The Twin Cities local business paper reported Monday that Buca restaurants announced that they are suing their former CFO (who had resigned) and CIO (whom they actually fired after an internal investigation) for all manner of malfeasance including, most egregiously, manual journal entries and related-party transactions. From the Business Journal:
The complaint alleges that Gadel and Motschenbacher caused the company to enter into unfavorable transactions with companies in which they had undisclosed, material financial interests, causing the company to overpay for goods and services. Buca also accuses Gadel and Motschenbacher of soliciting and receiving undisclosed kickbacks from a vendor, and seeking and receiving improper reimbursement from the company for personal expenses, such as family vacations, that were presented as business expenses.
In related news, Deloitte released their recent security survey of the top 100 global financial institutions, and found that while external security attacks barely increased (26% vs 25% year-over-year), security attacks from the inside increased dramatically (23% up from 14%). (Overview page at Deloitte, includes a link to a PDF version of the survey results.)
Now I had to laugh in light of these reports about an analysis piece by Peter Abrahams of Bloor Research (never heard of them before) suggesting that CIOs are the logical choice for being a public firm's Chief Governance Officer (really Chief Compliance Officer). (Tip of the hat to ComputerWorld blogger Mitch Betts for the citation.)
My reaction to Abrahams' suggestion: pure and unmitigated incredulity. This may be one of the most stupid ideas I have ever seen. While Abrahams seems to be writing the piece to promote the use of HP OpenView as a SOX compliance aid (everything is a SOX-compliance tool these days), the very idea that you have the same executive who oversees one of the most significant potential sources of fraud risk also be the head guy for compliance is just nuts. The whole checks-and-balances thing isn't just about the three branches of government.
Now if you wonder why I say that the IT organization is the most significant potential fraud risk in most organizations, it's not because I think IT folk are any less trustworthy than other groups. On the contrary, I'd say that as a group they have at least as solid ethical standards as the general population, and I might say slightly higher. So while they don't have a higher propensity to be motivated to do wrong, the IT side of the organization has means and opportunity in spades. Consider how transparent your IT organization is (not very is usually the answer here) and how much access they have to your company's inner information and workings (complete and total, including staff who, by necessity of their job duties, need backdoor and override access into all kinds of systems).
Now, does the CIO have a role to play in managing corporate compliance? Clearly. Systems can absolutely help to enforce compliance efforts, whether it is regulatory compliance or adherence to corporate procurement policy. Does that make the CIO a good candidate for being the Chief Compliance Officer? Hardly. Applying parallel logic would suggest that since the CIO is usually responsible for seeing an accounting system implemented, he should be the CFO.
The net-net is that there is a great deal of faith companies must place in their IT organizations and their CIOs. As with any role, there is no substitute for well-deserved trust, but we sadly can't run our companies assuming everyone is honest, for the same reason we can't leave our houses unlocked when we go on vacation. Companies need to think about the potential risk in this area of the company, and develop strategies to mitigate those risks. Combining the CIO and compliance functions seems to be the absolutely wrong way to do this.