
 
Whistleblower Support


 Oddly Familiar Whistleblower Scenario: Airbus WBR Faces Jail
 

From Very British Subjects:
Blog by Peter Troy
ptroy@fsbdial.co.uk

Thursday, October 20
Airbus whistleblower faces prison




By Ambrose Pritchard-Evans

Joseph Mangan thought he was doing Airbus a favour when he warned of a small but potentially lethal fault in the new A380 super-jumbo, the biggest and most costly passenger jet ever built.
Instead, Europe's aviation giant rubbished his claims, and now he faces ruin, a mass of legal problems, and - soon - an Austrian prison. Mr Mangan is counting the days at his Vienna flat across the street from Schönbrunn Palace, wondering whether the bailiffs or the police will knock first.
An American aerospace engineer, he has discovered that Austria offers scant protection to whistle blowers. Bankrupt, he is surviving with his wife and three children on gifts of food from fellow Baptists in Vienna.
Having failed to stump up a £100,000 fine for breaching a court gagging order, he now faces a year behind bars.
His troubles began in September 2004 when he contacted the European Aviation Safety Agency (EASA), claiming that the cabin pressure system in the A380 might not be safe, and that this had been concealed. Mr Mangan's message was not one that Europe wanted to hear, least of all from a garrulous American who jabbers aviation techno-babble at machine-gun speed.
The A380 is the world's most ambitious aircraft, fruit of a joint effort by the French, Germans, British and Spanish. A double-decker giant, it can carry up to 856 passengers at 42,000 feet. "The symbol of what Europe can achieve," said French President Jacques Chirac as the aircraft completed its faultless maiden flight this April.
Airbus has overtaken Boeing, snatching 57 per cent of the big jet market. It employs 52,000 staff, a fifth in Britain, where the wings are built. Not everybody is convinced that Airbus is wise to stake so much on a project loaded with new technologies.
The A380 uses glass laminates for the plane's fuselage, and questions have arisen as to whether the material might degrade under ultra-violet radiation. Airbus insists not. But any hint of hubris in one area spreads doubts about others, which is why Mr Mangan's saga is so unsettling.
His role in the A380 story is no more than a bit part. He was recruited from Kansas in September 2003 to take charge of the aerospace team at TTTech Computertechnik, an Austrian firm supplying Airbus components. He has accused the firm of "intentional non-compliance" with safety rules.
Public court documents in Vienna record his allegation that TTTech conspired to "keep certain information secret from the certifying authorities". Mr Mangan alleged "human lives could be in danger", according to the document - an injunction by a Vienna judge. TTTech denies the allegations, calling him a disgruntled ex-employee who never fitted into the team, and is now bent on revenge.
Mr Mangan claims a defect in the outflow valve control system could lead to an abrupt loss of cabin pressure, leaving passengers unconscious in as little as 20 seconds. "Normal oxygen masks don't work properly above 33,000 feet.
It would take two and a half minutes to bring the aircraft down to the survival altitude of 25,000 feet. Pilots would have little time to act. In the worst case scenario, the plane could crash.
"The A380 uses a set of four identical valves that could all go wrong at the same time for the same reason. The typical jet has three different systems to eliminate such a risk," he claimed.
Glitches had arisen using the same operating system in February 2004 during a test in Phoenix for the Aermacchi fighter trainer, which he had helped to fix, he claimed.
There were 160 cases of emergency loss of cabin pressure in Europe last year. Investigators suspect it played a role in the crash of a Helios Boeing 737 flight over Greece in August, killing 121 people.
Airbus dismissed fears about the A380 as baseless. "We have examined this internally and found absolutely no reason to be concerned. The scenario made up by Mr Mangan does not exist," said spokesman David Voskuhl.
