CORPORATE
GOVERNANCE, SOX AND
COMPLIANCE
The Transformation of CA, Inc
(formerly Computer Associates)
John E. McDermott, CFE
VP, Corporate Compliance Investigator
CA, Inc.
CA, Inc
CA is one of the world's largest IT management software providers,
unify and simplify complex IT environments—in a secure way—across
the enterprise for greater business results.
Founded in 1976, CA today is a global company with headquarters in
the United States and 150 offices in more than 45 countries. It serves
more than 99% of Fortune 1000 companies, as well as government
entities, educational institutions and thousands of other companies in
diverse industries worldwide.
2
October 24, 2008
ECI Conference
Copyright © 2007 CA
BACKGROUND
3
October 24, 2008
ECI Conference
Copyright © 2007 CA
Sanjay Kumar & Charles Wang
4
October 24, 2008
ECI Conference
Copyright © 2007 CA
SOUND FAMILIAR????????
> Wall Street’s wild rollercoaster ride continues
> Stocks plunge again
> Corporate Executives Blamed for Stock Woes
> Corporations Fail – Stockholder Equity Lost
5
October 24, 2008
ECI Conference
Copyright © 2007 CA
Congress Responds – July 30, 2002
Public Company Accounting Reform and Investor Protection
Act of 2002
AKA
Sarbanes –Oxley Act (SOX)
6
October 24, 2008
ECI Conference
Copyright © 2007 CA
Sarbanes – Oxley Act
Consists of 11 subsections
Title I – Created the Public Company Accounting Oversight Board
Title III – Corporate Responsibility (section 302 and complaint
system)
Title IV – Enhanced Financial Disclosure (section 404)
Title VIII – Criminal Fraud Accountability
Title IX – White Collar Crime Penalty Increase
Title XI - Corporate Fraud Accountability (Whistleblower
Protection)
7
October 24, 2008
ECI Conference
Copyright © 2007 CA
The Accounting Fraud
“The 35Day Month”
• Practice extending Computer Associates’ fiscal
quarters beyond their natural conclusion to
prematurely recognize revenue
DOJ, SEC &
FBI
Investigatio
n
• Massive accounting fraud perpetrated by the
company’s senior most executives from the
late 1980s to 2001 & then a cover-up through
2004
The
Outcome
9
October 24, 2008
ECI Conference
• Convictions of 8 senior executives including
CEO, CFO, General Counsel, and SVP F&A
• $2.2 billion restatement
• Deferred Prosecution Agreement (DPA)
Copyright © 2007 CA
The “35-Day Month” Fraud
> The “35-Day Month” which was a practice
extending CA’s fiscal quarters beyond
their normal conclusion to prematurely
recognize revenue.
> The multi-billion dollar fraud allowed the
company to fraudulently prop up the price
of the stock and consistently meet or
exceed Wall Street analyst’s revenue and
earnings expectations.
Former CEO Sanjay Kumar
10
October 24, 2008
ECI Conference
Copyright © 2007 CA
CA’s Deferred Prosecution Agreement
 Accepting Responsibility
 18-month term
 Independent Examiner
-Written reports to the Court and the
Board of Directors
 Compliance Committee of the
Board
-Added to the Audit Committee function
of the Board
 Chief Compliance Officer
-Reports to the Audit & Compliance
Committee of the Board of Directors
and to the General Counsel
11
October 24, 2008
ECI Conference
Copyright © 2007 CA
CA’s Deferred Prosecution Agreement
 Comprehensive compliance program
-Including an anonymous hotline
 Comprehensive ethics/compliance training program
 Comprehensive records management program
 Policy of cooperating with government investigations
 Head of Internal Audit and increased staff
-Reports to the Audit & Compliance Committee of the Board of Directors and
to the General Counsel
 Reorganization of Finance Department/Division.
 Chief Accountant and Controller function
 Restitution fund
12
October 24, 2008
ECI Conference
Copyright © 2007 CA
Establishing a Best-In-Class Compliance
Program
> Recruiting a Chief Compliance Officer
> “Unfettered Access”
> Instituting a Compliance Program
> Joining the Defense Industry Initiative
> Establishing Compliance Related Policies and Procedures
> Upgrading the prior Code of Conduct
13
October 24, 2008
ECI Conference
Copyright © 2007 CA
The Headlines You Never Want to Read
> U.S. Indicts Sanjay Kumar For Fraud, Lies
> Ex-CFO at Computer Associates to Enter Plea in Accounting Probes
> Computer Associates Ex-Executives Plead Guilty, Call Fraud
Pervasive
> Computer Associates Is In Talks to End Fraud Inquiry
> Computer Associates Signs Deferred Prosecution Agreement
>
14
Ex-CEO Gets 12 Years in Prison
October 24, 2008
ECI Conference
Copyright © 2007 CA
18
October 24, 2008
ECI Conference
Copyright © 2007 CA
“Don’t Lie, Don’t Cheat, Don’t Steal”
> With this phrase, Gnazzo introduced
himself to over 1200 CA employees
> The former Chief Compliance Officer for
United Technologies Corporation for 10
years
Patrick J. Gnazzo,
Former SVP, Business
Practices,
Chief Risk & Compliance
Officer
20
October 24, 2008
ECI Conference
Copyright © 2007 CA
Business Practice Standards of
Excellence: Our Code of Conduct
21
October 24, 2008
ECI Conference
Copyright © 2007 CA
Highlights from CA’s Code of Conduct
> CA expects all employees to read and understand the Code
> Each year CA will require all employees to acknowledge through an
attestation his/her understanding of the Code
> It is the obligation of every employee to report suspected violations
of the Code and cooperate fully in any internal or external investigation
> Violations of the Code may result in disciplinary action up to and
including dismissal
> CA will not tolerate any retaliation against any employee who raises
a concern about CA’s business practices
> Compliance with the law is mandatory
> CA does not offer or pay bribes to government officials
> CA’s fundamental rule for financial reporting is: do nothing that would
mislead or misinform anyone about our finances
22
October 24, 2008
ECI Conference
Copyright © 2007 CA
A very well-written Code
with strong layout. It’s
obvious that CA has
invested heavily in their
ethics and compliance
program (not surprisingly).
Helpline
> Third-party Helpline


