Escaping the Pain?
by Jeff Bardin, The Brave New World of InfoSec
Thu, 2007-05-31 18:48
Topic(s): | | |

Many of the regulatory changes over the past several years benefit shareholders by making executives and directors more accountable. Many firms are going from public to private to avoid the scrutiny and added costs associated with being a public firm.  
 
President Bush signed the Sarbanes-Oxley Act into law in July 2002 with the hope that it would put an end to the mounting corporate scandals and accounting misdeeds in the U.S. Included in the Act are a slew of new rules regarding the structure and role of the audit committee, as well as stiff penalties for corporate wrongdoing. A public company's CEO and chief financial officer must certify that its 10-K and 10-Q filings with the Securities and Exchange Commission (SEC).
 
Other major provisions in the Act restrict the types of services audit firms can offer to public clients, require "independent" members on audit committees and require companies to disclose whether they have a "financial expert" on their audit committee.
 
Some of the benefits touted by going private are:

  • Avoid new regulatory burdens
  • Reduce public pressures to maintain growth
  • Avoid court time and fees
  • Concentrate control and make a profit
  • Explore possible tax benefits

It has come to my attention that a well known formerly public firm who is now private has dissolved their internal audit department, dismantled the information security organization, and forced out the information security officer who is a friend of mine.  The move from public to private appears to be for all the wrong reasons demonstrating a way to eliminate controls that do not provide for investor protections and surely do not execute due care and due diligence by corporate officers.  Who really benefits in the end?
 
What has really changed since all the SEC fraud charges against multiple corporate officers of multiple companies? There is no honor amongst thieves and they still reside at the top.  

» read more from Jeff Bardin | post a comment
Reader Feedback
Thu, 2007-05-31 21:24
Just goes to show us......
By Carl Herberger

Jeff -

Couldn't agree with you more, however I think the history is too young for a jury to draw final conclusions yet. In some ways the 'control' communities are (at least in part) to blame for some of the eagerness to move to a 'lower' regulatory base and avoid the costs associated with SOX 'compliance' b/c we've been hitting the executives of these companies over the head with (frequently) Cadillac solutions where Chevys will do and positioning it that if they don't caugh up the $ they're eating the risk. This "take-it-or-leave-it" internal approach to controls by some practitioners, followed by a completely unwarranted broad-based interpetration of sectoin 404 by external audit firms has lead (at least in some cases) executives to conclude that they are no longer in control of the decisions which need to be made. Afterall, executives are used to risk discussions - - this is the nature of business. I really don't think normal executives are interested in the lack of prudent controls, they are just reluctant to being held randsome for items which they don't have much control in.

Now, I understand the side which you've listed and I believe some businesses truly don't believe in controls and can't wait to get rid of them..........but I think these companies will pay the piper in the end.

On the other hand, I think other companies, quite rationally, have opted to 'retain' the capability to make a control decision optional - - based on their business models......and I can't argue with the reason behind those decisions.

Hopefully this makes sense to you too!!

Carl

» Reply | Report as spam
Fri, 2007-06-01 01:14
Rigas, Skilling, Kozlowski, & Lay (Dewey Cheatum & Howe)
By Jeffrey Bardin

I don't disagree on the issues of broad interpretation by external audit firms having been subjected for 3 plus years now to very subjective and many times ludicrous comments and findings. What I do have a problem with is the wanton and deliberate intent of this company to systematically dismantel the controls, governance models, safeguards and protection strategies instituted that are in fact, standard blocking and tackling activities that any corporate officer should understand is a baseline for exhibiting due care and diligence. This company was not being held ransom but in fact saw going private as an opportunity to extricate themselves from the regulations and statutory laws for the simple reason of increasing profits. Since they are not public anymore, the profits are not shared with stockholders but amongst those who run the firm.

I certainly do hope that your information is not on record at this company since the recourse you have now should a breach occur is non-existent. Then again, now that there is no one in the company to report a breach, no controls to detect or prevent it, no one will ever know. The executives now have their control back ...

» Reply | Report as spam

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
* Denotes a required field
E-GUIDE
Log Management in a Cyber World

ArcSight With so many potential cyber villains poking around the gates, enterprises must have strong protections and pristine visibility into what's happening on the network. Explore the increasing importance of log management as cybercrime and other malicious threats grow.

» Read this eGuide

WHITE PAPER
Comparing Research in Motion and Microsoft Mobile Solutions

Microsoft Organizations must look carefully at the requirements of mobile devices and accompanying middleware that can increase cost, complexity and administrative overhead. This white paper provides an independent analysis and detailed comparison of RIM and Microsoft's mobile solution.

» Read this White Paper