But officials at the air safety watchdog EASA said they took the concerns "extremely seriously". An EASA source said that the agency was "able to confirm certain statements by Mr Mangan". A probe - conducted by the French authorities for EASA - allegedly found that TTTech was "not in conformity" with safety rules and had failed to carry out the proper tests.
The key microchip was deemed "not acceptable". EASA instructed Airbus to sort out the problem before the final certification of the A380 next year. It is unclear whether this has now been done.
EASA has refused to comment publicly on the details of the dispute, prompting concerns at the European Parliament. Eva Lichtenberger, an Austrian Green MEP, wrote an "urgent" letter to the agency last month demanding "prompt and extensive information on the matter".
"We cannot leave questions open like this when it comes to aircraft safety," she said. "I have received no reply up to now.
Unless I have a proper reply by next week, I will launch a formal complaint with the European Commission," she told the Telegraph. Rüdiger Haas, a professor of aircraft manufacture at Karlsruhe University, said he "shared the reservations of Mangan" over the safety of the outflow valve controls.
"The system markedly deviates from previous specifications in aircraft construction," he told Germany's ARD television. Mr Mangan claimed that his employers were under intense pressure to meet deadlines. The A380 venture was already €1.5 billion (£850m) over budget and six months behind schedule. He claimed it would have taken two years to carry out the proper certification. TTTech falsely classified its micro-chip as a simple "off-the-shelf" product already used in car valves in order to exempt it from elaborate testing rules, he claimed. This would breach both EU and US law on aircraft regulation.
"I refused to sign off on the test results, but TTTech went ahead anyway," he claimed. The key papers relate to the TTPOS operating system and were allegedly dated August 24 2004. Mr Mangan is concerned that his name may have been linked to certification, leaving him with legal liability. "That's why I have to stick it out here in Vienna until my name is cleared," he said.
French prosecutors tracked alleged negligence in the 2000 Concorde crash to an American mechanic, who now faces a manslaughter probe. Mr Mangan said within days of reporting the alleged abuse he was sacked.
TTTech filed both a civil and criminal defamation suit - possible under Austrian law - securing a gagging order on all details regarding the case. Mr Mangan refused to remain silent.
"They say I can't even talk to safety officials about a threat to safety. This violates my duty to the public. People could die on that plane if they don't fix the problem," he said.
TTTech is a spin-off from the University of Vienna, specializing in "time-triggered technology". The firm said it was forced to take action after Mr Mangan had inflicted "severe damage" to its reputation with wild allegations that he had so far been unable to substantiate. It admits to a routine software glitch, since corrected, but said an external audit found no trace of any abuses.
"What he is saying is simply not true. We checked the evidence and found nothing wrong," said the chief executive, Stefan Poledna. He said TTTech was never informed by EASA of any alleged non-compliance, and insisted that certification was an on-going "iterative process".
"This is all very strange. It was clear the certification bar had been raised after October 2004, and we had to do a lot of double-checking, but we've never been told that anything was fundamentally wrong," he said.
For now, the first A380 is carrying out daily test flights from its base in Toulouse, racking up 350 hours of flying time. The results are secret.
Next month the A380 will take off for its first test trip around the globe, stopping in Frankfurt, Singapore, and Sydney, before gearing up for passenger flights next year.
Airbus is clearly confident that the A380 is safe. It will now have to convince prospective buyers.
Posted by Peter Troy at 20.10.05

