September 03, 2004

Sarbanes-Oxley - what the insiders already know

Sarbanes-Oxley is the act to lay down the law in financial reporting. It's causing a huge shakeup in compliance. On the face of it, better rules and more penalties should be good, but that's not the case here. Unfortunately, the original scams that brought about Sarbanes-Oxley, and its Basel-II cousin, were based on complexity - hiding stolen money in plain sight. The more complex things get the more scope there is to hide one stolen millions.

Insiders already know this. The worry-warts have pointed it out, and been ignored. Others are silently waiting, rubbing their hands in glee at the prospects to be opened up.

Here's another twist. In an article on how complexity and penalties will lead to more cover-ups and more rot, Paul Murphy points out that there's now an easy way to get the CFO fired - simply futz with the server and push the results around. The hapless CFO has two only two choices, cover-up or falling on his sword.

Of course, this is possible, unless one is using the strong accounting techniques of financial cryptography ... so if you do find yourself employing this rapid promotion strategy, make sure you fix it before it's done to you!

Sarbanes-Oxley: More Cause Than Cure?

By Paul Murphy LinuxInsider 07/29/04 6:00 AM PT

From a social perspective, legal consequences tend to be associated with being caught, not with committing the action and Sarbanes-Oxley may therefore "incent" more cover-ups than compliance. From a technical perspective, little can be done without fully integrating production and reporting -- something that can't be done in any practical way with Wintel's client-server architecture.

At a working lunch last week I had the misfortune of being seated next to some guy from Boston whining about the misery and risk introduced into his life by Sarbanes-Oxley. I kept wanting to ask him what he thought his job was as a CFO, since all Sarbanes-Oxley really does is establish a basis for legal penalties against financial executives who dishonor the job description by failing to understand, apply and maintain adequate internal financial controls.

I didn't. In the end I told him he could always get his CIO fired rather than take the heat himself because I've never seen a company in which the CFO didn't outrank the CIO. Now, in reality, that doesn't have anything to do with the central issues raised by Sarbanes-Oxley but the idea certainly seemed to cheer him up.

Sarbanes-Oxley provides the classic legislative response to a perceived abuse: legally defining responsibilities and setting forth penalties for failures to meet them. In doing that, however, it fails to address the underlying issue, which isn't why a few people lied, cheated and stole, but why a much larger number of people let them get away with it for so long.

Remember, few of what we now clearly see as abuses were secret: Enron's CFO won major financial management awards for what he was doing, most wall street players used personal IPO allocations to buy customer executives, and dozens of analysts wrote about the obvious mismatch between real revenues and the financial statements underlying market valuations at companies like Global Crossing and MCI/WorldCom.

Wider Context

Look at this in the wider context of overall financial market management and this becomes a chicken and egg type question. It's clear that the financial market failed to self-correct with the majority of the people involved closing both eyes to abuses while deriding or ignoring those who tried to uphold previously normal standards of personal and professional integrity.

But what made that mob response possible? Were financial market systems failures induced for personal gain, or did the players involved slide down the slippery slope to corruption because the checks and balances built into the system failed? How was it possible for some brokers to brag to literally hundreds of their colleagues about their actions without having those colleagues drum them out of the business?

My personal opinion is that a fish rots from the head down. In this case, that the Clintons' sleazy example in the White House combined with easy money from the dot dummies to create an atmosphere of greed and accommodation in which it became easy for otherwise responsible people to rationalize their own abdication of professional responsibilities in favor of personal advantage.

Bottom Line

Whether that's true or not, the bottom line on Sarbanes-Oxley is that it doesn't address the major public market abuses but is likely to have some serious, although counter-intuitive, consequences.
In establishing penalties ranging from fines to jail time and the public humiliation of the perp walk, Sarbanes-Oxley creates both incentives to cover up failures and opportunities for those with axes to grind, people to hurt, or shares to short.

The cover-up side of this is obvious. Imagine a CFO, popular with the other executives and the board, who discovers that the financial statements have been substantially misstated for some time. In this situation the threat posed both to the individual and the organization by Sarbanes-Oxley could easily tip a decision toward covering up, either through the intentional continuation of the erroneous reporting or through some longer run corrective process.

