VideoOptions timing is clearly the cause du jour of federal regulators — and the terror of executives. After announcing investigations into dozens of companies this past summer, the Securities and Exchange Commission and the Department of Justice filed charges against former executives at Brocade Communications Systems and Comverse Technology, sparking what most expect to be an ongoing volley (see On the Record).
While investigators continue to focus on backdated options, companies may well be nervous about regulators' interest in related practices known as spring-loading (timing grants to come ahead of good news) and bullet-dodging (offering them after bad news), both of which aim to capture presumed lows in stock prices for the options' strike prices. Last November, Analog Devices spent $3 million to settle spring-loading charges with the SEC. Cyberonics is still under investigation for issuing options to top officers following Food and Drug Administration approval of a new product but before the market opened. Many others, including Home Depot and Merrill Lynch, have been tainted by The Wall Street Journal's recent revelations that abnormally large numbers of options were issued soon after the tragedies of September 11.
Such practices, which some say were widely used at volatile technology companies, are not technically illegal, provided the company's compensation committee was not deceived in any way. "It's a pure governance issue rather than the violation of any law," says Michael Sirkin, a partner at Proskauer Rose and co-chair of the law firm's new stock-option task force. (In most cases, investigations related to spring-loading center on whether companies ran afoul of disclosure rules.)
In fact, SEC commissioner Paul Atkins even promoted such tactics as a way for cash-poor companies to get more bang for their buck with options. "It's only a paper gain and it still has to be earned," Atkins told CFO.
Yet, few others are advocating options timing these days. "It's a cloudy ethical issue — a very gray area — so we don't do it," says J.D. Sherman, CFO of Akamai Technologies Inc.
Governance experts agree. Building in quick paper gains "seems to cut against the very notion of incentive compensation," says Pat McGurn, executive vice president of Institutional Investor Services. Not to mention that, strictly speaking, options given under such conditions would be nearly impossible to fairly value for reporting purposes. "Having additional information causes the Black-Scholes model, along with most others, to break down," says Stacy Powell, national practice leader for CCA Strategies's equity compensation consulting practice. The models work on the presumption that all sides have equal information, she explains.
In August, the SEC issued new rules on executive-compensation reporting that require the disclosure of the rationale behind options grants. Many companies are also moving to make grants at specific times each year, to avoid the appearance of opportunistic timing. — Alix Nyberg Stuart
Checkups on Providers Miss the Mark
SAS-70 audits assess the internal controls, in particular the data-security controls, of outsourcing providers. These checks have become a regular part of Section 404 compliance. The problem is, they cost a lot, and "it isn't clear that they are all that effective," says Jonathan G. Gossels, president of information security firm SystemExperts.
Part of the issue is that SAS-70 audits are not standardized; each accounting firm performs them differently. "If I were a CFO, I would want to know that my outsourcers have been measured against an objective standard, not one the auditor made up," says Gossels. Some audits, he says, look only at existing policies, not best practices. For example, if a company does not have a policy to prevent new data servers from being deployed with their default passwords, there is no guarantee that the audit will uncover it. Another problem is that the audits don't necessarily test every one of the outsourcing provider's facilities.
Larry Runge, CFO of dbaDirect, a data-infrastructure management firm, says the concerns are misguided. While he agrees that client firms need to ask about audit criteria, he is comfortable with the level of assurance the audit provides. More to the point, he says, "I don't see another alternative."
But Gossels has another suggestion: abandon the SAS-70 audit in favor of a "more comprehensive" international standard, such as ISO 27002. Rather than allow negotiation on procedures, ISO 27002 sets specific standards that must be met to earn what Gossels considers a meaningful seal of approval. — Rob Garver
Reader Comments» Post a comment