Posted by Victorian Muse at 12:38 AM
 
 Archives: Boeing Lays Out Case for Trial #1 of Boeing Whistleblower
 

http://seattlepi.nwsource.com/business/356600_eastman27.html

Boeing lays out case against ex-worker accused of media leaks
Ex-worker accused of media leaks
Last updated March 26, 2008 9:11 p.m. PT
By ANDREA JAMES
P-I REPORTER
Investigators for The Boeing Co. told a jury on Wednesday how they pieced together a relationship between a Seattle Times reporter and an ex-Boeing employee, a relationship that could land the former employee in prison.
Gerald Eastman is accused of 16 counts of computer trespass. If convicted, he could serve up to nearly five years in prison.
Anthony Maus, a senior manager for Boeing's investigations division, testified in King County Superior Court that his team examined leaks to Times aerospace reporter Dominic Gates, who wrote articles that relied on internal Boeing documents.
Maus said he has analyzed thousands of documents confiscated from Eastman's home computer. He showed jurors more than 100 PowerPoint slides that detailed which of those documents he believes Gates used for his articles.
The Times has said that it would not confirm whether Eastman was a source.
Each of the 16 charges against Eastman refers to documents that were the basis of up to 13 Times articles, according to testimony.
For example, Maus said that a Times article on Jan. 27, 2005, headlined "Bigger 747 gets a close look," is based on a PowerPoint presentation that belonged to then-Boeing Chief Executive Harry Stonecipher.
In another instance, The Times reported that 747 production would increase from one plane per month to 1.5 planes per month in mid-2005. That statement, according to Maus, correlates to a production schedule chart in another confidential Boeing document.
Maus also displayed Times newspaper graphics for the jury. One, which the jury analyzed, detailed a map of the globe to point out where different parts of the 787 Dreamliner were to be made.
A similar graphic appeared in internal Boeing documents found on Eastman's home computer.
Since Eastman's arrest in May 2006, no more articles have appeared in The Times that were attributed to top-level internal Boeing documents, Maus testified.
Eastman found the documents by looking through Boeing's internal share drives, some of which were not password-protected, according to testimony by Maus and Del Valerio, a Boeing computer forensics expert who investigates media leaks.
Boeing's internal network is one of the largest private networks in the world, with more than 200,000 users and 400,000 devices, Valerio said.
Users and groups within Boeing can create their own "file shares," which are like electronic filing cabinets and folders. Some file shares are restricted to certain users -- but some are open to everyone.
Public defender Ramona Brandes pointed out, through questioning Maus, that Boeing's computer systems allowed Eastman access.
"In fact, anybody who had access to the Boeing computer network could have accessed that file," Brandes asked, referring to a document that Maus said was leaked to The Times.
Maus responded, "Well, they would have had to know what they were looking for. There are 50,000 shares."
Brandes also asked if Maus ever saw Eastman tamper with programs or impersonate other users. Maus said, "No."
Over about two years, Eastman cataloged which parts of the network were restricted, and which were not. He also kept track of what types of documents could be found in the unrestricted file shares, according to testimony.
Many of the documents on Eastman's home computer were marked confidential.
Eastman's mother and sister attended part of Wednesday's proceedings.
Marc Boman, a partner at the Seattle law firm Perkins Coie, has been observing the trial. Boman handles internal investigations, according to his firm's Web site. Boeing is a Perkins Coie client.

P-I reporter Andrea James can be reached at 206-448-8124 or andreajames@seattlepi.com.

Posted by Victorian Muse at 12:27 AM
 
 Boeing responds to questions - Round two
 

http://seattlepi.nwsource.com/business/323842_boeingqa217.html

Boeing responses to questions: Round two
Last updated July 16, 2007 10:08 p.m. PT

