The Dark Side of Compliance
- 15 June, 2006 11:32
It's all very well for politicians panicking about corporate misbehaviour to insist businesses play by their rules. But when compliance becomes a nightmare of red tape and murky metrics, or looks to overwhelm the smooth running of the business, some organizations are going to opt for evasion.
Mountains of orders, internal and external, threaten to bury today's corporations, turning compliance into a corporate obsession. Some savvy companies have learnt how to divert those rivers of ink to their own good ends by turning the "sunk cost" of compliance into real business advantage. But for others, red tape is a noose around the neck of fresh initiatives.
Ensuring compliance can be tough. It means adopting policies that might probe - at least tangentially - into every corner of the organization and colour every activity and process, all without losing focus on the true mission of the business. And it means proving it: you are not compliant until you can display that compliance to the satisfaction of company auditors, government agencies and regulatory bodies.
The result, not surprisingly, is that some organizations look at what it takes to be compliant and, dismayed, they hunt for alternatives. To some of these organizations, delisting takes on new appeal. Others try to slip under the radar by adopting a "See No Evil" approach to compliance audits. In these organizations, the weight of compliance obligations is threatening to erode the foundations of security in the enterprise.
Don't Ask, Don't Tell
The Sarbanes-Oxley Act, BASEL II and HIPAA might have been intended to improve governance and security and usher in a new era of formal reporting, but at some companies the effect seems to have been the opposite. When it comes to security - in particular, control assessments - the system is breaking down.
Recently several information security professionals have approached CSO claiming some of their clients are now specifically asking NOT to be told about any weaknesses in their control capabilities. And while "controls" is a general term that can encompass everything from digital security measures like firewalls and event monitoring to physical security measures like a lock on a door, that's just the tip of a larger iceberg, they say.
Neal Wise, a director with Melbourne-based security service provider Assurance.com.au, says in his direct experience, some organizations subject to Sarbox or other legislative requirements are adopting a superficially attractive, but finally self-defeating, "Don't Ask, Don't Tell" attitude to compliance.
"They're asking us to not inform them of the capability of technology to provide security event information," Wise says. "They have technology deployed that has the ability to detect misuse, and under Sarbanes-Oxley they are supposed to gather that information together periodically and report on exceptions to the controls in place. We have had situations where we have had clients who have asked us not to configure the technology to provide that information back to a central point because then they would have to report on it.
"They would prefer to not know about issues that occur and they would prefer to not know the capability of the technology that they have to report issues, just because it would create work for them in reporting to meet their Sarbanes-Oxley compliance requirement."
And that, says Wise, is incredibly dangerous. Put aside for a moment the question of their liability for avoiding their compliance obligations. Wise says organizations that adopt a "See No Evil" stance are in danger of blinding themselves to serious threats.
"My concern is that because there are so many different requirements for some of these organizations to meet, there is an attempt to try to put too many things in the one basket. They either try to meet all of their obligations by shortcutting, or by being wilfully unaware of some of the events that create some of the reporting requirements."
Deliberately making the organization blind to attacks against the network infrastructure because of a reluctance to record the events makes the organization incredibly vulnerable, Wise says.
"The reality is that issues could be occurring, their security could be breached, and they wouldn't know about it because they don't want to report on attempts."
Even its firmest supporters would admit it's difficult to gauge the extent of the compliance problem, not least because of the reflexive secrecy that typically surrounds security and compliance issues. Security expert Bruce Schneier, president of Minneapolis-based Counterpane Systems and author of Beyond Fear: Thinking Sensibly about Security in an Uncertain World, is another who has heard suggestions of organizations adopting this attitude, much to the detriment of security. And he points to other ways that an overemphasis on compliance can severely damage security efforts.
"The point of compliance is to improve security. It does this by raising the cost of bad security: in this case, being out of compliance. Companies are willing to spend more money on security, because they don't want to fail an audit. So instead of companies wanting to improve security, they want to do better at audits. This means they spend money on audit preparation instead of security, and they figure out ways to look better in audits. And sometimes that means deliberately not collecting data, out of fear the paper trail will make them look bad.
"This is backwards thinking. Just because you're not looking at something doesn't mean that it's not there. Security is always improved by auditing," he says.
On the other hand University of Illinois Law Professor Larry E Ribstein, a scholar in the areas of corporate and securities law, says he has seen no sign of organizations adopting a "don't ask, don't tell" policy on compliance. He also notes SOX 404 imposes a strong duty to know that would "cut against this sort of conduct". But then for Ribstein, the real problems with compliance lie elsewhere.
Enron, MCI, HIH, OneTel and Andersen may all be history, but as head of information security specialist ICT Risk Mark Ames notes, their failures and malfeasance are driving the future of every corporation and government instrumentality in the world. The Australian government may be less eager than our American cousins to legislate good corporate behaviour, but the pressure is on from ASIC, ASX, APRA, and CLERP 9, (not to mention Basel II for the banks). Even so, under the harshest rules of the Australian business regulatory regime, rogues are at worst likely to suffer public shame and have Board seats, retirement and super benefits stripped away.
