This profile is the latest in a series of weekly conversations with executives at U.S. public companies who are currently involved in establishing and developing compliance programs.

You’re the first compliance director Altera has ever hired. Why this position, and why now?

They were moving down this road for some time. It just became an opportune moment; they were at a point in their development of SOX compliance where they felt they needed to bring someone on board. They were doing it with outside consulting, and wanted to bring someone inside who would be here ongoing.

I’ve been with Altera a little more than a year. It’s a new function, ongoing, and we’re building it all the time—so Altera is getting used to it, and it is getting used to Altera.

And your areas of responsibility?

Altera hired me to do two things. One was to start and maintain an internal audit function, and the other is to service the compliance side of the business. That’s increasingly becoming a major responsibility.

Overall, I’m doing internal audits of financial, operational and IT parts of the company worldwide … The other area of my responsibility is ‘soft compliance.’ I review the 10-Ks, 10-Qs and so on, as well as Foreign Corrupt Practices Act, export regulations.

Most compliance executives are either lawyers or accountants. What’s your background, and what experience do you draw on?

My background is about 20 years of internal audit, for the most part as a director … I’ve also been a CFO for a company and a general manager at a company. It’s a pretty broad experience.

The financial experience is all-important. It’s also important to understand process, both financial and operational, so you can get an understanding of the overall implications of what you’re doing. One of the unique things we’ve done at Altera is that I report directly to general counsel and to the chairman of the audit committee. So where I encounter areas of strict interpretation, I can often fall back on the legal department and get support there.

How is personnel structured around this function?

We’re actually a very small group: myself and two others. Rather than it be a hierarchal group, it really works as a team executing audits, completing compliance reviews and so forth. We cover the entire sphere that you could imagine in SOX and SEC compliance: financial reporting, revenue, fixed assets, whatever.

Talk about Section 404. Who else at Altera has helped tackle that?

A tremendous number of people. Almost the entire company has been involved in one way or another. The initial approach was to define and develop the documentation—the narratives and control matrices and so forth—and to define the controls and what the risks were. That was predominantly done by the overall financial function, probably near 50 or 60 people. They weren’t full-time, of course, but each did their part. My involvement in that was more a consultive role, about what we really needed and in which direction to go.

Was the documentation phase challenging for Altera?

It was difficult. We of course had policies and procedures, but really getting the format and approach that enabled us to test and validate compliance was painstaking. Any time you have a lot of people trying to write a single task, it’s going to be a problem.

Outside consultants were involved initially; they were working on that upwards of six to eight months. I came aboard in March 2004, and I worked with the team and had concluded all documentation by June 2004. But there were a lot of iterations, revisions, editorials, and so forth.

What IT strategies did you employ to manage all this?

We took a simplistic approach to it using Excel and Word—very simplistic, but it worked for us. It was hard enough to implement the complexity of SOX, let alone another system to boot. We’re now looking at possible control systems for installation in 2005.

We hear the Excel approach a lot, actually. You really just wanted to cross the finish line alive?

I think that’s very true, for most companies. The requirements for SOX compliance were changing almost on a day-by-day basis throughout 2004. We were trying to work with our external auditors and the internal team to ensure we had adequate compliance. In my view, although we were successful in getting compliance, that led to an over-documentation in some areas—maybe too many controls in some areas.

Now, in 2005, will be when we stand back and say, “OK, let’s look at what we did. Do we need to streamline these processes? Do we need to pare down some of these controls that might be a bit over the top?”

Has Section 404 provided Altera a more detailed look into the controls environment?

Oh, I think undoubtedly there are benefits to this. We see them in processes; we uncovered some issues that needed to be addressed. Going forward, we’re better placed. Altera has always been a well-controlled company, so we started from a better position than many companies. Even so, we had issues to address. Now with this suite of documentation, we’re well-primed to move into 2005 and streamline things.

An example?

Well, some areas in the IT function—segregation of duties and access to systems. We needed a little enhancement to make sure we were covering all our bases for the processes there. We took action on that.

Aside from Section 404, how else did Sarbanes go?

Section 302 we pretty much pegged early in 2004; the management team really nailed that down. As far as records-management, that’s another one of my responsibilities. We are actively working on deployment of a records-management program, and an enterprise content-management system. That’s ongoing and will be deployed in 2005 and 2006 worldwide.

How large a headache is overseas participation in U.S. compliance?

Really, communicating is the word. A lot of the messages come from the top down, very strongly. They push the message through the financial arm, through sales and operations. We’ve done departmental meetings and larger meetings over time. They’ve been frequent and detailed.

I wouldn’t call it a headache; it’s just another part of the process. For example, we have operations in Malaysia. They were compliant with SOX as far as they needed to be, before the end of the year. And they were part of the evaluation that our external auditors looked at.

What’s your typical day like?

Busy! [Laughs]. I have to be very organized in what I’m doing, and have basically laid out all the major audits and tasks and reviews that need to be done between now and the end of the year. I try to stick to that.

How much of your time is devoted to internal audit, versus compliance—or has that balance changed over time?

I’d say that increasingly you can’t distinguish between the two. The audits I have scheduled for this year are all integrated audits, that cover such things as SOX compliance and FCPA and export regulations. We’d review the 10-Q or 10-K in a normal fashion anyway—not so much for approval, but for information.

And what are your top compliance priorities for the next 12 months?

The areas where I mentioned IT—we actually remediated just about everything we had outstanding, and we did that before the end of the year. Those issues have gone away. What we now need to focus on is how to better manage the compliance of SOX and financial control, and streamline all the work that we did last year. That’s really the focus.

Will this be easier going from Year Two, in money and time?

We’re hoping so. Last year was a very expensive proposition, and nobody would say anything different. This year won’t be as expensive, either internally or externally. For the reasons I mentioned, we are looking at what we did, and we’re working with our external auditors to try to ensure that we complement each other rather than have multiple coverage. During the testing period last year, we were fortunate that our external auditors were able to take 50 to 60 percent of our work-product—which I think is an indication that our work product is pretty good. Hopefully we can take that and move forward.

Thanks, Michael.

Compliance Week regularly profiles corporate executives responsible for governance, compliance, ethics and risk.