Critics maintain that the final version of the Sarbanes-Oxley Act has holes in it big enough to drive a truck through.
One hole is that while the act requires both a financial audit and an audit of the IT systems that generate financial information, these two groups of auditors rarely talk to each other and, according to Sharon O’Bryan, a former IT auditor at Arthur Andersen, chief information security officer with ABN Amro North America and now an independent consultant, nothing has changed.
“I recently worked with an organization that had every problem you could imagine,” O’Bryan says. Audit trails weren’t kept, people had access to systems that they weren’t supposed to, and the administrative passwords were never changed from the vendor presets. “Yet the audit was signed off [by the auditor],” she says incredulously.
All the auditors consulted for this article said that if they found violations, their first step would be to work with the CIO to fix the problem. While that might improve controls for the future, it wouldn’t do anything to certify the accuracy of the financial statements submitted under the compromised control environment.
And even if a company does submit fraudulent or inaccurate numbers, its odds of getting caught are small. While the SEC won’t say how it spots phony statements, Rob Seiden, director and president of Fortress Global Investigations, says that most of the time a miscreant is found thanks to whistle-blowers, as was the case last month when HealthSouth CEO Richard Scrushy was indicted on accounting fraud charges. Second most common, Seiden says, is by accident, when an SEC regulator trips over a floridly fraudulent document. One former auditor says that when the SEC does investigate, its research is usually limited to dinner with the company’s executives.
Eventually, everyone agrees, the SEC will make an example of someone for noncompliance. But if the first Sarbanes-Oxley case is any indication, that day may be a long time coming. Over the summer, the CEO and CFO of Rica Foods, a $131 million Miami-based importer, attested to the fact that the company’s auditor had approved its financial statement. In fact, the auditor had done no such thing. In an August settlement, Rica promised not to lie again, and the CEO paid a $25,000 civil penalty.
The Rica case, say critics, illustrates one of the weaknesses in Sarbanes-Oxley. “Internal controls do not prevent collusion,” says Joseph W. Hearington Jr., corporate director for internal auditing at Universal, a $2.6 billion tobacco company. “All the scandals, the Enrons and WorldComs, all had one thing in common: collusion. This will do nothing to prevent that. This is a feel-good piece of legislation.” -B.W.