These are the P-I's second round of questions and Boeing's written responses.
· Some organizations, including Standard & Poor's, encourage full disclosure of deficiencies even though law does not require it. What factors went into Boeing management's decision not to discuss internal control deficiencies in its filings to the Securities and Exchange Commission?
A: Standard & Poor's is a rating agency and provider of financial market intelligence. It has no regulatory jurisdiction. Boeing discloses all relevant material information in its public filings with the SEC. While we respect S&P's opinion as described in your question, there is no requirement for a company to disclose significant deficiencies. We are confident we are meeting all disclosure requirements for a public company.
· It appears that Boeing missed almost every key 2006 benchmark to satisfy Deloitte & Touche that its IT compliance troubles should not constitute a material weakness. Why wasn't Boeing able to finish all of its 2006 IT SOx testing? What is keeping testing pass rates below 90 percent? What reassurances was management able to provide Deloitte to deter it from elevating the significant deficiency that had been in place since 2004?
A: We will not speak for Deloitte & Touche. But for our part, we politely refute the premise of your question(s).
Boeing Corporate Audit did complete all testing requested by IT management for 2006. That testing was completed in early 2007 and prior to the IT ratings and management certification. Any controls that remained open were due to not having sufficient sample sizes available. In these cases, Boeing tested as many samples as were available.
Pass rates for Boeing's 2006 SOX IT testing were above, not below, the figure you reference. That includes select controls that had failed earlier tests, and required remediation and successful re-testing. While Boeing set certain internal challenges around "first-time" pass rate (which is presumably what you are referencing in your question), what matters ultimately is overall pass rate, and that is above what you cite. It is simply incorrect to suggest something is "keeping pass rates below 90 percent."
Independent external auditors do not issue opinions based on "reassurances from management"; they do so based on their own assessment of findings based on rigorous procedures that are independent from company management. Our external auditor issues two opinions at the end of each year related to Boeing's internal control over financial reporting. One provides an opinion on whether management processes to evaluate their internal controls is effective; the other concludes whether Boeing's internal control over financial reporting is effective. As disclosed in our 2006 10-K, Deloitte issued an independent and unqualified opinion on both management's assessment process and the effectiveness of Boeing's internal control over financial reporting.
Finally, it's important to note that determination of SOX compliance and categorization of material weakness is ultimately a binary event as of the closing date. While a project may have internal "benchmarks" or schedules designed to organize efforts, there is no direct correlation between meeting internal schedule milestones and classification of deficiency or weakness as of the closing date. Any internal milestones on the project were not related to mitigating a material weakness, as you suggest, but rather to ensuring an efficient audit schedule and use of resources.
· In your last response, you said that you believe you are SOx compliant. Considering that in the 2006 fiscal year, Boeing's information technology division had "not demonstrated a robust control environment," how is that possible?
A: While we are not sure what document you are apparently quoting from, we reaffirm our previous statement of Boeing SOx compliance.
Being SOx compliant does not require zero deficiencies. It requires that mechanisms are in place to effectively identify, evaluate and remediate any deficiencies to the internal control structure. It also requires that appropriate reporting occur based on the significance of those deficiencies. And it requires that deficiencies are remediated within a reasonable time period. All of those activities were in place and occurred throughout 2006.
· Your last response said, "We have focused on documenting IT controls in appropriate detail and on demonstrating the operational effectiveness of our controls." How did management assert that controls were effective in its 302 and 404 statements, if the internal staff only audited operating effectiveness, and not design?
A: Boeing Corporate Audit is chartered with performing operational effectiveness tests and therefore was not asked to assist management in their design effectiveness assessments. Process owners and our SOx teams perform the design effectiveness assessments as part of our overall compliance strategy and did so in each of 2004, 2005 and 2006. We have chosen to split the responsibility along the lines that focus on where our best assessments can be determined. Corporate Audit has experience in testing against a process or design. SOX teams and process owners need to be able to assess the design of their controls effectively and they have the expertise in this area.