But then there's Sarbox. Under Sarbanes-Oxley, any misrepresentation to the US Securities and Exchange Commission (SEC) - even in error - could lead to hefty fines or imprisonment. Section 404 of Sarbanes-Oxley holds the CEO and CFO personally responsible for "establishing and maintaining an adequate internal control structure" - including IT controls - and requires them to sign off on the effectiveness of the control structure.
"The NAB has already been fined for breaches of Sarbanes-Oxley, and it has nothing to do with trading irregularities, though arguably if the NAB had the corporate governance components of Sarbanes-Oxley in place, the trading irregularities would have been caught in the course of normal management reviews and there would have a lot fewer juicy headlines in the business sections of the papers over the past several months," Ames notes.
NAB got caught out on audit impartiality, a sore point in the US after the Andersen-Enron affair. And Ames describes the offence as trivial: NAB's external auditor had provided a credit assessor to one of the bank's US offices through its professional services division. Yet any Australian company that operates US subsidiaries or raises funds on US debt or equity markets, or has a significant shareholding by US citizens is, or could be, subject to Sarbanes-Oxley.
Introduced in what Ribstein describes as a post-Enron "Code Red regulatory panic", Sarbox has been controversial since its inception. While opinion is divided about its worth, Ribstein calls it a "colossal failure, poorly conceived and hastily enacted".
According to the IT Compliance Institute, the most crucial parts of SOX for IT revolve around sections 302 and 404, which require organizations to disclose both their internal financial reporting controls and an assessment of the effectiveness of those controls. In recent years it has been hard to find a chief executive of a public company who does not complain vehemently about the burdens imposed by the dreaded SOX, The Economist recently noted. Indeed, rather than diminish as the initial shock wore off, the complaints have only got louder.
"The SOX-bashers have been joined by such luminaries as Alan Greenspan, the former head of the Federal Reserve and Bob Greifeld, the boss of the NASDAQ stock market. And the critics are not just American. Because of SOX, says Mr Greifeld, 'international business clearly perceives a 'problem' with US markets today'," The Economist says.
Litigation Time Bomb
Everyone now concedes that the direct compliance costs of Sarbox have been much greater than anticipated. While that alone should give any serious policy analyst pause, Sarbox defenders argue that Sarbox was worth it. Ribstein and economist Henry Butler of Chapman University vehemently disagree.
In a recent paper draft paper entitled "The Sarbanes-Oxley Debacle: What We've Learned; How to Fix It", the authors argue the costs of implementing SOX are far higher than expected. Not only are the direct costs substantial, they say (approximately $6 billion per year for US firms alone), they are only the tip of the iceberg. Even more of a burden are the indirect costs, including "diverting executives' attention from the hard work of maximizing shareholder value, distorting executives' and directors' incentives and investment decisions, criminalizing corporate agency costs and mistakes, reducing access to capital markets by the entrepreneurs our markets depend on, and crippling the dynamic federalism that has created the best corporate governance structure in the world".
Worse, Ribstein and Butler claim that managers have become more reluctant to take risks because of the new "climate of fear" in the boardroom, and Sarbox has led to missed opportunities of forgone investment. And perhaps reinforcing the instincts of some organizations to adopt a "don't ask, don't tell" stance, they point out a further source of indirect costs which has largely been ignored: its impact on litigation.
"SOX gives litigators the benefit of 20/20 hindsight to identify minor or technical reporting mistakes as the basis for lawsuits against corporations, officers and directors," they note. "While the first major market correction will be painful for investors, SOX will surely turn it into a festival for trial lawyers. Such litigation on this scale should not be confused with shareholder protection. SOX has created a ticking litigation time bomb."
Butler and Ribstein would ideally like SOX to be repealed. Failing that, they point to several changes could greatly reduce the burden, like an amendment to prohibit private lawsuits, thereby defusing the litigation time bomb, and another to exempt dual listed securities of foreign corporations.
In the meantime, it seems Australian companies may be hearing that ticking clearer than most. A recent survey by Serena Software found local companies had been slow in implementing IT corporate compliance. The survey of 100 Australian CIOs from medium and large sized companies found while 90 percent of companies agreed that there were business benefits in implementing compliance initiatives, only 35 percent already had plans in place.
"Australian CIOs face a dilemma," independent adviser on corporate governance of ICT Mark Toomey commented in announcing the results. "The survey confirms that too many CIOs lack support from their business colleagues. Yet they know that maximizing the beneficial impact of investing in IT compliance programs depends on alignment of business and technology change, in which the business leaders have a critical role."
And a recent Accenture survey of more than 300 companies with revenues of $1 billion or more revealed that senior executives' perception of the cost of complying with the Sarbanes-Oxley Act of 2002 was often substantially higher than the actual outlay. Indeed, although the survey respondents - information technology and finance managers from a broad range of industries - believed that their companies spend on average nearly seven percent of revenues on Sarbanes-Oxley compliance, the real cost ranges from one to three percent.
Overestimating a cost to this extent can lead companies to cut back on important market-facing initiatives or value-creating IT expenditures, Accenture notes. They may not invest in bringing a new product to market, for example, or in the technology required to launch a new capability. Or management might delay the development of necessary capabilities like sales force automation that could help improve the company's ability to penetrate customer accounts. Those decisions, of course, ultimately have an effect on the bottom line.
