Lessons learned on the road to compliance

Hindsight is a powerful lens when examining how to fall in line with the onslaught of federal regulations

It is only natural to want some guidance from your auditors on what should go into these reports, and experts agree you should seek it. Barry Cohen, vice president of applications management at Wells Real Estate Funds, says members of his team regularly met with auditors to receive help in navigating a maze of regulations that included Sarb-Ox, the Patriot Act, SEC 17a-4, and NASD 3110. “Your auditors can provide valuable guidance,” he says.

It is a distinctive feature of 21st century corporate governance, however, that your auditors can’t tell you what to do. In the ’90s, the big audit companies often played both sides of the fence, serving as technology consultants to the same companies they audited. Conflicts of interest forced auditors to shed their consulting businesses, and recent federal mandates strongly discourage auditors from acting as consultants.

That’s good for business ethics, but it can create major headaches. “It’s driving everyone batty,” AMR’s Hagerty says. “I hear so many IT executives complain that they can’t get any definitive answers from their auditors on what to do.”

“It’s a real gotcha,” says Irving Tyler, vice president and CIO of Quaker Chemical, which makes specialty chemical products for the steel, automotive, and aerospace industries. “You want to satisfy [external auditors’] requirements, but they can’t tell you how to satisfy their requirements.”

And what they do tell you may vary. “The big four audit firms all disagree on what is adequate for regulatory compliance,” Energen’s Wagner says. “In fact, there is often disagreement within the same firm.”

McDonald’s Jensen likens feedback from your auditor to listening to the oracle of the Federal Reserve, Alan Greenspan, for hints as to where the economy is headed. “He speaks and you try to interpret afterwards what he really meant,” Jensen says.

So, don’t expect definitive answers but keep asking anyway. “I know some IT executives who were afraid to talk to their auditors for fear of what they might hear,” AMR’s Hagerty says. “Avoidance is not a good strategy.”

There is no out-of-the-box solution

As was the case with Y2K, vendors are once again seeing a gold mine.

Sean Culbert, managing director at BearingPoint, heads that company’s global compliance consultancy team for the financial services industry. He says compliance tools can help, but warns against expecting too much from any one product. “I can’t walk into an organization and say, ‘Here it is, your ACME compliance kit that will solve all your problems.’ ”

Culbert points to the AML (Anti-Money Laundering) section of the Patriot Act, which requires financial institutions to review transactions for suspicious movements of cash. “I saw so many clients rush out and buy AML packages,” he explains. “Later … they realized they had one more piece of expensive software that didn’t fit into an overall compliance strategy.”

Click for larger view.