Provider called Global Compliance Services (GCS).
Located in North Carolina, USA
> Continuous Service



24 hours
7 Days a week
365 Days a year
> Accessible world wide


via in country access numbers
In local languages
> Provides services to many companies;

24
October 24, 2008
ECI Conference
Including Wal-Mart, Altria, General Dynamics, etc.
Copyright © 2007 CA
Changing the Culture at CA
> Role of CA’s Senior Leadership Team Connecting
compensation to compliance
> The Ethics and Compliance Officers Association has
reported that less than 10% of Corporate America ties
executive compensation to ethics and compliance.
> “Raise your Hand”
> Borrow from the NYC MTA
25
October 24, 2008
ECI Conference
Copyright © 2007 CA
THE IMPORTANCE OF RAISING ISSUES
Dear CA Colleague:
We all play a critical role in building a new culture at CA, in which the highest standards of
business ethics are consistently adhered to throughout the organization.
Everyone at CA has an obligation to come forward if they see something that isn’t right. On a
number of occasions in CA’s past, employees stood by while unethical, inappropriate or illegal
conduct took place. Failing to report unethical or illegal activity is just as bad as taking part in
such acts -- and the consequences are the same. This email is a reminder of your responsibility
to come forward if you see something that doesn’t seem right.
All employees should feel comfortable discussing matters of concern with their manager.
However, where that is not the case, there are other avenues available: including HR, the Law
Department, the Compliance Officer, or the Compliance and Ethics Helpline, which is available
24 hours-a-day.
Building and maintaining a winning culture is one of our Six Key Priorities and requires
everybody’s active participation. Take a few moments to review our Code of Conduct to ensure
you understand your responsibilities under it. Thank you for giving this effort the attention it
deserves.
Regards,
John
26
October 24, 2008
ECI Conference
Copyright © 2007 CA
Promoting Tone at the Top
> Has the executive taken the required ethics courses?
> Has the executive handled compliance matters appropriately when
they have occurred in his or her area?
> Has the executive communicated the importance of the Code of
Conduct throughout his or her organization?
> Has the executive set the appropriate “tone at the top” and is it
communicated and practiced?
27
October 24, 2008
ECI Conference
Copyright © 2007 CA
Compliance Investigations
> Hired a compliance investigator
> Responsible for the investigation of all
allegations, inquiries and government requests
for the company worldwide
> Responsible for the policies and procedures
relating to investigations, CA’s Helpline and the
Case Management System
28
October 24, 2008
ECI Conference
Copyright © 2007 CA
Compliance Cases
Allegations Compared to All Other Case Types
Allegations
All other case types
(HREI, Security, Board, Inquiries,
Government requests)
30
October 24, 2008
ECI Conference
Copyright © 2007 CA
COMPLIANCE ALLEGATIONS
Active or closed and verified by fiscal year
31
October 24, 2008
ECI Conference
Copyright © 2007 CA
What are the
Federal Sentencing Guidelines?
Apply to all organizations:
Private and public, profit & non-profit

Originally drafted in 1991
7-part test to determine appropriate range of sentencing

Revised in 2004
Extends focus to “having a culture of compliance”

Relevance?
Guidance for Judges
Department of Justice uses, plus McNulty Memo
Represent Best Practices
32
October 24, 2008
ECI Conference
Copyright © 2007 CA
1. Code/Policy/Procedure
Standard
To have an effective compliance and ethics program, an organization
shall—
(A) exercise due diligence to prevent and detect criminal conduct; and
(B) otherwise promote an organizational culture that encourages ethical conduct and a
commitment to compliance with the law.
How is CA complying?

