
Corporate Governance

www.vogon-international.com

Vogon International

Written By:

Clive Carmichael-Jones
Operations Director

This booklet has been written to complement ‘The Enemy Within’ publication,
which is now in its fifth edition. ‘Corporate Governance’ has been produced to
reflect some of the legislative and best practice changes in the corporate
governance environment and the practical issues that these changes raise.

Copyright © 2005 Vogon International Ltd all rights reserved. No part of this publication may be used or reproduced,
in any form or by any means without the written permission of the publisher except in the case of brief quotations
included in critical articles or reviews.
Published by Vogon International Ltd. Talisman Business Centre, Talisman Road, Bicester, Oxfordshire, OX26 6HR.
About the author:

Clive joined Vogon International Limited in 1997. As Operations Director, he has responsibility
for the data recovery laboratories and forensic services groups within the UK head office;
the European offices based in Munich and Cologne in Germany; Oslo in Norway and the
United States Oklahoma centre.

Vogon’s multi-disciplinary computer forensic group specialises in computer forensic activities
and evidential bureau services for both commercial and law enforcement clients around the
world. The Vogon data recovery laboratories deal with customers worldwide. Clive’s
responsibilities include the development and product implementation of new forensic
computer hardware and software tools and procedures, as well as the provision of technical
support and training for customers worldwide. The team are responsible for the technical
work for Vogon’s own computer investigation staff.

With a truly international brief, Clive has carried out assignments around the world, including
work for legislators, Government and law enforcement agencies in Germany, Switzerland,
Austria and Hungary. He has also been involved in security reviews for organisations such
as an international banking corporation and the investigation of cases for many civil clients
including an international airline, one of the top five IT corporations and one of the top five
accountancy firms.

Clive joined the data recovery section of S&S International Plc in 1994, where he was involved
in the development of some of the world’s first dedicated computer forensic products. Prior to
joining S&S International, Clive’s early career in the computer field was founded on the
analysis, development and production of computer hardware systems.

Clive lectures and presents worldwide, and writes extensively for many technical and legal
publications in the field of computer forensics, both in the U.K. and overseas. Among the
publications that have benefited from Clive’s extensive writing are Computers and Law, the
Institute of Directors and the Barrister, and Vogon’s internal publication, The Enemy Within.

Introduction
Never before have the pressures been greater on organisations to demonstrate
sound corporate governance policy and practice. Investors’ confidence in the
trustworthiness and honesty of corporate accountancy policy has probably never
been lower. The penalties for failure to comply with corporate governance
legislation are potentially extremely serious both financially for the organisations
and personally for the senior managers who exercise control.

Central to the issues of effective control and sound governance practice is the
use, protection and distribution of data within an organisation. Corporate
governance and IT are inexorably linked at all stages of the management process.

Increasingly, problems associated with poor data storage policy or practice arise,
causing serious compliance issues for organisations across the world.

This booklet gives an introduction to the recent historical events that have led to
this political and social situation, highlights some of the applicable codes of
practice and legislation that have resulted from these incidents, and looks at the
practical impact that this may have on an organisation.

Vogon has been involved with compliance and disclosure related projects for
the past 20 years, and we hope that this booklet may offer the reader some
benefit of our experience. The information may also help prevent organisations
from repeating the mistakes, some of which have been financially disastrous,
that others have made in the past.

A historical perspective of corporate fraud

Recent history is littered with high profile examples of corporate corruption.
The scale and frequency of this problem has resulted in a loss of confidence in
the investment security and financial integrity of some of the world’s largest
financial markets. The need to restore this confidence is the principal driving
force behind the wide-ranging legislation that has been introduced
internationally. The legislative environment is continually developing, and the
issues around corporate governance look set to remain at the forefront of these
changes.

Below is a short account of some high profile corporate corruption scandals that
have set the scene for the current legislative climate.

Maxwell Corporation - 1991

The Maxwell financial empire was largely supported by two publicly quoted
companies, namely Maxwell Communication Corporation and Mirror Group
Newspapers. Built up over many years, the group accrued too much debt, and
resorted to fraudulent practices to cover up the true extent of this. Following
the presumed suicide of Robert Maxwell, the true extent of the group’s financial
problems was exposed. It is believed that over £725 million had been stolen from
the pension funds of the two publicly listed companies and from other company
assets. As the magnitude of the problem became apparent, a further £1 billion
was lost to shareholders as the value of the public companies crashed.

This incident highlighted a number of serious corporate governance deficiencies:

• Control was highly concentrated in a single individual – Since 1991 Robert
Maxwell had held the position of both chief executive and chairman of
Maxwell Communication Corporation, and indeed, Macmillan Publishers,
for the same period. Such concentration of power facilitated the financial
abuses that occurred

• The non-executive directors that were appointed by Maxwell, whilst
reputable, did not effectively fulfil their role as independent board members

• The audit functions within the group were deficient, and did not highlight
the financial movements of money out of the pension fund. The pension
fund regulators also failed to investigate the activities of the pension fund
effectively

It is interesting, with hindsight, to note that as long ago as 1969 a report was
instigated by the UK’s Department of Trade and Industry after questions were
raised over the proposed purchase of another of Maxwell’s companies, Pergamon
Press. The report concluded that Robert Maxwell was ‘…not…a person who can be
relied on to exercise proper stewardship of a publicly quoted company’.

The Maxwell scandal was described at the time as the greatest fraud of the 20th
Century, and forced the matter of both corporate governance and financial ethics
firmly into the public, business and political arena.

Corporation: An ingenious device for obtaining profit without individual
responsibility. – Ambrose Bierce

Barings Bank - 1995

If the state of effective corporate governance in the publishing industry was
questioned after the Maxwell fraud, the collapse of Barings Bank raised even
more troublesome questions for the banking industry.

The collapse of Barings Bank resulted from losses ultimately amounting to some
£830 million, accrued as a result of unlawful trading by Nick Leeson, the general
manager and head of trading of Barings in Singapore. Despite his relatively little
experience, this dual role gave Leeson control of both stock market floor trading
and the trading accounts themselves. Leeson illegally traded with clients’ funds,
initially to cover up losses and later, after early success, to make large speculative
profits. This illegal trading led to a series of massive losses, which eventually
accrued to such a significant amount that they brought about the collapse of
the bank.

Whilst Leeson unquestionably acted illegally and unethically, it is equally important
to highlight the fact that serious shortcomings in corporate governance within the
bank led directly to the circumstances where this situation could arise. These issues
can be summarised as follows:

• Lack of segregation in Nick Leeson’s duties

• Poor or ineffective supervision of Leeson’s activities by the bank’s senior
management

• The unusual profits made initially were not flagged as such, and the situation
was allowed to continue

• Lack of understanding about the nature of the business – in this particular
instance foreign derivatives trading

• Failure of the internal auditing system to spot these illegal activities

If you owe the bank $100 that's your problem. If you owe the bank $100 million,
that's the bank's problem. – J. Paul Getty

Enron - 2001

The collapse of Enron led to reforms in corporate governance legislation and best
practice recommendations all around the world. Enron was one of the ten largest
companies in the United States, and on 2 December 2001 it filed for creditor
protection under Chapter 11 of the US Bankruptcy Code.

Enron was a Houston based company that started out as an energy company. It
later became a financial and energy trading company. It developed a reputation
for its skill in handling risk management derivatives and, on the back of the
deregulation of the energy industry, its early financial success was meteoric.
Created in 1985 from the merger of two pipeline companies, by 2000 the company’s
revenue had reached $100 billion. As early as February 1998, questions were being
asked by some elements of the Press about the sustainability of this growth.

A billion here, a billion there - pretty soon it adds up to real money. – Senator
Everett Dirksen

There is no doubt that Kenneth Lay, the founder of Enron, was hugely charismatic,
and concerns were voiced that the senior management team of Enron followed
Lay almost as a cult leader. ‘Arrogant’ and ‘over-ambitious’ were also terms
levelled frequently at the management and staff of Enron.

In August 2001 Jeffrey Skilling, the then chief executive, left Enron, following a
public incident with an analyst who had the temerity to ask probing questions
regarding the financial security of the company. Questions were also being asked
about the state of the company management. During the remainder of Q4-2001, it
became clear that there were serious financial problems with the organisation. In
January 2002 Kenneth Lay resigned, and later charges were made against senior
members of the company. These included wire fraud, money laundering, mail fraud,
and conspiracy to falsely inflate Enron’s profits for personal gain.

A criminal is a person with predatory instincts without sufficient capital to form a
corporation. – Howard Scott

Confidence in the company collapsed in 2001. It became clear that fraudulent
accounting practices had been operating widely within the organisation.
Questions were then, belatedly, asked as to how this could have been allowed
to happen if the proper accounting and auditing practices had been followed.

Attention then turned to Arthur Andersen, Enron’s auditors. Andersen had
collected some $25 million in 2000 for auditing Enron, and an additional $27
million for consultancy services. This level of payment demonstrated a clear
potential conflict of interest in dealing with a company like Enron. In January
2002, the partner in charge of the Enron audit was fired, and in June 2002
Andersen, the body corporate, was convicted of obstructing justice for illegally
shredding documents relating to the Enron investigation. Largely as a result of
this and the loss of public confidence, Andersen no longer exists.

Enron was the largest ever business to collapse, resulting in the discrediting and
collapse of one of the world’s largest accountancy firms. The loss of confidence in
accountancy practices, corporate integrity and the general level of ethical
standards in the business world has been immense.

WorldCom - 2002

Having admitted inflating its profits by more than $4 billion, the telecommunications
giant WorldCom filed for Chapter 11 bankruptcy protection claiming $107 billion
in assets and $32 billion in debts. This figure later increased to $41 billion. It is
claimed that Scott Sullivan, WorldCom’s chief financial officer, improperly reported
expenses as investments, to improve the apparent financial position of the company
to investors, and maintain shareholder confidence. The amounts owed to the three
largest creditors, JP Morgan, Citibank and Mellon Bank, alone amounted to over
$27 billion.

There is no kind of dishonesty into which otherwise good people more easily and
frequently fall than that of defrauding the government. – Benjamin Franklin

WorldCom was hit by a downturn in the market brought about by a global
overcapacity of bandwidth, coupled with a consumer price war and increased
use of mobile telephones. At its peak WorldCom was valued at $180 billion,
employing 80,000 staff. Following the announcement of the debt, the share
price dropped, valuing the company at $280 million. Arthur Andersen also audited
WorldCom.

The US Securities and Exchange Commission (SEC) imposed a $500 million penalty
after the full extent of the $11 billion accountancy fraud emerged.

Money is better than poverty, if only for financial reasons. – Woody Allen

Parmalat – 2003

Following the Enron scandal, it was hoped and largely assumed that no similar
financial collapse could take place in Europe; however, Parmalat was declared
insolvent in December 2003. Subsequently, a number of fictitious offshore funds
and bank accounts were found which had been used to hide the company’s debts,
amounting to some $16 billion. Parmalat, founded in 1961, employed 36,000 staff
worldwide. In 2002 Parmalat sales reached approximately $13 billion.

In November 2003, Parmalat defaulted on a $185 million bond. This caused
investors and analysts to examine more closely the company’s accounts. Allegedly
$4.9 billion of the company’s assets, accounting for approximately 38% of the
total assets, were supposed to have resided in a Bank of America account of a
Parmalat subsidiary in the Cayman Islands. This account did not exist.

Assets had been invented over a period of 15 years to hide as much as $16 billion
in liabilities and false accounting practices. This disclosure forced the $9.2 billion
company into bankruptcy.

The company traded on the New York Stock Exchange, and had sold $1.5 billion
in bonds to US investors. The US Securities and Exchange Commission (SEC) sued
Parmalat for misleading investors, in a “brazen fraud”.

The total lack of transparency of the company’s financial state permitted this
fraud to be perpetuated for an extended period of time. The company’s auditor
during the period 1990 – 1999 was the Italian branch of Grant Thornton
International. Under Italian law, Parmalat was forced to change its auditors and
it replaced Grant Thornton with Deloitte Touche Tohmatsu. Grant Thornton
continued to audit Parmalat’s offshore entities. Neither firm uncovered this
massive fraud that had been perpetrated for many years.

Corruption is like a ball of snow, once it's set a rolling it must increase. – Charles
Caleb Colton

Discovery of the frauds noted above was inevitably followed by the financial
collapse of the organisations responsible. The collapse of businesses of this size
also had a huge knock-on effect on primary and secondary suppliers and creditors.

These events had, cumulatively, an enormous and lasting impact on the
confidence of the financial markets and how investors viewed risks. Hundreds
of thousands of jobs and many billions of dollars have been lost; millions of
investors have been directly affected.

Whilst there have been a number of other high profile corporate frauds, the
examples listed above are especially important in a historical context, since they
were the chief catalysts for the formation of the various committees, codes of
practice and legislation described below.

Could this type of fraud happen again?


Despite significant changes to legislation covering corporate governance, covered
later in this booklet, it is important to retain a sense of realism about what this
will achieve. Fraud has been perpetrated in one form or another since the earliest
times. It is unrealistic, given the levels of financial inducements that are available,
to assume that large-scale fraud is not happening right now and will not happen
in the future.

A brief contemporary history: corporate governance legislation and regulation

In testimony delivered before the Senate Intelligence Committee in February 2005,
Robert S. Mueller III, the director of the Federal Bureau of Investigation (FBI), said
that the FBI is pursuing 334 corporate fraud cases throughout the United States, a
more than 100 percent increase over last year. Eighteen of those cases involved
losses to the public which exceed $1 billion. “Unfortunately, the volume of cases has
yet to reach a plateau, and the FBI continues to open three to six new cases each
month – each case averaging a loss exceeding $100 million,” Mueller said.

Against this backdrop of corporate scandal and fraudulent accounting practice, the
regulators and governments of the various world financial markets were working
hard to limit the damage caused and to restore investor confidence. Below are
some of the key events that have shaped the legislative landscape in respect to
corporate governance regulation and compliance:

Berle and Means (1932)

As early as 1932, following the crisis in capitalism that was consuming most of the
developed world, the requirements of corporate governance in a modern capitalist
world were being explored. Adolf Berle and Gardiner Means’ book ‘The Modern
Corporation and Private Property’ was considered the leading text of the time, and
represented the emergence of what is now called corporate governance. Berle and
Means were amongst the first to identify and record the immense gap between
corporate ownership and control, and the emergence of a powerful class of
professional managers who were becoming increasingly disassociated from
shareholder responsibility and public accountability.

Corruption is worse than prostitution. The latter might endanger the morals of an
individual; the former invariably endangers the morals of the entire country. – Karl
Kraus

Employee Retirement Income Security Act 1974 (ERISA)


Established in the United States, ERISA dictates statutory federal duties for the
managers of private pension funds. It mandates private pension funds to vote
their shares, and is viewed as one of the first positive legislative steps towards
a modern corporate governance culture.

Cadbury Report 1992


The Cadbury Report derived its name from Sir Adrian Cadbury, who chaired the
committee that produced it. The formation of the Cadbury Committee, more
formally ‘The Committee on the Financial Aspects of Corporate Governance’, was
driven largely by public fears. These followed the Maxwell fraud and were levelled
at the apparent ease with which power could be abused within large
organisations, and the recognition of the urgent need to look closely at the issues
of corporate governance. It produced its report, and associated Codes of Best
Practice towards the end of 1992. The committee was assembled under the basic
belief that the existing system of corporate governance was sound, and that
greater transparency and accountability was all that was required to improve
standards.

The resultant ‘Cadbury Code’, as it was called, was not legally binding, although
all companies that were publicly listed on the London Stock Exchange were
required to provide a statement of compliance with the code. The report
concentrated on three main areas of accountability: the board of directors,
shareholders and the process of auditing. It is generally considered to have had a
substantial and positive impact, both in the United Kingdom and around the world,
partly due to its ‘comply or explain’ approach to corporate compliance, whereby
an organisation should state that it is fully compliant with the provisions of the
code or provide an explanation as to why it is not.

When a fellow says it ain't the money but the principle of the thing, it's the money.
– Kin Hubbard

Greenbury Report 1995

During the mid 1990s, there was much concern regarding the level of directors’
remuneration versus the performance of the companies which they directed.
The numerous ‘Fat Cat’ incidents attracted substantial media attention and were
the subject of heated discussions with shareholders.

In response to this concern a second corporate governance committee was
formed. The remit of this committee was not explicitly to reduce the remuneration
packages of directors, rather to establish a link between their performance and
the level of the rewards received. The report recognised the need to attract high
calibre individuals to board level positions, but it also expressed concern over
the lack of transparency in directors’ pay packages, especially in relation to share
options and other additional sources of financial reward.

Hampel Report 1998


Following the Cadbury and Greenbury committees, the Hampel Report was
produced. This brought together into a single code the aspects of corporate
governance previously covered, i.e. best practice in respect of corporate
governance and directors’ remuneration. The Hampel Report was published and
‘The Combined Code’ arose out of this. The Combined Code, now in a revised form,
still forms the basis of corporate governance best practice in the United Kingdom.
It differs fundamentally in approach from the rules-based, ‘tick box compliance’
systems previously advocated, and focuses instead on the need to move to a
‘principle-based approach’ to corporate governance and compliance. The concept
is in stark contrast to the rules-based, prescriptive format currently favoured in
the United States.

Turnbull Report 1999


The remit of the Turnbull Committee was to focus on internal controls making
up the corporate governance framework within an organisation. The resultant
report produced a non-prescriptive common compliance framework for
companies. Guidance was provided on how a company could follow and develop
this framework, and clear best practice recommendations were made. The
Turnbull Report has revolutionised the process of corporate governance practice.
It has also attracted significant international attention.

Basel Committee - 1999 & 2004


Following the collapse of Barings Bank and other financial frauds the Basel
Committee was established as an attempt to reduce the number of bank failures.
This was achieved by linking a bank's own metrics (in this case its capital adequacy
ratio) to the degree of risk involved in the loans it made.

The objective of the guidelines was to enhance corporate governance standards
amongst the banking community across the world. The report produced by the
Basel Committee looked particularly at lines of communication, oversight by
senior management, checks by internal and external auditors, compensation
and remuneration issues and lines of responsibility and accountability.

In Q4-2007, the Basel 2 regulations will take force. Basel 2 uses a much more
sophisticated model for investment risk analysis, and addresses some of the
weaknesses and negative effects of the existing Basel 1 regulatory framework.
The potential costs associated with the implementation of the Basel 2 principles
have been the subject of much discussion.

The OECD Principles - 1999

The first set of internationally recognised standards on acceptable corporate
governance was created by the Organisation for Economic Co-operation and
Development (OECD) in 1999. The OECD is a Paris-based organisation of
industrialised countries and of those aspiring to become so. Formed in 1961, it
took over from, and was based upon, the Organisation for European Economic
Co-operation (OEEC), which was set up as part of the Marshall Plan.

The code represents a level of corporate governance that its membership can
accept. In this light it represents the lowest acceptable common standard,
although this in itself is a step forward. Many of the principles are based upon
a reworking of the findings of the Cadbury Committee, and subsequent reports.

Myners Report - 2001


Following the Maxwell pension fraud, changes were made to the way that
pension funds could be used. It was felt that a greater degree of transparency
was still required. In March 2001 a report was produced by Paul Myners that
recommended a voluntary code of practice for the pension fund industry.

There were three principal elements to the report, covering:

• Extending fraud compensation provision

• A requirement for pension funds to issue public, "transparency" statements
on their investment strategies

• Separating pension fund assets from the control of the company

Sarbanes-Oxley Act 2002


Again, following the collapse of Enron, WorldCom and Global Crossing, events
where the conflict of interests and close relationship between companies and
their external auditors were considered to be to blame, the United States
Congress agreed reforms with the New York Stock Exchange (NYSE). The resulting
legislation is the Sarbanes-Oxley Act 2002.

This legislation has had a profound impact on corporate governance strategies
within the United States and abroad. The purpose of the Act is to enforce the
independence of external auditors. It reinforces the duties of CEOs and CFOs by
imposing strict penalties for misrepresenting the financial position of their
companies in their quarterly and annual reports. These reports must state that
the company is fully compliant with all applicable securities laws, and that the
forms presented to the investors are a fair representation of the company’s
financial state. Penalties of personal fines of up to $1m or imprisonment of up to
10 years, or both, are possible for misdeclaration.

In an age that is utterly corrupt, the best policy is to do as others do. – Marquis de
Sade

The Act also restricts the activities or services that external auditors can offer to
companies they are auditing, in an attempt to strengthen their independence
and remove possible conflicts of interest.

A new regulatory body has also been set up under this Act, known as the Public
Company Accounting Oversight Board (PCAOB), with which all US listed
companies, including foreign companies, must register.

Higgs Report - 2003


The 1998 Combined Code arising out of the Hampel Report covered many aspects
of corporate governance. Following the Enron fraud, it became clear that certain
areas needed closer examination, and in particular the role that non-executive
directors play within an organisation. The Higgs Report targeted the role of
non-executive directors specifically, and made recommendations for enhancements
to be made to the Combined Code. Chief among these recommendations was
that non-executive directors should champion the interests of the shareholders,
and the Report called for stronger communication lines to be formed between
the company’s principal shareholders and the non-executive directors.

Smith Report - 2003


Alongside the Higgs Report, and also in response to fears generated out of the
collapse of Enron, the Smith Committee was formed. The Smith Report focussed
on the role and effectiveness of the audit committee. The formation of an audit
committee was nothing new, and was a recommendation of the 1992 Cadbury
Report, as a means of monitoring the company directors’ activities and practices.
The Smith Report looked closely at the responsibilities of a company’s audit
committee, and the relationship that external auditors have with the company
that they audit.

Redrafted Combined Code - 2003 (Post Higgs)

Following the recommendations made in the Higgs Report, the combined code
that originally arose out of the Hampel Report was redrafted to incorporate the
majority of them. The new Combined Code focussed more on directors’ excessive
remuneration packages, and encouraged greater shareholder involvement.
The new code was designed to aggressively encourage greater financial
transparency and accountability to a company’s shareholders, and is seen as one
of the most radical steps in ensuring high levels of corporate governance.

Commission on Public Trust and Private Enterprise - 2003


This Commission was formed by the influential US non-profit organisation, the
Conference Board, to look at the situations and circumstances that give rise to
large-scale corporate fraud. It has focussed its work in three principal areas:
auditing and accounting, corporate governance, and directors’ compensation.
The Commission has issued two reports: one in 2002 covering ‘Directors’
Performance and Remuneration’, and a second in 2003 commenting upon
corporate governance, auditing and accounting.

Delaware Corporate Law


Over time the state of Delaware has built up a significant body of corporate case
law that has become widely adopted in corporate America. The approach taken
by Delaware is much less prescriptive than the rest of the United States and is,
in many respects, more aligned to the stance taken in Europe, particularly the
United Kingdom. It operates on the principles of fiduciary duty and acting in the
best interests of the shareholders of the company. Many companies, including
the major US listed companies, choose to register in Delaware.

Legal and ethical considerations


Much is made of the legal requirement to exercise appropriate levels of corporate
governance – no doubt fuelled by the possibility under the Sarbanes-Oxley Act
of spending many years in prison for failures in this respect. It must also not be
forgotten that there is an implicit ethical requirement for any senior management
team, to act in the best interests of the company’s shareholders.

What is corporate governance?


The definition varies according to the perspective of the individual. To some it
encompasses the whole spectrum of cultural, ethical, legislative and institutional
rules that specify what an organisation should do, and how it should behave. At
the other extreme, some have a much narrower definition of the term, and think
of corporate governance only in terms of ensuring a supplier’s return on
investment. In this instance the supplier supplies capital, and the governance
process therefore deals with the management, monitoring and reporting of the
capital employed.

The relationship between corporate governance and IT governance

The areas that have been directly considered by the various committees, reports
and codes of practice, broadly, are:

• Directors’ remuneration packages

• Transparency of accountancy practices

• Corporate governance practices

The role of IT governance is closely linked to all aspects of corporate governance
since, in virtually all organisations, the IT system supports all of the processes
and procedures that are carried out. The ability to exercise appropriate control
over the IT system is fundamentally related to the ability of an organisation to
make any statement as to the compliance of any of its other governance
procedures and policies.

The data held by an organisation defines that organisation. It is often the case
that the inability to access stored data in an appropriate manner precludes an
organisation from discharging its governance duties effectively. Credible
compliance requires credible IT governance strategies and responses.

The consequence of corporate governance reform on IT strategy and data storage
One of the most significant impacts that the continuing developments in
corporate governance legislation have had on the business world is the
requirement to be able to access information, particularly historical information.
The Sarbanes-Oxley Act has caused data retention and retrieval policies to be
carefully considered. Information (data) disclosure, and the ability to access and
process stored corporate data effectively, is now a fundamental legal requirement
in many situations. Even if there is no strict legal requirement, good IT governance
practice and plain common sense dictate that the storage of huge volumes of
data is a costly and ultimately pointless exercise if the data cannot be accessed
and used as required.

Data retention periods, and the policies that govern them, need to be carefully
aligned to the business requirements in order to ensure compliance. In many
instances it becomes clear, following review, that extended retention periods are
required. As a consequence, the overall quantity of data stored rises.

If the typical data retention profile is considered for organisations within a given
market sector, the trend will be for a rapid, but linear increase in the quantity of
data retained. This will usually reflect technological improvements in data
storage technology and the consequential lowering of the cost per unit quantity
of data stored.

The impact of changes in data retention policy, driven by the requirements of,
and in response to, recent corporate governance legislation, has had the effect
of greatly increasing the rate at which the volume of corporate backup data
increases. The rapidity of this corporate response is atypical, even by the fairly
dynamic standard of the IT industry.

The ability to provide accurate and reliable management information is closely
related to the ability to access data in most organisations. Whilst this fact may
seem obvious, insufficient thought and planning goes into the way in which data
can be retrieved and subsequently processed to produce the required information.

This touches on a number of highly important issues relating not only to corporate
governance, but also to disaster recovery/business continuity planning and
compliance with local data protection legislation.

The relationship between governance compliance and disclosure
There is an increase in the quantity and complexity of electronic disclosure work
as a direct consequence of the requirements of governance compliance.
Aspects of electronic disclosure, or discovery, are covered in Vogon’s ‘The Enemy
Within’ booklet. There are a number of reasons why, despite best intentions, an
organisation finds itself unable to disclose information either at all, within an
appropriate timeframe, or without incurring excessive costs. Often the only time
that this problem becomes apparent is precisely at the time when data disclosure
is demanded.

Consider information held electronically, for example, in the form of a spreadsheet.
A paper copy of the spreadsheet would reveal the numbers, but not the metadata
associated with the numbers. Metadata (data about data) in this example might
include:

• What formula, if any, was used to generate the results
• When the spreadsheet was created
• When the spreadsheet was last updated
• Who ’owns’ the spreadsheet
• Where the spreadsheet was stored
• Whether it was password protected
• What version of the application package was used to create the spreadsheet
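As an added illustration (example code written for this edition, not part of Vogon’s own toolset), the following Python script shows where that metadata physically lives in a modern spreadsheet file and how a disclosure team would pull it out without opening the file in Excel. It uses the .xlsx format, which is a ZIP container of XML parts; the older binary .xls format holds equivalent properties inside an OLE compound file and needs a different parser. The workbook contents, user names, dates and figures are constructed sample data.

```python
"""Extract the metadata a paper printout of a spreadsheet would lose.

Added example, not Vogon's code. It builds a small constructed .xlsx in memory
so it runs offline, then reads back the fields listed in the text: who created
and last changed the workbook, when, which application and version wrote it,
whether it is password protected, and the formulas behind the cell values.
An .xlsx is a ZIP container of XML parts; only the standard library is needed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the parts we read (fixed by the Office Open XML spec).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
}

# Constructed sample parts: names, dates and figures are invented for the example.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>j.smith</dc:creator>
 <cp:lastModifiedBy>a.jones</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2005-03-01T09:15:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2005-06-30T17:42:10Z</dcterms:modified>
</cp:coreProperties>"""
APP_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Application>Microsoft Excel</Application><AppVersion>12.0000</AppVersion>
</Properties>"""
WORKBOOK_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
 <workbookProtection workbookPassword="CA9B" lockStructure="1"/>
 <sheets><sheet name="Q2" sheetId="1"/></sheets>
</workbook>"""
SHEET_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
 <sheetData>
  <row r="1"><c r="A1"><v>1200</v></c><c r="B1"><v>-350</v></c></row>
  <row r="2"><c r="A2"><f>SUM(A1:B1)</f><v>850</v></c></row>
  <row r="3"><c r="A3"><f>A2*1.175</f><v>998.75</v></c></row>
 </sheetData>
</worksheet>"""


def build_sample_xlsx() -> bytes:
    """Package the constructed parts into .xlsx bytes (a ZIP archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/worksheets/sheet1.xml", SHEET_XML)
    return buf.getvalue()


def _text(root, path):
    node = root.find(path, NS)
    return node.text if node is not None else None


def extract_metadata(xlsx_bytes: bytes) -> dict:
    """Return the disclosure-relevant metadata of an .xlsx as a dict."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        formulas = {}
        for name in sorted(n for n in z.namelist() if n.startswith("xl/worksheets/")):
            ws = ET.fromstring(z.read(name))
            for cell in ws.iterfind(".//s:c", NS):
                f = cell.find("s:f", NS)
                if f is not None:
                    formulas[cell.get("r")] = f.text  # a printout shows only <v>
    return {
        "creator": _text(core, "dc:creator"),
        "last_modified_by": _text(core, "cp:lastModifiedBy"),
        "created": _text(core, "dcterms:created"),
        "modified": _text(core, "dcterms:modified"),
        "application": _text(app, "ep:Application"),
        "app_version": _text(app, "ep:AppVersion"),
        # Structure/sheet protection only; a password-to-open encrypts the
        # whole package and the file is then not a plain ZIP at all.
        "password_protected": wb.find("s:workbookProtection", NS) is not None,
        "formulas": formulas,
    }


if __name__ == "__main__":
    for key, value in extract_metadata(build_sample_xlsx()).items():
        print(f"{key}: {value}")
```

One caveat worth noting for disclosure work: the `workbookProtection` element only records structure or sheet protection, which does not hide anything from this script. A password-to-open encrypts the entire package, the file stops being a readable ZIP, and none of these parts can be recovered without the password.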

Electronic disclosure, or discovery, is the process of disclosing a carefully defined
sub-set of information. It needs to be completed as defined by and in accordance
with, the terms of reference governing the disclosure. Great care must also be
taken not to disclose improper material. Disclosure of certain material may place
you in breach of data protection legislation, whether the disclosure was
inadvertent or otherwise.

The situation can become tremendously complex when you consider the nature
of a typical data storage strategy used by a large organisation. Data used and
accessed daily is most likely to be stored on local hard drives, server based hard
drives, or perhaps a storage area network solution.

This is fine as far as it goes, although this may still present a high level of technical
complexity in terms of accurate disclosure if, for example, the contents of the
email server are to be correctly disclosed.

In this example disclosure may, depending upon the circumstances, need to
encompass:

• Current emails
• Deleted emails
• Email attachments
• Deleted email attachments

This level of analysis is of course not adequate for a typical disclosure situation,
since the requirement is to disclose all information stored, and not simply that
information that is currently stored on the system.

At this point the backup strategy must be considered and examined in detail to
determine what has been backed up, and how the disclosure requirements can
be met. This is often far more complex than it may at first sight appear.

Some of the typical problems that are encountered include:

• Lack of understanding of exactly what has been backed up
• Lack of understanding at the right level of the backup strategy
• Lack of comprehension of the volume of data involved

These are essentially management related issues, and should be considered
carefully in the context of corporate and IT governance requirements, codes of
practice and relevant legislation.

The relevance of historical data
A consequence of following sensible backup processes and procedures is that large
amounts of historical data will be accumulated. Indeed many legislative
frameworks require that certain data is stored for a specified period of time, in
some instances many years.

Long-term data storage is typically, but not always, committed to a tape archive. In
dealing with any form of disclosure related work, the importance of the historical
data cannot be overemphasised. The period of time associated with the normal
disclosure process is historical, so consequently analysis of historical data is
essential.

Inability to access data on old tape formats is often a reason cited for
non-disclosure. This may be because the hardware necessary to read the tape, or
the software required to interpret the data, has not been retained. Vogon’s skills
in tape data recovery provide a solution to this.

It is often the case that very old data storage media, or newer media stored under
inappropriate conditions, require the application of specialist data recovery
techniques before any data can be disclosed.

Typical problems that an organisation may encounter with data retrieval
The way in which an organisation has historically viewed its data backup and
retrieval systems often provides an interesting reflection of its ability to recover
its data in times of need.

If the data storage and backup systems have been viewed as an overhead, and
a cost directly off the bottom line profit of an organisation, then the mentality
and policy that accompanies this frequently results in increased likelihood of
serious data loss.

If however protection of a company’s data is viewed not as a cost, but as an
investment to help generate income and safeguard the company’s assets, there
is a much greater likelihood that it will be able to accurately respond to data
retrieval requirements, even exceptional ones, such as hardware failure, natural
disaster or human error. As a data recovery company, Vogon is in a unique
position to see the consequence of historical policy decisions taken with respect
to data storage systems and procedures. Below are a number of case studies that
highlight some potential problem areas:

Problems encountered in accessing historical data
Most large organisations have policies in place to safeguard their data in the event
of a disaster. Most have some form of policy outlining the procedures to be adopted.
Some are compliant with, or believe themselves to be compliant with, relevant
data security standards, for example BS 7799, described later.

Our core business is dealing with data, either in the context of data recovery, data
conversion, data investigation or other data related services. A huge amount of
experience has been gained relating to the causes of an organisation’s inability to
retrieve its archived data. Serious problems do still occur for a number of reasons:

• Failure to invest in appropriate backup technology. Inappropriate technology
includes systems that are not able to deal with the volume, diversity, or
complexity of the data needing to be protected

• Failure to invest in appropriate levels of staff and staff training to implement
and be responsible for the backup policy and process

Case Study
A situation occurred whereby following a serious building fire, an organisation
required a full data restore from their backup tapes. Fortunately the company
backup tapes had been stored in the company’s fireproof safe. Unfortunately
the person responsible for following the organisation’s backup process did
not know the tapes (which were still in their cellophane wrappers) first needed
data to be written on them!

• Failure to backup all required information. Only data is backed up, but
environment information or application software is not. The data in itself
may not be sufficient to recreate the system in the event of system failure

Case Study
An organisation had invested heavily in protecting large quantities of
historical information. During the course of an investigation, it was required
by the courts to urgently disclose a sub-set of this information. Whilst it was
compelled by law to comply with this instruction, it discovered that it no
longer had the proprietary software necessary to access the data. This required
Vogon to perform a low level data conversion of the data to enable it to be
read into the currently used system.

• Failure to migrate data stored on legacy technology. Despite what data
storage manufacturers say at the time of purchase, in practice it is almost
certain that data will be inaccessible in 100 years time on the original media
for a number of practical reasons:

When music CDs made their début, in the United Kingdom a respected
national science television programme “Tomorrow’s World” demonstrated
how CDs were nearly indestructible by eating baked beans from one, cleaning
it and playing it.

Red Book error correction is good, but would you be happy treating your
backup CDs containing critical data like this now?

• The data backup media not being stored in appropriate conditions.
Frequently it is too damp, too warm, too humid, too dusty or too sunny

• The data backup media may be preserved correctly, but the means to read
it may have long gone. The ability to read a tape or optical media after 50
years is all very well and good, but it is of limited utility if no working tape
or optical drives capable of reading the tapes exist

• The backup media is so old and used, that it has simply worn out. The same
tapes are often used in the same drive continuously over the course of several
years. Toward the end of its life the tape is almost transparent, with no
magnetic recording material left on the substrate

• No means are kept to identify what data is on which particular piece of
backup media. This problem is particularly acute where several different
backup systems are in use

• No verification of the backup process is made. On numerous occasions
organisations have requested data recovery from backup media that actually
has never been written to. There has been a failure in the recording process,
and data is never written. This obviously makes subsequent data recovery
challenging!

Case Study
A large number of phase change optical disks were sent to us in order that
we could recover a relatively small amount of data. The problem was twofold:

Firstly the owners no longer had any optical phase change drives capable of
reading the disks.

Secondly, they did not know which disk contained the relevant data. Some
of the optical disks were written on a UNIX machine, and some were written
as striped Netware volumes. Even if the customer could physically access the
optical disks, they had long since migrated the organisation to an NT platform,
and they were unable to recreate an appropriate restore environment for the
data.

The recovery involved identifying the data disks, patching together the striped
Netware volume that five of the disks represented, and performing a data
conversion to allow the customer to migrate the data to their NT based
application.

• Failure to appreciate, at the correct level within the organisation, the
implications of changes made to backup strategy. Implementation of new
technology can often have unforeseen consequences, especially relating to
the subsequent retrieval of data

Case Study
After installing a large robotic tape backup library to handle its organisation-
wide backup requirements, performance was enhanced by enabling the
multiplexing option for the incoming data streams from the various
workstations (many workstations to a single data stream, and hence tape).
This did improve performance, but it also spread the data backed up from a
single workstation over many tapes – in some instances as many as 27.
Unfortunately the mapping of this data was not recorded, and the ability to
reconstitute the data was lost, effectively making the backup worthless. The
recovery consisted of de-multiplexing data from several thousand tapes, and
recombining it under the original backup system, for reintegration into the
corporate network.
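Both the unverified backup and the multiplexed tape library above fail the same basic test: nobody ever tried to restore from the media and compare the result with what was supposed to be there. The script below, added here as an example and not Vogon’s own tooling, shows the minimum check a backup job should run: record a SHA-256 manifest of the source at backup time, perform a test restore into a scratch directory, and compare every restored file against the manifest. It uses only the Python standard library and a small constructed source tree. An archive with no members (the tape that was never written to) is reported as a failure rather than a vacuous pass, and members that would restore outside the scratch directory are refused.

```python
"""Verify a backup by test restore and checksum comparison.

Added example, not Vogon's code. It builds a small constructed source tree in a
temporary directory, backs it up to a tar archive while recording a SHA-256
manifest, then restores the archive into a scratch directory and compares every
file with the manifest. An archive with no members (the tape that was never
written to) is reported as a failure rather than passing vacuously.
"""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source: Path, archive: Path) -> dict:
    """Archive `source` and return the manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    return manifest


def verify_restore(archive: Path, manifest: dict, scratch: Path) -> list:
    """Restore `archive` into `scratch`; return a list of problems (empty means OK)."""
    problems = []
    with tarfile.open(str(archive), "r:gz") as tar:
        members = [m for m in tar.getmembers() if m.isfile()]
        if not members:
            return ["archive contains no files: backup was never written"]
        root = scratch.resolve()
        for m in members:
            dest = (scratch / m.name).resolve()
            if root not in dest.parents:  # refuse "../" style member names
                problems.append(f"refusing path outside restore dir: {m.name}")
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(m) as src, open(dest, "wb") as dst:
                shutil.copyfileobj(src, dst)
    restored = {p.relative_to(scratch).as_posix(): p
                for p in scratch.rglob("*") if p.is_file()}
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing from backup: {rel}")
        elif sha256_file(restored[rel]) != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in sorted(restored.keys() - manifest.keys()):
        problems.append(f"unexpected file in backup: {rel}")
    return problems


def demo() -> dict:
    """Run three scenarios on constructed data and return their problem lists."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q2.csv").write_text("account,amount\n4010,1200\n")
        (src / "readme.txt").write_text("constructed sample data\n")

        # 1. A correct backup: the restore matches the manifest exactly.
        good = tmp / "good.tar.gz"
        manifest = backup(src, good)
        ok = verify_restore(good, manifest, tmp / "restore_good")

        # 2. The "never written" tape: a valid but empty archive.
        empty = tmp / "empty.tar.gz"
        with tarfile.open(str(empty), "w:gz"):
            pass
        never_written = verify_restore(empty, manifest, tmp / "restore_empty")

        # 3. A file silently dropped from the backup job's include list.
        partial = tmp / "partial.tar.gz"
        with tarfile.open(str(partial), "w:gz") as tar:
            tar.add(str(src / "readme.txt"), arcname="readme.txt")
        incomplete = verify_restore(partial, manifest, tmp / "restore_partial")
    return {"good": ok, "never_written": never_written, "incomplete": incomplete}


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or "OK")
```

The manifest should be stored separately from the media it describes (and ideally signed), otherwise a blank or damaged tape takes its own evidence of what it should have contained with it. The same restore-and-compare step is what would have exposed the multiplexed library problem before several thousand tapes had been written.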

Presence of inappropriate material in corporate data
It is inevitable that in a corporate environment, despite the best efforts of
management policy and the tools that technology can provide, a certain quantity
of inappropriate material will be found if a properly executed audit is carried
out. This often comes as a surprise to senior management and IT staff, but in
practice, the best efforts to regulate a workforce’s use of a complex system will
be less than totally effective.

The nature and quantity of the inappropriate material will vary, and the
consequences of its discovery will change depending upon a number of factors:

• The jurisdiction within which the material is found

An obvious example here is the discovery of suspected child pornography
on a corporate system. In most jurisdictions, the legislative system dictates
an immediate criminal investigation and a response from an appropriate
law enforcement agency.

• The social acceptability of the material found within the geographical and
social environment

The amount of skin exposed, and particularly the exposure of breasts, is the
obvious example here. What is considered offensive or acceptable varies
from culture to culture. This is of particular importance to multi-national
companies when considering their global IT policies.

• The wording of the corporate policy on inappropriate material

The policy must be clear as to what is, and is not acceptable. Online gambling,
shopping for holidays, and so on may be considered inappropriate. If the
policy allows for unlimited personal use with no guidance, or worse, there
is no policy, it is difficult to contemplate any effective further action, other
than a policy review.

• The ability to tie the inappropriate material to the actions of a specific
individual

The discovery of large amounts of hardcore pornography on a system, for
example, is in itself unhelpful if the data cannot be associated with the
person who put it there, or distributed it. Disciplinary action that is not
firmly based in fact is unethical, unwise, and frequently proves very costly
for the organisation involved, both reputationally and financially.

• Existing practices within the organisation

If the policies that exist within an organisation are not adequately enforced,
or are enforced inconsistently across an organisation, this can be highly
damaging to any attempted enforcement. It is an easy matter to cite
discrimination, if differences in enforcement practices are adopted, between
for example, different departments. In highly litigious cultures, this is a
particularly important consideration.

Case Study
An organisation with tens of thousands of staff located in offices situated
globally, running in excess of 50 email servers, wished to carry out a risk
profiling exercise on its staff. This need was driven by the requirements of
good corporate governance practice, in the face of an impending merger
deal. The data was collected, analysed and profiled. The reports generated
identified many areas of material that required further attention, against
categories agreed with the organisation at the start of the audit. Relationship
profiling was carried out, and extensive disciplinary action was the result.
The organisation had demonstrated a high level of sound governance
practice, and the board could demonstrate that they had taken all reasonable
steps to ensure that offensive and inappropriate material had been identified
and removed from the system. The consequential effect was to reinforce
the existing company policies, and engender a greater respect for these
policies by the employees at all levels across the group.

The importance of the presence of this material on corporate systems is frequently
either overlooked or misunderstood. There is a duty of care on the employer to
offer its employees an environment free from offensive material. If, for example,
child pornography is discovered on a corporate system, depending upon the
jurisdiction it may convey liability for its presence on either the body corporate,
or the officers of the company.

Risk profiling and relationship profiling
Since good corporate governance practice dictates that an organisation should
take reasonable steps to minimise and remove inappropriate material from its
systems, a process that is becoming increasingly widespread is risk profiling and
relationship profiling, carried out against modern corporate data storage systems.

Risk profiling involves the categorisation of data stored or controlled by an
organisation. This may include email servers, email archives, tape archives, and
the full range of backup systems.

Against a predefined series of categories, based upon some of the social and
cultural considerations highlighted above, a data audit may be carried out. It is
important to ensure that the process is carried out on broad data collections,
and not individuals at this stage to prevent any allegations of victimisation or
targeting of specific individuals.

The result of such an audit is that risks can be identified and quantified, and
remedial action planned.

For the more serious cases identified in a risk profiling exercise a further step of
relationship profiling is frequently carried out.
Relationship profiling seeks to identify the relationship between the use and
movement of inappropriate material within an organisation. For example, if
pornography is regularly being distributed between certain members of staff
across a corporate system, this relationship can be identified against a timeline.
Being armed with facts and data of known good evidential veracity forms the
basis for disciplinary, civil or possibly criminal action.

Sarbanes-Oxley Section 404 compliance attestation
If covered directly by the requirements of Sarbanes-Oxley, or working towards
compliance with its requirements, Section 404 – Management Assessment of
Internal Controls, has a significant impact upon the compliance strategy adopted
by an organisation. It requires that each annual report shall:

• State the responsibility of management for establishing and maintaining
an adequate internal control structure and procedures for financial reporting

• Contain an assessment, as of the end of the most recent fiscal year of the
issuer, of the effectiveness of the internal control structure and procedures
of the issuer for financial reporting

• With respect to the internal control assessment required by the above
provision, the registered public accounting firm that audits the issuer shall
attest to, and report on, the assessment made by management (Section 404(b))

Whilst perhaps not immediately apparent, the above requirements have
significant and far-reaching implications for the way in which data is used,
stored, and verified across an organisation.

Even if an organisation is not directly covered by the requirements of the
Sarbanes-Oxley Act, but wishes to adopt good IT governance practices, possibly
in preparation for the likely requirements of impending UK and European
legislation, compliance with the principles of British Standard 7799 – Information
Security Management may be a sensible first step.

BS 7799
BS 7799 has become the most widely referenced and recognised information
security standard in the world. Part 1, the code of practice, was originally published
in 1995 and was heavily revised in May 1999. In December 2000 that version was
adopted by the International Organization for Standardization (ISO) and the IEC as
the international standard ISO/IEC 17799:2000 (published in the UK as BS ISO/IEC
17799:2000). Part 2, the specification against which an information security
management system can be certified, was adopted in 2005 as ISO/IEC 27001.

This document is comprehensive, covering security issues and containing the
outline for appropriate control requirements. Full compliance and certification
is not a trivial task, although many organisations do use it as a basic guide for
good practice. Compliance with the principles of ISO/IEC 17799 is seen as a
good step towards compliance with local and international IT and general
corporate governance requirements.

Case Study
An organisation had fired its IT manager. The internal IT systems of the
organisation were in a critical state due to the manager’s incompetence,
and the organisation was in danger of losing significant quantities of data
due to poor backup procedures and an inappropriate virus detection and
prevention policy. We were able to recover the system, and put a number
of remedial measures in place. Two important points arise out of this case:

• Prior to this incident the organisation believed itself to be largely
compliant with the broad requirements of ISO/IEC 17799

• As a direct consequence of this apparent level of compliance, the senior
management had not exercised appropriate levels of control

Poor levels of corporate governance almost put this organisation out of
business.

COBIT
The COBIT (Control Objectives for Information and related Technology)
framework has been developed by the IT Governance Institute. The COBIT
framework is designed to assist management with compliance by
attempting to unify the various elements of business risk, technical requirements
and the overall need to put in place appropriate management controls. The
benefits of COBIT are often cited when looking at the issues associated with
Sarbanes-Oxley Section 404 compliance.

How Can Vogon Help?
Vogon has developed a portfolio of specialist services over the past 20 years that
support the requirements of compliance, both proactively and reactively. We
have unrivalled experience in dealing with huge data sets, both as a result of
working on some of the largest data recovery and data conversion projects
around the world, and as part of our involvement in the prosecution of a huge
number of disclosure and fraud related cases worldwide.

Vogon has helped with the prosecution of some of the highest profile cases,
including Maxwell, BCCI, Sumitomo, Barings Bank, Polly Peck, WorldCom and
Guinness. This has enabled us to develop skill sets and software tools which
are unrivalled.

We have undertaken large-scale electronic disclosure and compliance audits,
physical and logical security analysis projects for a range of large corporate
organisations and governments in Europe, United Kingdom and in the United
States. This experience, coupled with our ability to handle data from virtually
any hardware/software format and platform, gives us the edge when looking at
the highly complex data storage systems typically found in a modern corporate
environment.

Clients come to Vogon because we are able to capture, process, and produce
targeted disclosure ready output from the largest live storage and archival storage
quickly, accurately and cost effectively. Much of our business is repeat work and
this is based on a trust in our ability to deliver highly technically complex, bespoke
solutions, repeatedly, in a professional, timely and cost effective manner.

The importance of collaborative working with experienced legal teams cannot
be over stated, especially when dealing with large high profile corporate accounts
and complex multi-jurisdictional projects. Issues of policy creation and
maintenance, legal compliance and labour law all have to be addressed in a
holistic manner to ensure a technically and legally acceptable solution is reached.

The integration of Vogon’s technical skills and high quality, locale specific legal
advice continues to be the key element in ensuring the successful completion of
key projects. This reputation is based upon a proven track record of professionally
executed and technically innovative collaboration with partners in the legal
profession.

Vogon’s Other Services

Data Recovery

Vogon are experts in data recovery and data conversion, skills that are also
employed in many of the techniques used in our forensic and disclosure work.
Time and time again, we have proven this – in fact, we are routinely sent jobs by
other specialist firms when they have been unable to help their customers.

We can, and do, recover data from all storage media and across all platforms.
The partnership agreements we maintain with leading hardware and software
manufacturers, together with our own research ensures that we are always able
to operate at the cutting edge of technology. Our investigators are always aware
of the latest developments and the tools they use are continually being updated
to work in any technological environment. All of these tools are exclusive to
Vogon.

Our partners include:

• Exabyte
• Network Associates

Data Conversion
Complementing our recovery capability is our data conversion service. We can
move data from one format to another – quickly, accurately, and regardless of
how obscure or archaic the source storage mechanism is. In many instances our
data conversion skills are key to our success in disclosure and compliance
related work.

Whatever your data conversion requirements are, Vogon has the tools and
expertise to help.

Conclusion
In response to a history of fraudulent activities and spectacular failures of some
of the world’s largest companies over the past fifteen years, a range of
international legislation and codes of practice have emerged to try to regulate
and guide the activities of the corporate world.

One of the consequences of this legislation is a much greater reliance on electronic
data storage to fulfil corporate governance and disclosure requirements.
The ability to quickly and reliably access these systems, especially
older historic systems, is critical to effective internal IT governance and external
compliance.

Vogon offers an extensive portfolio of services with technology, expertise and
cost effectiveness unavailable elsewhere. With twenty years’ experience in the
field, and backed by world leading data recovery, forensic and data conversion
laboratories around the world, we have a proven track record in providing an
unrivalled world class service that deals with today’s disclosure and compliance
requirements.

Vogon Offices
United Kingdom
Vogon International Limited
Talisman Business Centre
Talisman Road
Bicester
OX26 6HR
United Kingdom
Tel: +44 (0) 1869 355255
Fax: +44 (0) 1869 355256
www.vogon.co.uk
email: info@vogon.co.uk

USA
Vogon International LLC,
Riverside Center, Suite 2625
2600 Van Buren
Norman
OK 73072
USA
Tel: +1 405 321 2585
Fax: +1 405 364 8242
www.vogon.us
email: info@vogon.us

Germany
Vogon International GmbH
Frankfurter Ring 193a,
80807 Munich, Germany
Tel: +49 (0) 89 32 35 03-0
Fax: +49 (0) 89 32 35 03-24
Vogon International GmbH
Am Westhover Berg 30
51149 Cologne
Germany
Tel: +49 (0) 2203 91 54 74-00
Fax: +49 (0) 2203 91 54 74-42
www.vogon.de
email: info@vogon.de

Norway
Vogon International AS
Østensjøveien 36
P.B. 6568
Etterstad
0607 Oslo
Norway
Tel: +47 2337 1400
Fax: +47 2337 1401
www.vogon.no
email: info@vogon.no