The awful truth about compliance

Corporate America is doing its best to understand and meet regulatory demands, but many companies are losing their way

At press time, Bloomberg reported that federal prosecutors charged Jonathan Nelson, former CFO of oil driller Patterson-UTI Energy, with violating U.S. securities laws by signing off on financial reports he knew were false. Nelson is likely to be charged under a provision of Sarbanes-Oxley, according to Bloomberg, citing Kathleen Colvin, a spokeswoman for the U.S. attorney's office in Dallas.

One reason prosecutions under Sarbanes-Oxley are few and far between is the lack of precedent, according to Gartner's Handler, who strongly advocates seeking out professional legal advice. "Prosecutors would rather go with more established fraud laws, so they're not betting as much on new interpretations on the part of the judge."

Nevertheless, there is still much fear and loathing surrounding Sarbanes-Oxley because there's no getting around it, notes Patrick McBride, vice president of Scalable Software, makers of the Command Center compliance automation suite used by the Securities and Exchange Commission.

"As far as SOX goes, it's part of the annual financial [auditing process], so it cannot be ignored. But it takes a lot to prove that you're implementing controls" in line with Section 404, which requires companies with valuations of more than $75 million to prove that their internal controls and audit trails are sound and that their processes are capable of producing certifiably correct data, McBride says. "And the auditors have their fangs out because they were complicit in 'Enronics' in the first place."

Those fangs account for the mild paranoia shared by financial officers far and wide, a mind-set that would undoubtedly please legislators whose initial goal was to restore investor confidence.

Count Belinda Wilson, Hewlett-Packard's executive director of business continuity services, among those officers who question the veracity of financial reports that cross their desk, at least those on which she is asked to sign off.

"Constantly running in the back of my mind is the question of whether or not the numbers are accurate, because I know I'm accountable," Wilson says. "You could even call this the era of accountability."

There appears to be a little more slack when it comes to falling in line with HIPAA, Scalable's McBride says.

"On one end, you've got a lot of the providers and small and midsize hospitals flying by the seat of their pants because within HIPAA there are provisions for financial penalties and jail time but no real enforcement mechanism," McBride says. The larger hospitals and health-care conglomerates are much further along in terms of securing confidential patient information, McBride says, but he adds that their progress is due only in part to HIPAA; the fear of class-action lawsuits still reigns supreme, wherein HIPAA might be invoked as a measurement of due care.

Nevertheless, "the world of 'I trust you' is gone," says Ted Frank, CEO of Axentis, producers of governance and compliance solutions. Frank is dismayed at the lack of "a good, clean definition of compliance" within the enterprise. At a recent symposium of approximately 100 potential customers, he asked for a show of hands of how many believed they had such a definition. Not a single hand went up.

"You can keep trying to whack the mole, or step back and put together a plan that says, 'We're going to effectively manage risk,' " Frank says.

Risk management 101