February 13, 2007
Auditors Have a Plan for 404
News Takes
Internal Auditors Are Taking the Initiative on 404.
After four years of struggles with the Sarbanes-Oxley Section 404 assessment process, the Institute of Internal Auditors (IIA) stepped forward last week with a blueprint to make the IT audit process more manageable and predictable. The release, called the Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT), provides guidance in the form of principles and methodology for executive management, internal audit staffs and external auditors, outlining what the IIA believes is a more efficient and less costly IT general controls assessment process.
Of course, the IIA is hardly alone in trying to rationalize resource-intensive 404 audits. The Securities and Exchange Commission and Public Company Accounting Oversight Board have also turned their attention to providing better guidance to management and auditors—although it is far broader than what the IIA has provided in GAIT.
The IIA document is designed for early stage IT scoping assessments—helping with decisions as to which areas of technology, down to specific applications and servers, pose the greatest risk to a company and should be the focus of 404 control reviews. In that way, it is meant to complement existing frameworks such as COBIT. "GAIT is a structured reasoning process that can be tailored for an organization," says Heriot Prentice, director of technology practices at the IIA, who led the two-year process to establish new IT audit guidelines. "The business process risks and related key controls identified by the top-down and risk-based approach are its starting point." Prentice expects company executives that use GAIT to be able to challenge external auditor disagreements about scoping decisions for particular systems.
GAIT takes a top-down, risk-based approach built on four core principles for identifying those risks and related controls in IT general controls processes. This is in line with the recommendations of both the PCAOB and SEC; in fact, both agencies were given access to GAIT drafts as the guidelines were being written. A GAIT methodology and scenarios are also available for use as training tools.
The IIA enlisted the help of an advisory board made up of the leading audit firms and 16 Fortune 500 issuers, and on a pilot basis, several large companies, including Microsoft, Intel and General Motors, have begun using GAIT. "We hope people will come back to us and say 'this part worked' or 'this part did not,'" Prentice says.
According to at least one financial management and compliance consultant, GAIT shows promise but is still a work in progress. "This is not written for IT people, but for internal auditors and SOX directors," says James Clendenen, engagement director for the risk and consulting section at Chicago-based Parson Consulting. "How you would convert this to something IT people can use is where the big disconnect is." GAIT is written at too high a level, he argues, and not technical enough for use by IT staff, unless the intent is that internal audit or other compliance staff would translate its principles into a more useful framework for IT. Clendenen also points out there is no discussion of segregation of duty issues as they arise, something that many smaller companies struggle with, and that improvements could be made in some of the IT layer categories to make them work with all areas of technology.
Some practitioners take a different view. Brad Ames, internal audit director in charge of SOX testing at Hewlett-Packard Co., believes the IIA guidance is exactly what companies should be following. HP developed its own set of general controls guidelines several years ago and in many ways they are similar to the principles outlined in the GAIT guidance. "We're into our third year and I find that framework to be the most straightforward for persuading my external auditors that the controls we identify are key and they are operating effectively," says Ames, whose responsibilities include oversight of IT audits. "Our approach is very similar to the GAIT process." One strategic idea emphasized in GAIT that Ames finds especially important involves benchmarking controls, a process of monitoring automated controls that allows comparisons among different applications as a way to identify outliers or controls that may be faulty. "It's a way to compare applications and isolate those susceptible to emerging risk," he says.
Despite shareholders getting litigious again, D&O costs are under control.
Directors and officers liability insurance premiums more than doubled between 2000 and 2003 because of accounting scandals at Enron Corp. and WorldCom Inc. and the fallout from the dot-com meltdown. Finally, over the last couple of years, they have declined 30% from their peak in 2003—and insurance professionals predict that fees will fall another 10% in 2007. But after all the good news of the past year, there is one disturbing blip on the radar that may not be causing problems now, but could prove to be troublesome, particularly for individual executives and directors, in the future.
That blip is the surge in shareholder lawsuits over backdating options. To date, there have been 144 derivative lawsuits filed against about three-quarters of the companies that have announced government investigations or internal investigations into backdating options, according to insurance research firm Advisen Ltd.—and observers believe more are on the way. "The monetary awards associated with these suits are usually small to non-existent," says Dave Bradford, the editor-in-chief at Advisen. "But the legal expenses can be very high."
That's one area in which directors and officers could face a threat since in cases where fraud is uncovered D&O policies often won't pick up attorney fees for the individual if that person is somehow connected with the fraudulent behavior. To get around this, companies have so far chosen to settle so that no fraud is ever proven. But in many of these cases, shareholders are not seeking compensation anyway; rather they seek changes in a company's governance code to put in place better controls against it.