· What is Boeing doing to mitigate security weaknesses with its database design? We understand that the company is implementing application-level controls to address the segregation-of-duties concern and that audit tests in 2007 are improving. What changes is Boeing making to its IT infrastructure to drive those improvements?
A: Through auditing and SOX IT testing, Boeing identified an opportunity to further strengthen an element of database design involving select administrators having access to all aspects of the database to perform required functions. This necessary, so-called super-user access is a common issue across the industry. Because super-user access also includes the ability to change data, we have taken action to reduce the level of access to as few personnel as possible and monitor to ensure access remains at minimal level needed. We have also put in place logging of database activity where appropriate and review those logs regularly for any irregularity. In addition, controls exist in the business side that monitor the validity of the data resulting from our databases that would identify intentional or unintentional misstatements resulting from the database administrators having the super-user access to the database and the data contained within.
· Regarding the deficiency around database segregation of duties: Why didn't Boeing implement additional database security to address the problem?
A: Boeing took actions around additional database security as noted in the prior question. Implementation of corrections occurred across 2006 and Q1 2007.
· SEC filings show that Boeing has not disclosed any major internal control changes in response to control deficiencies. Does this mean that you are not addressing your deficiencies?
A: While there is a requirement for companies to disclose any material changes to their internal control over financial reporting, none of the changes we have made in our IT general computing control environment fall into this category. Our effort has been on improving our documentation and in being able to provide sufficient evidence to support our tests. These types of changes are not changes to our underlying processes and therefore are not required to be disclosed. Boeing has disclosed all items it considered material changes to its internal control over financial reporting.
· The Institute for Internal Auditors holds the standard that internal audit staff should not also design controls. How was Boeing able to reconcile that in 2006, for a period of at least two months, PricewaterhouseCoopers consultants provided services to both the IT and Audit teams? (We understand that a separate PwC partner is handling each side for 2007.)
A: (Boeing did not provide an on-the-record response to this question.)
· On Nov. 9, 2006, PricewaterhouseCoopers partner Glenn Brady took Boeing employees to dinner and a show at a comedy club in St. Louis. The next year, Boeing expanded PwC's co-sourcing contract. Doesn't this violate Boeing's ethics rules?
A: Boeing employee attendance at the referenced event was approved in advance. The PwC host requested and received permission from the Boeing Director of Financial Compliance before inviting Boeing SOX employees. The event was part of a scheduled SOX working group offsite held at the Company's offices in St. Louis.
The referenced event does not violate Boeing's ethics rules or its policies governing acceptance of business courtesies. As documented in official procedures, employees may keep a business courtesy (including meals and entertainment like that referenced) that promotes successful working relationships and goodwill with persons or firms with whom Boeing may do business. Such courtesies include infrequent business meals and entertainment that are shared with the person who has offered to pay for the meal or entertainment. Employees are encouraged to use good judgment and decline invitations that create a perception of undue influence.
At the time of the dinner, PwC had already been retained for Boeing SOX for several months and was slated to assume select additional duties in coming months as our other SOX consultant, JWI, completed its assigned workscope. JWI had been told in 2004 that Boeing would eventually phase the firm out as documentation was completed. That occurred at the end of 2006, though some 30 JWI employees are still retained on a variety of duties at Boeing.
· Boeing has stored the results of its audits in an open data tool, giving many employees access to sensitive information about weaknesses. What is Boeing doing to mitigate that problem and protect that data? Is protecting it a priority? How can management be sure that, that information was not stolen and being used by someone who would want to commit fraud?
A: Boeing's Corporate Audit and SOx IT team has a culture of open communication and process ownership; this is critical to ensuring employees have the information they need to do their jobs. The SOX team (which includes approved consultants and auditors) uses certain documentation or information-sharing tools to accomplish its work. Those tools have built in security and user access controls that are designed to permit access on an as-needed basis. We review quarterly the access lists to ensure access remains limited to those with a need-to-know. Access to certain, more-sensitive information is subject to even stricter controls and monitoring (by-name access). Boeing has a strong commitment to information protection and we regularly train and educate employees and vendor-partners on the proper handling of information.
