Failings could leave it open to fraud, theft

Tuesday, July 17, 2007
Last updated July 24, 2007 3:44 p.m. PT

By ANDREA JAMES AND DANIEL LATHROP
P-I REPORTERS

For the past three years, The Boeing Co. has failed, in both internal and external audits, to prove it can properly protect its computer systems against manipulation, theft and fraud.

Internal documents and interviews conducted over the past six months detail the angst and turmoil within the auditing and information technology wings of the aerospace giant. They also provide a rare glimpse of how the company that builds the most complex flying machines in the world has been stymied for years by a few obscure paragraphs in the Sarbanes-Oxley Act, the federal law enacted in the wake of the Enron scandal.

It’s a view of the company that stockholders don’t get to see.

Top company executives insist that the company is compliant with Sarbanes-Oxley and that its financial information is sound. But they acknowledged, in response to Seattle P-I inquiries, that the failings forced Boeing to scramble at the end of each year to assure that its financial information had not been affected.

And two recent theft cases — one involving documents that Boeing said could have cost the company $5 billion to $15 billion — underscore that the vulnerability of the company’s computer systems is not confined to Sarbanes-Oxley.

The continuing effort to fix the problem has cost millions of dollars. Boeing has had a full-time staff of dozens and, at times, up to 65 consultants charging from $115 to $500 per hour, engaged in testing the systems that affect financial reporting to prove it can lock its computer doors.

Boeing and its external auditors have rated the company’s inability to patch database and software development security holes as a “significant deficiency” with the computer infrastructure since 2004 — the first year it had to comply with the 2002 law. The failure has been deemed serious enough that for three years in a row, finance teams have spent the last 45 days of each year testing whether financial numbers are correct. Director of Financial Compliance Michael Zanoni said the “massive” effort in each case reassured the company that stockholders’ assets were safe.

The company says it is making progress.

“We are well ahead of schedule in our testing this year. We’re seeing significant improvement and are confident we will be able to close any outstanding issues later this year,” said Anne Eisele, Boeing director of finance communications.

Problems persist. Interviews and about 5,000 internal documents examined by the P-I show in detail the struggles created for Boeing — and perhaps for many corporations — by the post-Enron, Sarbanes-Oxley requirements, often referred to as “SOx.”

Among the problems the P-I found:

·  Boeing’s internal audit findings were so poor — meaning that so many computer system controls were failing or evidence was missing — that external auditor Deloitte & Touche decided not to rely on the results for three consecutive years.

·  Boeing exposed sensitive information about computer systems’ holes to employees who did not need access to all of the data, according to e-mails and interviews.

·  An internal complaint was filed with the company’s ethics board that audit results had been manipulated. The company decided last September that the allegation was unsubstantiated.

·  Some employees involved in the compliance process perceived a threatening culture. A late 2006 internal report said that employees felt they were being told that their jobs and salaries were “on the line,” and they were being pressured to produce evidence for audits “ahead of events occurring normally.”

Law meant to halt Enrons

Sarbanes-Oxley is a wide-ranging law aimed at preventing stockholder rip-offs such as the Enron scandal from happening again. Among its requirements, it forced public companies such as Boeing to shine a light on their internal controls. It must show it has checks and balances on people and computer systems to guarantee accuracy of financial statements.

No one has alleged financial fraud at Boeing, or claimed there is missing money. And the new law hit the airplane maker as it was in the midst of some of the biggest challenges it had ever faced, including developing an all-new airplane and an ethical makeover after a procurement scandal, the resignation of two CEOs, the jailing of a chief financial officer and revelations that it had stolen trade secrets from a competitor.

The federal guidelines for computer controls are unclear, and where the law is murky, auditors and company officials are left to fill in the gaps — facing criminal penalties if they are wrong. Companies are hungry for clarification on how to handle the information technology portion of Sarbanes-Oxley, according to The Institute of Internal Auditors, a leading professional association.

In 2004, Boeing considered how it would handle what would be a massive compliance effort for a firm that spans six continents and handles about $1 billion in transactions per week.

Corporate Controller Harry McGee set up a team to handle Sarbanes-Oxley the same way the company would tackle building an airplane, with daily progress updates. The company wanted to get it right — the first time — and parts of the corporation had no trouble, particularly the financial teams that were used to audits and strict standards.

First 2 years were ‘pure hell’

But Boeing’s information technology staff suffered.

“They weren’t used to being involved in a finance-related audit,” McGee said in a June interview at Chicago headquarters. “We drove process discipline pretty hard.”

One person involved in the compliance effort, who asked not to be identified, told the P-I that information technology managers thought the new rules would blow over and that workers were “openly hostile” to the audits. The level of rigor — for example, documenting every single approval for a coding change — was foreign to the get-things-done culture of Boeing’s computer professionals.

The employee described the first two years as “pure hell” for the information technology staff. Colleagues agreed. Even auditors were unhappy, leading to infighting last year between consultants at PricewaterhouseCoopers and Jefferson Wells — the two firms contracted to help Boeing with internal audits.