The other problem associated with these shareholder derivative suits is the fact that they can tie up management and resources until they are settled or go away. In fact, as many as half of the suits get dismissed without any settlement associated. "The bigger issue here is the drain on management time, resources and energy that these suits cause," says Bradford. "Theoretically, there's no monetary damage to the company. The company should be the beneficiary of any monetary awards, but it does certainly cause a distraction."
None of this, however, should affect D&O costs. "While the options scandal is constantly expanding, it's not clear what the damage is," says Robert Hartwick, president and chief economist for the Insurance Information Institute. "In the case of Enron, we had the total collapse of one of the largest companies in America, with countless shareholders, employees [and] vendors left in the lurch. [The options backdating scandals] certainly smell bad, [but] the reality of it is that there do not appear to be significant economic losses suffered by shareholders."
Finally, D&O is currently flush with capacity from insurers, still smarting from the losses connected to Katrina and 2005's tumultuous hurricane season, exiting the property coverage market. But more importantly, even after recent price cuts, D&O insurance remains very profitable, notes LouAnn Layton, managing director of Marsh. "In 2006, most [D&O] underwriters made a profit," says Layton. She adds: "As an underwriter, it's a good place to be—as a client, it's a very good place to be."
People On The Move
Everest Re Group Ltd. named Craig Eisenbacher CFO and executive vice president of the $4.6 billion reinsurer, which is based in Bermuda. Eisenbacher, 59, replaces Stephen L. Limauro, who is retiring. Eisenbacher joins Everest from Bristol West Holdings Inc., where he was senior vice president and CFO.
Sunoco Logistics Partners L.P. appointed Daniel D. Lewis controller and chief accounting officer of the $4.5 billion energy partnership, which is based in Philadelphia. Lewis most recently served as CFO and executive vice president of Liberty Group Publishing. Prior to that, he was a management consultant with PricewaterhouseCoopers. Sunoco Logistics is a master limited partnership set up to acquire and operate refined product and crude oil pipelines and terminal facilities.
Luby's Inc. named Scott Gray CFO of the $324.6 million restaurant operator, which is based in Houston. Gray, who will move to his new job April 20, will succeed Ernie Pekmezaris, who will remain an advisor to Luby's. Gray joined Luby's in 2001 and has served in positions of increasing responsibility, including director of finance, director of planning and director of internal audit. Prior to joining Luby's, Gray was an external auditor at Arthur Andersen.
Chunghwa Telecom Co. Ltd. named Joseph C.P. Shieh CFO and senior vice president of the $5.6 billion telecom service provider, which is based in Taipei. He joins the company from Mega Financial Holding Co., where he was CFO and senior vice president. Shieh has an MBA from the University of Missouri-Columbia and a PhD in finance from Kent State University.
CNX Gas Corp. named Mark D. Gibbons senior vice president and CFO of the $613.4 million natural gas exploration company, which is based in Pittsburgh. Gibbons, 48, replaces Gary J. Bench, the current CFO and vice president, who will move to the position of director of tax and treasury, effective Feb. 28. Gibbons is currently a director of the international risk consulting firm Protiviti, where he provides Sarbanes-Oxley consulting advice to clients of the firm. He was vice president of finance for MARC USA, a marketing and communications company, from 1999 to 2004.
Health Care Property Investors Inc. named Matthew A. Brill vice president of treasury services of the $477.3 million real estate investment trust, which is based in Long Beach, Calif. Brill joins the REIT from General Motors Corp., where he worked in the treasury office for six years. Prior to that, he worked as a senior consultant, National Real Estate for KPMG Peat Marwick LLP. In separate news, Patrick J. Stangle joins Health Care Property Investors as vice president for risk management. Most recently, Stangle was director of risk management at Goodman Global Holdings Inc., a privately held air conditioning and heating manufacturer based in Houston, which was acquired by Apollo Management LP.
Inverness Medical Innovations Inc. promoted David Teitel to CFO from vice president of finance of the $421.9 million diagnostic devices company, which is based in Waltham, Mass. Teitel succeeds Christopher Lindop, who resigned. Teitel joined the company in 2003 as director of financial operations and assumed the title of vice president of finance in December 2004. Teitel, 43, has 20 years of finance experience in both public and private companies, including nine years of audit experience at Arthur Andersen. Jon Russell was named vice president of finance to replace Teitel. Previously, Russell was CFO of Inverness' Wampole unit.
