[ntp:questions] Fwd: Weak Enforcement of Corporate Governance and Lax Technical Controls Have Enabled the Illegal Backdating of Stock Options
jaredmorrisen at gmail.com
Wed Feb 21 22:43:33 UTC 2007
*Weak Enforcement of Corporate Governance and Lax Technical Controls Have
Enabled the Illegal Backdating of Stock Options*
Feb 21, 2007
In 2006 hundreds of companies were implicated in stock-option timing
scandals, and a number of executives were indicted for illegally backdating
stock options. While greed is the primary reason for backdating, it is
abetted by weak enforcement of corporate governance that should prevent the
practice in the first place. Often, there also is a lack of technical
controls on corporate networks to deter such activities.
Options backdating is the dating of employee stock options with an earlier
date than the actual date of the grant. The objective is to choose a date on
which the price of the underlying stock is lower than the current price,
resulting in an instant profit to the grantee. When dealing with tens or
hundreds of thousands of shares, and price differentials in the range of $50
a share, the amount of illicit gain can be immense.
This time distortion results not only in the value of the option being much
greater to the employee receiving it, but in a correlative detriment to
shareholders by way of stock price dilution. While backdating of stock
options is not necessarily illegal if the grantor of the stock options
properly discloses the backdating, it remains to be seen whether some other
fiduciary duty has been breached.
Most of the legal issues arising from backdating are a result of the grantor
falsifying documents to conceal the backdating. According to attorney Louis
Brilleman, counsel at Sichenzia Ross Friedman Ference in New York, a law
firm specializing in securities matters, backdating is illegal under most
circumstances. The practice usually leads to the creation of fraudulent
documents through the disclosure of misleading corporate earnings and the
improper reporting of the option grant under applicable tax rules, Brilleman
Options backdating has been going on for many years. The rules changed in
2002 with the passage of Sarbanes-Oxley, but even that did not stop some
companies from continuing backdating practices. Accurate timing of
transactions — stock or otherwise — is fundamental to any SOX report.
Further, beginning in August 2002, and pursuant to SOX and other securities
laws, the SEC started requiring companies to disclose their stock-option
awards within two days of options grants.
With new regulations in place, backdating now is a regulatory issue, and, as
such, companies can no longer bury their heads in the sand and hope no one
notices. It has become clear that the element of time is now an internal
control. Any weaknesses in tracking the time of stock-option grants must be
investigated, reported and corrected.
Companies now must take the necessary steps to ensure that any backdating
will be detected. Besides the development of policies, procedures and
standards around backdating, there are technical solutions that can be
implemented to support such an endeavor.
*Time Synchronization Is Imperative*
These technical solutions center on time synchronization. Companies must
proactively create a time-synchronization mandate and ensure that it is
correctly deployed throughout their IT environments. Fortunately, creating
such a time synchronization infrastructure is relatively easy, and the ROI
on such an undertaking can be significant.
As time-synchronization hardware is a needed investment, properly
communicating the need to management is crucial to getting funding for the
technology. Synchronizing time is a fundamental business and technology
decision that should be an integral part of an effective network and
The need for this is evident in that an enterprise information network and
security infrastructure is highly dependent on synchronized time. In
addition, there also are regulatory issues that require correct synchronized
time — from NASD OATS, FFIEC and GLBA, to Visa CISP and many more. All of
these regulations recognize that correct time is critical for transactions
across a network. Many events on the network need the correct time to
initiate jobs, complete transactions, etc. Correct time is critical for
billing systems, authentication systems, manufacturing, forensics and more.
Common to all of these regulations is the requirement that financial
transactions and changes to electronic records be accurately time-stamped.
To provide accurate time stamps, all network devices must be synchronized
relative to national and international time standards.
At the application and operating system level, most applications and
networking protocols require correct synchronized time. Vendors such as
Microsoft, Cisco, Oracle, Red Hat, Novell and Baan all state that their
systems must be configured to an authoritative time server for proper and
Time servers cost from $2,000 to $10,000, depending on the level of accuracy
and redundancy required. Time servers, which take but a few hours to
install, provide additional benefits, such as reduced downtime and the
ability to mitigate legal exposure.
Options backdating is the problem, and time synchronization is the solution.
But getting from solution to implementation takes proper planning and
project management. With that, the following five steps can be used as a
high-level framework for implementing synchronized time in your
*Step 1: Risks and Requirements*
The first step is to formally determine the risk to your company if you do
not have synchronized time. Don't underestimate the risks; if you don't
practice due care pertaining to the time on your network system, you can be
legally liable for negligence and held accountable for the ramifications of
Next, determine how accurate your clocks need to be. This can be anywhere
from milliseconds to a few seconds. Finally, advise management of the risks
of nonsynchronized time and get their approval for the purchase of
time-synchronization equipment and the initiation of a time-synchronization
*Step 2: Hardware and Software*
Start meeting with vendors of time-synchronization equipment to determine
the solution that best fits your organization and specific needs. Some of
the leading vendors in this space include
Symmetricom <http://www.symmetricom.com/> and EndRun Technologies.
*Step 3: Policy*
If policies for time synchronization are not in place already, work with the
information security department to ensure that time synchronization becomes
part of the global enterprise information technology policy. Time
synchronization must be made part of the corporate IT systems and security
policies. Without a policy, there will be no impetus for staff to achieve
accurate, synchronized time. Often, a simple policy, such as, "Time
synchronization to an accurate time source is required on all enterprise
network devices," is a sufficient first step.
*Step 4: Architecture*
The first step to architecting an accurate time-synchronization solution is
to establish a network time source, known as a reference clock, for
tracability to national and international standards. A typical reference
clock would use GPS (Global Positioning System) to receive time from
satellites. Second, create a downstream topology for all network components
to use the reference clock as the network's master source of time.
*Step 5: Auditability*
Steps 1 through 4 are important from a technical perspective. But even with
the most sophisticated timing device, you still need to have independent and
auditable time controls in place. As part of this, you must be able to prove
to auditors and regulators that the time on any monitored system was
correctly synchronized with a specified time source.
Also, it is important to note that time synchronization will not magically
cure a regulatory material weakness leading to an internal controls problem.
Those in control of time synchronization still can manipulate time and/or
data. It becomes an issue, at least in part, of taking control over this
material weakness away from insiders. With that, it is imperative to ensure
that insiders are not engaging in any time-based data manipulation.
Also, if something goes to court, you need to prove that all your devices on
your network are synchronized and that all transactions that took place are
able to provide an accurate, authenticated time source. This requires that
all logs are handled within the context of digital forensics and staff
members are following the appropriate rules of evidence.
The backdating fiasco demonstrates that the need for synchronized time is a
crucial business and technology requirement. As such, it is an integral part
of an effective network and security architecture. Ensuring accurate time is
relatively inexpensive and offers a significant ROI. And it is a great way
to stop your company from getting negative press — not to mention to keep
your management team from being indicted.
More information about the questions