CORPORATE GOVERNANCE, SOX AND COMPLIANCE
The Transformation of CA, Inc (formerly Computer Associates)

John E. McDermott, CFE
VP, Corporate Compliance Investigator
CA, Inc.

CA, Inc

CA is one of the world's largest IT management software providers, unifying and simplifying complex IT environments, in a secure way, across the enterprise for greater business results.
Founded in 1976, CA today is a global company with headquarters in the United States and 150 offices in more than 45 countries. It serves more than 99% of Fortune 1000 companies, as well as government entities, educational institutions and thousands of other companies in diverse industries worldwide.

October 24, 2008 ECI Conference
Copyright © 2007 CA

BACKGROUND

Sanjay Kumar & Charles Wang

SOUND FAMILIAR????????
> Wall Street’s wild rollercoaster ride continues
> Stocks plunge again
> Corporate Executives Blamed for Stock Woes
> Corporations Fail – Stockholder Equity Lost

Congress Responds – July 30, 2002
Public Company Accounting Reform and Investor Protection Act of 2002
AKA Sarbanes-Oxley Act (SOX)

Sarbanes-Oxley Act
Consists of 11 subsections
Title I – Created the Public Company Accounting Oversight Board
Title III – Corporate Responsibility (section 302 and complaint system)
Title IV – Enhanced Financial Disclosure (section 404)
Title VIII – Criminal Fraud Accountability
Title IX – White Collar Crime Penalty Increase
Title XI – Corporate Fraud Accountability (Whistleblower Protection)

The Accounting Fraud
“The 35-Day Month”
• Practice extending Computer Associates’ fiscal quarters beyond their natural conclusion to prematurely recognize revenue
DOJ, SEC & FBI Investigation
• Massive accounting fraud perpetrated by the company’s senior-most executives from the late 1980s to 2001 & then a cover-up through 2004
The Outcome
• Convictions of 8 senior executives including CEO, CFO, General Counsel, and SVP F&A
• $2.2 billion restatement
• Deferred Prosecution Agreement (DPA)

The “35-Day Month” Fraud
> The “35-Day Month” was a practice of extending CA’s fiscal quarters beyond their normal conclusion to prematurely recognize revenue.
> The multi-billion dollar fraud allowed the company to fraudulently prop up the price of the stock and consistently meet or exceed Wall Street analysts’ revenue and earnings expectations.
Former CEO Sanjay Kumar

CA’s Deferred Prosecution Agreement
Accepting Responsibility
18-month term
Independent Examiner
-Written reports to the Court and the Board of Directors
Compliance Committee of the Board
-Added to the Audit Committee function of the Board
Chief Compliance Officer
-Reports to the Audit & Compliance Committee of the Board of Directors and to the General Counsel

CA’s Deferred Prosecution Agreement
Comprehensive compliance program
-Including an anonymous hotline
Comprehensive ethics/compliance training program
Comprehensive records management program
Policy of cooperating with government investigations
Head of Internal Audit and increased staff
-Reports to the Audit & Compliance Committee of the Board of Directors and to the General Counsel
Reorganization of Finance Department/Division.
Chief Accountant and Controller function
Restitution fund

Establishing a Best-In-Class Compliance Program
> Recruiting a Chief Compliance Officer
> “Unfettered Access”
> Instituting a Compliance Program
> Joining the Defense Industry Initiative
> Establishing Compliance Related Policies and Procedures
> Upgrading the prior Code of Conduct

The Headlines You Never Want to Read
> U.S. Indicts Sanjay Kumar For Fraud, Lies
> Ex-CFO at Computer Associates to Enter Plea in Accounting Probes
> Computer Associates Ex-Executives Plead Guilty, Call Fraud Pervasive
> Computer Associates Is In Talks to End Fraud Inquiry
> Computer Associates Signs Deferred Prosecution Agreement
> Ex-CEO Gets 12 Years in Prison

“Don’t Lie, Don’t Cheat, Don’t Steal”
> With this phrase, Gnazzo introduced himself to over 1200 CA employees
> The former Chief Compliance Officer for United Technologies Corporation for 10 years
Patrick J. Gnazzo, Former SVP, Business Practices, Chief Risk & Compliance Officer

Business Practice Standards of Excellence: Our Code of Conduct

Highlights from CA’s Code of Conduct
> CA expects all employees to read and understand the Code
> Each year CA will require all employees to acknowledge through an attestation his/her understanding of the Code
> It is the obligation of every employee to report suspected violations of the Code and cooperate fully in any internal or external investigation
> Violations of the Code may result in disciplinary action up to and including dismissal
> CA will not tolerate any retaliation against any employee who raises a concern about CA’s business practices
> Compliance with the law is mandatory
> CA does not offer or pay bribes to government officials
> CA’s fundamental rule for financial reporting is: do nothing that would mislead or misinform anyone about our finances

A very well-written Code with strong layout. It’s obvious that CA has invested heavily in their ethics and compliance program (not surprisingly).

