The Stakes Are High For Your SOx Dollars (And Loonies, Pesos, Euros, Pounds, Yen…)

In their 2004 Annual Report, Manpower, Inc., while touting the growth of their Jefferson Wells subsidiary, had to also point out one significant fact – “We provide services to a wide variety of customers, none of which individually comprise a significant portion of revenue for us as a whole and by segment,except for Jefferson Wells, in which approximately 19% of Jefferson Wells’ revenues (That’s 64.7 million!) for 2004 were generated from providing services to one customer.”

By 2005, that one-client concentration had gone down, perhaps because JWI’s revenues grew slightly, but more likely because their client had started to move away from using them…”except for Jefferson Wells, where approximately 13% (That’s 50.2 million!) of Jefferson Wells’ revenues for 2005 were generated from providing services to one customer.”

By 2006, that specific statement was gone from the Manpower Annual Report. “We provide services to a wide variety of customers, none of which individually comprises a significant portion of revenue for us as a whole or for any segment.” The JWI overall revenue was also down a few percentage points and profitability, already down 35% from 2005, suffered another 4% drop. Clearly, losing their hold on this significant client was taking its toll.

The stakes were also high for the firm that was moving in on their gravy train – PricewaterhouseCoopers. Until 2005, they had no real marquis client in their Chicago Internal Audit Services practice. The size of their practice was also significantly smaller than some of the staffing firms such as Jefferson Wells. With the new National Leader of the Internal Audit practice based in Chicago, (who served double duty as local Advisory Services Leader,) the pressure was on to show that the firm could reap the benefits from Sarbanes-Oxley in the Advisory Services such as Internal Audit and other consulting services as well as in traditional external audit services.

Slow steady pressure at this client by a local PwC Director led to a chance to replace Jefferson Wells in leading the client’s SOx Project Management Office and in supporting this client with large numbers of consultants for their Sarbanes-Oxley initiative. This same Director was the sole promotion to Partner for the National Internal Audit Services practice for PwC this past June, 2007, based on his success in building the relationship with this client.

The stakes are also high for the auditor, Deloitte. Having been auditor of this client for many years, through many ups and downs, including significant financial and corporate governance scandals, getting Sarbanes-Oxley right for this household name was critical.

Unfortunately, a recent article in the Seattle Post-Intelligencer does not paint a very pretty picture of this client nor of any of their advisors. It’s a case study of the backbiting, competitiveness, duplication of effort, ineptitude and waste that has been promoted by the Big 4 in so many companies but that’s being blamed on the law itself instead of on those charged with implementing it.

Computer security faults put Boeing at risk
Failings could leave it open to fraud, theft
For the past three years, The Boeing Co. has failed, in both internal and external audits, to prove it can properly protect its computer systems against manipulation, theft and fraud.

Internal documents and interviews conducted over the past six months detail the angst and turmoil within the auditing and information technology wings of the aerospace giant. They also provide a rare glimpse of how the company that builds the most complex flying machines in the world has been stymied for years by a few obscure paragraphs in the Sarbanes-Oxley Act, the federal law enacted in the wake of the Enron scandal.

It’s a view of the company that stockholders don’t get to see.

Top company executives insist that the company is compliant with Sarbanes-Oxley and that its financial information is sound. But they acknowledged, in response to Seattle P-I inquiries, that the failings forced Boeing to scramble at the end of each year to assure that its financial information had not been affected…

The continuing effort to fix the problem has cost millions of dollars. Boeing has had a full-time staff of dozens and, at times, up to 65 consultants charging from $115 to $500 per hour, engaged in testing the systems that affect financial reporting to prove it can lock its computer doors.

Boeing and its external auditors have rated the company’s inability to patch database and software development security holes as a “significant deficiency” with the computer infrastructure since 2004 — the first year it had to comply with the 2002 law. The failure has been deemed serious enough that for three years in a row, finance teams have spent the last 45 days of each year testing whether financial numbers are correct. Director of Financial Compliance Michael Zanoni said the “massive” effort in each case reassured the company that stockholders’ assets were safe.

The company says it is making progress.

“We are well ahead of schedule in our testing this year. We’re seeing significant improvement and are confident we will be able to close any outstanding issues later this year,” said Anne Eisele, Boeing director of finance communications.