33
CA has revised its Code of Conduct and is establishing
comprehensive written policies and procedures for compliance.
Examples are the Compliance and Ethics Helpline Policy, the CA
Business Practices & Compliance Program and intranet site,
which establishes an organizational structure for compliance,
and CA’s Code of Conduct. These set forth the Company’s
commitment to the highest level of legal and ethical standards
in the conduct of its business activities.
October 24, 2008
ECI Conference
Copyright © 2007 CA
2. Compliance Function
Standard
The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and
shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program. High-level
personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this
guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.
Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics
program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing
authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out
such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the
governing authority or an appropriate subgroup of the governing authority.
How is CA complying?
34

Hired a SVP Business Practices and Chief Compliance Officer who is responsible for the administration of
the compliance program which includes the development and implementation of the Company’s compliance
programs; this includes oversight of compliance training and investigations.

Board of Directors will provide adequate resources to Compliance Department to ensure compliance is
institutionalized at CA.

The Compliance Organization for FY07 has a full time-staff of 15 (plus 5 other lawyers who are dotted line)
to assist in the implementation of the program.

CA has implemented a Business Practices Officer (BPO) Program in the field of up to 87 part-time
compliance officers to assist the field in training, gifts & gratuities, and conflicts of interest questions.
October 24, 2008
ECI Conference
Copyright © 2007 CA
3. Communication/Training
Standard
The organization shall take reasonable steps to communicate periodically and in a practical manner its
standards and procedures, and other aspects of the compliance and ethics program by conducting effective
training programs and otherwise disseminating information appropriate to such individuals’ respective roles
and responsibilities. (Including to) the members of the governing authority, high-level personnel, substantial
authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.
How is CA complying?
35

CA utilizes a variety of techniques for employee notification, including: employee bulletins, newsletters, and
e-mails, blogs, desk-drops, management addresses.


Board of Director’s will have ethics training.

Beginning FY07 CA introduced its new ethics training course on the Code of Conduct, CA requires an annual
attestation that employee has read and understands the Code of Conduct and has no conflicts of interest
other than what is disclosed on the form. CA periodically reviews, revises, and redistributes its compliance
policy statements to reflect changes in the law.
CA has a Business Ethics Curriculum for all employees. The courses are given through a combination of
live training, video training, and web-based training.
October 24, 2008
ECI Conference
Copyright © 2007 CA
4. Auditing/Helpline
Standard:
The organization shall take reasonable steps—
>
to ensure that the organization’s compliance and ethics program is followed, including
monitoring and auditing to detect criminal conduct;
>
to evaluate periodically the effectiveness of the organization’s compliance and ethics
program; and
>
to have and publicize a system, which may include mechanisms that allow for anonymity or
confidentiality, whereby the organization’s employees and agents may report or seek
guidance regarding potential or actual criminal conduct without fear of retaliation.
How is CA complying?
36

CA engages in vigorous self-policing. The Company has devoted substantial resources to auditing the Compliance program and has
focused audits on areas of the Company’s business susceptible to violations of law.

In February 2007, the Compliance group initiated an ombudsman program. The Ombuds serves as a confidential, neutral and informal
channel of communication for employees to raise business-related issues in complete confidence without fear of retaliation.

CA has a third-party helpline for employees to disclose confidentially, or if they desire, anonymously, suspected or actual violations of
law or questionable business practices. Disclosures are investigated by the Business Practices and Compliance Officers, the Worldwide
Law Department, or HR, and recommendations for appropriate action are provided to the functional business manager with assistance
from HR.

On CA’s internet site, CA also has a “Contact the Board” where interested parties, such as customers, suppliers and employees, may
contact the board directly.
October 24, 2008
ECI Conference
Copyright © 2007 CA
5. Appropriate Discipline
Standard:
>
The organization’s compliance and ethics program shall be promoted and
enforced consistently throughout the organization through
>
appropriate incentives to perform in accordance with the compliance and
ethics program; and
>
appropriate disciplinary measures for engaging in criminal conduct and for
failing to take reasonable steps to prevent or detect criminal conduct.
How is CA complying?



The SLT has a percentage of their compensation tied to their commitment to compliance.

All disciplinary actions are reported to the SVP Business Practices and Compliance who, in-turn, provides
reports to the Audit and Compliance Committee of the Board of Directors.
37
CA investigates allegations of wrongdoing in violations of the Code.
Discipline meted out runs from Discharge in the most severe cases to training and counseling in those cases
which are less severe.
October 24, 2008
ECI Conference
Copyright © 2007 CA
6. Investigate/Correct
Standard:
After an offense has been detected, the organization must
have taken all reasonable steps to respond appropriately to
the offense and to prevent further similar offenses--including
any necessary modification to its program to prevent and
detect violations of law.
How is CA complying?

