The Big Picture

“The Big Picture” is written by Matt Kelly, editor-in-chief of Compliance Week. Kelly blogs about the broader context of regulatory developments, legislative actions in Washington, and other events in the area of compliance and corporate governance. Questions, comments and statements from readers are always welcome, and where appropriate Kelly will try to address them in his blog. He can be reached via email at MKelly@complianceweek.com.

 

June 17, 2009

Questions About Obama’s Regulatory Reforms

A quick read of the Obama Administration’s proposed reforms of regulatory oversight leaves you with two impressions. First, for the large majority of compliance officers and financial reporting executives out there not involved in the financial sector, little will change. You still have much bigger concerns to worry about in your daily routines: the increasingly aggressive folks at the Justice Department and Securities and Exchange Commission.

Second, not much has changed for those compliance officers who are in the financial sector, either: they still face too many voices in the regulatory realm, talking past each other and investors, sending conflicting messages about what financial firms are supposed to do.

To my thinking, the Administration’s proposed reforms fall somewhere between a missed opportunity and a mixed bag of under-developed ideas. Some seem sensible. Others seem to fly in the face of political reality. Most seem to have the potential to do good, but are in such an embryonic state that they could evolve into considerable new burdens or risks for corporations—financial and non-financial alike—by the time Washington is done fiddling with them.

A few highlights:

  • The agencies endure. Remember that halcyon time when everyone finally seemed to agree that the Commodity Futures Trading Commission and the Securities and Exchange Commission should be merged? Well, everyone in Washington has forgotten it. Both agencies will remain intact, doing what they’ve always done. At least one of them—presumably the SEC—will also start overseeing those over-the-counter derivatives that have caused so much trouble in the last year, but the Obama plan isn’t entirely clear on that point.
  • Creation of a Consumer Financial Protection Agency. I already can envision new types of legal headache here. If an approved financial product fails to deliver on its promise—and good luck defining the scope of that—could an aggrieved investor sue the firm that sold it? Could corporations then claim some sort of pre-emption defense, akin to what drug-makers claim under Food and Drug Administration rulings? We also have no word on who would appoint this agency’s leadership. This is an important detail; remember, plaintiffs have hauled the Public Company Accounting Oversight Board in front of the Supreme Court, saying its SEC-appointed leadership is unconstitutional.
  • Enhanced regulatory cooperation internationally. The Administration might as well put this proposal out for comment in MAD Magazine. Politicians on both sides of the Atlantic are so busy pressuring securities and accounting rulemakers to relax the rules as a means of inflating economic growth, nobody will have time to develop a serious framework for international oversight of large institutions. That’s a shame, because we need one.
  • Compensation crackdown! Don’t die of shock, but all public companies would now be required to let shareholders have an advisory vote on executive pay packages. They would also need to establish more independence on the board’s compensation committee, and achieve the fabled “alignment of executive pay with long-term shareholder value.” All of this is about as surprising as sunrise in the east. I was hoping the Treasury Department would decree that all CEOs are to be immediately enslaved.
  • More accounting reforms. Financial firms would be required to use more forward-looking provisions for loan losses. Originators and issuers of securitized loans would be required to keep a financial interest in those loans. And fair-value accounting rules, which always crop up in these discussions, would get yet another examination to see how they can increase the transparency around cash-flows from holding investments. I’m not sure whether that’s code for “letting banks say they’re not going to sell worthless assets, so they don’t need to say the asset is worthless”—but since Congress already forced the Financial Accounting Standards Board to relax fair-value rules, I’m not sure we need to ask.

Alas, nowhere do we see some of the more creative solutions floated in past months, like imposing a small transaction tax on stock trades to curb speculators, or integrating the CFTC and SEC, or re-instating the Glass-Steagall Act to segregate investment banks and their dumb decisions from commercial banks that consumers depend on. Those were good ideas—and to boot, they could help unravel the financial crisis without imposing drastic new challenges on Corporate America and on the chief compliance officers who must ensure those challenges are met.

Instead, we will see a hodge-podge of regulatory reforms meander their way through Washington. Even if these ideas sound good—a statement I don’t know that I support, but it may be true—they will still need enforcement mechanisms. They will need to be quantified in data, which will need to be collected, disclosed, and reviewed or audited. How are you, the corporate compliance or governance executives, supposed to achieve that? Nobody really knows yet.

So like I said at the start—not much has changed.

