Lehigh University


Selected Media Coverage: June 2, 2006

IMA pursues alternative to COSO guidance on SOX 404
06/04/2006 - Accounting Today (cir. 35,225)

Codes on Sites 'Captcha'
05/31/2006 - Wall Street Journal, The (cir. 2,049,786)

LOVE ON EARTH -- One order of love, free shipping and handling
05/18/2006 - Associated Press (AP) - ASAP (cir. )

IMA pursues alternative to COSO guidance on SOX 404
06/04/2006 - Accounting Today (cir. 35,225)

IMA pursues alternative to COSO guidance on SOX 404
by Glenn Cheney

MONTVALE, N.J. — Make no mistake about it: The Institute of Management Accountants supports the Sarbanes-Oxley Act. It has even said that the legislation was long overdue.

But that doesn't mean that the IMA thinks SOX is working.

IMA president and chief executive officer Paul Sharman, ACMA, said that the intent of the act is not being realized, that the problem is in implementation, and that the solution is in better guidance.

"Small public companies are struggling with SOX compliance," Sharman said. "Oddly enough, the implementation guidance was written from an external point of view, when in fact internal accounting staff are the ones that have to implement it and make it work in their businesses."

The problem has become so serious, Sharman warned, that some small public companies are considering delisting themselves from stock markets as a viable alternative.

Sharman said that auditors are generally supportive of Sarbanes-Oxley and the stiff audit requirements issued by the Public Company Accounting Oversight Board simply because they mean more work, and more fees, for audit companies.

"It's all about the attestation that auditors are doing to test management assertion that their internal controls are effective," Sharman said. "Putting auditors in charge of determining whether internal controls are satisfactory is like putting the monkey in charge of the peanuts."

And it will only get worse in 2007, he said, when smaller companies — roughly 80 percent of corporations in the United States — have to start meeting the requirements of SOX Section 404.

The burden of compliance will be relatively heavier on these companies, because they lack the infrastructure, know-how and personnel to implement new controls.

Aware of the problem, the Securities and Exchange Commission's Advisory Committee on Smaller Public Companies has suggested exempting smaller companies from the need to comply with Section 404, but critics are warning that the Sarbanes-Oxley Act makes no such allowance for companies, and those smaller companies are precisely the ones where fraud and inaccurate financial statements occur. The IMA has fired off a comment letter on the exposure draft, questioning the legality and wisdom of creating a multi-tier or scaled system of control governance and audit opinion reliability. A more realistic, and legal, solution, the letter said, is to find cost-effective ways to help companies comply.

"We believe that ... the focus of corrective actions to the current SOX regime should be on addressing this core root cause 'head-on,'" the letter said. "The absence of practical top-down/ risk based assessment guidance for management is the real root cause that is at the heart of the massive and unintended consequences currently impacting companies of all sizes."

Can COSO handle it?

COSO — the Committee of Sponsoring Organizations of the Treadway Commission — recently took up a project to write SOX compliance guidance for small companies. Big Four firm PricewaterhouseCoopers was hired to write the guidance, but the IMA, which is one of COSO's five sponsors, said that the guidance, which is expected to be issued in late spring, isn't getting down to the fundamental problem, let alone solving it.

"The new COSO guidance is being written by auditors," Sharman said. "And why would they want to do that? For auditors. The document is checklists, not guidance for companies about how to implement internal controls. It's guidance on what auditors will be looking for — the checklist that auditors would be using."

To enable effective Sarbanes-Oxley implementation, Sharman is dedicating the IMA to the development of a "management-centric" implementation framework for SOX Sections 302 and 404, one that is focused on the identification and mitigation of real and plausible risks underlying the various accounting processes within an organization. That includes anti-fraud controls and the processes used by management to produce financial statements.

The working title of this framework is "Collaborative Assurance and Risk Design Management Edition." To establish a basis for its guidance, the IMA has joined with the Institute of Internal Auditors to sponsor an independent research study. Parveen Gupta, professor of accountancy at Lehigh University and co-author of "Sarbanes-Oxley: A Practical Guide to Implementation Challenges and Global Response," has just compiled the raw data from the research and hopes to issue a completed study in May.

