In yet more confusing evidence, Wired reports on the Boeing Audit Whistleblowing case:
The 9th U.S. Circuit Court of Appeals set aside the appeal of two former Boeing auditors who claimed their leaks to the media were protected by the Sarbanes-Oxley Act of 2002, adopted to protect shareholders against fraud. A three-judge panel of the San Francisco-based appeals court sided with Boeing, saying a provision in the act only protects those who notify the authorities, not the media, of alleged wrongdoing.
What appears to be the cause of this is that auditors, frustrated at trying to get attention in Boeing for Sarbanes-Oxley compliance, decided to leak some documents. Claiming immunity under Sarbanes-Oxley is novel, but leaking documents to the media in order to put pressure on the company is not novel - it's just not done. And this is not a case of "should have known better." Auditors know better; they know they are given the keys to the castle, so it is unclear why they were just fired.
The law protects employees from discrimination if they deliver the information to a federal regulatory or law enforcement agency, a member or committee of Congress or a work supervisor.
“Members of the media are not included,” Judge Barry Silverman wrote for the unanimous court.
Anyway, that all aside, we benefit from a unique insight into the traumas of audit. Referring to the original article from the Seattle Post-Intelligencer:
Sarbanes-Oxley is a wide-ranging law aimed at preventing stockholder rip-offs such as the Enron scandal from happening again. Among its requirements, it forced public companies such as Boeing to shine a light on their internal controls. It must show it has checks and balances on people and computer systems to guarantee accuracy of financial statements. ....
The federal guidelines for computer controls are unclear, and where the law is murky, auditors and company officials are left to fill in the gaps — facing criminal penalties if they are wrong. Companies are hungry for clarification on how to handle the information technology portion of Sarbanes-Oxley, according to The Institute of Internal Auditors, a leading professional association.
In step the Auditors, the cash-machine bells spinning in their eyes, and havoc reigns:
But Boeing’s information technology staff suffered. “They weren’t used to being involved in a finance-related audit,” McGee said in a June interview at Chicago headquarters. “We drove process discipline pretty hard.”
One person involved in the compliance effort, who asked not to be identified, told the P-I that information technology managers thought the new rules would blow over and that workers were “openly hostile” to the audits. The level of rigor — for example, documenting every single approval for a coding change — was foreign to the get-things-done culture of Boeing’s computer professionals.
The employee described the first two years as “pure hell” for the information technology staff. Colleagues agreed. Even auditors were unhappy, leading to infighting last year between consultants at PricewaterhouseCoopers and Jefferson Wells — the two firms contracted to help Boeing with internal audits.
Infighting among consultants is nothing special, as they defend their billings to the death. There's a huge incentive to replace another contractor, which turns them against each other. This sometimes ends badly for a consultant, but it always ends badly for the client:
Meanwhile, the experts at Jefferson Wells and PricewaterhouseCoopers spent hours — billed to Boeing — disputing each other’s findings.
What appears to be at the heart of this is that audit hasn't really served the corporation well. We know that Sarbanes-Oxley was a good effort at tightening up controls. But to what end? In this case, Boeing wasn't an Enron. It's easy to measure its progress. Planes come off the line at regular intervals, they are huge and easily countable, and if they don't work, it's spectacularly obvious.
So we have the possibility of over-measurement -- measuring something that costs more to measure than it delivers in benefits to the stockholder. What might be needed for the Enrons and the banks of the world, which deal in virtual product, isn't so clear for the physical sector.
“This sounds really, really messy,” Heriot Prentice, director of technology practices at the Institute of Internal Auditors, said upon hearing all of the charges and countercharges without knowing that he was speaking about Boeing, specifically. “This sounds like a big mess.”
Companies have been monitoring their computer systems for years — but under Sarbanes-Oxley, it was the first time that all public companies were required by law to do so as a part of a company’s “internal control over financial reporting.”
That control requirement, often nicknamed “404 compliance” after its corresponding part of the law, has been the most controversial and expensive aspect of Sarbanes-Oxley — and federal rules are now under review. Many executives bristled at the soaring costs of information technology compliance.
Control over financial reporting starts with control over financial transactions ... perhaps this was a simple case where they should have used SOX not SOx and triple entry accounting not double entry auditors?
Posted by iang at May 6, 2011 01:22 AM