Are your internal controls sufficient?

Companies have made Herculean efforts to improve their internal controls to comply with Sarbanes-Oxley Section 404, but the improvements sometimes go wanting. Some believe a lapse of a Societe Generale magnitude could happen in thousands of other companies.

Author: Cheney, Glenn
Position: INTERNAL CONTROLS

How much internal control is enough? Financial executives should be relieved to know that that question has no correct answer. It's unfortunate, however, since knowing the answer is a key aspect of the finance executive's job.

The directors of Societe Generale thought they knew the answer, but now it seems the answer is down in the dark depths of a $7 billion hole and they're still looking for it. As Angelynn E. Meya, an attorney with the Paris office of Winston and Strawn LLP, opines, merely having internal controls wasn't enough for Societe Generale. It needed to live those controls.

"It does not appear to be a question of having 'enough' internal controls," Meya says, "but reinforcing and vigilantly adhering to existing controls. Government efforts now seem to focus not on restructuring internal procedures for banks, but rather on reinforcing existing controls and ensuring compliance."

The same problem may be widespread in the U.S., and not just philosophically. Companies have made Herculean efforts to improve their internal controls since Sarbanes-Oxley Section 404 went into effect, but sometimes the improvements have been less than adequate. Some have expanded their controls beyond necessity--while ignoring changes in their operations environment. They have lengthy checklists testifying to internal control, while ignoring vulnerabilities to anything from a devious employee to a bolt from the blue.

At the heart of the disaster at Societe Generale was a relatively simple failure of internal control, versions of which exist in companies around the world. An employee in the back office of information technology (IT) was transferred to a front-office trading desk. He brought with him not only knowledge of the company's computer system but also his old passwords, which allowed him to slip back into that system at will. He could mess with records and cover his tracks. And that's what he did as he discovered that he was phenomenally bad at trading equities derivatives but truly stellar at meddling with the innards of a computer network.

Could Happen in Thousands of Companies

Mark McClain, CEO and founder of SailPoint, a firm that makes identity risk management software that aims to help prevent SocGen-type gaps in IT security, says the problem that happened in Paris could happen at thousands of other companies.

"There's an awful lot of trust in IT today that depends on good behavior," McClain says. "Quite often, these large companies haven't been able to...