 

June 11, 2009

Shout-Out to 2009 Governance Rising Stars

It’s hip to be square: Yale University’s Millstein Center for Corporate Governance has just announced the recipients of its second annual Rising Stars of Corporate Governance awards. The prizes go to various folks under the age of 40 who have made some notable contribution to the field. Full disclosure: Yours truly won a Rising Star award last year.

This year’s recipients are:


· Nada Abdelsater-Abusamra, partner at the law firm Raphaël & Associés;

· George M. Anderson, partner at Tapestry Networks;

· Stephen L. Brown, associate general counsel, corporate governance, at TIAA-CREF;

· Evelynne Change, coordinator for corporate governance at the African Peer Review Mechanism (APRM) Secretariat, New Partnership for Africa’s Development (NEPAD);

· Deborah Gilshan, corporate governance counsel at Railpen Investments;

· David Hess, assistant professor of business law and business ethics at the University of Michigan;

· Elizabeth Ising, associate at the law firm Gibson, Dunn & Crutcher;

· Alexis B. Krajeski, associate director for governance and sustainable investment, F&C Investments;

· Rachel C. Lee, senior corporate counsel at EMC Corp.;

· Julieta Rodríguez Molina, associate at the law firm of Galindo, Arias & López.

Hats off to all!

Posted by: mkelly @ 4:29 pm

Filed under: Uncategorized

 

June 9, 2009

News From the HR (Human Rights) Department…

Compliance headaches have gone global this week, from Nigeria to China.

First, Royal/Dutch Shell finally blinked and settled a civil lawsuit against the company that was about to start in New York. Relatives of Ken Saro-Wiwa, a Nigerian civil-rights activist hanged by authorities there in 1995, had sued Shell under the U.S. Alien Tort Claims Act for alleged complicity with the government in Saro-Wiwa’s death. Shell agreed to pay $15.5 million to Saro-Wiwa’s family and the survivors of eight other activists executed along with him.

Second, China has announced rather Orwellian plans to require all personal-computer makers that sell PCs in the country to include special Web-blocking software with each unit. Ostensibly this is to block citizens’ access to pornography sites, but practically this system will allow Chinese authorities to “update” the list of blocked sites much like your central IT department sends out security patches to your desktop.

To my thinking, both of these events are near-misses for corporate compliance departments: mildly ominous developments that expand, yet again, the list of worries you need to keep in mind. The Alien Tort Claims Act, for example, has gone from a historical chestnut on the law books (it was passed in 1789 and hardly used for centuries) to something rather like a right to private action under the Foreign Corrupt Practices Act: anyone, living anywhere, can sue any company in U.S. courts for providing assistance to a government that does something the plaintiff claims is dangerous.

I recently conducted a podcast interview on the case with Jonathan Drimmer from the law firm Steptoe & Johnson, and man, this stuff seems hazy. How do you craft a code of conduct to insulate yourself from Alien Tort lawsuits? How do you enforce compliance?

The Chinese ruling could also be a ticking time bomb. You can’t wave off compliance with regulations from the world’s largest consumer market—especially one where various government agencies have very cozy relationships with each other, that Westerners often can’t quite perceive. Compliance with the rule itself should be simple enough; either install the blocking software onto the PC’s hard drive, or include a disk carrying the software with the PC’s packaging. That’s a hassle, but it’s not really hard to do.

But there’s something decidedly un-American about cooperating with another government’s censorship efforts. I could even foresee some crafty dissidents from Tibet or Taiwan suing U.S. companies for their cooperation under the Alien Tort Claims Act. And all for a rule that, I’m sure, clever Chinese hackers will be able to circumvent in less than an hour.

Welcome to the global village, folks.

Posted by: mkelly @ 4:05 pm

Filed under: Alien Tort Claims Act, China, Corporate Governance, International, Litigation

 

June 8, 2009

CW 2009: Postgame Wrap-up

Just a few random thoughts jotted down after a whirlwind three days last week…

Are budgets really that bad? I’ve been assuming for nearly a year that budget increases and job openings went out of style with Bear Stearns. Imagine my surprise, then, at one gathering of about 15 chief compliance officers and two Justice Department officials—and as conversation went around the room, all 15 reported stable or slightly increased budgets, a smattering had job openings, and none said their CEOs or boards were giving them a hard time about the expense of compliance. Yes, it’s possible that most of the 15 were there because they’d had run-ins with the government before, and thus have stronger claims on company resources. But overall, concerns about budgets were quite tempered.

