Could IT Spot Backdating? Experts Say No

Todd Neff | March 20, 2007

With hundreds of companies under investigation in the ongoing stock option backdating scandal and billions in shareholder wealth up in smoke as a result, one would think the seemingly straightforward, inexpensive solution of time servers—computers to track and confirm when an option is granted—would catch on.

It hasn’t, say auditors, attorneys, and even time-server makers themselves. The reasons are complicated.

Time servers are computers that either obtain time accurate to less than a millionth of a second from Global Positioning System satellites or contain ultra-accurate atomic clocks themselves. Linked to a corporate network, time servers could theoretically be an easy means for confirming the actual file-create date of, say, an options grant. Grantors could backdate away, but the timestamps wouldn’t lie (assuming a user can be blocked from modifying his or her computer clock or otherwise subverting the system). The presence of auditable logs would make for a clear deterrent against backdating, so the thinking goes.


Such technology is also quite inexpensive. A small organization might get by with a single server costing $3,000—or even an open-source time server. A global enterprise might spend $100,000 for an integrated setup. Such systems have become common in firms in securities trading, telecommunications, electric utilities, and other fields. But Bruce Penrod, vice president of product development at EndRun Technologies, a time-server maker, says he hasn’t heard of a customer interested in options backdating per se as a reason for purchase. The real issue, he says, is being able to track the human element in various transactions.

“If some executive wants to go tell the IT guy to set the clock back on the server, there’s really nothing to keep him from doing that,” Penrod says. But, he adds, such a change would show up in log files.

“It would ripple down through the entire hierarchy. It does make it harder, and it really would look bad because it would be very clear that it was intentional,” Penrod says.
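How a set-back clock surfaces in a log review, as an added example that is not from the article or from either vendor: the log format, file names and events below are constructed, and the check assumes each record carries a sequence number assigned in write order that the person changing the clock cannot rewrite.

```python
from datetime import datetime, timedelta

# Constructed sample of an append-only audit log: "<seq> <UTC timestamp> <event>".
# The format is an assumption for illustration, not any product's real log format.
SAMPLE_LOG = """\
101 2007-03-19T14:02:11Z login user=cfo
102 2007-03-19T14:05:40Z file_create grant_A.doc
103 2007-02-27T09:00:03Z file_create grant_B.doc
104 2007-02-27T09:01:15Z file_modify grant_B.doc
105 2007-03-19T14:09:02Z file_create memo.doc
106 2007-03-19T14:09:01Z heartbeat
"""


def parse(line):
    """Split one record into (sequence number, timestamp, event text)."""
    seq, ts, event = line.split(" ", 2)
    return int(seq), datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event


def find_rollbacks(log_text, tolerance=timedelta(seconds=5)):
    """Return (seq, event, lag) for records stamped earlier than time already logged.

    Sequence numbers give the true write order. A timestamp that trails the
    running maximum by more than `tolerance` means the clock was stepped back;
    smaller differences are treated as ordinary jitter between writers.
    """
    records = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    suspicious = []
    high_water = None  # latest timestamp seen so far, in write order
    for seq, ts, event in records:
        if high_water is not None and high_water - ts > tolerance:
            suspicious.append((seq, event, high_water - ts))
        else:
            high_water = ts if high_water is None else max(high_water, ts)
    return suspicious


if __name__ == "__main__":
    for seq, event, lag in find_rollbacks(SAMPLE_LOG):
        print(f"seq {seq}: {event!r} stamped {lag} behind the log's high-water mark")
```

The same comparison does nothing for a document that was honestly timestamped and then held for later use, which is the limitation the attorneys quoted later in the article raise.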

Dick Fox, a spokesman for time-server maker Spectracom, says even organizations that view providing accurate time as a core network service must draw the line somewhere. Controls having to do with time and auditability must extend to all relevant clients, which might include desktop and laptop computers running Windows, Linux systems, and even wireless devices.


“I don’t think any organization takes it to the point that they control every single document on every single device in the world,” Fox says. “And I think you have to take it to that level to prevent the kind of shenanigans we’re seeing with options backdating.”

Perhaps as a result, attorneys and auditors are not seeing companies look to time servers and other technology to combat options-timing issues. Rather, the trend appears to be focused on process.

“Companies are being much more specific with schedules of options grants, so there’s a lot less opportunity for those things to get reengineered after the fact,” says Edward Bright, chairman of the corporate and financial institutions practice group at law firm Thacher Proffitt & Wood.

Turning To Other Solutions


Bright says he is seeing compensation committees increasingly postdate options, so that they are granted after quarterly announcements when the gap between public and internal corporate knowledge is at its minimum.

“There is more process and more taking affirmative control back into the committee and away from management,” Bright says.

Jay Hanson, partner and national director of accounting for McGladrey & Pullen, says the small to mid-size public companies his firm audits have not turned to time servers, at least as far as he had heard.


Instead, his firm asks clients for information on every options award granted from 2000 forward and as a first step, simply compares grant dates to a stock chart over the same period. Questionable patterns bring more investigation. But one thing auditors don’t generally do is question the veracity of the dates posted on options grants, he says.

“Quite honestly, we’re not trained to be documents authenticators,” Hanson says.

On one hand, Hanson says, a time log to match documents with actual creation dates “would be very helpful.” Then again, complexities that often arise in the options-granting process—such as assigning a proper grant date to documents approved by compensation committee members via unanimous consent email exchanges—would limit the benefit of timestamping.

“What if the paperwork doesn’t get sent until the end of the month? The end of the quarter? The end of the year? A timestamp isn’t going to help you with that, necessarily,” Hanson says.

John Wirtshafter, practice leader of the executive-compensation group of law firm McDonald Hopkins, says he hasn’t seen clients installing time servers for the express purpose of preventing backdating, either.

“I for one am a little bit suspicious of timestamping,” Wirtshafter says. “You could create an options-grant document once a month and use the one you like later.”

He says clients are “bending over backwards” to ensure trustworthy options granting practices, with some going as far as holding the meetings in which options are granted after the close of business on the grant date, and pricing grants based on that day’s actual market closing price.

Ben Rothke, a senior security consultant for British Telecom-INS, who in general stresses the importance of standardizing time on corporate networks, says options backdating may be a self-correcting problem.


“Everyone knows in March 2007, the SEC is on top of so many companies that a lot of people are just not doing it,” he says. “We all jaywalk and I’ve never met a person who’s gotten a ticket for jaywalking. But if cities were issuing $1,000 summonses for jaywalking, that would stop it.”

But Rothke says other legal issues should have companies considering time-server implementations, particularly to ensure accurate timing in logs that end up as centerpieces in computer-crime cases. Logs written by different servers with system clocks set hours apart can cast reasonable doubt on the timing of an alleged misdeed.

“Above and beyond the backdating issue, it’s a very needed technology,” he says.