www.vogon-international.com
Corporate Governance
Vogon International
Written By:
Clive Carmichael-Jones
Operations Director
This booklet has been written to complement ‘The Enemy Within’ publication,
which is now in its fifth edition. ‘Corporate Governance’ has been produced to
reflect some of the legislative and best practice changes in the corporate
governance environment and the practical issues that these changes raise.
Copyright © 2005 Vogon International Ltd all rights reserved. No part of this publication may be used or reproduced,
in any form or by any means without the written permission of the publisher except in the case of brief quotations
included in critical articles or reviews.
Published by Vogon International Ltd. Talisman Business Centre, Talisman Road, Bicester, Oxfordshire, OX26 6HR.
About the author:
Clive joined Vogon International Limited in 1997. As Operations Director, he has responsibility
for the data recovery laboratories and forensic services groups within the UK head office;
the European offices based in Munich and Cologne in Germany; Oslo in Norway and the
United States Oklahoma centre.
With a truly international brief, Clive has carried out assignments around the world, including
work for legislators, Government and law enforcement agencies in Germany, Switzerland,
Austria and Hungary. He has also been involved in security reviews for organisations such
as an international banking corporation and the investigation of cases for many civil clients
including an international airline, one of the top five IT corporations and one of the top five
accountancy firms.
Clive joined the data recovery section of S&S International Plc in 1994 where he was involved
in the development of some of the world’s first dedicated computer forensic products. Prior to
joining S&S International, Clive’s early career in the computer field was founded on the
analysis, development and production of computer hardware systems.
Clive lectures and presents worldwide, and writes extensively for many technical and legal
publications in the field of computer forensics both in the U.K. and overseas. Among the
publications that have benefited from Clive’s extensive writing are Computers and Law, the
Institute of Directors and the Barrister; and Vogon’s internal publication: The Enemy Within.
Introduction
Never before have the pressures been greater on organisations to demonstrate
sound corporate governance policy and practice. Investors’ confidence in the
trustworthiness and honesty of corporate accountancy policy has probably never
been lower. The penalties for failure to comply with corporate governance
legislation are potentially extremely serious, both financially for the organisations
and personally for the senior managers who exercise control.
Central to the issues of effective control and sound governance practice is the
use, protection and distribution of data within an organisation. Corporate
governance and IT are inextricably linked at all stages of the management process.
Increasingly, problems associated with poor data storage policy or practice arise,
causing serious compliance issues for organisations across the world.
This booklet gives an introduction to recent historical events that have led to
this political and social situation, highlights some of the applicable codes of
practice and legislation that have resulted from these incidents, and looks at the
practical impact that these may have on an organisation.
Vogon has been involved with compliance and disclosure related projects for
the past 20 years, and we hope that this booklet may offer the reader some
benefit of our experience. The information may also help prevent organisations
from making the mistakes, some of them financially disastrous, that others
have made in the past.
A historical perspective of corporate fraud
Below is a short account of some high profile corporate corruption scandals that
have set the scene for the current legislative climate.
• The audit functions within the group were deficient, and did not highlight
the financial movements of money out of the pension fund. The pension
fund regulators also failed to investigate the activities of the pension fund
effectively
It is interesting, with hindsight, to note that as long ago as 1969 a report was
instigated by the UK’s Department of Trade and Industry after questions were
raised over the proposed purchase of another of Maxwell’s companies, Pergamon
Press. The report concluded that Robert Maxwell was ‘…not…a person who can be
relied on to exercise proper stewardship of a publicly quoted company’.
The Maxwell scandal was described at the time as the greatest fraud of the 20th
Century, and forced the matter of both corporate governance and financial ethics
firmly into the public, business and political arena.
“Corporation: An ingenious device for obtaining profit without individual
responsibility.”
Ambrose Bierce
The collapse of Barings bank resulted from losses ultimately amounting to some
£830 million accrued as a result of unlawful trading by Nick Leeson, the general
manager and head of trading of Barings in Singapore. Despite relatively little
experience, this dual role gave Leeson control of stock market floor trading and
of the trading accounts themselves. Leeson illegally traded with clients’ funds,
initially to cover up for losses, and later, after early success, to make large
speculative profits. This illegal trading led to a series of massive losses, which
ultimately accrued to such a significant amount that they brought about the
collapse of the bank.
“If you owe the bank $100 that's your problem. If you owe the bank $100
million, that's the bank's problem.”
J. Paul Getty
Whilst Leeson unquestionably acted illegally and unethically, it is equally
important to highlight the fact that serious shortcomings in corporate
governance within the bank led directly to the circumstances where this
situation could arise. These issues can be summarised as follows:
• The unusual profits made initially were not flagged as such, and the situation
was allowed to continue
Enron - 2001
The collapse of Enron led to reforms in corporate governance legislation and best
practice recommendations all around the world. Enron was one of the ten largest
companies in the United States, and on 2 December 2001 it filed for creditor
protection under Chapter 11 of the US Bankruptcy Code.
There is no doubt that Kenneth Lay, the founder of Enron, was hugely charismatic,
and concerns were voiced that the senior management team of Enron followed
Lay almost as a cult leader. The terms ‘arrogant’ and ‘over-ambitious’ were also
frequently levelled at the management and staff of Enron.
Enron was the largest ever business to collapse, resulting in the discrediting and
collapse of one of the world’s largest accountancy firms. The loss of confidence in
accountancy practices, corporate integrity and the general level of ethical
standards in the business world has been immense.
WorldCom - 2002
“There is no kind of dishonesty into which otherwise good people more easily
and frequently fall than that of defrauding the government.”
Benjamin Franklin
Having admitted inflating its profits by more than $4 billion, the
telecommunications giant WorldCom filed for Chapter 11 bankruptcy protection
claiming $107 billion in assets and $32 billion in debts. This figure later
increased to $41 billion. It is claimed that Scott Sullivan, WorldCom’s chief
financial officer, improperly reported expenses as investments, to improve the
apparent financial position of the company to investors, and maintain
shareholder confidence. The amounts owed to the three largest creditors, JP
Morgan, Citibank and Mellon Bank, alone amounted to over $27 billion.
Parmalat – 2003
Following the Enron scandal, it was hoped and largely assumed that no similar
financial collapse could take place in Europe; however, Parmalat was declared
insolvent in December 2003. Subsequently, a number of fictitious offshore funds
and bank accounts were found which had been used to hide the company’s debts,
amounting to some $16 billion. Parmalat, founded in 1961, employed 36,000 staff
worldwide. In 2002 Parmalat sales reached approximately $13 billion.
Assets had been invented over a period of 15 years to hide as much as $16 billion
in liabilities and false accounting practices. This disclosure forced the $9.2 billion
company into bankruptcy.
The company traded on the New York Stock Exchange, and had sold $1.5 billion
in bonds to US investors. The US Securities and Exchange Commission (SEC) sued
Parmalat for misleading investors, in a “brazen fraud”.
“Corruption is like a ball of snow, once it's set a rolling it must increase.”
Charles Caleb Colton
The total lack of transparency of the company’s financial state permitted this
fraud to be perpetuated for the extended period of time. The company’s auditor
during the period 1990 – 1999 was the Italian branch of Grant Thornton
International. Under Italian law, Parmalat was forced to change its auditors and
it replaced Grant Thornton with Deloitte Touche Tohmatsu. Grant Thornton
continued to audit Parmalat’s offshore entities. Neither firm uncovered this
massive fraud that had been perpetrated for many years.
Discovery of the frauds noted above was inevitably followed by the financial
collapse of the organisations responsible. The collapse of businesses of this size
also had a huge knock-on effect on primary and secondary suppliers and creditors.
Whilst there have been a number of other high profile corporate frauds, the
examples listed above are especially important in a historical context, since they
were the chief catalysts for the formation of the various committees, codes of
practice and legislation described below.
Berle and Means (1932)
“Corruption is worse than prostitution. The latter might endanger the morals of
an individual; the former invariably endangers the morals of the entire
country.”
Karl Kraus
As early as 1932, following the crisis in capitalism that was consuming most of
the developed world, the requirements of corporate governance in a modern
capitalist world were being explored. Adolf Berle and Gardiner Means’ book ‘The
Modern Corporation and Private Property’ was considered the leading text of the
time, and represented the emergence of what is now called corporate governance.
Berle and Means were amongst the first to identify and record the immense gap
between corporate ownership and control, and the emergence of a powerful class
of professional managers who were becoming increasingly disassociated from
shareholder responsibility and public accountability.
Greenbury Report 1995
During the mid 1990s, there was much concern regarding the value of director
remuneration, versus the performance of the companies, which they directed.
The numerous ‘Fat Cat’ incidents attracted substantial media attention and were
the subject of heated discussions with shareholders.
Basel committee looked particularly at lines of communication, oversights by
senior management, checks by internal and external auditors, compensation
and remuneration issues and lines of responsibility and accountability.
In Q4-2007, the Basel 2 regulations will take force. Basel 2 uses a much more
sophisticated model for investment risk analysis, and addresses some of the
weaknesses and negative effects of the existing Basel 1 regulatory framework.
The potential costs associated with the implementation of the Basel 2 principles
have been the subject of much discussion.
The code represents a level of corporate governance that its membership can
accept. In this light it represents the lowest acceptable common standard,
although this in itself is a step forward. Many of the principles are based upon
a reworking of the findings of the Cadbury Committee, and subsequent reports.
legislation is the Sarbanes-Oxley Act 2002.
The Act also restricts the activities or services that external auditors can offer to
companies they are auditing, in an attempt to strengthen their independence
and remove possible conflicts of interest.
A new regulatory body has also been set up under this Act, known as the Public
Company Accounting Oversight Commission (PCAOB) with which all US listed
companies must register, including foreign companies.
Redrafted Combined Code - 2003 (Post Higgs)
Following the recommendations made in the Higgs Report, the combined code,
that originally arose out of the Hampel Report was redrafted to incorporate the
majority of them. The new combined code focussed more on directors’ excessive
remuneration packages, and encouraged a greater shareholder involvement.
The new code was designed to aggressively encourage greater financial
transparency and accountability to companies’ shareholders, and is seen as one
of the most radical steps in ensuring high levels of corporate governance.
process therefore deals with the management, monitoring and reporting of the
capital employed.
The data held by an organisation defines that organisation. It is often the case
that the inability to access stored data in an appropriate manner precludes an
organisation from discharging its governance duties effectively. Credible
compliance requires credible IT governance strategies and responses.
Data retention periods, and the policies that govern these, need to be carefully
aligned to the business requirements in order to ensure compliance. In many
instances, following review, it becomes clear that extended retention periods are
required. As a consequence, the overall quantity of data stored rises.
If the typical data retention profile is considered for organisations within a given
market sector, the trend will be for a rapid, but linear increase in the quantity of
data retained. This will usually reflect technological improvements in data
storage technology and the consequential lowering of the cost per unit quantity
of data stored.
The impact of changes in data retention policy, driven by the requirements of,
and in response to, recent corporate governance legislation, has had the effect
of greatly increasing the rate at which the volume of corporate backup data
increases. The rapidity of this corporate response is atypical, even by the fairly
dynamic standard of the IT industry.
This touches on a number of highly important issues relating not only to corporate
governance, but also to disaster recovery/business continuity planning and
compliance with local data protection legislation.
inadvertent or otherwise.
The situation can become tremendously complex when you consider the nature
of a typical data storage strategy used by a large organisation. Data used and
accessed daily is most likely to be stored on local hard drives, server based hard
drives, or perhaps a storage area network solution.
This is fine as far as it goes, although this may still present a high level of technical
complexity in terms of accurate disclosure if, for example, the contents of the
email server are to be correctly disclosed:
• Current emails
• Deleted emails
• Email attachments
• Deleted email attachments
This level of analysis is of course not adequate for a typical disclosure situation,
since the requirement is to disclose all information that has ever been stored, and
not simply the information that is currently held on the system.
At this point the backup strategy must be considered and examined in detail to
determine what has been backed up, and how the disclosure requirements can
be met. This is often far more complex than it may at first sight appear.
dealing with any form of disclosure related work, the importance of the historical
data cannot be overemphasised. The period of time associated with the normal
disclosure process is historical, so consequently analysis of historical data is
essential.
It is often the case that very old data storage media, or newer media stored under
inappropriate conditions, require the application of specialist data recovery
techniques before any data can be disclosed.
If the data storage and backup systems have been viewed as an overhead, and
a cost directly off the bottom line profit of an organisation, then the mentality
and policy that accompanies this frequently results in increased likelihood of
serious data loss.
• Failure to invest in appropriate levels of staff and staff training to implement
and be responsible for the backup policy and process
Case Study
A situation occurred whereby following a serious building fire, an organisation
required a full data restore from their backup tapes. Fortunately the company
backup tapes had been stored in the company’s fireproof safe. Unfortunately
the person responsible for following the organisation’s backup process did
not know the tapes (which were still in their cellophane wrappers) first needed
data to be written on them!
• Failure to backup all required information. Only data is backed up, but
environment information or application software is not. The data in itself
may not be sufficient to recreate the system in the event of system failure
Case Study
An organisation had invested heavily in protecting large quantities of
historical information. During the course of an investigation, it was required
by the courts to urgently disclose a sub-set of this information. Whilst it was
compelled by law to comply with this instruction, it discovered that it no
longer had the proprietary software necessary to access the data. This required
Vogon performing a low level data conversion of the data to enable it to be
read into the currently used system.
When music CDs made their début, in the United Kingdom a respected
national science television programme “Tomorrow’s World” demonstrated
how CDs were nearly indestructible by eating baked beans from one, cleaning
it and playing it.
Red Book error detection is good, but would you be happy treating your
backup CDs containing critical data like this now?
• The data backup media may be preserved correctly, but the means to read
it may have long gone. The ability to read a tape or optical media after 50
years is all very well and good, but it is of limited utility if no working tape
or optical drives capable of reading the tapes exist
• The backup media is so old and used, that it has simply worn out. The same
tapes are often used in the same drive continuously over the course of several
years. Toward the end of its life the tape is almost transparent, with no
magnetic recording material left on the substrate
Case Study
A large number of phase change optical disks were sent to us in order that
we could recover a relatively small amount of data. The problem was twofold:
Firstly the owners no longer had any optical phase change drives capable of
reading the disks.
Secondly, they did not know which disk contained the relevant data. Some
of the optical disks were written on a UNIX machine, and some were written
as striped Netware volumes. Even if the customer could physically access the
optical disks, they had long since migrated the organisation to an NT platform,
and they were unable to recreate an appropriate restore environment for the
data.
The recovery involved identifying the data disks, patching together the striped
Netware volume that five of the disks represented, and performing a data
conversion to allow the customer to migrate the data to their NT based
application.
Case Study
After installing a large robotic tape backup library to handle its organisation-
wide backup requirements, performance was enhanced by enabling the
multiplexing option for the incoming data streams from the various
workstations (many workstations to a single data stream, and hence tape).
This did improve performance, but it also spread the data backed up from a
single workstation over many tapes – in some instances as many as 27.
Unfortunately the mapping of this data was not recorded, and the ability to
reconstitute the data was lost, effectively making the backup worthless. The
recovery consisted of de-multiplexing data from several thousand tapes, and
recombining it under the original backup system, for reintegration into the
corporate network.
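The multiplexing failure in the case study above, as an added example that is not Vogon’s code and not any real backup product’s tape format: a constructed block layout is interleaved round-robin and cut across tapes, and a de-multiplexer rebuilds each workstation’s data while recording the tape mapping that the organisation had failed to keep, reporting rather than silently truncating a stream when a tape is missing. The header fields, the sample workstations and the four-block tape size are all assumptions.

```python
import struct
from itertools import zip_longest

# Constructed block layout (an assumption for this example, not any real backup
# product's tape format): a 16-byte header followed by the payload.
#   stream_id | seq | length | last   (all little-endian uint32)
HEADER = struct.Struct("<IIII")
PAYLOAD = 8  # bytes of workstation data per block, tiny so the spread is visible

# Constructed sample: three workstations of different sizes feeding one backup job.
WORKSTATIONS = {
    101: b"payroll-ledger-2004-q1-q4.xls",
    102: b"board-minutes.doc",
    103: b"mail-archive-2003.pst" + b"x" * 40,
}


def multiplex(streams):
    """Interleave the workstations' data round-robin into one block sequence,
    which is what the multiplexing option does with many incoming streams."""
    chunked = {sid: [d[i:i + PAYLOAD] for i in range(0, len(d), PAYLOAD)]
               for sid, d in streams.items()}
    seqs = {sid: 0 for sid in chunked}
    blocks = []
    for round_chunks in zip_longest(*chunked.values()):
        for sid, chunk in zip(chunked, round_chunks):
            if chunk is None:          # this workstation's stream has ended
                continue
            last = 1 if seqs[sid] == len(chunked[sid]) - 1 else 0
            blocks.append(HEADER.pack(sid, seqs[sid], len(chunk), last) + chunk)
            seqs[sid] += 1
    return blocks


def write_tapes(blocks, blocks_per_tape):
    """Cut the block sequence into tapes numbered from 1. The tape number is
    the only record of where each workstation's blocks went."""
    return {n // blocks_per_tape + 1: blocks[n:n + blocks_per_tape]
            for n in range(0, len(blocks), blocks_per_tape)}


def demultiplex(tapes):
    """Rebuild each workstation's data from whatever tapes are available and
    record the tape mapping. Returns (data_by_stream, tapes_by_stream, problems);
    a stream with missing blocks is reported rather than silently truncated."""
    pieces, tape_map, last_seq = {}, {}, {}
    for tape_no, tape in sorted(tapes.items()):
        for block in tape:
            sid, seq, length, last = HEADER.unpack_from(block)
            pieces.setdefault(sid, {})[seq] = block[HEADER.size:HEADER.size + length]
            tape_map.setdefault(sid, set()).add(tape_no)
            if last:
                last_seq[sid] = seq
    data, problems = {}, {}
    for sid, chunks in pieces.items():
        if sid not in last_seq:
            problems[sid] = "final block not found on any available tape"
            continue
        missing = [s for s in range(last_seq[sid] + 1) if s not in chunks]
        if missing:
            problems[sid] = f"blocks {missing} missing: a tape is absent or unreadable"
            continue
        data[sid] = b"".join(chunks[s] for s in range(last_seq[sid] + 1))
    return data, {sid: sorted(t) for sid, t in tape_map.items()}, problems


def demo(drop_tape=None):
    """Run the round trip with four-block tapes; optionally withhold one tape
    (by number) to simulate lost or worn-out media."""
    tapes = write_tapes(multiplex(WORKSTATIONS), blocks_per_tape=4)
    if drop_tape is not None:
        del tapes[drop_tape]
    return demultiplex(tapes)


if __name__ == "__main__":
    data, tape_map, problems = demo()
    for sid in WORKSTATIONS:
        print(f"workstation {sid}: spread over tapes {tape_map[sid]}")
    print("with tape 3 lost:", demo(drop_tape=3)[2])
```

Even this small job spreads one workstation across four tapes; without the recorded mapping every tape in the library has to be read and parsed, which is the situation the case study describes.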
The nature and quantity of the inappropriate material will vary, and the
consequences of its discovery will change depending upon a number of factors:
• The social acceptability of the material found within the geographical and
social environment
The amount of skin exposed, and particularly the exposure of breasts, is the
obvious example here. What is considered offensive or acceptable varies
from culture to culture. This is of particular importance to multi-national
companies when considering their global IT policies.
The policy must be clear as to what is, and is not acceptable. Online gambling,
shopping for holidays, and so on may be considered inappropriate. If the
policy allows for unlimited personal use with no guidance, or worse, there
is no policy, it is difficult to contemplate any effective further action, other
than a policy review.
• The ability to tie the inappropriate material to the actions of a specific
individual
If the policies that exist within an organisation are not adequately enforced,
or are enforced inconsistently across an organisation, this can be highly
damaging to any attempted enforcement. It is an easy matter to cite
discrimination, if differences in enforcement practices are adopted, between
for example, different departments. In highly litigious cultures, this is a
particularly important consideration.
Case Study
An organisation with tens of thousands of staff located in offices situated
globally, running in excess of 50 email servers, wished to carry out a risk
profiling exercise on its staff. This need was driven by the requirements of
good corporate governance practice, in the face of an impending merger
deal. The data was collected, analysed and profiled. The reports generated
identified many areas of material that required further attention, against
categories agreed with the organisation at the start of the audit. Relationship
profiling was carried out, and extensive disciplinary action was the result.
The organisation had demonstrated a high level of sound governance
practice, and the board could demonstrate that they had taken all reasonable
steps to ensure that offensive and inappropriate material had been identified
and removed from the system. The consequential effect was to reinforce
the existing company policies, and engender a greater respect for these
policies by the employees at all levels across the group.
Risk profiling involves the categorisation of data stored or controlled by an
organisation. This may include email servers, email archives, tape archives, and
the full range of backup systems.
Against a predefined series of categories, based upon some of the social and
cultural considerations highlighted above, a data audit may be carried out. It is
important to ensure that the process is carried out on broad data collections,
and not individuals at this stage to prevent any allegations of victimisation or
targeting of specific individuals.
The result of such an audit is that risks can be identified and quantified, and
remedial action planned.
For the more serious cases identified in a risk profiling exercise a further step of
relationship profiling is frequently carried out.
Relationship profiling seeks to identify the relationship between the use and
movement of inappropriate material within an organisation. For example, if
pornography is regularly being distributed between certain members of staff
across a corporate system, this relationship can be identified against a timeline.
Being armed with facts and data of known good evidential veracity forms the
basis for disciplinary, civil or possibly criminal action.
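The two-stage audit described above (risk profiling of broad data collections, then relationship profiling only for the serious categories), as an added example that is not Vogon’s tooling: the records are constructed and assumed to be already classified against agreed categories; the collection names, people and category labels are all invented.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit records (an assumption for this example): one tuple per
# message, already classified against categories agreed with the client.
#   (collection, timestamp, sender, recipient, category)
RECORDS = [
    ("mail-ldn-01", "2004-03-02T09:14", "a.smith", "b.jones", "personal-use"),
    ("mail-ldn-01", "2004-03-02T11:40", "c.brown", "a.smith", "clean"),
    ("mail-ldn-01", "2004-03-05T17:02", "a.smith", "b.jones", "prohibited"),
    ("mail-ldn-01", "2004-03-09T08:51", "b.jones", "d.evans", "prohibited"),
    ("mail-ldn-01", "2004-03-12T18:20", "a.smith", "b.jones", "prohibited"),
    ("mail-nyc-02", "2004-03-03T14:05", "e.wong", "f.patel", "clean"),
    ("mail-nyc-02", "2004-03-07T13:33", "e.wong", "f.patel", "personal-use"),
    ("mail-nyc-02", "2004-03-11T10:10", "g.lee", "e.wong", "clean"),
    ("tape-archive-2003", "2003-11-20T16:45", "b.jones", "d.evans", "prohibited"),
    ("tape-archive-2003", "2003-12-01T09:00", "h.kim", "g.lee", "clean"),
]
SERIOUS = {"prohibited"}   # categories that justify the second stage


def risk_profile(records, serious=SERIOUS):
    """Stage 1: quantify risk per data collection (server, archive, tape set)
    with no reference to individuals, so the audit is demonstrably aimed at
    systems rather than people. Returns {collection: {...counts...}}."""
    profile = {}
    for coll, _ts, _sender, _recipient, cat in records:
        entry = profile.setdefault(coll, {"total": 0, "serious": 0,
                                          "by_category": Counter()})
        entry["total"] += 1
        entry["by_category"][cat] += 1
        if cat in serious:
            entry["serious"] += 1
    return profile


def rank_collections(profile):
    """Order collections by the count of serious items, so remedial action can
    be planned where the risk is concentrated."""
    return sorted(profile, key=lambda c: (-profile[c]["serious"], c))


def relationship_profile(records, categories=SERIOUS, min_events=2):
    """Stage 2, for the serious categories only: relate sender to recipient on
    a timeline and keep the pairs between whom such material moved repeatedly.
    Returns {(sender, recipient): [datetime, ...]} in chronological order."""
    edges = defaultdict(list)
    for _coll, ts, sender, recipient, cat in records:
        if cat in categories:
            edges[(sender, recipient)].append(datetime.fromisoformat(ts))
    return {pair: sorted(times) for pair, times in edges.items()
            if len(times) >= min_events}


if __name__ == "__main__":
    profile = risk_profile(RECORDS)
    for coll in rank_collections(profile):
        print(coll, dict(profile[coll]["by_category"]))
    for (sender, recipient), times in relationship_profile(RECORDS).items():
        print(f"{sender} -> {recipient}: {[t.date().isoformat() for t in times]}")
```

Note that the stage 1 output contains no names at all; individuals appear only in stage 2, and only for the categories the audit has already agreed are serious.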
• Contain an assessment as of the end of the most recent fiscal year of the
issuer, of the effectiveness of the internal control structure and procedures
of the issuer for the financial reporting
• With respect to the internal control assessment required from the above
provision, the organisation shall attest to, and report upon the assessment
made by the management
BS 7799
BS 7799 has become the most widely referenced and recognised information
security standard in the world. It was originally published in the mid-nineties,
and was heavily revised in May 1999. This version became, in December 2000,
an international standard issued by the International Standards Organisation
(ISO) as BS EN ISO 17799.
COBIT
The COBIT (Control Objectives for Information and related Technology)
framework has been developed by the IT Governance Institute. The COBIT
framework is designed to assist management functions of compliance by
attempting to unify the various elements of business risk, technical requirements
and the overall need to put in place appropriate management controls. The
benefits of COBIT are often cited when looking at the issues associated with
Sarbanes-Oxley Section 404 compliance.
How Can Vogon Help?
Vogon has developed a portfolio of specialist services over the past 20 years that
support the requirements of compliance, both proactively and reactively. We
have unrivalled experience in dealing with huge data sets, both as a result of
working on some of the largest data recovery and data conversion projects
around the world, and as part of our involvement in the prosecution of a huge
number of disclosure and fraud related cases worldwide.
Vogon has helped with the prosecution of some of the highest profile cases,
including Maxwell, BCCI, Sumitomo, Barings Bank, Polly Peck, WorldCom and
Guinness. This has enabled us to develop skill sets and software tools which
are unrivalled.
Clients come to Vogon because we are able to capture, process, and produce
targeted disclosure ready output from the largest live storage and archival storage
quickly, accurately and cost effectively. Much of our business is repeat work and
this is based on a trust in our ability to deliver highly technically complex, bespoke
solutions, repeatedly, in a professional, timely and cost effective manner.
The integration of Vogon’s technical skills and high quality, locale specific legal
advice continues to be the key element in ensuring the successful completion of
key projects. This reputation is based upon a proven track record of professionally
executed and technically innovative collaboration with partners in the legal
profession.
Vogon are experts in data recovery and data conversion, skills that are also
employed in many of the techniques used in our forensic and disclosure work.
Time and time again, we have proven this – in fact, we are routinely sent jobs by
other specialist firms when they have been unable to help their customers.
We can, and do, recover data from all storage media and across all platforms.
The partnership agreements we maintain with leading hardware and software
manufacturers, together with our own research ensures that we are always able
to operate at the cutting edge of technology. Our investigators are always aware
of the latest developments and the tools they use are continually being updated
to work in any technological environment. All of these tools are exclusive to
Vogon.
Data Conversion
Complementing our recovery capability is our data conversion service. We can
move data from one format to another – quickly, accurately, and regardless of
how obscure or archaic the source storage mechanism is. In many instances our
data conversion skills are key to our success in disclosure and compliance
related work.
Whatever your data conversion requirements are, Vogon has the tools and
expertise to help.
Conclusion
In response to a history of fraudulent activities and spectacular failures of some
of the world’s largest companies over the past fifteen years, a range of
international legislation and codes of practice have emerged to try to regulate
and guide the activities of the corporate world.
Vogon Offices
United Kingdom
Vogon International Limited
Talisman Business Centre
Talisman Road
Bicester
OX26 6HR
United Kingdom
Tel: +44 (0) 1869 355255
Fax: +44 (0) 1869 355256
www.vogon.co.uk
email: info@vogon.co.uk
USA
Vogon International LLC,
Riverside Center, Suite 2625
2600 Van Buren
Norman
OK 73072
USA
Tel: +1 405 321 2585
Fax: +1 405 364 8242
www.vogon.us
email: info@vogon.us
Germany
Vogon International GmbH
Frankfurter Ring 193a,
80807 Munich, Germany
Tel: +49 (0) 89 32 35 03-0
Fax: +49 (0) 89 32 35 03-24
Vogon International GmbH
Am Westhover Berg 30
51149 Cologne
Germany
Tel: +49 (0) 2203 91 54 74-00
Fax: +49 (0) 2203 91 54 74-42
www.vogon.de
email: info@vogon.de
Norway
Vogon International AS
Østensjøveien 36
P.B. 6568
Etterstad
0607 Oslo
Norway
Tel: +47 2337 1400
Fax: +47 2337 1401
www.vogon.no
email: info@vogon.no