Even so, executives broadly agreed the legislation will deliver multiple benefits by strengthening corporate governance and financial controls. In addition, the survey found that Sarbanes-Oxley has created unprecedented levels of cooperation between finance and IT executives.
The survey also found that IT managers and finance managers have divergent opinions on the effectiveness of their company's compliance efforts. For example, while 56 percent of IT managers consider their company's technology tools for Sarbanes-Oxley reporting to be extremely effective or very effective, that view is shared by only a third of finance managers.
This gap can be troublesome. When IT departments believe they are fulfilling their compliance duties but finance departments are not getting the reports and data they need, Accenture claims, the disconnect will inhibit compliance - and make compliance efforts more expensive than they need to be.
Corporate Paper Shuffling
When it comes to furthering that disconnect, Ribstein takes particular aim at Section 404, the so-called "internal controls" provision. SOX defenders argue its significant direct costs are worth the deterrence that internal controls reporting and certification provide against fraud, but Ribstein and his co-author Butler fear it just makes it harder to justify the significant long-term effects that internal controls reporting has on business.
"First, modern firms, unlike the small shops of the early 19th century, rely on specialization of functions, automation, delegation of authority, and complex hierarchies. Managers have to be able to trust their subordinates. SOX raises a serious question about whether this sort of trust is inconsistent with the need to have adequate 'controls'. Thus, SOX will surely provoke redundancies that detract from bureaucratic efficiency," they argue.
"Second, SOX clearly penalizes change and innovation. Any upgrades, new software, or acquisitions would have to be evaluated as 'significant changes in internal controls or in other factors that could significantly affect internal controls'. The safer course, when in doubt, is to do nothing."
And Ribstein and Butler point out that SOX increases monitoring duties of executives by requiring them to certify reports and internal controls. This forces corporate executives to immerse themselves in the minutiae of their firms, which may not be an efficient use of valuable managerial resources.
Worse, they say, imposing litigation risk on individual managers is likely to cause them to insist on precautions and paperwork that diversified shareholders would find excessively costly. And they believe the litigation risk inherent in the certification requirements may contribute to excessive timidity in corporate management. With potentially billions of dollars in liability at stake, the most profitable corporations subject to SOX will be the ones whose executives are well-trained to anticipate litigation difficulties, rather than business issues.
Further, SOX imposes complex new record-keeping obligations on corporations. "On the one hand, they have to document everything they do, creating a paper trail of explanations, Butler and Ribstein write. "On the other hand, if there is a fraud and an investigation, some email or other document that was innocuous at the time it was created might be crucial evidence for the plaintiff if, in hindsight, it indicated a problem that should have been pursued. SOX will necessitate the development of a new field of expertise in corporate paper-shuffling."
Dark Side vs Shining Light
To be fair, compliance - even with Sarbox - need not necessarily be a doom and gloom affair. On the plus side, Accenture's Outlook Journal reported in January that new research indicates SOX has created unprecedented levels of cooperation between finance and IT executives. It also points out that companies whose business and technology managements are aligned with respect to investment consistently deliver higher operating performance and return to shareholders.
Roy Brown, a Sarbanes Oxley compliance manager and officer with US-based RSA Security, says an organization's compliance processes will only succeed if backed by strong top-down leadership. For a company to achieve a strong entity control environment, Brown insists the CEO and CFO must set the tone by influencing the control consciousness of the people. That means endorsing, promoting and fostering compliance as the means to achieving business process improvements, security improvements and system improvements, such as more automated controls (preventive), business continuity planning, disaster recovery planning and so on.
"This is the foundation for all other compliance components that provide discipline, understanding and structure to an organization. When an organization or company consistently demonstrates these characteristics and they are embedded throughout it, the 'Dark Side of Compliance' becomes the 'Shining Light of Compliance'," Brown says.
SIDEBAR: Compliance at a CostAt Westpac, compliance obligations are all about business benefits
Theo Nassiokas, head of information security, strategy and governance, at the Westpac Banking Corporation, says compliance always comes at a cost. And if organizations have to invest in projects in order to achieve compliance, Nassiokas doesn't think that is necessarily a bad thing.
Nassiokas, who has worked at three of the four big banks, says compliance is inevitably a secondary objective of such projects. "The primary objectives are around business improvements, process improvements, speed to market, all of those sorts of things. So here at Westpac we always have a very positive view when it comes to doing this sort of stuff. We find we get to meet our obligations while also making our business better," he says.
The secret, Nassiokas claims, is never to approach compliance as a mere checklist but instead to consider the reasons that the requirement exists. "Ask yourself: what is it really trying to do? And how can I use this to help sustain any competitive advantage that I have?" he says.
"Most organizations don't change unless they have near death experiences, or they are threatened by their regulator. That's a very reactive approach," Nassiokas says.
"If you take a proactive approach, and try to work out where the regulator is coming from and how you can use this to help sustain your competitive advantage, you're then starting to talk about a situation where the projects are actually benefiting the business and adding trust," he says.