Preliminary analysis, Gupta said, indicated that companies are not really using the COSO framework that was issued in 1992, and which was never intended to be used as guidance on complying with Sarbanes-Oxley. Instead, they are using the PCAOB's Auditing Standard No. 2 to guide them toward compliance, or at least toward passing their audits.

"Management should come to the table with a certain opinion on the effectiveness of their internal controls based on management-centric framework, and the auditors should arrive at a certain conclusion based on their auditing of the management process," Gupta said. "I, personally, am of the opinion that faulty implementation of the intent of Sections 302 and 404 is not a ground for absolving companies of any size of their responsibilities under that law. Rather, the right thing to do is to fix the implementation of this important law by taking a more management-centric, risk-focused approach."

Management accountants, Sharman said, are inherently more qualified than auditors to design, implement and monitor guidance on internal control.

The institute is pulling together an advisory board to develop and deploy the new guidance, which, it hopes, the SEC will sanctify as the appropriate framework for establishing adequate, functional, cost-effective SOX compliance. The institute plans to follow a due process involving exposure drafts and public comment.

Jeffrey C. Thomson, IMA vice president of research and practice development and a member of the COSO board of directors, reiterates that the IMA is hoping to work with COSO on the new framework.

"Our overall objective isn't to slam COSO, but to address market need," Thomson said. "There are some good things about the COSO framework. It's principles-based, it describes what internal control is about and it has stood the test of time. But I don't know too many products that go 15 years without improvement or rejuvenation. We need to take COSO to the next level."


Codes on Sites 'Captcha'
05/31/2006 - Wall Street Journal, The (cir. 2,049,786)

Dave Simmer is a computer-savvy graphic designer. Yet when he surfs the Internet, he often gets stumped by the distorted jumbles of letters and numbers that some Web sites ask users to retype to gain access.

"They keep warping them and making them longer," says the 40-year-old from Cashmere, Wash.

The visually impaired have long decried these codes, which protect sites such as Yahoo.com and Ticketmaster.com from computer programs that create scores of email accounts for spammers or buy hundreds of concert tickets for scalpers. Now, the quizzes are irritating a wider array of Web surfers as companies toughen them as part of their arms race with the spam crowd.

The codes, called captchas, are also showing up more often amid a boom in new Web services, ranging from blogging tools to social-networking sites. The trickiest ones "make you not want to go to those sites anymore," says Scott Reynolds, a 29-year-old software architect in Ocala, Fla., who lambasted the devices on his blog last year.

The captchas' flaws are prompting academics, independent computer programmers and some Web companies to craft new variations that they hope will be easier for humans to decipher but harder for computer programs. The World Wide Web Consortium, an international group that encourages improved standards for Web programming, published a paper last November that advocates the creation of alternatives, saying the tests "fail to properly recognize users with disabilities as human" and are vulnerable to defeat by astute programmers.

Internet companies defend their use of the codes, saying they face a difficult balancing act of trying to fend off attackers while providing a good experience for users. "We know there's no perfect panacea, but we think this is a great tool to prevent malicious activity," says David Jeske, an engineering director at Google Inc. Google uses captchas for its free email service and its blog-writing service, among others. It is among companies that recently added an audio version, which lets the visually impaired listen to a series of letters or numbers and type them into their computer.

Some captchas have been solved with more than 90% accuracy by scientists specializing in computer vision research at the University of California, Berkeley, and elsewhere. Hobbyists also regularly write code to solve captchas on commercial sites with a high degree of accuracy.

But several Internet companies say their captchas appeared to be highly effective at thwarting spammers. "Researchers are really good, and the attackers really are not," says Mr. Jeske of Google, based in Mountain View, Calif. "Having these methods in place we find extremely effective against automated malicious attackers."