Problems persist. Interviews and about 5,000 internal documents examined by the P-I show in detail the struggles created for Boeing — and perhaps for many corporations — by the post-Enron, Sarbanes-Oxley requirements, often referred to as “SOx.”

Among the problems the P-I found:

-Boeing’s internal audit findings were so poor — meaning that so many computer system controls were failing or evidence was missing — that external auditor Deloitte & Touche decided not to rely on the results for three consecutive years.

-Boeing exposed sensitive information about computer systems’ holes to employees who did not need access to all of the data, according to e-mails and interviews.

-An internal complaint was filed with the company’s ethics board that audit results had been manipulated. The company decided last September that the allegation was unsubstantiated.

-Some employees involved in the compliance process perceived a threatening culture. A late 2006 internal report said that employees felt they were being told that their jobs and salaries were “on the line,” and they were being pressured to produce evidence for audits “ahead of events occurring normally.”…

The employee described the first two years as “pure hell” for the information technology staff. Colleagues agreed. Even auditors were unhappy, leading to infighting last year between consultants at PricewaterhouseCoopers and Jefferson Wells — the two firms contracted to help Boeing with internal audits.
By the time 2006 arrived, Boeing was eager to eliminate its significant deficiency. But it didn’t.

In testing its computer controls, the company missed most of its important internal benchmarks last year, for the third year in a row, documents show. Auditor Deloitte decided it would do its own tests to come to its own conclusion about control effectiveness and decide whether to “close” the significant deficiency.

The result wasn’t good. An internal briefing document stated the company’s information technology division “has not demonstrated a robust control environment.”

In late 2006, Chief Financial Officer James Bell sent an e-mail to employees on the compliance effort telling them that “this performance is unacceptable.”

Chief Information Officer Scott Griffin, who led the information technology division through the Sarbanes-Oxley compliance effort, retired at age 52 on July 1. He declined to comment on the problems.

In its official response to the P-I, Boeing said that what matters most in Sarbanes-Oxley compliance is where the company stands at year’s end, and that “while a project may have internal ‘benchmarks’ or schedules designed to organize efforts, there is no direct correlation between meeting internal schedule milestones and classification of deficiency or weakness as of the closing date.”
Boeing officials say they are confident that its problems with general computer controls will be solved soon and they are happy with their progress, despite the inability for three years to resolve it.
“For the complexity of the stuff we do and the number of things we look at, it’s a strong system of internal control,” McGee said. “We’re working to try to optimize it.”

He firmly denied that the company has manipulated any results of its internal audits, as some employees have charged.
“Absolutely not,” he said. “I honestly believe there’s no fraud on this. Nothing.”…

“Having them at the moment is a bit of a surprise, to be honest with you,” said Christopher Fox, a technology audit consultant who has co-written industry guidelines on the topic. “How did they get into this situation? I don’t know. I’m surprised they’re in it, this many years in.”…

Senior managers said that compliance was always a top priority. But junior managers said they didn’t have enough resources. Auditors said that the information technology department was too resistant to change. IT workers said that auditors kept changing their minds about what they wanted and were too eager to fail controls.

Meanwhile, the experts at Jefferson Wells and PricewaterhouseCoopers spent hours — billed to Boeing — disputing each other’s findings.
“I’m sick of all this and I will be retiring as soon as I can process the paperwork,” wrote Michael DuPas, an IT worker, in a June 2006 message to managers and directors. “None of the core team, (corporate audit), or Deloitte folks view anything the same so everything is a nightmare of explanations, discussions. That is why SOx is failing in Boeing.”…

This year, Boeing has overhauled its strategy so that it focuses more on potential risks. It is relying on the work of 33 auditors from Pricewaterhouse, 10 Boeing auditors and one from Jefferson Wells, though numbers fluctuate…”

2 replies

Trackbacks & Pingbacks

  1. […] The auditors have taken the most advantage of the formalization, under the force of law, of what companies should have been doing all along and what good, well run companies have done as a matter of course. It’s also the standards auditors should have been auditing against all along… […]

  2. […] wrote a follow-up to a recent article in the Seattle Post-Intelligencer on Boeing’s experiences with […]

Comments are closed.