The industry that developed compliance officers first was the defense industry. Back in the mid-1980s, a whole bunch of defense contractors got into trouble. There was fraud, waste and abuse in the news, and President Reagan, in order to stem the tide, asked Deputy Secretary of Defense David Packard to form a commission. The Packard Commission recommended that clean up its own house. I remember those overpriced toilet seats.
A funny aside, we had a vice president at United Technologies Corp., who was the first director of the office of federal procurement policy, but then went to work for us. He was asked to testify because of his prior position. They asked him what he thought about the $8,000 toilet seat, and his comment was, 'I don't want to take a position on that.' That's the only comment that made it into the news.
I would like to split out SOX [Sarbanes-Oxley Act] from general compliance. Prior to SOX, compliance programs consisted of things that were more than financial issues. Now along comes SOX, and what SOX says is your financials needs to be documented. How you handle your books and records needs to be documented. Some people might have said, 'Gee, weren't they documented before?' To a large extent they were, but over time some of those procedures changed, and the documentation wasn't changed. What became expensive was the interpretation of SOX, the testing, the requirement of having another set of auditors besides your independent auditors. So everybody is trying to do this thing completely right, and because this is a first-time effort, even companies that might have thought they were compliant prior to SOX, they are spending the money to make sure they are compliant. There's a code of ethics that is kind of built into the military, where you worked previously, but there doesn't seem to be anything quite like that in the business world.
You're absolutely right. The former CEO and other senior executives have been indicted on fraud charges. [CEO Sanjay Kumar and CA's former head of worldwide sales, Stephen Richards, have pleaded not guilty. Others have pleaded guilty to charges of securities fraud or obstruction of justice.] Do you think punishment is the only way to prevent misdeeds in business?
Wow. There are two answers. I don't know what else you can do with respect to misdeeds other than to punish. But I do know that if boards of directors and shareholders are not savvy to the fact that if there are individuals who have done the wrong thing, and the boards and shareholders haven't done the proper background checks in hiring those people later on, that is a huge mistake on the part of corporations -- to allow someone who has been punished for misdeeds, and then putting them back in the driver's seat should be a real negative in the business world. Do you have to spend a lot of time reining in the tendency in people to win? Business is extremely competitive, and the desire to win at any cost, I think is pretty strong among very successful people.
No question about that. The desire to win is an important ingredient in business, and you really don't want to impede that desire to win. What you want to make sure is that everybody understands that the desire has to be measured with doing it the right way. I have to tell you that one of the things I talk to ethics officers about all the time is that you can sit there constantly and say no, no, no, you can't do this and you can't do that, and that may be one way to do your job. A better way to go about your job is to work with business and say, what is it that you're trying to accomplish and let's find the right way to do it. Your job is not really to be a preacher, I guess.
If I end up being a preacher, I'm dead. People don't want to be lectured to. Most people feel they have good values to begin with. What they need is some guidance in solutions that are good, positive and workable and still help them meet their goals. I use an example with sales all the time. I say, if you come to me and say, 'I want to bribe, is that OK?' the answer is no, it's not OK. But that's really not the question you wanted to ask me. You want to tell me what your problem is and we want to find a solution. Can you give me an example of a gray area where you have to come in and mediate?
Sure. You're out negotiating sales maybe in a foreign location. Someone comes to you -- a potential customer -- and says, 'I would really like to come visit your facility to see how your operation works.' This may not be a Computer Associates problem because we don't do a lot of manufacturing, but a lot of companies do. So, the answer is, of course, but the potential customer wants you to pay for it and the question is, 'Can we do that?' The answer in most instances is absolutely. But the gray area comes in when you ask how much entertaining you can do while you are there -- and are there any stop-offs, like to Orlando or to Las Vegas? Is there walking around money? Taking them out to dinner while they are there is certainly acceptable. Where you start to get uncomfortable is going beyond that and taking side trips, shopping trips. We talked a little bit about SOX. Is SOX is a good thing?
Absolutely. I actually wrote a paper saying be happy for Sarbanes-Oxley. There are some unintended consequences of Sarbanes-Oxley that make my life and everybody else's difficult, and one of them is the huge cost associated with it. But how do you argue a provision in the law that says you must document your controls? How can you argue against a provision that says you need to have a mechanism where your employees can bring accounting irregularities up through the system and the board and the suit committee can act on it? I think most people will tell you that the law itself is a very proper one Is there anything that CIOs should know about chief compliance officers?
The message I would want chief information officers to be aware of is that compliance officers and chief information officers should be working hand in glove. Some of the best controls that I am aware of are controls that are developed between the compliance organization and the chief information officer's organization. The more we can automate controls, the more we can take the human element out of it, the more reliance our employees and shareholders can have on the system. The chief compliance officer and the chief information officer should be married at the hip.