Helpline
> Third-party Helpline Provider called Global Compliance Services (GCS). Located in North Carolina, USA
> Continuous Service 24 hours 7 Days a week 365 Days a year
> Accessible worldwide via in-country access numbers, in local languages
> Provides services to many companies, including Wal-Mart, Altria, General Dynamics, etc.

Changing the Culture at CA
> Role of CA’s Senior Leadership Team
  Connecting compensation to compliance
> The Ethics and Compliance Officers Association has reported that less than 10% of Corporate America ties executive compensation to ethics and compliance.
> “Raise your Hand”
> Borrow from the NYC MTA

THE IMPORTANCE OF RAISING ISSUES

Dear CA Colleague:

We all play a critical role in building a new culture at CA, in which the highest standards of business ethics are consistently adhered to throughout the organization.

Everyone at CA has an obligation to come forward if they see something that isn’t right. On a number of occasions in CA’s past, employees stood by while unethical, inappropriate or illegal conduct took place. Failing to report unethical or illegal activity is just as bad as taking part in such acts -- and the consequences are the same.

This email is a reminder of your responsibility to come forward if you see something that doesn’t seem right. All employees should feel comfortable discussing matters of concern with their manager. However, where that is not the case, there are other avenues available: including HR, the Law Department, the Compliance Officer, or the Compliance and Ethics Helpline, which is available 24 hours-a-day.

Building and maintaining a winning culture is one of our Six Key Priorities and requires everybody’s active participation. Take a few moments to review our Code of Conduct to ensure you understand your responsibilities under it.

Thank you for giving this effort the attention it deserves.

Regards,
John

Promoting Tone at the Top
> Has the executive taken the required ethics courses?
> Has the executive handled compliance matters appropriately when they have occurred in his or her area?
> Has the executive communicated the importance of the Code of Conduct throughout his or her organization?
> Has the executive set the appropriate “tone at the top” and is it communicated and practiced?
Compliance Investigations
> Hired a compliance investigator
> Responsible for the investigation of all allegations, inquiries and government requests for the company worldwide
> Responsible for the policies and procedures relating to investigations, CA’s Helpline and the Case Management System

Compliance Cases: Allegations Compared to All Other Case Types
[Chart. Legend: Allegations; All other case types (HREI, Security, Board, Inquiries, Government requests)]

COMPLIANCE ALLEGATIONS
Active or closed and verified by fiscal year
[Chart]

What are the Federal Sentencing Guidelines?
Apply to all organizations: Private and public, profit & non-profit
Originally drafted in 1991
7-part test to determine appropriate range of sentencing
Revised in 2004
Extends focus to “having a culture of compliance”
Relevance?
Guidance for Judges
Department of Justice uses, plus McNulty Memo
Represent Best Practices

1. Code/Policy/Procedure
Standard: To have an effective compliance and ethics program, an organization shall—
(A) exercise due diligence to prevent and detect criminal conduct; and
(B) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
How is CA complying?
CA has revised its Code of Conduct and is establishing comprehensive written policies and procedures for compliance.
Examples are the Compliance and Ethics Helpline Policy, the CA Business Practices & Compliance Program and intranet site, which establishes an organizational structure for compliance, and CA’s Code of Conduct. These set forth the Company’s commitment to the highest level of legal and ethical standards in the conduct of its business activities.

2. Compliance Function
Standard: The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program. High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program. Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.
How is CA complying?
Hired a SVP Business Practices and Chief Compliance Officer who is responsible for the administration of the compliance program, which includes the development and implementation of the Company’s compliance programs; this includes oversight of compliance training and investigations.
Board of Directors will provide adequate resources to Compliance Department to ensure compliance is institutionalized at CA.
The Compliance Organization for FY07 has a full-time staff of 15 (plus 5 other lawyers who are dotted line) to assist in the implementation of the program.
CA has implemented a Business Practices Officer (BPO) Program in the field of up to 87 part-time compliance officers to assist the field in training, gifts & gratuities, and conflicts of interest questions.

3. Communication/Training
Standard: The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities. (Including to) the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.
How is CA complying?
CA utilizes a variety of techniques for employee notification, including employee bulletins, newsletters, e-mails, blogs, desk-drops and management addresses.
Board of Directors will have ethics training.
Beginning FY07, CA introduced its new ethics training course on the Code of Conduct. CA requires an annual attestation that the employee has read and understands the Code of Conduct and has no conflicts of interest other than what is disclosed on the form.
CA periodically reviews, revises, and redistributes its compliance policy statements to reflect changes in the law.
CA has a Business Ethics Curriculum for all employees. The courses are given through a combination of live training, video training, and web-based training.

