October 09, 2006

Audit Follies - Atlantic differences, branding UnTrust, thumbs on Sarbanes-Oxley, alternates...

Arthur spots a humorous post:

But it also illustrated a fundamental difference in the way audits are conducted on both continents. In the United States, audits are about ensuring that sufficient controls are in place to mitigate risks. Thus, the audit findings tend to emphasize lapses in application and network security. In Europe, audits tend to focus on following a predefined process, being transparent in the actions taken, precisely defining policies and procedures, and adhering to international standards.

The difference, I suggest, may depend on whether you thought audits were useful, and whether auditors could be trusted to provide checks that were useful instead of being perverted by any of a hundred tricks. For an example of "agenda" see the recent HP case where the ethics officer was apparently quite happy to approve spying on board members.

Would an audit have picked that up? And more importantly, what do we want in a world where an audit won't pick up those things? Value for money, right?

A further problem is what is known as Audit Independence. Audits tend to suffer from exploitation by auditors. One sign of this is when they turn the process of governance into a branding exercise, such as eTrust or WebTrust. Is this a process to provide customer value or is it a process to earn fees?
Widely-used online "trust" authorities issue certifications without substantial verification of the actual trustworthiness of recipients. Their lax approach gives rise to adverse selection: The sites that seek and obtain trust certifications are actually significantly less trustworthy than those that forego certification. I demonstrate this adverse selection empirically via a new dataset on web site characteristics and safety. I find that TRUSTe-certified sites are more than twice as likely to be untrustworthy as uncertified sites, a difference which remains statistically and economically significant when restricted to "complex" commercial sites. I also present analogous results of adverse selection in search engine advertising - finding ads at leading search engines to be more than twice as likely to be untrustworthy as corresponding organic search results for the same search terms.

Either way, the *result* of the branding exercise is clear -- you tend to acquire better than your fair share of scams, which are willing to pay the price to hide behind the brand. The extent to which the process behind the brand adds value then becomes all-important. The brand makes it effectively more difficult, perhaps harkening back to the old days when the professions were not supposed to advertise.

One conclusion that is emerging out of the current spate of governance failures -- mostly from the US but sometimes in Europe -- is to ask why auditors aren't picking up the frauds?

In Enron's case ($30bn), we know the Auditor was Arthur Andersen, and the reason they did not pick it up is that at the least, they were conflicted. More likely, they were "running cover" for the company. Bawag / Refco wasn't picked up until Refco went public, and even then it was lucky (the guy lost his job, a fitting reward for public service).

Switching across to the *long term response* to uncontrolled auditors and rampant audit practices, we have a critical mass against Sarbanes-Oxley building up. Sir Alan Greenspan reaches out and the thumb goes down!

The Sarbanes-Oxley Act is doing more harm than good and must be overhauled, Alan Greenspan told a technology audience here.

"One good thing: Sarbox requires the CEO to certify the financial statement. That's new and that's helpful. Having said that, the rest we could do without. Section 404 is a nightmare."

Sarbanes-Oxley was the legislation that approximately doubled the cost of audits in the US. Now the debate is on as to whether it is bad or good; does it deliver twice the value, or just twice the headaches? Does it deliver anything at all? Again, Sir Alan nails the key difference that likely counts above mere governance considerations:

He said the evidence is clear that *Sarbanes-Oxley strictures are driving initial public stock offerings away* from the New York Stock Exchange and to the London Stock Exchange. Increasingly, he said, people recognize that Sarbanes-Oxley must be changed. "The pressure on getting 404 significantly altered is rising and is taking on a critical mass." But he added, "You do not get a bill altered when the two names [Sarbanes and Oxley] are in the process of retiring. People are waiting until they are gone. Then, hopefully, changes will be made. Any bill that passes both houses almost unanimously, cannot be a good piece of legislation."

My emphasis. And don't miss that great quote at the end!

Not all agree. In a dramatic echo of the two posts on security training of last week, Sam E. Antar suggests that Sarbanes-Oxley is worth a partial raised thumb:

I say to you that the Sam E. Antar of twenty years ago (I am not a criminal today) would be just as successful in today’s environment.

Other than Sarbanes-Oxley and its limited reforms (which many misguided detractors are trying to weaken today), little progress has been made in the culture and attitude of the accounting profession (in private industry or government) regarding white collar crime.

Sam was the CFO for the Crazy Eddie fraud, so he is an expert in fraud. He now helps the other side (honest! His site was there last week, I swear!). He also bemoans the fact that accountants aren't trained enough in basic fraud. His more basic point:

Criminals always have the initiative and the profession's approach to preventing fraud (whether as CPAs at accounting firms, accountants in government, the private sector, and nonprofit sector) is "process oriented" rather than the criminal who approaches his work in a judgmental way.