How loud should tone at the top be? We’ve all heard ad nauseam that tone at the top of a company is the paramount concern regulators have about the effectiveness of a corporate compliance program. That’s fine, but compliance officers still don’t know how harsh that tone should be. At least three times, I heard attendees ask various keynote speakers, Justice Department officials and other regulators whether it’s important to fire an errant employee right away.

Nobody gave a clear answer to that question. Still, the plain truth is that firing an executive the day you learn of an offense is one tone; conducting a long investigation and then sending him off with a seven-figure severance package is quite another. Ultimately, that latter course might be the more prudent to fend off civil litigation—but it might not impress investigators looking for a strong anti-corruption tone. I could be wrong on that; I don’t know. Apparently, nobody else does either. 

Lots of stealth accounting issues lie ahead. Russ Golden, technical director for the Financial Accounting Standards Board, gave an overview of new accounting issues that made my head spin. Three new standards coming out this month? All accounting standards boiled into the new Accounting Standards Codification by July 1? That alone could fill an hour; instead, Golden squeezed Codification—a profound change for all accounting executives—into the final three minutes of his talk.

Likewise for U.S. adoption of International Financial Reporting Standards. Yes, regulators have put IFRS adoption on the slow boat these days, but the top financial reporting guys at Microsoft and Eli Lilly gave a fascinating talk about their challenges just in mapping out what their financial reports in IFRS would look like—never mind the Herculean task of actually getting those reports assembled. If this is a formidable project for the largest companies in the United States, one can only imagine what IFRS adoption means for the rest of us.

Keep everything in perspective. One of my most memorable conversations happened, as they usually do, in my taxi ride to the airport to fly home. My driver was from Sudan, doing some studies here before flying off to Dubai for some job he’d lined up over there. His take on life in the United States: “Sure things are bad, and the jobs are going away, but you still have the best country in the world. Anyone who complains or breaks the law—you just leave them in Sudan for three months. When they come home, they’ll kiss the ground here and never do anything wrong again.”

Words for all of us to live by.

Posted by: mkelly @ 12:23 pm

Filed under: 2009 Conference

 

June 2, 2009

Pre-gaming Compliance Week 2009

Compliance Week’s annual conference happens in Washington, D.C., this week, and promises to be an information-packed event as usual. This is always my favorite week of the year—not just because the bar in the lobby of the Mayflower Hotel is legendary (although that helps), but also because this conference is the central way-station where those traveling the many paths of “corporate governance” converge.

I get to attend almost all sessions over the next three days, and I’m sure each will serve up excellent insights for the particular slice of governance it’s exploring. But for the attendees still deciding where they want to go, here’s my take on what’s likely to be most interesting:

  • Luis Aguilar. The SEC commissioner is speaking Wednesday morning, and he’s always good for interesting comments. Since his appointment to the Commission last year, Aguilar has been an outspoken advocate for more shareholder-centric reforms; while he was a minority voice in the Bush Administration, he now has the force of a Democratic majority with him, and to my thinking Aguilar’s speeches are the ones to watch when you’re looking for hints of what the SEC plans to do next.
  • David Ogden. Deputy attorney general of the United States, and chief arbiter of all questions about corporate investigations. He closes out our Thursday sessions. You haven’t really heard much from Ogden since he started work at the Justice Department this spring. I’m hoping he’ll give fresh clues about the Department’s stance on waiver of attorney-client privilege. In fact, if he doesn’t, I’m going to ask him about it.
  • Bill Senhauser. You think your job is hard? Senhauser is the chief compliance officer of Fannie Mae, the mortgage giant that committed every ethical lapse known to man before it lurched into government receivership last year. At a Compliance Week editorial roundtable in March, he described how he’s supposed to manage compliance “when U.S. attorneys are fighting over the carcass otherwise known as your company.” You don’t want to be this guy, but he is an engaging, energetic speaker; you do want to listen to him. He’s on deck Wednesday morning after Aguilar.
  • Amy Schuh. Schuh is associate general counsel for compliance at Hewlett-Packard, and on Thursday afternoon she’ll offer an extensive look at how HP conducts compliance risk assessments. HP has been no stranger to ethics missteps in the last several years, but has now put those problems behind it. I’ll be eager to hear Schuh talk about how the company makes sure problems stay there.
  • Russ Golden. Golden is technical director at the Financial Accounting Standards Board, and the highest-ranking official there who isn’t on the FASB board itself. He will give a wide-ranging review of critical accounting issues on Thursday morning. Anyone who wants to grill him over determining the fair value of an asset during inactive markets, this is your big chance.

