Enterprise Initiatives

Companies map many routes to compliance

Tue, 06 May 2008 06:59:59 -0400

When it comes to Sarbanes-Oxley compliance, no master template has emerged in the corporate world. A Compliance Week survey has found that companies still take a number of approaches, which strikes me as a good thing and a bad thing. Consider "ownership." Just over 30 percent of those who "own" compliance issues are compliance officers; 17.3 percent are financial executives-controllers, internal audit executives, even CFOs; and less than 13 percent are general counsel or lower on the legal ladder. Large companies tend to have a chief compliance officer. The good in all of this is that companies see the need to customize a compliance program to their specific situation. The bad news is that industry standard and "best practices" may be a bit harder to discern, which spells opportunities for the consultants.

For more:
- here's a recap of the survey

Sign of times: Chief Risk Officers in demand

Tue, 06 May 2008 06:59:59 -0400

Not too long ago, we were talking about companies installing more chief compliance officers. Now, more companies are considering adding chief risk officers, especially in financial services, notes Financial Week. Many just follow in the footsteps of UBS and set up risk committees. One issue is whether this movement will work against compliance objectives or for them. You could argue that they are distinct disciplines, but that they also are related in practice. Some audit committees, for example, took on risk responsibility, fairly or not. And the rise of GRC software serves to encourage people to think in terms of integrated solutions. You also could argue that manic focus on Sarbanes-Oxley really made it hard for executives to focus on risks. Still, it remains to be seen whether the risk movement will work out. At some places, it may be board PR.

For more:
- here's an article from Financial Week

Time to rethink your data retention policies

Tue, 01 Apr 2008 07:59:59 -0400

Data retention is an issue at the forefront of everybody's minds right now. Sarbanes-Oxley has a seven-year requirement. Gramm-Leach-Bliley, HIPAA and the new PCI requirements all require data retention in some form. In any case you need a policy. Some tips from practitioners: Understand your industry and the specific requirements; get a grip on email and instant messages and other communications; and consider automated solutions. Electronic content management systems seem like a luxury for a lot of companies, especially nonaccelerated or nonfilers. But you would be wise to consider the savings against the cost. It would be more wise to invest now rather than suffer later.

For more:
- here's an article from Business Review

Related Articles:
Corralling data retention may require major steps. Article
Is your reference data in shape? Article

Case study: Kodak and centralized contracts

Tue, 25 Mar 2008 07:59:59 -0400

Contract management is an issue easily overlooked. Who really cares if old contracts sit on the network? Well, your auditors will, at some point, take a look; we presume they are doing their job. At Eastman Kodak, the auditors told executives that old contracts threatened to undermine its Sarbanes-Oxley efforts. They ended up overhauling the process. Along the way, they realized the advantages of automation beyond compliance. They ended up with a centralized system with lots of meta-data, an audit trail, and a consistent approach to creating and managing all contracts.

For more,
- here's the Purchasing.com article

Profile: RoseRyan finds a niche

Tue, 29 Jan 2008 06:59:59 -0500

We've all heard about the incredible hiring frenzy underway at the Big Four, the soaring pay for audit talent, and Sarbanes Oxley as the "No auditor left behind act." There's a lot of opportunity out there. And the founders of RoseRyan, with 125 professionals, have found a lucrative niche to exploit--on their terms. They basically act as the consultant that get clients ready for audits; they are not auditors themselves. They have found a growing clientele that often retains them for audit--and Sarbanes Oxley--related advice after the audit is over. And they like being able to dictate their terms and work style. For them, it's all about life-work balance. Many of you will find this inspirational.

For more:
- here's a profile from MarinIJ.com

When execs post on the Internet...

