FLAWLESS
COMPLIANCE

John Weathington, Compliance Consultant

Flawless Compliance (tm): A free monthly newsletter on today's compliance issues, ideas, and solutions, based on the consulting work done by John Weathington for Excellent Management Systems, Inc.

This and back issues of this newsletter are archived for free viewing at http://www.excellentmanagementsystems.com.

Copyright 2008 John Weathington. All Rights Reserved.

March 2008

Inside This Issue:

  • What in the World? Sheriff Obama is Gunnin' for Bush: Who is Auditing the United States?
  • Center Stage: Where's the Control on Auditing Standard 5? What happens when the dog guards the dog food?
  • Hello Rubber, Meet the Road: Compliance Tips for the Guilty: Using Culpability Scores to Reduce Risk
  • In The Soup: Criminal Crime-Fighter Gets Crucified: A Superhero's Demise
  • Life's Gag Reel: Global Controls Can Be Misleading: Understanding the Un-Control

 

What in the World?

Sheriff Obama is Gunnin' for Bush

Who is Auditing the United States?

[Photo: Barack Obama speaks in Casper] Democratic presidential hopeful Sen. Barack Obama, D-Ill., speaks during a town hall meeting in Casper today. (AP | David Zalubowski)

Isn't the presidential race great this year! Obama defeated the Clinstones again with a decisive victory in Wyoming, moving 12 more delegates over to his side of the Democratic competition.

I know, for the nomination this is pretty insignificant, and it will probably come down to the super delegates, but what I like about the Wyoming visit is what happened just before the caucus, in the Casper town hall meeting.

After getting over the shock of a presidential candidate actually coming to the state of Wyoming, somebody in the audience voiced a concern about how the president of the United States may get the impression that they are somehow above the law. According to the Denver Post, Obama responded:

"... he would restore respect for law in the White House by reviewing every executive order issued by President George W. Bush and discarding any deemed unconstitutional."

Wow! Every executive order? How's that for an audit!

I think he's serious! This comment, an impending directive to his future attorney general, drew a standing ovation from the cowboy crowd:

"... review every executive order of the Bush administration. We are going to overturn those that were unconstitutional. We are going to overturn those that are unnecessary."

If this were Corporate America, I could just see the press release:

"We at USA, Inc. are deeply saddened at the recent decision by our dedicated, thoughtful and entertaining leader, CEO Bush, to explore personal interests. His illustrious 8-year tenure with our company has been filled with curious and provocative decisions, made during an extremely challenging point in history for our company.

As disappointed as we are at this turn of events, we must respect his decision, and move on to addressing the insurmountable financial and international challenges that have coincidentally surfaced over this 8 year period while he was CEO.

To address these challenges, we are pleased to announce that Barack Obama, Chief Imagination Officer will be succeeding Mr. Bush. Mr. Obama's first order of business will be a wide-scale audit of Mr. Bush's strategic direction, to further improve the more risky areas of his implementation."

The nation is in terrible shape right now. We've got a huge amount of debt that we never had, our global alliances are strained, the economy is in the toilet, and our kids are dying overseas for a really mysterious cause.

Imagine if you were on the Board of Directors of a company whose CEO moved your balance sheet from asset heavy to liability heavy, alienated your strategic partners, sent the stock price from $200 to $2, subjected your employees to hazardous conditions, and drove employee morale down so far that people were walking out of the company. How would your press release look?

Would you go after the CEO? Seems logical right?

In my view, Bush's execution was terrible, but he's an easy target. This is the reason why you have risk management. This is why you develop key controls.

It really shouldn't get this bad. The present state of our nation screams "bad key controls" to me. Who is auditing the United States? What key controls ( if any exist ) are failing right now? These are the questions that should be asked, if you want a permanent fix to the nation's problems.

Center Stage

Where's the Control on Auditing Standard 5?

What happens when the dog guards the dog food?

Objective: Reduce the fees for smaller companies' SOX compliance by relaxing the rules a bit.

Risk: Audit companies will act in their own self interest, and recommend that AS5 not be followed, in favor of their own more expensive procedures.

Control: ( Oops! )

Auditing Standard 5 ( AS5 ) has come under scrutiny quite a bit lately. What was supposed to be a "saving grace" for the non-accelerated filers of Sarbanes-Oxley has turned out to be a bust. I don't think anybody outside of the SEC is optimistic that this new "revelation" is going to fulfill its prophecy of saving money for the smaller companies.

Here's what cracks me up.

It's up to the auditors' discretion as to whether or not AS5 should be employed at a client company!

Isn't that like asking an employee to self-evaluate whether or not they should get a raise? Is it me, or does this not sound exactly like a segregation of duties violation?

I think this is pretty ironic: a compliance standard issued by the SEC that has an obvious and uncontrolled risk.

I'm not suggesting that audit firms will knowingly take advantage of this situation. That would be like assuming employees will steal from a company.

When my brother was a teenager, he had a job at a gas station inside the booth. A lot of times he was there late at night, by himself with the cash register at his disposal. This wasn't unusual at the time ( I don't know about now ). There were no cameras, no supervisors. He could have easily stolen money out of the till, but he never did because he is an honest person.

That doesn't mean it wasn't risky. The risk was still there, and in retrospect I feel it was pretty big, so it should have been controlled.

But that's nothing compared to this AS5 situation.

Although we know the Big 4 and other audit firms can be trusted ( cough ... Arthur Andersen ... cough ), don't you think we should put some control around this one? C'mon, read the objective again.

A Racehorse Without A Jockey
In my new eBook, learn how to properly start an audit intelligence project. In this how-to guide, you will learn how to create:
  • A Project Charter
  • A Stakeholder Assessment
  • A Project Preamble
  • An Elevator Speech

These are all the tools you need to get your audit intelligence project off to the right start.

This is the best 30-minute investment in time you can make, if you are considering the construction of a new Compliance Data System.

Hello Rubber, Meet the Road

Compliance Tips for the Guilty

Using Culpability Scores to Reduce Risk

Lora Bentley, who is responsible for the Sarbox Survival Guide blog, uncovered a real gem this month. In her entry, "What Do Sentencing Guidelines Have to Do with Compliance?" she discusses a conversation that she had with Brett Curran, CEO of Axentis, a GRC ( Governance, Risk, and Compliance ) software manufacturer.

In a recent product announcement for Axentis, the company referenced guidelines for compliance from the U.S. Sentencing Commission. This is the agency responsible for establishing Sentencing Guidelines for people found guilty of certain federal crimes.

Compliance guidelines for the guilty? Doesn't it seem a little late to be giving these people advice?

According to Mr. Curran, these guidelines are used to assess a culpability score, and this score will determine the sentence that's delivered.

This is great to know. Let's use these guidelines as requirements for a new Compliance Data System.

First let's take a look at what they are:

  1. Define policies, procedures, and controls.
  2. Designate high-level people to manage the program day-to-day.
  3. Communicate policies, procedures, standards, and training to people periodically.
  4. Audit and monitor the program periodically.
  5. Periodically promote the program, and enforce it consistently throughout the organization.
  6. Take action to prevent future problem occurrences.
  7. Periodically assess risks and modify controls and policies.

Okay, obviously for an article this size we'll need to make some assumptions, and leave out some details, but I wanted to give you the high level of how this is put together.

A Compliance Data System is built using audit intelligence ( a derivative of business intelligence ) techniques, and I just published an eBook on the proper way to get started called "A Racehorse Without a Jockey". So consistent with that book, we start off by building a charter, stakeholder assessment, preamble, and elevator speech.

From this exercise, let's clarify exactly what we're trying to do here. The Project Objective would read something like this:

Develop a Compliance Data System that clearly demonstrates that we are following all 7 of the suggested U.S. Sentencing Guidelines that were promulgated in 1991 by the U.S. Sentencing Commission. The system should be in place before the end of this fiscal year.

The key point of clarification is that we are not trying to fill gaps here. The assumption is that we are already doing all of these things, and the goal of the new Compliance Data System is to prove that we are doing these things.

So, with that done, let's revisit the requirements, because I don't like some of the vague language. Here are some clarifications we will make to move these requirements closer to "operational definitions":

  • For Number 2, let's call "high-level" anybody in the organization that is a "Vice President", or has one that reports to them.
  • In general, the term "periodically" means every month.

The next thing to understand is that the Compliance Data System looks and feels more like a data warehouse than a transactional system. Therefore, we will have sources, transformations, and a target, and the target will be our new Compliance Data System. We will call it SBCS ( Sentencing Based Compliance System ).

Next, let's take a look at our sources.

  • For rule #1, let's assume that there are 7 business units, and each one has its own web-based repository where policies, procedures, and controls are stored.
  • For rule #2, the management assignment is done, but not automated. It goes something like this: "Okay, Mary? You're managing this now."
  • For rule #3, the communication effort is somewhat organized, but also not automated.
  • For rule #4, internal audit has a transactional system called IASOR ( Internal Audit System of Record ) where it records the results of its audits.
  • For rule #5, this is managed through their learning system TEACH, along with the rest of the corporate training classes.
  • For rule #6, a system called REACT has been installed to track risk events and their resolution.
  • For rule #7, an organized review is done monthly, but not automated.

To complete the architectural bridge from our existing source systems, to our target system, we will need to add the following components:

  • A consolidation point for the 7 BU web repositories. We will use an SOA architecture to pull information out of each of the existing web repositories, and deposit data ( via web service ) into our collection point.
  • A lightweight transactional system that ties into our existing HR database, to tie up the loose ends from the stuff that is not yet automated. It will formalize and record who is managing the program. It will also manage the communication plan, including who needs to be communicated to, what needs to be communicated, how it gets communicated, and when the communication happens. Finally, it will formalize the risk assessment and control improvements. This system will be called AuditLink.

The only step left is our transformation logic. Here are the highlights:

  • Since we have the consolidation point for the 7 business units' policy repository already, the only thing we need to do is push this over to the target. You can either store the whole policy in SBCS ( the new data system ), or a link to where it can be found.
  • Since we are building AuditLink from scratch, we have the advantage of knowing that SBCS will consume its data downstream. The transformations will consolidate who is managing what, with appropriate titles.
  • Communication events are transferred to SBCS as they happen through AuditLink. SBCS consolidates the what, when, and who.
  • Data from IASOR is transferred directly to SBCS as audit results are recorded there.
  • The TEACH system is polled for select audit related classes, and pushed down to the SBCS. Changes are monitored and recorded as they happen.
  • The entire REACT database is polled and incidents are transferred to SBCS as they happen.
  • Risk assessment and control enhancement is sent to SBCS once the monthly audit is recorded in AuditLink.
  • The SBCS is updated with this information on a daily basis, and all the change history is stored. "Tiny steps" are made so that there is a clear audit trail, and all evidence is captured to support the transformation logic.

Once the Compliance Data System transformations are complete, a set of batch reports is built to run against the new system. These batch reports resolve the objective of clearly demonstrating our compliance.
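As an added example, not code from the newsletter or from any of the systems it names, here is a toy Python version of the SBCS batch report: it checks the seven guidelines against constructed sample feeds from the repository consolidation point, AuditLink, IASOR, TEACH and REACT, using the operational definitions above ( "high-level" means a Vice President or someone with a VP reporting to them; "periodically" means monthly ). All record layouts, names and dates are assumptions.

```python
from datetime import date, timedelta

AS_OF = date(2008, 3, 31)    # constructed report date for this run
MONTH = timedelta(days=31)   # "periodically" means every month (article's definition)
BUSINESS_UNITS = 7           # the article assumes 7 BU policy repositories

# Constructed sample feeds, one per source system named in the article.
POLICY_LINKS = {bu: f"https://bu{bu}.example/policies" for bu in range(1, 8)}
AUDITLINK_MANAGERS = [{"name": "Mary", "title": "Director",
                       "direct_report_titles": ["Vice President, Audit"]}]
AUDITLINK_COMMS = [{"what": "policy refresh", "who": "all staff", "when": date(2008, 3, 12)}]
IASOR_AUDITS = [{"audit": "Q1 control walkthrough", "when": date(2008, 3, 20)}]
TEACH_CLASSES = [{"class": "Code of Conduct", "when": date(2008, 1, 15)}]  # stale on purpose
REACT_INCIDENTS = [{"id": 1, "opened": date(2008, 3, 1), "resolution": "control added"},
                   {"id": 2, "opened": date(2008, 3, 9), "resolution": "policy updated"}]
AUDITLINK_RISK_REVIEWS = [{"when": date(2008, 3, 28)}]


def within_month(records, as_of=AS_OF, key="when"):
    """True if at least one record falls inside the month ending at as_of."""
    return any(as_of - MONTH <= r[key] <= as_of for r in records)


def is_high_level(person):
    """Article's operational definition: is a VP, or has a VP reporting to them."""
    titles = [person["title"], *person["direct_report_titles"]]
    return any("vice president" in t.lower() for t in titles)


def guideline_status(as_of=AS_OF):
    """Batch report: {guideline number: (passed, evidence)} for all 7 rules."""
    unresolved = [i["id"] for i in REACT_INCIDENTS if not i["resolution"]]
    return {
        1: (len(POLICY_LINKS) == BUSINESS_UNITS,
            f"{len(POLICY_LINKS)} of {BUSINESS_UNITS} BU repositories linked"),
        2: (all(is_high_level(p) for p in AUDITLINK_MANAGERS),
            "program managers: " + ", ".join(p["name"] for p in AUDITLINK_MANAGERS)),
        3: (within_month(AUDITLINK_COMMS, as_of), f"{len(AUDITLINK_COMMS)} communication event(s)"),
        4: (within_month(IASOR_AUDITS, as_of), f"{len(IASOR_AUDITS)} IASOR audit(s) recorded"),
        5: (within_month(TEACH_CLASSES, as_of), f"last TEACH class on {TEACH_CLASSES[-1]['when']}"),
        6: (not unresolved, f"unresolved REACT incidents: {unresolved}"),
        7: (within_month(AUDITLINK_RISK_REVIEWS, as_of), "monthly risk review recorded in AuditLink"),
    }


def failing_guidelines(as_of=AS_OF):
    """Numbers of the guidelines that the collected evidence does not support."""
    return sorted(n for n, (ok, _) in guideline_status(as_of).items() if not ok)


if __name__ == "__main__":
    for n, (ok, evidence) in guideline_status().items():
        print(f"guideline {n}: {'PASS' if ok else 'FAIL'} ({evidence})")
```

With the constructed feeds, only guideline 5 fails, because the last TEACH class is older than a month; every other rule has evidence inside the reporting month.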

I hope this gives you a sense for the role of the Compliance Data System, and how you go about making it happen. Using our sentencing guidelines and this architecture greatly reduces your chances that any sentencing happens at all.

In The Soup

Criminal Crime-Fighter Gets Crucified

A Superhero's Demise

[Photo: Eliot Spitzer and wife Silda] New York State Gov. Eliot Spitzer is joined by his wife Silda as he makes a statement to reporters during a news conference Monday, March 10, 2008 in New York. (AP Photo/Mary Altaffer)

Oh, Eliot, what have you gotten yourself into now.

Mr. Spitzer is definitely in the soup. The 48-year-old Batman of Wall Street seems to have fumbled fatally flirting with a femme fatale.

Will the Guilty Governor Get-off, ... again?

Can the Past Public Prosecutor Prevent Pandemonium?

You don't have to tune in next week to figure this one out.

Client #9 is done. His case is closed.

For those of you living under a rock, Governor Eliot Spitzer was just nabbed for his involvement in a prostitution ring. He allegedly gave some Jane named "Kristen" $4300 to settle up his account, and put a down payment on future services.

I guess the subprime mess is overflowing into the prostitution business, as pimps are tightening up their credit terms. Collecting their money up front is a smart move that will surely improve their DSO ( Days Sales Outstanding ). I digress...

The call-girl business, known as the Emperors Club VIP, was obviously a very high-end joint, with fees as high as $5,500 an hour for the "7-Diamond" girls. Wow!

There's a very important compliance lesson we can extract here, so pay attention. Eliot spent his time as Attorney General crusading against this very type of situation, making it his personal mission to send the wrong-doers away, and restore justice to the American public. In doing so, he got very intimate with these types of operations.

As you explore risks in your quest for total compliance, you too will become very familiar with the system -- more familiar than most. It can become very tempting to flip your morals around, and exploit a set of risks instead of trying to control them. I hope these thoughts never enter your head, but if they do, I hope the story of Eliot Spitzer comes to mind.

If I'm Eliot, I'm not worried about the New York villagers coming after me with torches lit. I'm not even worried about the Wicked Witch of the Democrats hexing me with the Clinton Spell of Doom.

If I'm Eliot, I'm more worried about falling asleep next to Silda. As if things weren't bad enough, all this "Kristen" business happened the day before Valentine's day!

Can you imagine?

If I show up with the wrong Valentine's Day card, I'm in the soup. This guy gets caught handing a prostitute $4300 cash!

The picture above tells all. I can just see Silda's wheels turning on the perfect way to inflict the most amount of pain over the most amount of time.

"Holy Wiretap, Batman. Looks like the jig is up!"

Life's Gag Reel

Global Controls Can Be Misleading

Understanding the Un-Control

[Photo: Cats sleeping in front of a "Beware of Dog" sign]

Here's what happens when you have controls that people can't read or understand.

It's hard enough to get everybody on the same page with a local or national company, but if your company is global your problems have just increased exponentially.

If people can't read or understand your controls, they're not controls. Make sure this doesn't happen in your company.

Always Please Remember
Always please remember to buckle up. It could save your life.

If you are having problems viewing this, please visit the Flawless Compliance archive at http://www.excellentmanagementsystems.com/flawless.jsp.

Flawless Compliance is a free monthly newsletter on today's compliance issues, ideas, and solutions, based on the consulting work done by John Weathington and Excellent Management Systems, Inc.

To Subscribe, please visit the Flawless Compliance section of my website, http://www.excellentmanagementsystems.com .


You may also Unsubscribe, by sending an email to newsletter@excellentmanagementsystems.com, with the Subject of "Unsubscribe to Flawless Compliance".

© 2008 John Weathington. All Rights Reserved. This publication is so copyrighted, it's not even funny. However I encourage you to share it, whole or in part, with proper attribution.