For the record, it’s still not too late to attend—anyone in the Washington area this week can do a walk-in registration. For the rest of you, be sure to check our website regularly throughout the week; we’ll be posting short updates of many sessions. After the conference wraps up, we’ll also make speakers’ presentations and other materials available to Compliance Week subscribers.

And for those of you who are attending: I look forward to meeting you. Feel free to introduce yourself during the conference, and if all else fails, look for me at the lobby bar!

Posted by: mkelly @ 11:41 am

Filed under: 2009 Conference, Compliance Week, Corporate Governance, SEC Rulemaking

 

May 29, 2009

Losing Steam on XBRL

To the best of my knowledge, XBRL has no tag for “disinterest.” That’s unfortunate, since it seems to be the adjective that best fits the U.S. Securities and Exchange Commission these days.

Yes, large U.S. companies must begin filing financial statements tagged in XBRL technology starting June 15. Yes, that’s because the SEC approved an XBRL mandate months ago after years of telegraphing its intention to do so. And yes, the plain truth is that most large filers will muddle through their first XBRL submissions without collapsing into chaos or bankruptcy.

Still, at what should be a proud hour for XBRL, enthusiasm has faded. We’re filing. Oh. Yippee.

The culprit here is new SEC Chairman Mary Schapiro. Given America’s current economic plight, she has astutely identified XBRL for what it is: the financial reporting equivalent of tidying up the front lobby for visitors, while the back of the company crumbles to the ground. Schapiro believes the SEC has much, much bigger problems to worry about than XBRL and the promise of easier comparison of financial data—and she’s right. The agency’s enforcement arm is a mess; the Obama Administration has proposed parceling out most SEC functions to the Federal Reserve or other agencies-to-be-named later as part of Washington’s wholesale regulatory reform. Now is not the time for the SEC to be worrying about tags.

William Lutz, director of the SEC’s 21st Century Disclosure Initiative, admitted as much at a May 28 conference discussing the future of XBRL. “A lot of the commission’s resources are turned internally” right now, he said, leaving “limited resources” for XBRL. Lutz added that two XBRL projects planned for this year—one to tag the Compensation Disclosure and Analysis and another to tag asset-backed securities—have been put off until next year, at least as far as SEC participation goes.

You can’t fault the SEC for putting its resources where they are needed. But it does underscore a fundamental problem with XBRL: adoption not only requires some specific vow of action; it requires maintenance, day in and day out, and that can be hard to deliver. Already, the XBRL taxonomy on the SEC’s website uses U.S. Generally Accepted Accounting Principles as of 2008—not the updated taxonomy for 2009, which was released in April. And neither taxonomy incorporates Financial Accounting Standard No. 165, Accounting for Subsequent Events, approved by the Financial Accounting Standards Board only last week.

Will either of those glitches last very long? Probably not. Still, they probably will last until someone at the SEC decides to fix them—and with the new SEC leadership responding to new problems that will endure for quite a while, expect fewer people at the SEC to be thinking about XBRL.  

Posted by: mkelly @ 3:44 pm

Filed under: SEC, SEC Rulemaking, XBRL

 

April 20, 2009

Best Practices for Internal Investigations

All right, we’re going to say it: Occasionally prosecutors go overboard.

This is a big admission for Compliance Week, because like good reporters everywhere, we tend to be cynical people. When we hear the word “indicted” we assume “guilty” and wonder when the person in question will resign. 

Lately, however, we’ve seen two instances of heavy-handed prosecution. Most notable was the case of Ted Stevens, the former Alaska senator, whose conviction on corruption charges was tossed out by a federal judge on April 7 because of prosecutorial misconduct. The judge was so incensed over the prosecutors’ behavior he referred them for criminal investigation. We’re not sure how much of a salve that is to Stevens, who was convicted in late October and promptly lost his job on Election Day.

Likewise, we have the hollow victory of Kent Roberts, former general counsel for IT security company McAfee. Roberts was indicted in February 2007 for alleged improprieties over backdated stock options. He was acquitted by a jury of some charges in October 2008, and the Securities and Exchange Commission dropped all other remaining charges against Roberts in March.

