I have been reading with interest the various reports on Powerline and NRO relative to the Obama campaign accepting donations from fictitious individuals via credit card through its website. I should say that I have not verified the individuals’ claims and I don’t believe Obama is remotely qualified to be President based on his slim experience and his vision for America.
Sarbanes-Oxley (SOX) was enacted in 2002 as a result of the various corporate scandals including Enron, Tyco, WorldCom, etc. You can read more about the act here, but basically management (who sign the annual report) is responsible for establishing and maintaining a set of internal controls and the independent auditor is responsible for testing and rendering an opinion on the internal controls. I do remember watching the Congressional hearings at the time just thinking how absolutely ignorant Congress was related to financial statements, corporate governance and the role of the independent auditor.
Briefly on my qualifications relative to what is written below. I am an accountant with 20+ years of experience in a variety of industries. I have passed the CPA exam (although my license is inactive). For the last 5 years I have been working in the internal audit function for several public companies on a consultative basis. This included documenting procedures, documenting controls and controls testing on a SOX and operational basis.
What has been discussed on these blogs is a situation where donations from fictitious names with fictitious addresses have been made to the Obama campaign. Apparently something called the Address Verification System (AVS) would have to have been consciously disabled in order for this to happen.
There are two types of what I would call hard internal controls. They are preventive controls and detective controls. A preventive control inhibits an erroneous activity from occurring. An example of a preventive control would be “Campaign donations by credit card from fictitious or ineligible individuals are systematically inhibited via the Address Verification System as a valid address associated with that card is required.” A detective control would reveal that an error or questionable transaction has occurred after the fact. An example of a detective control would be “Campaign finance staff review a daily listing of credit card donations and investigate credit card donations made from fictitious (or deceased) personnel and investigate credit card donations associated with fictitious addresses.”
Preventive controls are considered more robust than detective controls as the questionable transaction is stopped up front rather than revealed after occurrence. If the AVS had to be consciously disabled to allow these types of contributions to go through, I would consider it a serious breach of internal control. If, as part of SOX testing, this type of control breach were detected, the individual responsible for disabling the control would certainly be fired. Powerline also reports that a New York Times Blogger has stated the following: “Yet when Times reporter Michael Luo wrote it up for the Times’ campaign blog, he somehow missed the point ‘To be fair to the Obama campaign, Luo wrote, officials there have said much of their checking for fraud occurs after the transactions have already occurred. When they find something wrong, they then refund the amount.’” As an auditor that might be the single dumbest statement I have ever heard.
Auditors also consider controls termed soft controls. Soft controls are commonly referred to as entity wide or tone at the top controls. Basically what this means is that Executive Management sets a tone (example) for ethical behavior at the Corporation. An example of a soft control would be a published Employee Code of Conduct that employees have to annually certify compliance with. (I wonder if campaign employees have to sign codes of conduct?)
I would certainly consider a Presidential Campaign to be equivalent to a publicly held company with the nominee as the CEO. If the activities above actually occurred relative to credit card donations I would say that there is a serious tone issue at the Obama campaign. As Obama is the CEO of his campaign I wonder if he would be comfortable certifying, like CEOs do, that his campaign has established and maintained a system of internal controls. Remember if elected and based on the current economic situation, this man with the help of a Democratic Congress will probably usher through sweeping corporate regulation the likes of which this country has never seen. Do we want that from someone who has a campaign that looks like it might not be in compliance with corporate laws that currently exist? We’ll see on November 4th.