Thursday, April 21, 2005

SOX too burdensome for small companies?

Back when COSO (Committee of Sponsoring Organizations of the Treadway Commission) was developing its recommendations to reduce fraud in financial reporting, everyone knew that fraud was a problem, but its magnitude had yet to be quantified. COSO goes so far in its 1987 report as to call financial fraud an infrequent occurrence.

To better understand the magnitude of the issue, COSO sponsored an 11-year study to back its beliefs with some raw data. To keep the data relevant, the team focused only on the strongest, clearest-cut cases of fraud in financial reporting. Some surprising findings came out of this study. Of particular interest is the size of the companies that commit financial fraud.


Relative to public registrants, companies committing financial statement fraud were relatively small. The typical size of most of the sample companies ranged well below $100 million in total assets in the year preceding the fraud period. Most companies (78 percent of the sample) were not listed on the New York or American Stock Exchanges.


It has been small and medium-sized companies that have been making the most noise about the burdens imposed by Sarbanes-Oxley compliance. Yet those are exactly the companies most likely to be committing fraud, and to be using the lack of controls as a convenient way to hide unethical activity.


The national stock exchanges and regulators should evaluate the tradeoffs of designing policies that might exempt small companies, given the relatively small size of the companies involved in financial statement fraud. A regulatory focus on companies with market capitalization in excess of $200 million may fail to target companies with greater risk for financial statement fraud activities.


It's concerning when you see a company that doth protest too much. It's startling to hear the CFO of Outback state that SOX compliance is so burdensome that he can't perform day-to-day operations.


  • If SOX compliance is taking up that much of a chief officer's time, the company cannot be running an effective SOX compliance program.

  • The other implication of so much time being required at so senior a level is not that controls are lacking -- those can be remediated without his personal involvement. The suspicion anyone would have is that there are activities which independent professional judgment would find questionable. In this particular case, accounting guidelines were recently modified, but that should not be cause for crisis and departure.

  • If he is leaving with the idea to go to another public company, he's not going to escape SOX compliance.


  • Somewhat less surprising in the COSO report is the finding that in 83% of the cases the CEO and/or the CFO were directly implicated in the fraud. Consistent with that, the companies also had weak or nonexistent audit committees and few outside directors. Frauds were generally not confined to a single reporting period; they continued for two years on average.

One last finding in the report offers a warning to firms that believe they need only do what it takes to "pass the audit." In 56 of the 195 companies in the fraud study, the auditing firm was implicated, either for participating in the fraud or for negligence in failing to uncover it. The goal of SOX should be increased transparency and stronger controls -- doing just enough to get past the auditors is no longer a high enough bar, and the study is explicit evidence that the minimum needed to satisfy the auditors does not significantly reduce the opportunity for fraud in our organizations.

Monday, April 04, 2005

Segregation of duties at the most senior level

I've been noticing increasing discussion of segregation of duties, as companies go further to reduce potential conflicts of interest.

Isn't our goal here increased transparency? Let's not lose sight of the fact that the simplest answer isn't necessarily to create more senior roles, which then have to be very tightly coordinated with one another.

Friday, April 01, 2005

SB1386, and why does my head hurt?

So I'm reading UC Santa Barbara's guidelines for implementing SB1386 (answering the eternal question, "What do SOX compliance people do for fun?"), and I came across this sentence:

For the purpose of this guideline, if a system that houses a data store that contains personal information is accessed by unauthorized means, it can be presumed that the personal information stored there has not been compromised if reasonable technical evaluation and best practices leads to the conclusion that the data store was not compromised.

I just don't know where to begin. Why would you ever fail open? The document further states that, to determine whether the data has been compromised, one should look for evidence of copying, of nefarious intent, or similar factors. The implication is that if I can't find such evidence, the data must not have been compromised. This is such a critical, high-visibility issue -- why would you ever err on the side of not isolating the system?