Again, that’s probably not much solace to Roberts. He was fired from McAfee in 2006, and was named countless times by the media—including Compliance Week—as an “alleged offender” in the backdating frenzy that swept Corporate America in 2006 and 2007.

Roberts’ and Stevens’ innocence is worth noting, since they’re not the only ones out there tarred by prosecutors and the media.

So what’s to be done?

First, Compliance Week is putting corporate investigations in the spotlight at our annual conference in June. We’ve corralled Roberts’ defense attorneys, Neal Stephens and William Freeman from the law firm Cooley Godward, to speak about investigations and the balancing act compliance officers face: how to demonstrate good-faith cooperation to prosecutors, what can go wrong, and how to keep legal troubles and costs to a minimum for your company. We encourage all our subscribers to attend; our full conference agenda makes it well worth the cost.

Second, keep hope alive. Congress has been yammering at the Justice Department for years to ease up its strong-arm habits of forcing companies to waive attorney-client privilege and the like. At least on paper, the Justice Department has been doing that with successive revisions of its policies for investigating and indicting corporations.

The cynics—and yes, we’re still among them—will be quick to say revised policies don’t matter as much as the people enforcing them. Well, on April 8, Attorney General Eric Holder assigned Marshall Jarrett, long-time director of the Justice Department’s Office of Professional Responsibility, to run the Executive Office of U.S. Attorneys and oversee what the 94 U.S. attorneys are doing.

Jarrett and Holder worked together closely in the 1990s, when Holder was deputy attorney general and Marshall served in his office. At the time, Jarrett helped to shape federal criminal law enforcement policy and supervised the prosecution of corrupt officials. Holder, meanwhile, was drafting “the Holder Memo,” the department’s first-ever guidelines on corporate investigation and indictment.

So the key players know each other, have worked together, and presumably have a clear sense of what they want to do. Let’s hope that ending prosecutorial abuses is part of that.

Posted by: mkelly @ 11:51 am

Filed under: 2009 Conference, Compliance Week, Investigations, Justice Department, Uncategorized

 

April 8, 2009

Amgen Extends Olive Branch in Executive Pay Wars

Amgen is trying a new tool to blunt some of the shareholder outrage over executive compensation: a survey.

Tucked away on page 51 of the pharmaceutical giant’s proxy statement is mention of a page on Amgen’s website where shareholders can fill out a 10-question survey asking what they think of the company’s compensation policies. We at Compliance Week haven’t seen something like that before, and we doubt it will placate shareholders all that much—but it’s a gesture, and a much more conciliatory one than the gesture shareholders are giving corporations these days.

The survey itself comes from TIAA-CREF’s criteria to evaluate the Compensation Discussion & Analysis discussions in corporate proxy statements. We couldn’t find any direct link to the survey page from anywhere else on Amgen’s website, and corporate spokesmen couldn’t immediately tell us how many people have submitted their opinions since the site went live sometime late last month. (Amgen filed its proxy statement on March 26.) So clearly this is what the folks in marketing call a “soft-launch” product.

We do have a few concerns: Amgen could do a better job alerting shareholders to the survey’s existence (it only gets a two-sentence plug at the end of the CD&A’s executive summary). Security is loose; we identified ourselves as one Gregory House, M.D., to get past the registration page and see the survey questions. And of course, if Amgen were truly determined to gauge shareholder views on compensation, it could send out that survey in a paper mailing of some kind. 

Still, the concept gets a thumbs-up from us. Amgen wasn’t required to offer a survey like this at all. It provides relevant information from the proxy statement for each survey question, so people can see the company’s argument for approving its pay policies. For example, Question 4 asks: “Are the incentives clearly designed to meet the company’s specific business challenges, both short and long-term?” Right after that is a URL link to a two-paragraph response from Amgen, with more links to the specific pages in the proxy statement that address the point. Clearly, somebody at Amgen put thought into collecting this feedback.

The grand question still is how Amgen will now use the feedback it gets; if this survey is just a showpiece to help achieve a smooth annual meeting (Amgen’s price is hovering just above 52-week lows), that’s sad. But there are easier ways to make empty gestures, so we suspect this one is legitimate. And it’s certainly an idea other companies should mimic.

