up repeatedly was advances in flight simulation and increased use of flight simulators. In other words, pilots are better trained to deal with flight risks and better trained to control the aircraft in a variety of emergencies.</p>
<p>Who is training Boards, CEOs, senior managers and staff in better risk and control management in business today? Is it happening in business schools? Not that I can see. In my blog I went on to identify several other significant practices in the commercial aviation regulatory framework that are absent or under emphasized in traditional audit based approaches. Among them were standardized incident reporting, performance statistics and root cause analysis. Trends can be analyzed and reported. We can track and monitor airline safety incidents and their root causes. We simply do not track, analyze or do root cause analysis in the world of GRC.</p>
<p>The principles that will vastly improve the track records of GRC failures are well known. Their effectiveness has been proven. They are not difficult to implement. All the required tools, technology and frameworks exist today. I believe the logical group to lead the change is internal audit. I&#8217;d be happy to speak to any auditors, or others for that matter, on what specific things can be done within the IIA Standards to make this happen. I&#8217;ll be expanding on these ideas in an upcoming <a href="http://video.webcasts.com/events/pmny001/viewer/index.jsp?eventid=32679" target="_self">Webcast with Compliance Week</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[SEC Brings First Clawback Action]]></title>
<link>http://cgleaders.wordpress.com/2009/10/20/sec-first-clawback-action/</link>
<pubDate>Tue, 20 Oct 2009 16:38:30 +0000</pubDate>
<dc:creator>santiagochaher</dc:creator>
<guid>http://cgleaders.wordpress.com/2009/10/20/sec-first-clawback-action/</guid>
<description><![CDATA[by Carolyn Moskowitz, for Pom Talk, October 20, 2009. The September/October issue of The Pomerantz M]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p style="margin-top:10px;margin-bottom:10px;text-align:justify;">by Carolyn Moskowitz, for <a title="Pom Talk" href="http://www.pomtalk.com/pomtalk/" target="_blank">Pom Talk</a>, October 20, 2009.</p>
<p style="margin-top:10px;margin-bottom:10px;text-align:justify;">The September/October issue of <em><a title="The Pomerantz Monitor" href="http://www.pomerantzlaw.com/other/pomerantz-monitor.html" target="_blank">The Pomerantz Monitor</a></em> reports on the first “clawback” action brought by the <a title="SEC" href="www.sec.gov/" target="_blank">SEC</a> for violation of Section 304 of the <a title="Sarbanes-Oxley" href="www.sarbanes-oxley.com/" target="_blank">Sarbanes-Oxley</a> Act. Section 304 of SOX provides that if a company is required to restate its financial results because of “misconduct,” the CEO and the CFO “shall reimburse” the company for any bonus or other incentive-based compensation received during the year following the issuance of the erroneous financial statement. This provision was obviously designed to deprive the two principal officers of any benefit they derived from reporting inflated financial results, such as achieving a certain level of earnings or revenues. If those benchmarks were not really achieved, the two chief officers should not keep benefits that they received under false pretenses.</p>
<p style="margin-top:10px;margin-bottom:10px;text-align:justify;">Frustratingly, courts have held that there is no private right of action for shareholders to “claw back” these overpayments. Because companies are typically loath to invoke this remedy and the SEC has done nothing to enforce it, Section 304 has been a right without a remedy. Making matters worse, without any caselaw, no one really knows whether the misconduct that must occur in order to trigger the clawback has to be committed personally by the CEO or CFO&#8230;(<a title="Article" href="http://www.pomtalk.com/" target="_blank">continue reading</a>)</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[SEC Gives One More (and Final) Reporting Extension to Small Public Companies]]></title>
<link>http://bradhhamilton.wordpress.com/2009/10/19/sec-gives-one-more-and-final-reporting-extension-to-small-public-companies/</link>
<pubDate>Mon, 19 Oct 2009 01:08:25 +0000</pubDate>
<dc:creator>Brad Hamilton</dc:creator>
<guid>http://bradhhamilton.wordpress.com/2009/10/19/sec-gives-one-more-and-final-reporting-extension-to-small-public-companies/</guid>
<description><![CDATA[The SEC announced that smaller public companies must begin reporting on effectiveness of internal co]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>The <a title="SEC Extension" href="http://www.sec.gov/news/press/2009/2009-213.htm" target="_blank">SEC announced</a> that smaller public companies must begin reporting on effectiveness of internal controls in 2010.  The SEC has granted several extensions to non-accelerated filers (smaller public companies &#8211; those with less than $75 million public float) for complying with Section 404(b) of Sarbanes-Oxley, which requires auditors to attest to the effectiveness of a public company&#8217;s  design and implementation of accounting controls.  The previous extension gave small public companies until December 15, 2009 to begin reporting, so that the SEC’s Office of Economic Analysis could complete a study of whether additional guidance provided to company managers and auditors in 2007 was effective in reducing the costs of compliance.  However, that study was only recently published and the SEC believed it would be fair to grant additional time for small companies to get up-to-date on the study and guidance.</p>
<p>Small public companies whose fiscal years end on or after June 15, 2010 must include reporting on Sarbanes Section 404(b) compliance.  Although this is the sixth delay on implementation of 404(b) for smaller public companies, the SEC Chairman said that there will be no more extensions.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[[News] Small Public Cos. Need to Comply with SOX 404 in 9 Months]]></title>
<link>http://gdtb.wordpress.com/2009/10/18/news-small-public-cos-need-to-comply-with-sox-404-in-9-months/</link>
<pubDate>Sun, 18 Oct 2009 00:42:30 +0000</pubDate>
<dc:creator>J.L.</dc:creator>
<guid>http://gdtb.wordpress.com/2009/10/18/news-small-public-cos-need-to-comply-with-sox-404-in-9-months/</guid>
<description><![CDATA[Click here for the press release on 10/2/09 issued by SEC. The small public companies (with less tha]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Click <a href="http://www.sec.gov/news/press/2009/2009-213.htm">here</a> for the press release on 10/2/09 issued by SEC. </p>
<p>The small public companies (with less than $75 million market cap) are required to file both the management report (Sarbox 404a) and external auditor&#8217;s report (Sarbox 404b) on internal control for their fiscal years ending on or after June 15, 2010.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[TRADING PLACES: WHAT WOULD HAPPEN IF THE SEC TOOK OVER AIR SAFETY AND THE FAA BEGAN TO REGULATE INTERNAL CONTROL OVER FINANCIAL REPORTING]]></title>
<link>http://inside-grc.com/2009/10/16/trading-places-what-would-happen-if-the-sec-took-over-air-safety-and-the-faa-began-to-regulate-internal-control-over-financial-reporting/</link>
<pubDate>Fri, 16 Oct 2009 17:33:17 +0000</pubDate>
<dc:creator>brucemccuaig</dc:creator>
<guid>http://inside-grc.com/2009/10/16/trading-places-what-would-happen-if-the-sec-took-over-air-safety-and-the-faa-began-to-regulate-internal-control-over-financial-reporting/</guid>
<description><![CDATA[Recently I gave a presentation to a group of risk management professionals. I began my preparation b]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Recently I gave a presentation to a group of risk management professionals. I began my preparation by compiling a slide full of logos of various serious or catastrophic corporate failures. Some of these companies survived. Others are no longer around. It was depressingly easy to put the slide together. In fact I, or anyone else, could probably compile a dozen different versions of a slide illustrating infamous logos of companies who had experienced catastrophic failure in an hour or less. I won&#8217;t bore you with my version. Send me yours if you wish.</p>
<p>The question I asked myself was this: Is catastrophic failure, governance, financial or other, inevitable? Is it just part of the human condition we should learn to accept? Is it present in other complex systems? Are other management systems and regulators more or less effective in preventing catastrophic events?</p>
<p>One startling example was easy to find and document. In spite of dramatic increases in air travel, the size of aircraft, distances flown and vast increases in air traffic and system complexity, air accidents are down. Not just down, but down dramatically. The curve has not been smooth, but where catastrophic governance failure has been persistent and pervasive in growing corporations, airline safety incidents have been consistently declining over time.</p>
<p>I acknowledge the comparison is unfair. Airline safety statistics are readily available on the web.</p>
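<table>
<tr><th>Year</th><th>Major US Accidents</th><th>Millions of Hours Flown</th><th>Accidents per million hours</th></tr>
<tr><td>1989</td><td>8</td><td>11.275</td><td>0.355</td></tr>
<tr><td>2008</td><td>3</td><td>19.351</td><td>0.052</td></tr>
</table>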
<p>I then said to myself, what is different about the regulatory environment between corporations and airlines in the US and elsewhere for that matter?</p>
<p>I am not an expert on airline regulation, but I have a close relationship with someone who has some significant experience in the area. I have a little more background with financial reporting and audit standards. Just to keep things on a higher plane, forgive the pun, I thought it would be interesting to predict what would happen if the SEC and FAA traded places. What would happen if the SEC took over airline and air safety regulation and the SEC applied its regulatory philosophy to air safety? </p>
<p>Here is a summary of what I came up with.</p>
<p>First the FAA:  I predict if they took over corporate financial reporting and PCAOB audit standards, here is a brief summary of what they would immediately require.</p>
<p>FAA would:</p>
<ul>
<li>Demand incident reporting
<ul><li>Near misses, actual accidents etc</li></ul></li>
<li>Demand frequent QA reviews
<ul><li>Pilots must pass &#8220;check flights&#8221; annually</li></ul></li>
<li>Demand specific knowledge and skills of auditors
<ul><li>Test the knowledge and skills of audit and financial annually</li></ul></li>
<li>Demand root cause analysis for incidents
<ul><li>Understand cause of failure and demand process improvements</li></ul></li>
<li>Demand testing before implementing recommendations
<ul><li>New systems, policies etc must get certified before implementation</li></ul></li>
<li>Demand the use of Key Performance Indicators
<ul><li>E.g. refurbished aircraft expected to fly additional 120,000 cycles</li></ul></li>
</ul>
<p>I then began to consider what the SEC would do if they had responsibility for regulating airlines. What tried and true regulatory principles would improve air safety?</p>
<p>I predict the following would be their initial priorities.</p>
<p>SEC would mandate:</p>
<ul>
<li>Aircraft must be COSO certified
<ul><li>Smaller aircraft would get exemption. Safety is too expensive.</li></ul></li>
<li>SAS 70 certificates would be required from aircraft manufacturers
<ul><li>Certificates would be required reading in seat back pockets. Passengers will feel safe.</li></ul></li>
<li>Safety defects would be publicly disclosed if they were “material”
<ul><li>“Materiality” would be decided by the airline</li>
<li>No real sanctions levied for not reporting</li></ul></li>
<li>No requirement for performance standards or incident reporting
<ul><li>Root cause analysis not necessary – better controls are the solution</li></ul></li>
<li>No flight crew certification – on the job training is OK.
<ul><li>Automated controls are far more reliable anyway</li></ul></li>
<li>SEC would take over the largest aircraft
<ul><li>Some planes are just too big to fall.</li></ul></li>
</ul>
<p>I will confess to some frustration. But I would not fly if the SEC regulated the air. I believe there is far more that can be done to make our corporations as safe as the airline industry. I believe catastrophic corporate failures are predictable and can be vastly reduced. I believe the tools, frameworks, technologies are all available right now. It is not entirely the responsibility of regulators. It is primarily the responsibility of practitioners.</p>
<p>I recently read a short paper titled “The Germ Theory of Management” by Myron Tribus. It provides succinct examples of scenarios where managers and professionals in other disciplines resist change. I think it should be required reading for GRC professionals and their regulators. Please let me know what you think. I&#8217;d be happy to hear your comments.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Audit Committees' New Agenda]]></title>
<link>http://saramcintosh.wordpress.com/2009/10/07/audit-committees-new-agenda/</link>
<pubDate>Wed, 07 Oct 2009 22:17:32 +0000</pubDate>
<dc:creator>Sara McIntosh</dc:creator>
<guid>http://saramcintosh.wordpress.com/2009/10/07/audit-committees-new-agenda/</guid>
<description><![CDATA[Congratulations to H. David Sherman, Dennis Carey and Robert Brust for their outstanding June, 2009 ]]></description>
<content:encoded><![CDATA[Congratulations to H. David Sherman, Dennis Carey and Robert Brust for their outstanding June, 2009 ]]></content:encoded>
</item>
<item>
<title><![CDATA[The Sarbanes-Oxley Countdown is Extended for a Final Time]]></title>
<link>http://wheelhouseadvisors.wordpress.com/2009/10/05/the-sarbanes-oxley-countdown-is-extended-for-a-final-time/</link>
<pubDate>Mon, 05 Oct 2009 17:27:47 +0000</pubDate>
<dc:creator>Wheelhouse Advisors</dc:creator>
<guid>http://wheelhouseadvisors.wordpress.com/2009/10/05/the-sarbanes-oxley-countdown-is-extended-for-a-final-time/</guid>
<description><![CDATA[The U.S. Securities and Exchange Commission (&#8220;SEC&#8221;) announced last week that the deadlin]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>The U.S. Securities and Exchange Commission (&#8220;SEC&#8221;) <a title="Final Stage of Section 404 of Sarbanes-Oxley to Begin in June" href="http://sec.gov/news/press/2009/2009-213.htm" target="_blank">announced last week</a> that the deadline for full compliance with Section 404 of the Sarbanes-Oxley Act for small companies has been extended for an additional and final nine months. The primary reason for this final extension is the delayed publication of the formal study on the impact of changes to the compliance requirements made in 2007. Here is the formal release from the SEC.</p>
<blockquote><p>This extension of time will expire beginning with the annual reports of companies with fiscal years ending on or after June 15, 2010. This expiration date previously had been for fiscal years ending on or after Dec. 15, 2009. The extension was granted so that the SEC’s Office of Economic Analysis could complete a study of whether additional guidance provided to company managers and auditors in 2007 was effective in reducing the costs of compliance. Because the study was published less than three months before the December 15 deadline, the Commission determined that additional time is appropriate and reasonable so that small public companies and their auditors can better plan for the required auditor attestation.</p>
<p>“Since there will be no further Commission extensions, it is important for all public companies and their auditors to act with deliberate speed to move toward full Section 404 compliance,” said SEC Chairman Mary L. Schapiro.</p></blockquote>
<p>So, the final clock is ticking.  Does your company need help implementing a cost-effective compliance program?  If so, Wheelhouse Advisors can help.  Visit <a title="Wheelhouse Advisors LLC" href="http://www.wheelhouseadvisors.com" target="_blank">www.WheelhouseAdvisors.com</a> to learn more.</p>
<p><a href="http://www.wheelhouseadvisors.com"><img class="alignnone size-full wp-image-1288" title="countdown" src="http://wheelhouseadvisors.wordpress.com/files/2009/10/countdown.jpg" alt="countdown" width="200" height="200" /></a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[HAS THE SEC THROWN IN THE TOWEL ON SOX FOR SMALLER PUBLIC COMPANIES?]]></title>
<link>http://inside-grc.com/2009/10/02/146/</link>
<pubDate>Fri, 02 Oct 2009 21:24:17 +0000</pubDate>
<dc:creator>brucemccuaig</dc:creator>
<guid>http://inside-grc.com/2009/10/02/146/</guid>
<description><![CDATA[Directors and Senior management of smaller public companies are now the front line of defense for re]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Directors and Senior management of smaller public companies are now the front line of defense for reliable financial reporting. The SEC has stepped aside &#8211; possibly for good.</p>
<p>The SEC announced today (Oct. 2, 2009) that it was further delaying the effective date of SOX 404 (b) for smaller public companies. That requirement called for companies with market capitalization of $75 million or less to have an audit attestation on their internal control over financial reporting. Those companies now must comply for years ending after June 15, 2010. The previous deadline would have required smaller public companies with calendar year ends to file for the calendar year ending December 31, 2009.</p>
<p>The commission made the decision following the release of a study by the agency’s economic analysis unit of the cost of SOX compliance. The decision was intended to allow smaller public companies to more cost effectively comply and to allow their auditors to incorporate the results of the study. Interpretive guidance issued in 2007 was found to have a significant effect on compliance costs for larger companies.</p>
<p>It is reasonable to wonder if, at this point, smaller public companies aren’t shrugging off the prospect of SOX 404 (b) ever coming into effect. In fact, some studies suggest that many smaller public companies are not complying with SOX 404 (a). According to a recent study by Lord and Benoit, nearly 20% of small companies did not comply with 404 (a). In other words, they did not file under 404 (a) or did not report a management ICFR opinion. </p>
<p>It is reasonable to presume that public investors bear significant risk of material weaknesses and restatements from smaller companies. Again, according to Lord and Benoit more than 1/3 of non-accelerated filers reported ineffective ICFR in year 1 of 404 (a). That was twice the rate of ineffective opinions reported by accelerated filers in Year 1 of SOX. </p>
<p>“Since there will be no further extensions, it is important for all public companies and their auditors to act with deliberate speed to move toward full Section 404 compliance,” says SEC Chairman Mary Schapiro.</p>
<p>Will that happen? It hasn’t happened yet. If after all the resources and talent consumed by accelerated filers and their auditors we do not know how to efficiently and effectively document, audit and form an opinion on internal control over financial reporting for smaller public companies, will we ever know? What about those (probably few) smaller companies who took the SEC at its word and used previous extensions to prepare for SOX 404 (b)? Are they being rewarded or punished? </p>
<p>The fact is, we probably already know, and have known for some time, everything that’s necessary for designing, documenting and testing efficient, reliable systems of internal control over financial reporting. Technology has evolved and is readily available. COSO has developed and published guidance for smaller public companies. The PCAOB, in January 2009, published sound guidance for auditors of smaller public companies. COSO has developed guidance on Monitoring, largely in response to accelerated filers’ problems with SOX costs.</p>
<p>Will we be smarter in December 2010 and have more tools, skills, and knowledge or better standards for SOX 404 (b)? That is highly improbable. </p>
<p>If the financial statements of smaller public companies are to become more reliable for investors, their Boards and executives need to take up the challenge. It looks like the SEC has given up.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Wanted: Strategic CFOs. Again. ]]></title>
<link>http://walshal.wordpress.com/2009/09/29/wanted-strategic-cfos-again/</link>
<pubDate>Tue, 29 Sep 2009 20:56:26 +0000</pubDate>
<dc:creator>Al Walsh</dc:creator>
<guid>http://walshal.wordpress.com/2009/09/29/wanted-strategic-cfos-again/</guid>
<description><![CDATA[David McCann and Lori Calabro &#8211; CFO.com | US September 28, 2009 For a position as important as]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><div>
<h3><a href="https://walshal.wordpress.com/index.cfm/l_emailauthor/14442813/c_2984789/9891769">David McCann</a> and <a href="https://walshal.wordpress.com/index.cfm/l_emailauthor/14442813/c_2984789/2984993">Lori Calabro</a> &#8211; CFO.com &#124; US</h3>
<p>September 28, 2009</p>
</div>
<p>For a position as important as CFO, the requirements of the job seem to change with astounding frequency, driven by the macro trends of the moment.</p>
<p>In the first years after Sarbanes-Oxley took effect, many companies wanted finance chiefs with technical accounting skills and backgrounds as controllers. When the credit crisis set in, CFOs with capital-raising skills were suddenly in demand. Now, with hope emerging that an economic recovery is on the way, having the strategic bent to identify and exploit opportunities is coming to the fore. The revolving job description is one of the reasons CFO turnover is so high, although the churn rate has moderated somewhat during the economic downturn.</p>
<p>Those topics, as well as what finance executives should do to enhance their job-search prospects, were up for discussion by a panel of executive recruiters at last week&#8217;s CFO Rising West conference in Las Vegas. Panelists E. Peter McLean, Michele Heid, and Christopher Langhoff lead the financial officers practices at Korn/Ferry International, Heidrick &#38; Struggles, and Russell Reynolds, respectively. An edited version of their question-and-answer session with Lori Calabro, editorial director of CFO Conferences, follows.</p>
<p><a href="http://www.cfo.com/article.cfm/14442813">Go to Article</a></p>
</div>]]></content:encoded>
</item>

</channel>
</rss>
