The Human Side of Compliance

A company's ability to comply with financial reporting regulations is only as good as its people. Some businesses are doing a lot to ensure that their people are doing the right thing.

CFOs often complain that the Sarbanes-Oxley Act represents a harsh overreaction to the corrupt acts of a few bad apples. Besides, they say, the new law cannot prevent fraud if an unethical manager is determined to skirt the rules. This argument points to one of the steepest challenges of sustaining compliance over the long haul: people. "As good fraud auditors already know, any individual -- from the most pious to the most incorrigible -- can be prone to commit fraud due to fundamental 'people factors' that emerge given the right external stimulus," notes Dwayne Jorgensen, director of the Sarbanes-Oxley services practice for consulting firm CTG's information security solutions division in Duluth, Ga. Public companies have strengthened their financial reporting processes and installed new technology to help monitor internal controls, but one bad apple on staff can poison those staggering investments. Companies with a long-term commitment to Sarbanes-Oxley compliance and corporate governance address the human challenge through effective communication, compliance training and staffing decisions. Most important, compliance leaders translate the abstract notion of "tone at the top" into a practical and visible component of daily decision-making throughout the organization.

Drilling Tone Into the Ranks

The executive team at Santa Clara, Calif.-based Sun Microsystems Inc. shone a spotlight on compliance issues well before Sarbanes huddled with Oxley. "When you have 30,000 employees, there's always a chance somebody is going to apply bad judgment or make a mistake," notes Sun vice president and chief compliance officer (CCO) David Farrell. "We stress a very strong expectation for integrity at the top. We typically err very much on the side of being conservative in our judgments, and we work to set that tone throughout the company."

Farrell drafted his company's original "Standards of Business Conduct," and in early 2001 he helped establish the business conduct office, which he managed until stepping into the CCO position. A glance at Sun's board of directors -- which includes former SEC chief accountant Lynn Turner -- confirms Farrell's claim that a commitment to governance and compliance resides in the company's DNA. And Farrell credits the board and executive team with ensuring that the company puts its good-governance genes to use.

Shortly after Sarbanes-Oxley became law, CFO Stephen McGowan asked Farrell and Robyn Denholm, the company's vice president and corporate controller, to develop a series of compliance and governance training sessions that became known as Sun's "fiduciary boot camp." The program, named for its intensive-indoctrination approach, delivers in-person sessions on legal and compliance issues, including Sarbanes-Oxley, Reg FD, analyst and media relations, export laws, global anti-corruption laws, and related issues. It's mandatory for all of the company's vice presidents and directors, as well as for other managers whose responsibilities require a sharp understanding of compliance issues (e.g., people in analyst relations or financial reporting, overseas sales managers).

The day-and-a-half program is divided into hour-long sessions led by managers from Sun's business conduct office and other internal subject-matter experts. In 2003 1,000 employees attended the training; last year that figure doubled. One hundred to 250 employees attend each boot camp event, a dozen of which were held in locations throughout the world in 2004.

Farrell believes that the most effective way to train people on compliance-related subjects is to engage them in a dialogue rather than bombarding them with slides. "There is a lot of gray area in many of these areas, a lot of judgment calls," he notes. Sun boot camp attendees flex their decision-making muscles by working through case studies set in those gray areas and debating sticky issues with their colleagues.

The fiduciary boot camps are now overbooked because many graduates have requested that their teams attend future sessions. The sessions have also attracted interest from the companies that benchmark with Sun. "Our approach is to be as innovative and effective as we can from a preventative perspective," Farrell says, pointing out that the key to effectiveness is to keep these issues top of mind throughout the organization.