Posted by: mkelly @ 1:01 pm

Filed under: Boards, Corporate Governance, Executive Compensation, Investor Relations

 

March 30, 2009

A Teaching Lesson From SEC’s Own Internal Controls

News of poor internal controls at the Securities and Exchange Commission always gets a rueful chuckle from compliance and financial reporting executives everywhere. Thus Compliance Week is happy to deliver yet another dose of SEC schadenfreude.

The agency’s inspector general just published a report on SEC pay practices, uncovering numerous lapses in judgment in the waning days of former chairman Christopher Cox. Most notably, the agency doled out pay raises and bonuses for seven senior employees—one receiving as much as $85,000—without any documentation, simply because those employees answered directly to Cox. 

None of those infractions amount to anything more than a rounding error in the SEC’s $906 million budget, of course. But they also serve as a valuable teaching moment for internal auditors about those times when immaterial numbers can raise material concerns anyway. As the inspector general himself noted:

Although the dollar amounts typically involved in “sensitive payments” are usually not large enough to materially affect the fair presentation of financial statements, sensitive payments are nonetheless a concern.

Why? Because such payments can entice a senior executive to manipulate numbers or override controls, or bypass given procedures—such as documenting the rationale for awarding a merit raise, which the SEC was supposed to do, and didn’t do here. And given the political sensitivity around government spending these days, any malfeasance, waste, or plain stupidity on the part of a senior government official can become a big deal, even when we’re talking chump change.

Corporate America should take that lesson to heart, since executives everywhere are only a few bad quarters away from becoming government officials too. I was always among that minority who believed AIG’s $165 million in bonuses was unbelievably stupid even though it was trivial compared to the billions upon billions AIG has received in bailout loans, precisely because once you are under the taxpayer microscope, small details like that appear to be huge lapses of judgment. AIG learned that lesson the hard way. You shouldn’t.

On the brighter side, the inspector general’s report did note that all the SEC commissioners dutifully stay within the $5,000 allowance they get to furnish their offices. At least they don’t have a John Thain problem.

Posted by: mkelly @ 4:28 pm

Filed under: Christopher Cox, Internal Auditing, SEC

 

March 24, 2009

The Confusing Cross-Over Between ERM, Internal Audit

Another week, another study lamenting the angst-filled uncertainty of the internal audit department.

The latest dispatch comes from the Institute of Internal Auditors, which has published a survey of more than 500 auditing executives at large U.S. companies. The 15-page report contains the usual useful tips, on how to run your department more efficiently (read: with less money) or how to engage all of a company’s stakeholders (read: people who might sue, picket, or otherwise put your CEO in the news) to help shape internal auditing’s priorities. For that practical advice alone, the report is worth reading.

Most intriguing, however, are respondents’ thoughts about enterprise risk management—which send just the sort of contradictory signals that editors like us love. Ponder this:

  • A majority of respondents say better risk management wouldn’t have helped prevent damage from the financial crisis;
  • A majority of respondents say internal auditing could have helped identify key risks to mitigate damage from the crisis. 

At first glance, those two statements shouldn’t exist at the same time in the same universe. But there they are: Auditing executives say risk management wouldn’t have helped, but more internal auditing to find risks (which would then be managed) would have. What?

I suspect two forces are at work here. First, internal auditors are merely saying that their departments have the potential to do more—if they have proper resources. That is simple self-interest. It’s to be expected, especially when another factoid from the IIA report says 51 percent of respondents are facing budget cuts.

But more troubling is whether internal audit departments and the rest of Corporate America still have different definitions of what “risk” is. Too often we talk about enterprise risk management as some wholly contained thing: a program to execute, a department to staff, a number to appear on some dashboard application the audit committee sees quarterly. I routinely hear from internal auditors who aren’t even sure whether they’re supposed to play a role in risk management or leave that to some other executive. So they view ERM as a distant, theoretical goal that top management wants—and we all know how often distant goals from top management become reality.

Instead (my theory goes), internal auditors view enterprise risk management as the sum of all individual risks properly assessed and managed. Pondering all the possible risks from expansion overseas, or credit default swaps, or whatever, is a tall order, especially when department budgets are already so strained. Hence auditors don’t have much faith in the fabled ERM. But finding specific possible threats and quashing those—well, that’s what internal auditing has always been about.

Either way, it’s an interesting puzzle. Any thoughts out there?

Posted by: mkelly @ 11:52 am

Filed under: ERM, Internal Auditing