We have a culture that sets expectations of each of our employees to conduct themselves with the highest levels of integrity and ethical standards. There is no tool that will monitor an employee's character or prevent dishonest and unethical employees/vendor-partners from stealing or committing fraud.
· What is Boeing doing to address the perception that management has created a threatening environment among auditors and IT staff? We have been told that there is an emphasis on making Boeing appear compliant, rather than actually be compliant.
A: Boeing strongly rejects any suggestion of an emphasis to "appear compliant" with SOX. Our goal has always been actual compliance and a strong control environment and it remains so. As described before, we have contributed significant resources and talent to meeting the challenge of achieving SOX compliance. To suggest those efforts were aimed at anything less than achieving actual SOX compliance is simply wrong.
While there was a sense of urgency and import around Boeing's SOX efforts last year, at no time were employees encouraged to do anything other than the right thing. Scott Griffin's November 2006 message to all employees working on SOX that "our objective is a strong set of computing controls, not simply passing a series of SOX tests" is indicative of the company's committed approach to meaningful compliance.
Also wrong is the suggestion "management has created a threatening environment" around SOX. While we cannot speak to every employee's individual interpretation, we are not aware of the "perception" you reference and in fact can cite repeated communications aimed at creating the opposite of a "threatening" environment.
Boeing leadership is committed to ensuring a culture of open and honest debate. We believe the fact that at least some SOX-IT participants felt comfortable voicing concerns about challenges encountered during the testing process -- and engaged in candid discussions with management about those challenges -- reiterates we have an open culture where issues can be raised.
· Why are quality ratings for auditors based on the number of their findings that are reversed?
A: Boeing uses several factors to determine auditor quality ratings on their internal performance reviews. One of those factors, among many, is accuracy of findings.
In 2006 Corporate Audit kept track of auditor productivity, which was number of controls tested and cycle time. There is an established escalation process whereby if IT doesn't agree with the audit results they can ask for an escalation or a review of the test results by higher management to determine if the conclusions reached by the auditor were correct. That review follows documented, objective criteria. In 2007, as an organization, Corporate Audit is tracking the number of times the audit findings were reversed upon management review as a quality check on the accuracy of our audit findings.
· Describe in detail the process by which company leadership gets comfortable with what they need to know to certify. How do people at the top of the organization get informed enough about what's happening further down the chain to say with confidence the company's controls are robust?
A: Open and frequent communication at various levels within our organization on the results of our internal testing and the results provided to us by Deloitte of their testing is the primary method all levels in our organization use to support their certification. Process owners are informed of all test results, financial accounting and IT organization first-line managers are aware of the test results in their areas, senior finance and IT leadership have full visibility and weekly status on the results of their tests and progress of any necessary remediation; executive leadership is also provided monthly updates by compliance leadership and by Deloitte on status and quality of the tests being performed.
The Boeing Audit Committee receives at every meeting a report on the status and quality of our testing by finance leadership and independently by Deloitte. Additionally, Office of Internal Governance senior leadership provides to the audit committee any instance of fraud that has been alleged and any and all reported cases sent through the ethics or SOx whistleblower hotlines and a status and conclusion on each.
· Why did Richard Nanula, who was an audit committee member, resign from the Boeing board?
A: Per the company's corporate governance principles, directors who change the occupation they held when initially elected are expected to offer to resign from the Board. Mr. Nanula's letter was received May 4, 2007, and it became effective immediately. Mr. Nanula recently resigned his position from Amgen, which stated he was leaving to pursue other opportunities. It is not unusual for executives to evaluate outside board commitments in the event of a change in professional status. Mr. Nanula would be the best source for any further information on his future plans.