4. Auditing/Helpline
Standard: The organization shall take reasonable steps—
> to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
> to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and
> to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
How is CA complying?
CA engages in vigorous self-policing. The Company has devoted substantial resources to auditing the Compliance program and has focused audits on areas of the Company’s business susceptible to violations of law.
In February 2007, the Compliance group initiated an ombudsman program. The Ombuds serves as a confidential, neutral and informal channel of communication for employees to raise business-related issues in complete confidence without fear of retaliation.
CA has a third-party helpline for employees to disclose confidentially, or if they desire, anonymously, suspected or actual violations of law or questionable business practices. Disclosures are investigated by the Business Practices and Compliance Officers, the Worldwide Law Department, or HR, and recommendations for appropriate action are provided to the functional business manager with assistance from HR.
On CA’s internet site, CA also has a “Contact the Board” where interested parties, such as customers, suppliers and employees, may contact the board directly.

5. Appropriate Discipline
Standard:
> The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through
> appropriate incentives to perform in accordance with the compliance and ethics program; and
> appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.
How is CA complying?
The SLT has a percentage of their compensation tied to their commitment to compliance.
All disciplinary actions are reported to the SVP Business Practices and Compliance who, in turn, provides reports to the Audit and Compliance Committee of the Board of Directors.
CA investigates allegations of wrongdoing in violation of the Code. Discipline meted out runs from discharge in the most severe cases to training and counseling in those cases which are less severe.

6. Investigate/Correct
Standard: After an offense has been detected, the organization must have taken all reasonable steps to respond appropriately to the offense and to prevent further similar offenses--including any necessary modification to its program to prevent and detect violations of law.
How is CA complying?
CA evaluates and performs a root cause corrective action process to analyze, address, and prevent possible systemic deficiencies. Revisions may include increased auditing and employee training, changes in procedures and changes in personnel.
CA updated its Investigations Policy to clearly outline the purpose and scope of all CA investigations as well as the related roles and responsibilities of employees and management. It promises that all involved will be treated professionally and fairly, with the utmost confidentiality.

7. Tone at the Top
Standard: The senior management of the organization must promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
How is CA complying?
The SVP Business Practices and Compliance is providing ethics training for the Board of Directors.
CA is developing a “Tone at the Top” that is more robust than just the ELT delivering the message. “Tone at the Top” for embracing the compliance program is delivered through the functional managers to the rest of the organization.
The SLT has revised and reissued the CA core values to include Integrity, with an updated Charter.
The SLT has a percentage of their compensation tied to their commitment to compliance.
The Company is committed to funding the Compliance Programs to institutionalize business practices and compliance at CA.

Business Practice Officers Program
Global extension of the Business Practices and Compliance Organization
▪ Nominated and supported by CA management
▪ Appointed by location and function within the organization
▪ Maintain full-time positions in various roles throughout the company
▪ Help interpret the Code of Conduct and assist employees with questions and concerns regarding business practices or compliance issues
▪ A resource to management in assisting them in fulfilling their obligations in fostering a culture of ethics and compliance at CA.
Eighty-seven Business Practice Officers (BPOs) representing the major facilities:
▪ 23 Europe Middle East Africa
▪ 24 Asia Pacific Japan
▪ 4 Latin America
▪ 36 North America

Local BPO Locations

If employees have questions or concerns…
Multiple channels of communication:
Manager
Human Resources
Local Business Practice Officer
Business Practice Department
Law Department
Office of the Ombuds
3rd party Helpline
3rd Webline reporting System added in 2008 (can be anonymous)

The Importance of an Effective Compliance Program
> Mandated by the DPA
> Requirement of the Federal Sentencing Guidelines
> The key word is “effective”
> Government business
> Competitive advantage

CA’s Compliance Program Best Practices
> The head of Compliance as a senior level executive
> Ability to be independent with a solid reporting line to the Audit and Compliance Committee of the Board of Directors.
> Open communication with many different avenues for employees to raise issues, anonymously and confidentially
> Strong investigative process that can be observed by those Business Units that need to be informed and involved; such as Legal, Finance, Internal Audit, etc.
> A local compliance presence (BPOs) that enables employees worldwide to feel that ethics and compliance are not just corporate-centric.
Promotion of a culture to empower CA’s employees to always do the right thing.

The Dawn of a New Day
May 21, 2007
CA has “complied with the terms of the DPA”
-US Attorney for the Eastern District of New York and Lee Richards, Independent Examiner

"The expiration of the DPA is the result of the willingness of the government to allow CA to operate under a DPA and the strong commitment by all the Company's employees to take the steps necessary to meet its requirements. This has been a very healthy process for the Company,"
-Lewis Ranieri, chairman of CA's Board of Directors

"Our efforts won't stop because we have met the requirements of the DPA, we will continue to demand a high level of transparency, ethical behavior and integrity from our entire organization."
-John Swainson, CA's president and chief executive officer

Benchmarking
CELC Program Assessment
Compliance and ethics program assessment across 28 key categories including:
standards & procedures
training & communication
investigation
discipline & incentives
Near perfect scores in all 28 categories

Employee Survey Result 2006 - 2008

“The time is always right to do what is right”
- Dr. Martin Luther King Jr.

Never doubt that a small group of committed people can change a company
- Adapted from Margaret Mead