Ticketmaster, a unit of IAC/Interactive Corp., has altered its captchas over the years in response to automated computer programs, called "bots," that have cracked certain codes, says Brian Pike, Ticketmaster's chief technology officer. He says the robust resale market for tickets gives people a high incentive to try to swiftly snare tickets on its site.

Spam companies sometimes get around the challenge of captchas by hiring workers to fill out the forms for them instead of relying on bots, according to the World Wide Web Consortium. The group said in its paper last year that "it is a logical fallacy...to hail captcha as a spam-busting panacea."

Captcha is an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart. Computer scientists at Carnegie Mellon University coined the term in 2000 to describe codes they created to help Internet giant Yahoo Inc. thwart a spam problem. "Turing" refers to Alan Turing, a mathematician famous for his codebreaking work during World War II and, later, as a pioneer in artificial intelligence. In 1950, Turing wrote a paper that proposed a test in which a person in one room would ask questions of both a human and a computer in another to try to determine which of the respondents was human. If the judge couldn't tell which was which, the computer could be said to be able to think.

Captchas deployed by commercial Web sites vary widely. For example, Microsoft Corp.'s Hotmail email service requires registrants to read a long series of twisted letters or numbers, obscured by several lines of varying shape. In contrast, eBay Inc.'s PayPal payment service shows simple block-style letters or numbers against a grid. Other sites use complex multicolored backgrounds.

Mr. Reynolds, the Florida software architect, says he has been confused by captchas shown by everyone from Microsoft to Apple Computer Inc. "The ones they make hard for a computer bot to break are also really hard for us to read," he says. "It kind of defeats the purpose."

Henry Baird, a professor of computer science at Lehigh University who studies PC users' responses to the codes, has been working with colleagues to develop new generations of captchas that are designed to be easier on humans but baffling for computers. One, called "scattertype," shatters each letter shown to users into pieces.

Some Internet companies have changed their captchas to make them simpler for users. Digg.com, a news Web site, changed the background to gray from multicolored earlier this year and now allows users to type in either capital or lower-case versions of the letters, says Steve Williams, a computer programmer for the company.

The difficulty of deciphering the visual codes is prompting even those who don't have a vision problem to begin clicking audio captchas whenever sites make them available. A growing number of sites, including Hotmail.com and PayPal.com, offer audio captchas. Google added it for its email service in March and for its blogging and Google Groups service in April. (Alternatively, some Web sites urge users having trouble to call a phone number for customer service or send an email to the company.)

The World Wide Web Consortium is urging programmers to devise viable alternatives to visual captchas because they affect people with a wide range of disabilities, including people with dyslexia and short-term memory problems, says Judy Brewer, director of the group's Web Accessibility Initiative, who is based in Cambridge, Mass. Captchas, "in their current form, are a misnomer," she says. They "don't tell humans and computers apart; instead, they tell able-bodied humans and computers, along with disabled humans, apart."

Some Web sites and independent computer programmers have rolled out new types of captchas. They generally involve solving simple equations or answering simple questions and could be adapted for use by the blind, although they would still present problems for people with learning disabilities.


LOVE ON EARTH -- One order of love, free shipping and handling
05/18/2006 - Associated Press (AP) - ASAP (cir. )

LOVE ON EARTH -- One order of love, free shipping and handling

My best friend called yesterday, asking me to check out his latest crush. I typed his username and password into the dating Web site Match.com and within seconds I was reading every word of the flirtatious exchange leading up to their first date. It's surreal, peeking at the pseudo-intimacy blossoming between people who've not yet met. But it shouldn't strike me as odd, given that nearly all my single friends -- straight and gay, mid-twenties through mid-forties -- search for love on Match.com, eHarmony.com and JDate.com.

And no wonder they do. In an increasingly outsourced world where everything from banking to grocery shopping can be done online, we go days without introducing ourselves to a flesh-and-blood stranger. If your whole life is stored inside a BlackBerry, why not search for love in there too? 'We lead such regimented lives that if you're hoping you're going to bump into somebody at the Starbucks, it's probably not going to happen,' says Match.com's spokeswoman, Kristin Kelly.

