The Stakes Are High For Your SOx Dollars (And Loonies, Pesos, Euros, Pounds, Yen…)

It’s a view of the company that stockholders don’t get to see.

Top company executives insist that the company is compliant with Sarbanes-Oxley and that its financial information is sound. But they acknowledged, in response to Seattle P-I inquiries, that the failings forced Boeing to scramble at the end of each year to assure that its financial information had not been affected…

The continuing effort to fix the problem has cost millions of dollars. Boeing has had a full-time staff of dozens and, at times, up to 65 consultants charging from $115 to $500 per hour, engaged in testing the systems that affect financial reporting to prove it can lock its computer doors.

Boeing and its external auditors have rated the company’s inability to patch database and software development security holes as a “significant deficiency” with the computer infrastructure since 2004 — the first year it had to comply with the 2002 law. The failure has been deemed serious enough that for three years in a row, finance teams have spent the last 45 days of each year testing whether financial numbers are correct. Director of Financial Compliance Michael Zanoni said the “massive” effort in each case reassured the company that stockholders’ assets were safe.

The company says it is making progress.

“We are well ahead of schedule in our testing this year. We’re seeing significant improvement and are confident we will be able to close any outstanding issues later this year,” said Anne Eisele, Boeing director of finance communications.

Problems persist. Interviews and about 5,000 internal documents examined by the P-I show in detail the struggles created for Boeing — and perhaps for many corporations — by the post-Enron, Sarbanes-Oxley requirements, often referred to as “SOx.”

Among the problems the P-I found:

-Boeing’s internal audit findings were so poor — meaning that so many computer system controls were failing or evidence was missing — that external auditor Deloitte & Touche decided not to rely on the results for three consecutive years.

-Boeing exposed sensitive information about computer systems’ holes to employees who did not need access to all of the data, according to e-mails and interviews.

-An internal complaint was filed with the company’s ethics board that audit results had been manipulated. The company decided last September that the allegation was unsubstantiated.

-Some employees involved in the compliance process perceived a threatening culture. A late 2006 internal report said that employees felt they were being told that their jobs and salaries were “on the line,” and they were being pressured to produce evidence for audits “ahead of events occurring normally.”…

The employee described the first two years as “pure hell” for the information technology staff. Colleagues agreed. Even auditors were unhappy, leading to infighting last year between consultants at PricewaterhouseCoopers and Jefferson Wells — the two firms contracted to help Boeing with internal audits.
By the time 2006 arrived, Boeing was eager to eliminate its significant deficiency. But it didn’t.

In testing its computer controls, the company missed most of its important internal benchmarks last year, for the third year in a row, documents show. Auditor Deloitte decided it would do its own tests to come to its own conclusion about control effectiveness and decide whether to “close” the significant deficiency.

The result wasn’t good. An internal briefing document stated the company’s information technology division “has not demonstrated a robust control environment.”

In late 2006, Chief Financial Officer James Bell sent an e-mail to employees on the compliance effort telling them that “this performance is unacceptable.”

Chief Information Officer Scott Griffin, who led the information technology division through the Sarbanes-Oxley compliance effort, retired at age 52 on July 1. He declined to comment on the problems.

In its official response to the P-I, Boeing said that what matters most in Sarbanes-Oxley compliance is where the company stands at year’s end, and that “while a project may have internal ‘benchmarks’ or schedules designed to organize efforts, there is no direct correlation between meeting internal schedule milestones and classification of deficiency or weakness as of the closing date.”
Boeing officials say they are confident that its problems with general computer controls will be solved soon and they are happy with their progress, despite the inability for three years to resolve it.
“For the complexity of the stuff we do and the number of things we look at, it’s a strong system of internal control,” McGee said. “We’re working to try to optimize it.”

He firmly denied that the company has manipulated any results of its internal audits, as some employees have charged.
“Absolutely not,” he said. “I honestly believe there’s no fraud on this. Nothing.”…

“Having them at the moment is a bit of a surprise, to be honest with you,” said Christopher Fox, a technology audit consultant who has co-written industry guidelines on the topic. “How did they get into this situation? I don’t know. I’m surprised they’re in it, this many years in.”…

Senior managers said that compliance was always a top priority. But junior managers said they didn’t have enough resources. Auditors said that the information technology department was too resistant to change. IT workers said that auditors kept changing their minds about what they wanted and were too eager to fail controls.

Meanwhile, the experts at Jefferson Wells and PricewaterhouseCoopers spent hours — billed to Boeing — disputing each other’s findings.
“I’m sick of all this and I will be retiring as soon as I can process the paperwork,” wrote Michael DuPas, an IT worker, in a June 2006 message to managers and directors. “None of the core team, (corporate audit), or Deloitte folks view anything the same so everything is a nightmare of explanations, discussions. That is why SOx is failing in Boeing.”…