Posted by Victorian Muse at 12:25 AM
 
 Boeing Responses to Questions - Round One
 

http://seattlepi.nwsource.com/business/323843_boeingqa117.html

Boeing responses to questions: Round one

Last updated July 16, 2007 10:08 p.m. PT
Before providing executives for interviews, The Boeing Co. asked the Seattle P-I to outline its questions in written form. The P-I submitted two rounds of questions, which are displayed here along with the company's official responses.
Boeing's summary statement:
Boeing is confident in the integrity of the company's overall control environment and in the accuracy of our financial statements, both of which have been independently audited by our independent external public accounting firm.
Like many other companies, Boeing has worked very hard to meet the challenge of SOX compliance with respect to information technology (IT) systems. It has not always been easy, but we are committed to high standards and effective internal controls. We continue to make significant progress in improving the execution of our IT controls and are confident that they contribute positively to the effectiveness of our overall system of internal controls over financial reporting. The company has applied and will continue to employ significant resources to assure that we are applying acceptable standards and best practices.
Boeing is committed to operating with the utmost integrity in our financial reporting, internal control framework, and legal and regulatory compliance activities.
· Please describe the issues Boeing is facing in making its IT systems Sarbanes-Oxley compliant.
Answer: Boeing, like many other companies, is working hard to meet the challenge of SOx compliance with respect to its information technology (IT) systems. We have focused on documenting IT controls in appropriate detail and on demonstrating the operational effectiveness of our controls. Although we identified some exceptions in our processes, at no time were these findings determined to be a material weakness in our internal controls over financial reporting. To ensure we are benefiting from industry-wide best practices, we have engaged two of the industry's leading firms to provide support, advice and testing assistance. Boeing has been and remains SOX compliant within IT.
· Detail Boeing's past and present timeline for bringing IT systems into Sarbanes-Oxley compliance.
A: We believe we are SOX compliant. Nonetheless, our efforts are focused on eliminating any exceptions to our processes and, in the spirit of continuous improvement that we apply throughout all of Boeing's activities, we are focused on eliminating any exceptions to our processes and to constantly enhancing and refining those processes.
· Describe concerns external auditor Deloitte & Touche discussed with Mr. Bell at their recent meeting on the status of information technology Sarbanes-Oxley at Boeing.
A: We do not generally comment on matters discussed in internal Boeing meetings. We can confirm, however, there are regularly scheduled monthly SOX status reviews with James Bell and in the mid-May meeting, among other things, attendees discussed good progress on SOX IT testing and leadership reiterated commitment to the effort.
· Describe Mr. Bell's and Boeing's plan to address those challenges.
A: We continue to communicate to, among other matters: (1) ensure our teams understand our expectation of flawless execution of our processes; (2) provide training and support to the control performers to help ensure they understand the documentation and evidence requirements necessary to demonstrate compliance with our controls; (3) constantly monitor our execution of our controls in accordance with our processes.
· Describe the role of information technology in corporate governance and financial reporting at Boeing.
A: Information technology plays several key roles in Boeing's application of its internal control framework (which is based on the COSO framework). (1) IT provides strategy, policy and direction related to the security, management, and monitoring of Boeing's information and data; (2) IT deploys processes and controls that mitigate specific risks related to infrastructure management; application and data integrity; and information security; and (3) IT interacts with the finance and operational organizations within Boeing to provide necessary information and communications support.
Boeing IT uses in-house developed best practices as well as those identified within the IT control framework of CoBIT.
· Describe how Boeing reports SOx compliance issues to its board, audit committee and shareholders.
A: Board and Audit Committee Communication: Regular reports are provided to both the audit committee and the board. Financial reporting topics, including our internal controls over financial reporting, are discussed at each audit committee meeting and our internal and independent external auditors attend all such meetings and present updates on the progress of their work.
Shareholder Communication: At the time Boeing files its 10-Qs and 10-Ks, the Boeing CEO and CFO are required to certify under SOX Sections 302, 404 and 906. As required, they provide a letter to shareholders providing a conclusion of their assessment of Boeing's internal control over financial reporting. Our 10-Ks include our independent external auditor's opinions on our financial statements, on our assessment of the effectiveness of our internal controls over financial reporting, and on the effectiveness of such controls at year end.
· Describe the role of PricewaterhouseCoopers' co-sourcing in IT and audit.