Wind River Systems Inc. named Ian Halifax senior vice president of finance and administration, CFO and secretary of the $266.3 million software company, which is based in Alameda, Calif. Halifax, 46, joins Wind River from Micromuse Inc., where he was CFO of the telecommunications services provider until it was acquired by IBM Corp. in February 2006. Prior to that, he was CFO of Macrovision Corp. for five years. He replaces Michael Zellner, who is leaving the company for other opportunities. Halifax assumes his position on Feb. 27. Wind River also named Jane Bone chief accounting officer, a newly created position. Bone, 41, has been controller of the company since 2000 and vice president of finance since 2005.
Deltic Timber Corp. named Kenneth D. Mann CFO, treasurer and vice president of the El Dorado, Ark.-based lumber company. Mann, 48, who is currently the controller, succeeds Clefton D. Vaughan, who is retiring from the company, which had sales of $168.3 million last year. Mann has been with the company since 1991.
American Vanguard Corp. appointed Brett R. Meinsen vice president and director of corporate finance of the $189.8 million agricultural products company, which is based in Newport Beach, Calif. The position is a newly created one at the company. Meinsen joins American Vanguard from Reinhold Industries Inc., where he served as vice president of finance and administration. Reinhold Industries, a manufacturer of composite products for the military and aerospace market, is being acquired by The Jordan Co. LP, an investment group.
SafeNet Inc. promoted John W. Frederick to CFO of the $263.1 million information security provider, which is based in Baltimore. Frederick, 42, joined SafeNet in June 2006 as vice president and controller and was promoted to chief accounting officer and interim CFO in October 2006. Before joining SafeNet, Frederick served as vice president and controller for Arby's Restaurant Group. SafeNet is in the process of restating its earnings for the years 2000 through March 2006 because of options grants made between 2000 and 2005.
First Niagara Financial Group Inc. named Michael W. Harrington CFO of the Lockport, N.Y.-based bank, which has $8.0 billion in assets. Harrington, 43, succeeds John R. Koelmel, who was promoted to president and COO. Harrington joined First Niagara in 2003 as senior vice president and treasurer. Prior to joining First Niagara, he was senior vice president and CFO at Equity Bank, a community bank, which is located in Marlton, N.J.
National Atlantic Holdings Corp. promoted Mark Heid to controller of the $187.3 million insurer, which is based in Freehold, N.J. Heid previously served as director of GAAP accounting. He began consulting services to National Atlantic in 2004. From 1999 to 2003, Heid served as assistant vice president of finance of Shipowners Claims Bureau, managers for the specialty insurer, American Steamship Owners Mutual Protection and Indemnity Association Inc.
First Charter Corp. named Sheila Stoke senior vice president, principal accounting officer and controller of the financial-services company, which has $4.9 billion in assets and is based in Charlotte, N.C. Stoke, 57, has been senior vice president and controller of First Charter Bank, the company's principal subsidiary, since November 2006. Prior to that time, she served in senior finance positions at Stock Yards Bank in Louisville, Ky., Integra Bank in Evansville, Ind., Republic Bank and Trust Co. in Louisville, Ky., and Bank of Louisville in Louisville, Ky.
Tools
Trintech puts some teeth into GL reconciliations. Trintech Group Plc, a provider of financial reconciliation workflow and risk management solutions, released AssureNET Express, an on-demand process management and internal control system for general ledger reconciliations at midsize organizations. The new offering takes many of the best reconciliation and compliance-oriented GL workflow features from Trintech's earlier offerings and makes them available in a more affordable, streamlined offering. "We're trying to have a more out-of-the-box solution for smaller companies who need an automated reconciliation tool, but one that is easy to deploy, with no IT costs in a SAS 70 Type II environment," says Darren Heffernan, vice president of the on-demand subscriptions services unit at Trintech. AssureNET Express is hosted in a state-of-the-art, secure facility to protect client data.
Wondering what might change the course of the economy today? Xignite Inc., a provider of Web-based financial services, will redistribute economic calendar information on U.S. Treasury and economic events through a new partnership with resource provider Econoday. Xignite will repackage Econoday information for on-demand delivery of financial information to its customers. New services will include access to global economic calendar events including consensus data prior to the event and actuals, as well as analytical content on U.S. Federal Reserve Board policies and decisions. Customers can customize what information they want delivered and where they want it delivered. "We want to deliver as much financial information that a business can integrate with their business processes, to where it is applicable and at the right time," says Stephane Dubois, CEO of Xignite. "We allow people to take this data as an interface and integrate it themselves." The data can be delivered to a treasury workstation, a handheld device or other platform.