By the time 2006 arrived, Boeing was eager to eliminate its significant deficiency. But it didn’t.

In testing its computer controls, the company missed most of its important internal benchmarks last year, for the third year in a row, documents show. Auditor Deloitte decided it would do its own tests to come to its own conclusion about control effectiveness and decide whether to “close” the significant deficiency.

The result wasn’t good. An internal briefing document stated the company’s information technology division “has not demonstrated a robust control environment.”

In late 2006, Chief Financial Officer James Bell sent an e-mail to employees on the compliance effort telling them that “this performance is unacceptable.”

Chief Information Officer Scott Griffin, who led the information technology division through the Sarbanes-Oxley compliance effort, retired at age 52 on July 1. He declined to comment on the problems.

In its official response to the P-I, Boeing said that what matters most in Sarbanes-Oxley compliance is where the company stands at year’s end, and that “while a project may have internal ‘benchmarks’ or schedules designed to organize efforts, there is no direct correlation between meeting internal schedule milestones and classification of deficiency or weakness as of the closing date.”

Boeing officials say they are confident that its problems with general computer controls will be solved soon and they are happy with their progress, despite the inability for three years to resolve it.

“For the complexity of the stuff we do and the number of things we look at, it’s a strong system of internal control,” McGee said. “We’re working to try to optimize it.”

He firmly denied that the company has manipulated any results of its internal audits, as some employees have charged.

“Absolutely not,” he said. “I honestly believe there’s no fraud on this. Nothing.”

He said he must be comfortable with the corporate controls before recommending that Chief Executive Jim McNerney and CFO Bell sign off on control soundness, and that he trusts Boeing’s processes and its people.

Fortune 50 companies are better equipped to fix significant deficiencies, which makes Boeing’s problem unusual, experts say. Significant deficiencies were more common in 2004, when most major public companies had to begin complying with the law.

“Having them at the moment is a bit of a surprise, to be honest with you,” said Christopher Fox, a technology audit consultant who has co-written industry guidelines on the topic. “How did they get into this situation? I don’t know. I’m surprised they’re in it, this many years in.”

‘I’m sick of all this’


See the complete e-mail here. (PDF)

To figure out how Boeing found itself in its fourth year of technology-compliance woes, the P-I contacted dozens of employees and contractors and read thousands of internal e-mails.

Senior managers said that compliance was always a top priority. But junior managers said they didn’t have enough resources. Auditors said that the information technology department was too resistant to change. IT workers said that auditors kept changing their minds about what they wanted and were too eager to fail controls.

Meanwhile, the experts at Jefferson Wells and PricewaterhouseCoopers spent hours — billed to Boeing — disputing each other’s findings.

“I’m sick of all this and I will be retiring as soon as I can process the paperwork,” wrote Michael DuPas, an IT worker, in a June 2006 message to managers and directors. “None of the core team, (corporate audit), or Deloitte folks view anything the same so everything is a nightmare of explanations, discussions. That is why SOx is failing in Boeing.”

Another IT worker, Bryce Lytle, wrote: “We’ve been at this three years, and these type of things come up almost on a daily basis. … As a company we can do better than this and I’m frustrated as to why we are not.”

Arguments ensued when managers overturned audit findings. Tension was rife between auditors and IT workers. “You are preventing us from getting results documented,” auditor James Estep wrote in an e-mail after discovering a control rated as “passed” that he had rated as failing. “Is that your intent?”

Another auditor, Macy Moring, warned managers that a large number of employees had access to the audit findings — practically a blueprint for how to commit and hide financial fraud at Boeing.

“We are talking all the potential ways of inappropriately manipulating our financial systems out there for the multitudes to see,” she wrote. “This one makes me very uncomfortable.”

DuPas has since retired. When contacted by the P-I, he said he would “only do a disservice” to the company by speaking about such a “loaded” topic. Lytle, Estep and Moring declined to comment.

McGee acknowledged that emotions were high, but he said that the same sentiment could be found in airplane programs — or any other instance where the company demands high standards under a tight deadline.

Experts contacted by the P-I were not surprised that the IT workers at Boeing did not greet the auditors as liberators, they said, though they said that the level of emotion seemed unusual. But experts did not agree on who was at fault; they blamed too-vague federal rules, too-picky auditors, too-complacent Boeing and every possible combination of each.

“This sounds really, really messy,” Heriot Prentice, director of technology practices at the Institute of Internal Auditors, said upon hearing all of the charges and countercharges without knowing that he was speaking about Boeing, specifically. “This sounds like a big mess.”

Companies have been monitoring their computer systems for years — but under Sarbanes-Oxley, it was the first time that all public companies were required by law to do so as a part of a company’s “internal control over financial reporting.”

That control requirement, often nicknamed “404 compliance” after its corresponding part of the law, has been the most controversial and expensive aspect of Sarbanes-Oxley — and federal rules are now under review. Many executives bristled at the soaring costs of information technology compliance.

This year, Boeing has overhauled its strategy so that it focuses more on potential risks. It is relying on the work of 33 auditors from Pricewaterhouse, 10 Boeing auditors and one from Jefferson Wells, though numbers fluctuate.