Therefore, the criminal has the fundamental advantage against the under-informed, not very well trained accounting profession in regards to combating white collar crime.

That bears interesting comparison to the first quote above. It's worth stressing that criminals think differently, and thus always have the advantage over process; you won't hear that in white hat security classes, because it is very hard to say just how criminals think without exposing one's hat to a certain greyness.

Finally, I have long predicted a private class action response to the phishing and security morass (but not seen it yet). Here's a paper spotted by Adam that suggests it has merit:

Public choice analysis suggests that a meaningful public law response to insecure databases is as unlikely now as it was in the early Industrial Age. The Industrial Age's experience can, however, help guide us to an appropriate private law remedy for the new risks and new types of harm of the early Information Age. Just as the Industrial Revolution's maturation tipped the balance in favor of early tort theorists arguing that America needed, and could afford, a Rylands solution, so too the Information Revolution's deep roots in American society and many strains of contemporary tort theory support strict liability for bursting cyber-reservoirs of personal data instead of a negligence regime overmatched by fast-changing technology.

So which audit approach is better? Process oriented? Risk mitigation? It is clear that the value for money is sorely missing. Here's a summary of *my* thoughts, including the wider question of alternates to audits:

  • audits -- not easily trustable
  • regulation (I) -- useless and expensive, and a non-trivial possibility that the result is worse through complexity
  • regulation (II) -- forced publicity on crimes, such as SB1386, can result in a "win", but that was a "lucky win"; most regulation is a lottery: some headline winners, but the public as a whole loses out. Better then to discourage on principle, as the failures outweigh the successes.
  • private litigation -- potentially valuable overall, as at least it has inbuilt negative feedback loops. Payback to the damaged parties is far less frequent than headlines would have it, but if the public benefit is positive then maybe it's all we've got?

We can do better by:

  • pushing systems and reporting out to reveal publicly auditable information will engage the public as auditors (cf. Enron, 5PM)
  • aggressively reducing the "secret" parts to as small as possible, and vigorously documenting those parts
  • conducting the audit process itself in as much public glare as we can stand.
  • inducting the public to audit the audit
  • pushing the liability for the risks out into the open
  • as a public principle, standing more on the voluntary release of information, less on the Kitty People approach of Sarbanes-Oxley and SB1386.

But don't expect anything soon.

Posted by iang at October 9, 2006 12:23 PM

There are lots of differences. One key difference is that US compliance goals have something to do with transparency (due to the market's insistence); we can argue about how well this works in practice, but this is not always the goal in other countries' compliance efforts.

For example Dan Blum notes:
"...it is impossible to comply with the Sarbanes-Oxley Act (SOX) and French law at the same time. Following up with some security people later, I discovered this was a relatively well known problem that has nothing to do with technology, but does touch on different cultures' positions on privacy.

There are two issues - one has to do with the prequalification of auditors, but the big one concerns the SOX requirement to provide an anonymous line for whistleblowers who might reveal financial skulduggery. Such a rule might raise eyebrows in the U.S., where the stigma around informing on your colleagues is relatively mild; the rule raises hackles in France, which has a huge cultural stigma against informers, perhaps dating back to the time of the Vichy government."

Posted by: Gunnar at October 9, 2006 09:47 PM

i was at a european financial conference last fall where i brought up various issues with the (in)ability of sox to identify/prevent corporate crime; this year's conference was held last week and its theme was global risks and investor confidence, in part inspired by some of the sox discussions last year.

old posting mentioning conference and sox
http://www.garlic.com/~lynn/2006h.html#58 Sarbanes-Oxley

as well as some posts in thread here

http://www.garlic.com/~lynn/aadsm25.htm#12 Sarbanes-Oxley is what you get when you don't do FC
http://www.garlic.com/~lynn/aadsm25.htm#13 Sarbanes-Oxley is what you get when you don't do FC
http://www.garlic.com/~lynn/aadsm25.htm#14 Sarbanes-Oxley is what you get when you don't do FC
http://www.garlic.com/~lynn/aadsm25.htm#15 Sarbanes-Oxley is what you get when you don't do FC

Posted by: Lynn Wheeler at October 10, 2006 02:29 PM

Study Finds Sarbanes-Oxley Benefits Business (but does it find that SOX is doing what it was originally intended to do?)

Posted by: Lynngram at October 19, 2006 09:50 AM

a cross-over posting mentioning sox
http://www.garlic.com/~lynn/2006u.html#22 AOS: The next big thing in data storage

and other recent items:
Cheney Expresses Doubts About Sarbanes-Oxley
Democrat Says Sarbanes-Oxley Already Being Thinned
NY leaders see city's financial position threatened
Sarbanes-Oxley overkill, bankers say
Lights Dimming On The Sarbanes Oxley Act?
Greenspan calls SarBox a nightmare

Posted by: Lynn Wheeler at November 13, 2006 11:00 AM