Tue, 07 Aug 2007 06:59:59 -0400

Overstock.com CEO Patrick Byrne has been caught posting anonymously on an Internet chat group while he was conducting a conference call with analysts. This from erstwhile former Business Week editor Gary Weiss's blog. One might call this impressive multi-tasking, but it speaks to an issue that is cropping up more and more: executives posting anonymously on the Net. Whole Foods CEO John Mackey ended up in an embarrassing situation for posting about competitors. This is something that may strictly fall beyond the bounds of Sarbanes-Oxley, which is concerned primarily with financial integrity. But it raises the larger issue of ethics. How do you know what certain employees are saying anonymously and for that matter what kinds of information they are handing out. At the highest levels, this could well be a Reg FD issue. You may want to think about policies that govern Net posts, especially by people with access to material nonpublic information.

Case Study: NorthWestern Corp. and ERP

Tue, 31 Jul 2007 06:59:59 -0400

To hear Richard Fresia tell it, he was the man brought in to straighten out some thorny systems problems, only to end up charged with wrong-doing by the SEC. This is a cautionary tale with lots of messages about the need for rock solid systems that leave no doubt about Sarbanes-Oxley compliance. According to CFO.com, Fresia was grappling with a failed billing and accounting system that led to a lot of problems with receivables. The company eventually was forced to take a large write off but only after issuing bonds to investors. Fresia says he did everything right. He sent emails about the problems. He pressed executives for disclosure of the problems. But in the end he was charged. You do not want this to happen to you--but you could see how it could. There may be more to the story. But in this environment, the best answer is not to let your systems get to this point. Why play with fire.

For more:
- here's the article

Case study: Replacing tape

Mon, 02 Jul 2007 20:01:39 -0400

CitiStreet, a unit of State Street and Citigroup, has taken the plunge--the same one many companies are pondering. Pressured by compliance needs and escalating costs, it moved away from a tape-only system of data storage. It scrapped its physical tape backup system and replaced it with two Sepaton S2100-ES2 virtual tape library appliances. The result: the time needed to back up 700 gigs of data was cut from 24 to 30 hours to 4 hours. Plus, the firm no longer has to physically handle tapes or ship them. "We don't want our name on the front page of the Wall Street Journal,'' one executive was quoted. CitiStreet does continue to use tape drives for long-term archiving functions, however. There is a view that tape systems are obsolete. But the transition could be tough. Obviously, you want to plan carefully. At a minimum, you need to know how much longer your system can last and things like whether you are asking interns to deliver sensitive information.

For more:
- here's a profile from TechWorld
- data storage: disks or tapes? Commentary

Audit committees evolve, more focus on IT

Mon, 25 Jun 2007 20:01:39 -0400

It's not surprising that the top two priorities of audit committees are 404 compliance and oversight of earnings estimates and accounting. This from the 2006-2007 Public Company Audit Committee Member Survey from KPMG and the National Association of Corporate Directors (NACD). But audit committees are starting to evolve in significant ways. Information technology issues have become a big focus, in particular IT-related risk. Only 15 percent of the 282 audit committee members who participated in the survey were "very satisfied" with their oversight. About 20 percent said their company needed to improve. More than 90 percent felt that the committee needed to spend more time on IT risk issues. Unfortunately, while members acknowledge that the issue is paramount, they do appear to be spending the necessary time exploring these issues. Part of this is cultural, the financial side has traditionally never quite felt comfortable with the IT side. Still, forward-looking boards will find ways to ease the cultural rifts. Perhaps the CIO or CTO or chief compliance officer ought to be a part of meetings.

- here's the survey results

Sarbox making companies wimps?

Mon, 25 Jun 2007 20:01:39 -0400

What happened to the swashbuckling, risk-taking attitudes that defined American business for so long? One new study suggests that Sarbanes-Oxley is helping turn more companies into wimps: afraid of risk; more intent on saving up for rainy days; pandering to shareholders. Kenneth Lehn, of the University of Pittsburgh's Katz Graduate School of Business, has studied 4,000 U.S. companies and has concluded that companies complying with Sarbanes-Oxley have "significantly" reduced their investment in research and development while boosting their cash holdings compared with companies in the United Kingdom. Of course Sarbox is not the only reason. A critical reason might be the notion that stock buybacks work. Shareholder imperatives are forcing CEOs to investment in themselves, so to speak, and leave the frontier to startups and entrepreneurs.

- here's an article from the National Underwriter