It's an argument that 15 million Match subscribers have bought into so far. And since January, some have taken the outsourcing one step further. An additional $8.99 per month buys them Match's MindFindBind service.

MindFindBind may sound like something hostage takers do to encourage Stockholm syndrome, but it's actually a database that uses the wisdom of the ubiquitous Dr. Phil McGraw to advise people on strategies for conducting the relationship that Match.com has begun for them. How Orwellian. What's next? A Web site that experiences the whole relationship for you, then sends an e-mail letting you know how things worked out? Entire relationships already begin and end without a face-to-face meeting. 'I did meet one Match guy that I never met in person,' says Rebecca Rich, a 30-something veteran of Match and JDate. After exchanging long e-mails daily for more than a week and enjoying it, Rebecca and this man spoke by phone. 'There was something in his voice that was a complete turnoff,' she says. 'I thought about ending it after our first phone call.'

But she decided to keep things going -- until he sent roses, a book he wrote and a box of chocolates. 'He was professing his love to me and I was like, 'Oh, absolutely no,'' she says. ''You don't know me!'' She then 'broke up' with him via e-mail, and 'even gave him advice, like 'you might want to slow it down a notch,'' she says. 'He wrote me back a five-page letter about what I was missing out on and still professing his love for me!' These two people met, flirted, liked each other, had a bad date, gave it another shot, then endured a messy breakup -- without ever being in the same room. (On the bright side, Rich later met her current boyfriend on JDate and they're happily living together.)

Even Match knows that online dating can run amok. Their research suggests that 'couples' who spend too much time communicating online before meeting in person may end up with impossible expectations. Ditto for those who develop an online relationship, then schedule a first date that lasts an entire weekend.

To remedy that, Match's new spin-off service (Chemistry.com) guides people through a brief volley of e-mails, then instructs them to meet for a 30-minute coffee date. They even offer a map of Starbucks locations to take the guesswork out of choosing a meeting point. Sounds incredibly efficient. And antiseptic.

Are we moving toward the death of serendipitous dating? Or dates that suck for the first hour, but just before bailing you discover that you went to the same summer camp when you were 11 and suddenly you're totally connected? What about falling for someone that no computer would ever match you up with? When I met my husband, he was preparing for a trip to a frozen outpost of a city in Mongolia. We were co-workers on a business trip, discussing where we planned to vacation once our work was done.

'You're going to Mongolia? In February?' I asked. 'Isn't Mongolia, like, next door to Siberia?' 'I love the cold,' he answered with a shrug. 'Where are you going?' 'Hawaii,' I replied, 'I love the heat.' I walked away thinking, 'I could never date that guy.' He grew up traveling the globe, I was sequestered in suburbia. He eats jalapenos at 7 a.m. (honestly), I pour milk over my oatmeal. But somehow, eight years later, we're preparing for the birth of our second child.

Granted, no one can argue with the efficiency of online dating. 'The technology has increased the ability of people to meet others who are similar and meet a much greater number of people who are potential mates for them than has ever been true in human history,' says Robert E. Rosenwein, professor of social psychology at Lehigh University, who researches the connection between technology and human interaction. He also points out that online dating's current structure -- based primarily on text and not photos or video -- allows potential couples to connect without basing their interest on physical attraction. 'All the nonverbal stuff goes away. Attractiveness is about how you present yourself in words,' Rosenwein says.

For the first time in modern history, he says, we're seeing 'people learning to 'know' each other better by virtue of text.' So maybe I shouldn't worry that online dating is taking all the romance out of romance. But I do wonder whether, decades from now, these millions of perfectly matched people will have such perfectly balanced children that no one will ever create the next generation of punk music or become the next Jackson Pollock. That would render the world about as compelling as a dateless Saturday night.

Copyright 2006, The Associated Press. The information contained in the AP Online news report may not be published, broadcast or redistributed without the prior written authority of The Associated Press.

Posted on Friday, June 02, 2006
