This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs. An index of previous conversations is available here.
We usually talk to chief compliance officers or governance officers. What can you tell us about your 'chief accounting officer' title?
I’ve been here about eight years, and came in as vice president and corporate controller.
When the Sarbanes regulations came out and the corporate-reform environment took hold, through our formal by-laws the position of chief accounting officer was designated to me in deference to our being a larger company and our having a lot of compliance regulations—both for the external public and internal regulations with HIPPA and things like that, since we’re a records-management business… We felt it was important to have that designation and to assign the responsibility specifically to an individual.
Iron Mountain does records management. You must benefit from Sarbanes-Oxley and see a nice bit of business from it, no?
That’s true. And even before the act came out, a lot of the C-level executives were recognizing the importance of good records management for a variety of reasons.
Go back to Enron: document destruction was a big part of that scandal. A lot of executives started to talk to Iron Mountain ... about how they could improve their polices and protect their company’s reputation.
When Sarbanes was enacted and it put personal liability on the CEOs and CFOs of public companies, then they also wanted to talk to us not only about their company’s brand but also their own personal responsibility under the Act…
What we’ve noticed is that this has moved from the back room, where our client base used to be in the past, to the boardroom. CEOs, CFOs, CIOs, general counsels—they’re very interested in making sure their records are protected.
So, what functions do you oversee?
Obviously I do the traditional corporate controller role: international taxes, tax planning, tax strategy; all of our internal reporting, which includes all of our accounting operations and internal control environments; all our computer financial applications report up through me; all reporting to shareholders in the form of SEC filings, press releases and things like that; financial planning, analysis and forecasting.
And obviously because I’m the chief accounting officer, in the last 18 months since Sarbanes was implemented I’ve been responsible for implementing the disclosure and compliance aspects, including Section 404.
Who are your direct reports to get this done?
Worldwide, the staff is probably 200 people; that includes clerical support and administrative support. I also have all our division finance people report to me, and that’s about three or four people.
At corporate headquarters, there are probably five more people who represent taxes, financial planning and analysis or internal reporting who report to me.
What about other governance issues, such as a code of conduct? Who oversees that?
We have three aspects to that. First we have an in-house counsel; he and I have worked very closely together on the code of ethics and on board composition and governance. Under the legal department—since, as I mentioned, we are a records-management company—we have a group that focuses on regulations that surround information, such as HIPPA or the Gramm-Leach Act. And thirdly, our HR department has a specific conduct code and an internal communication policy.
And how do you work with the board of directors?
The audit committee and the audit chairman are intimately involved in our 404 project. I meet on a monthly basis with the audit chairman, and I meet generally on a quarterly basis at minimum with the whole audit committee. We talk about Sarbanes control issues, general updates and things like that.
How’s the 404 project coming along, anyway?
I look at 404 as having two pieces. One is the actual internal control evaluation, design, testing and remediation work that gets us to the certification level our shareholders and the audit firms are looking for.
The other aspect is the records-management program; it’s one of the objectives embedded within Section 404. We are running a separate project basically to go back and reassess our own records-keeping policy worldwide, to make sure we’re doing everything we can and that we’re compliant in that area also.
Is that a smaller pill for Iron Mountain to swallow, since records-management is your core business anyway?
I would agree that we have an edge; obviously we have tremendous in-house talent. But in a lot of ways, the same problems in records-management that other companies face, Iron Mountain faces also. We grew very fast [$105 million revenues in 1995 to $1.7 billion in 2004], and in that growth we made a lot of acquisitions. Hence we inherited their records, and their records-management polices or not.
So while over the years we’ve had our own records program, under 404 we realized this was an important aspect… So we took the time to reassess our program.
And direct responsibility for the 404 project is yours?
It’s my responsibility. We have created a four-person core team called the internal control resource team, and they consist of three of our top technicians (people with extensive backgrounds in public accounting and very well-versed in internal controls). To that team, we added the director of internal audit…
One thing important to us is the morale of the team that is doing this, because it’s an extremely huge, time consuming project—we’re probably going to spend, when all is said and done in two years, 40,000 man-hours internally. Because this was all going to be very fluid, with regulations changing from what was originally thought, we needed to make sure the teamwork stayed good throughout the organization and that they understood that this was a negotiable thing.
Aside from 404, what else in Sarbanes-Oxley has given you grief?
I look it in three chunks. When it first came out, we had all the corporate governance items: making sure that the board was independent, that there was a financial expert on the audit committee, that we established a code of ethics for senior financial management, that we establish pre-approval services required with our external auditors… we had all of those up front, along with the 8-K related disclosure.
You go into people’s mindsets in a lot of ways, when you make them stop and think about these things—where before they might have received an option from the board and not even known about it for two days, never mind reporting it to the SEC. In the beginning they were a lot of compliance-oriented things; some of them Iron Mountain had already been doing, and some of them were just getting people to think about it in the forefront of their minds.
Can you give an example of changing mindsets?
I’d say the two-day window. For example, there were options granted to key officers at the beginning of the year, and some of these officers weren’t even notified that they were given options within that two-day timeframe. So we had missed filing the proper form, and had to disclose that in our 2003 proxy—and that hasn’t happened since!
We did set up a mechanism since then, so people are prompted to know that if you do any type of a stock transaction you need to alert the legal people as soon as possible and file these forms.
Speaking of mechanisms to communicate to people, how do you get that done when Iron Mountain has so many geographically diverse offices?
We’ve tried to get around that two ways. One is from a leadership role—who the leaders are in our international operations; there are communications to them about the importance of this and the importance of maintaining Iron Mountain’s brand in the marketplace through all of these regulations.
Also (and I’m obviously biased), I believe finance is a huge backbone within organizations. Our own finance team, which is a global team, communicates probably daily on everything that’s going on. Any time we have any policies or procedures that had to be implemented in the past year and half, we communicate extensively at all different levels to make sure the finance department is the backbone. Then we use that to communicate to our own international leadership, whatever countries they’re in.
What are your compliance priorities for the next 12 months?
You really have two things pulling at you. You have to make sure this compliance work gets done… and I try to integrate it into the business and show the value to the business. At the same time, we’re still a growing organization. We have business requirements that we have to fulfill. I’d say one other area is just in the world of improving business information—integrating information with our business needs on a much more timely basis and a much higher quality of control.
Unique to Iron Mountain due to our tax position is that we have to focus much more on global taxes, and that’s a very interesting area too. Taxes in general have been an area with its own mystique surrounding it and people do a lot of calculations and forecasting. The accuracy required for that forecasting is obviously a lower materiality level than what’s required when you report your external financials; I’d predict that the entire tax environment is going to have to move much more towards accuracy. In a lot of companies it’s a very large item on their P&L… They’re going to need to make sure it’s a very accurate area for them. And also it’s an area very ripe for records management in general.
Thanks, Jean.
An index of previous Q&A Interviews is available here.
This column should not be regarded as legal advice. It is for general information and discussion only, and is not a full analysis of the matters presented.
No comments yet