The incentives to attack have to be coupled with opportunities to mean anything. That's less obvious, but I admit I enjoyed my lunch rather more after imagining how little access to my tormentor's financial server Relevant Products/Services from Intel Enterprise Solutions Latest News about Servers would really be needed to send him all undeservedly to jail.

The key enabler here, besides inside access of the kind you get by infiltration, is the separation of financial reporting from production transactions. In his case, the financial statements are drawn from a data mart that gets its input at second hand from a bunch of divisional financial systems.

Faking business transactions is difficult and risky because there are lots of real-world correlates and you have to fake or modify a lot of them to have a material impact. That's not true, however, where the financial statements are drawn from a data warehouse disconnected from the actual transactions underlying the numbers.

Installing a Stored Procedure

In this situation, the external referents are difficult to track and all an attacker has to do is install a stored procedure that transfers small amounts from one of the imaginary accounts -- say, goodwill amortization -- to another every time one of the bulk updates runs.

Over time, this will have an effect like that of the butterfly flapping its wings in China to cause storms in California, slowly and invisibly undermining the integrity of the financial reports.

Eventually, of course, some external event will trigger an investigation. Then he's toast, and no amount of pointing at internal controls and auditors, public or otherwise, will make any difference. The system will have been turned on itself with the books balancing perfectly and all checks checking, even while the published profit and loss numbers have been getting "wronger" by the quarter.

Once that's discovered, the company's executive will face a choice -- cover-up or mea culpa -- and either way Sarbanes-Oxley's threat of legal process will be the biggest scarecrow on the playing field.

Integrity Guarantees

From a social perspective, legal consequences tend to be associated with being caught, not with committing the action. Sarbanes-Oxley might therefore "incent" more cover-ups than compliance. From a technical perspective, little can be done without fully integrating production and reporting -- something that can't be done in any practical way with Wintel's client-server architecture.

I'm really looking forward to the case law on this. After all, if a porn user can't be held responsible because Wintel's vulnerabilities mean that anyone could have put the incriminating materials on his PC, shouldn't a CFO with bad numbers have access to the same defense?

More interestingly, what happens when a prosecutor with a sense of irony puts some Microsoft (Nasdaq: MSFT) Latest News about Microsoft experts on the stand to testify against a CFO (or porn user) who tries this defense but doesn't have Wintel installed?

All joking aside, however, the real bottom line on Sarbanes-Oxley might well turn out to be that it weakens rather than strengthens integrity guarantees in public accounting by tilting judgment decisions toward cover-ups in the short term and may threaten Microsoft's client-server architecture in the long term.

Paul Murphy, a LinuxInsider columnist, wrote and published The Unix Guide to Defenestration. Murphy is a 20-year veteran of the IT consulting industry, specializing in Unix and Unix-related management issues.

Posted by iang at September 3, 2004 05:34 AM | TrackBack

One thing that a lot of people miss about Sarbanes-Oxley is its actual applicability in the "field" of it security, particularly bits like section 404, is that it's _extremely_ fuzzily-defined as to how it affects infosec--its concept of "controls" is so broadly laid out that every consultancy in sight is using it as the generic catch-all for companies worried about compliance.

As it's not (to my knowledge) been court-tested yet in specific IT-related instances (and won't be for a while, most management I know are so worried about it) I've seen projects aimed at almost ridiculously granular control of IT components just to make sure the law is followed, without really bothering to look into the whys of what's being done (viz. things like archiving of company internal IM text, etc.)

- -John

Posted by: John M S at September 6, 2004 12:54 PM

Since the passage of Sarbanes-Oxley I have had the pleasure of talking at some length with the CFOs of two public companies about the impact of compliance. In both cases they lamented that the new law caused CEOs and other senior management to be engaged to such a degree as to substantially remove them from their normal duties in running the corporations. If my sampling is indicative of Sarbanes-Oxley's effects then it may become one of the hidden reasons for a slow, but evnetual, decline in U.S. productivity that until now has been hidden by falling wages from outsourcing.


Posted by: Steve S at September 6, 2004 12:56 PM