CA evaluates and performs root cause corrective action process to analyze, address,
and prevent possible systemic deficiencies. Revisions may include increased auditing
and employee training, changes in procedures and changes in personnel.

CA updated its Investigations Policy to clearly outline the purpose and scope of all
CA investigations as well as the related roles and responsibilities of employees and
management. It promises that all involved will be treated professionally and fairly,
with the utmost confidentiality.
38
October 24, 2008
ECI Conference
Copyright © 2007 CA
7. Tone at the Top
Standard:
The senior management of the organization must promote an
organizational culture that encourages ethical conduct and a
commitment to compliance with the law.
How is CA complying?

The SVP Business Practices and Compliance is providing ethics training for the Board of
Directors.

CA is developing a “Tone at the Top” that is more robust that just the ELT delivering the
message. “Tone at the Top” for embracing the compliance program is delivered through
the functional managers to the rest of the organization.

The SLT has revised and reissued the CA core values to include Integrity, with an
updated Charter.


The SLT has a percentage of their compensation tied to their commitment to compliance.
39
The Company is committed to funding the Compliance Programs to institutionalize
business practices and compliance at CA.
October 24, 2008
ECI Conference
Copyright © 2007 CA
Business Practice Officers Program
Global extension of the Business Practices and Compliance Organization
▪
Nominated and supported by CA management
▪
Appointed by location and function within the organization
▪
Maintain full-time positions in various roles throughout the company
▪
Help interpret the Code of Conduct and assist employees with questions and concerns regarding a business
practices or compliance issues
▪
A resource to management in assisting them in fulfilling their obligations in fostering a culture of ethics
and compliance at CA.
Eighty-seven Business Practice Officers (BPOs) representing the major
facilities:
▪
23 Europe Middle East Africa
▪
24 Asia Pacific Japan
▪
4 Latin America
▪
36 North America
40
October 24, 2008
ECI Conference
Copyright © 2007 CA
Local BPO Locations
41
October 24, 2008
ECI Conference
Copyright © 2007 CA
If employees have questions or concerns…
Multiple channels of communication:
 Manager
 Human Resources
 Local Business Practice Officer
 Business Practice Department
 Law Department
 Office of the Ombuds
 3rd party Helpline
 3rd Webline reporting System added in 2008
(can be anonymous)
42
October 24, 2008
ECI Conference
Copyright © 2007 CA
The Importance of an Effective Compliance
Program
> Mandated by the DPA
> Requirement of the Federal Sentencing Guidelines
> The key word is “effective”
> Government business
> Competitive advantage
43
October 24, 2008
ECI Conference
Copyright © 2007 CA
CA’s Compliance Program Best
Practices
> The head of Compliance as a senior level executive
> Ability to be independent with a solid reporting line to the Audit and
Compliance Committee of the Board of Directors.
> Open communication with many different avenues for employees to
raise issues, anonymously and confidentially
> Strong investigative process that can be observed by those Business
Units that need to be informed and involved; such as Legal, Finance,
Internal Audit, etc.
> A local compliance presence (BPOs) that enables employees worldwide
to feel that ethics and compliance are not just corporate-centric.
Promotion of a culture to empower CA’s employees to always do the
right thing.
44
October 24, 2008
ECI Conference
Copyright © 2007 CA
The Dawn of a New Day
May 21, 2007
CA has “complied with the terms of the DPA”
-US Attorney for the Eastern District of New York and
Lee Richards Independent Examiner
"The expiration of the DPA is the result of the willingness of the government to
allow CA to operate under a DPA and the strong commitment by all the
Company's employees to take the steps necessary to meet its requirements.
This has been a very healthy process for the Company,"
-Lewis Ranieri, chairman of CA's Board of Directors
"Our efforts won't stop because we have met the requirements of the DPA, we will
continue to demand a high level of transparency, ethical behavior and integrity
from our entire organization.
-John Swainson, CA's president and chief executive officer
45
October 24, 2008
ECI Conference
Copyright © 2007 CA
Benchmarking
CELC Program Assessment
Compliance and ethics program assessment across 28
key categories including:

standards & procedures

training & communication

investigation

discipline & incentives
Near perfect scores in all 28 categories
47
October 24, 2008
ECI Conference
Copyright © 2007 CA
Employee Survey Result 2006 - 2008
48
October 24, 2008
ECI Conference
Copyright © 2007 CA
“The time is always right to do
what is right”
- Dr. Martin Luther King Jr.
Never doubt that a small group of
committed people can change a
company
- Adapted from Margaret Mead