Why problems not disclosed

Federal accounting regulations say that companies have a “reasonable” time to fix deficiencies before they must be classified as a “material weakness,” and thus must be reported to shareholders. A material weakness is the technical term that means a company’s profit or revenue figures could be off by a large amount.

Some Boeing managers worried that the company’s external auditor, Deloitte, would elevate its evaluation of the problem to a “material weakness” if it went uncorrected, sources told the P-I.

“There was a lot of talk about a fear of a material weakness,” said one source who did not want to be identified. Other employees and e-mails confirmed that sentiment.

Deloitte never categorized the problem as a material weakness, even after the problem persisted for three years. Though Deloitte would not discuss the matter with the P-I, experts agree that an external auditor can keep mum on deficiencies if it feels that the financial statements are accurate and that the company is making progress toward fixing problems.

“It is unusual to have a deficiency stay out there that long, ” said Trent Gazzaway, managing partner of corporate governance at Grant Thornton. But, “it sounds like there has been progress made. … You have to look at the whole system together.”

Also, general computer control failures rarely result in material weaknesses, said Nick Tootle, a partner at Kaufman Rossin & Co., a large Florida-based accounting firm.

“There’s no bright lines,” said Tootle, who asked not to be told which company the P-I was examining. “It’s judgment, judgment and more judgment.”

Boeing officials did not call the problem a significant deficiency in on-the-record conversations with the P-I — to do so could be considered a disclosure under federal law, and such disclosures fall under strict guidelines.

Controller McGee spoke frankly about how much work went into compliance and how Boeing is addressing its computer control challenges. For example, the company has beefed up database security. Perhaps more important, the company says it has set up other procedures, such as manual checks, to ensure that data stay valid.

Boeing says that if it had a material weakness, it would have disclosed it, and that its problems do not affect its financial statements.

“Like many other companies, Boeing has worked very hard to meet the challenge of SOx compliance with respect to information technology systems,” Boeing said in a written response to P-I questions. “It has not always been easy, but we are committed to high standards and effective internal controls.”

Shareholders should be concerned if the significant deficiency is symbolic of a lax compliance ethos in management, says Romana Autrey, an accounting professor at Harvard Business School. That the problem persists at a large company does raise questions, she said

“This is a tone-at-the-top kind of problem,” said Autrey, who also asked not to be told the company’s name.

Stronger controls over computer systems also better prevent errors from slipping through — and that’s a desirable thing, experts say.

“If somebody can’t get into the system, you don’t need somebody else to check the report 75 times to make sure nobody messed with it,” Tootle said. “In a Fortune 50 company, that’s a pretty big task.”

The larger question

In 2006 alone, Sarbanes-Oxley compliance cost Boeing $55 million, according to the company — about the list price of one new 737 plane. A lot of that money has gone to the external auditor, Deloitte, and other large accounting firms that helped with its internal audit, including PricewaterhouseCoopers and Jefferson Wells.

In mid-May 2007, CFO Bell met with auditors from Deloitte to discuss the status of information technology compliance, sources said. Boeing confirmed that “attendees discussed good progress on SOx IT testing.”

Such briefings between external auditors and executives are common because much of auditing ultimately comes down to a judgment call — the external audit firm decides whether it believes its concerns should be public, or only discussed with management.

Deloitte has shared its concerns with Boeing management, but because it decided the problem did not rise to the level of material weakness, it gave the company’s controls a clean bill of health in public documents filed with the Securities and Exchange Commission.

When it comes to telling shareholders all that it should, Deloitte does not have a spotless record, according to government records.

The Public Company Accounting Oversight Board, which was created by the Sarbanes-Oxley Act, inspects audit firms by reviewing samples of their work.

In the three reports the board has published on Deloitte, it has questioned dozens of decisions that made audit results appear rosier. In 2006, the board criticized one Deloitte audit for certifying information technology controls that the firm had not sufficiently tested. The company being audited was not identified, and Boeing said it was not the firm.

Experts said Boeing is not alone in its struggles, although the extent of other companies’ information technology compliance problems is not known.

In fact, law or no law, computer security is a “monster,” audit expert Jack Champlain said.

“I’d be afraid to be a CEO and have to sign off on a SOx certification,” he said. “They are hoping beyond hope that it’s secure, but there’s no way they would know.”

Do general computer controls matter? Experts say yes.

Tootle likened a company’s financial statements to an apartment, and the general computer controls to the foundation and building that houses it.

“Your unit 4C on the fourth floor may be perfect, but if the foundation and everything around it is worthless, then your apartment is worthless as well,” he said.

Sarbanes-Oxley, though painful, has forced business improvement at companies across the board, Tootle said.

“If you start from where they were to where they are now, you’d be hard-pressed to find anybody who hasn’t improved,” he said. “Now was it worth it? That’s another story.”

P-I reporter Andrea James can be reached at 206-448-8124 or andreajames@seattlepi.com. P-I reporter Daniel Lathrop can be reached at 206-448-8157 or daniellathrop@seattlepi.com.