A: PricewaterhouseCoopers (PwC) was engaged in April 2006 to partner with our Corporate Audit team to help Boeing management understand, assess and test the effectiveness of our internal control system over financial reporting. Under SOX, management must come to its own conclusion about control effectiveness. Separately, our independent external auditor -- Deloitte -- must also test and opine on the effectiveness of the controls.
In January 2007, a new and separate PwC team led by a different partner was engaged to help us with the facilitation of process improvement workshops. PwC is also helping Boeing to evaluate and address the implications of recently-released regulatory guidance of the PCAOB and SEC.
· Why was PwC hired to perform these activities?
A: PwC was brought in because of their extensive experience in testing SOX 404 controls for their clients. We felt that such experience is useful in leveraging our internal resources to assure that we continually improve our methodologies for evaluating our compliance with our control processes. PwC also was able to provide all required services when Boeing went to a single SOX vendor in 2007 (in keeping with a companywide effort to reduce the number of paid consultants). While we continue to engage contract employees from Jefferson Wells (JWI) to augment our internal staff when needed, JWI was told in 2004 that Boeing would eventually phase out the firm as documentation was completed.
· Describe how Boeing evaluates and contracts with consultants for internal audit and IT.
A: Generally speaking, contractors are evaluated individually based on capabilities, relevant experience, certifications, availability and cost.
· Describe how Boeing makes its 404 and 302 certifications (i.e. How do the C-level executives learn what they need to make their certifications?)
A: Boeing has a very detailed SOX certification process, which is outlined in a formal company procedure PRO-6471, "Disclosure Controls and Procedures Over the Finance Reporting Process." Boeing's multi-tiered certification process rolls up from process owners throughout the organization to senior management to C-level executives.
Controllers at our business units review the detailed results of SOX financial control testing in their businesses. They communicate aggregated results to each business unit CFO and CEO. This information is then combined with information from various corporate functional organizations and Finance functional leadership to provide our company CFO and CEO sufficient information on which to base their certifications.
· Regarding Deloitte's finding of significant deficiency in general computing controls, please explain why it wasn't reported to shareholders, why it is not classified as a material weakness, and how it is being addressed.
A: There is no requirement for a company, including Boeing, to disclose significant deficiencies. There is a requirement to disclose material weaknesses. However, we have no such material weaknesses and, accordingly, have made no such disclosure.
· How is Boeing addressing corporate cultural challenges, as outlined by Mr. (CEO Jim) McNerney, and how does that extend to Boeing's SOX-IT process?
A: Boeing has been working to instill greater functional and process discipline, along with a culture where issues and concerns are discussed openly. Throughout the SOX IT compliance effort, candid discussions about the importance and the difficulty of the effort were and are common -- and are encouraged -- at all levels of the organization. While management set high expectations for these efforts, it is quite clear that the expectation is for performance with integrity, as always.
· Separately, on the matter of Robert Rice, the former supply chain management director who was convicted of fraud in 2005-06: How did Boeing catch him? Why was he able to manipulate the systems for as long as he did? And what steps has Boeing taken in response?
A: Boeing discovered Mr. Rice's wrongdoing through established processes undertaken as a result of an internal complaint. We conducted a thorough investigation, turned over the information to the appropriate authorities, cooperated in their subsequent investigation and dismissed Rice. The amount of Mr. Rice's fraud was about $300,000. While that represents a significant amount of money for an individual, in the larger scope of Boeing operations, it is clearly not material to our organization.
Details of Mr. Rice's activities are outlined in Department of Justice case files. Following discovery of Mr. Rice's activities, Boeing tightened processes and controls around applications and usage of company purchasing cards, increased the frequency of audits, and implemented several additional fixes as recommended by the Defense Contract Audit Agency.


Posted by Victorian Muse at 12:19 AM
 
 Computer security faults put Boeing at risk
 

Failings could leave it open to fraud, theft
Tuesday, July 17, 2007

Last updated July 24, 2007 3:44 p.m. PT
By ANDREA JAMES AND DANIEL LATHROP
P-I REPORTERS

For the past three years, The Boeing Co. has failed, in both internal and external audits, to prove it can properly protect its computer systems against manipulation, theft and fraud.
Internal documents and interviews conducted over the past six months detail the angst and turmoil within the auditing and information technology wings of the aerospace giant. They also provide a rare glimpse of how the company that builds the most complex flying machines in the world has been stymied for years by a few obscure paragraphs in the Sarbanes-Oxley Act, the federal law enacted in the wake of the Enron scandal.
It's a view of the company that stockholders don't get to see.
Top company executives insist that the company is compliant with Sarbanes-Oxley and that its financial information is sound. But they acknowledged, in response to Seattle P-I inquiries, that the failings forced Boeing to scramble at the end of each year to assure that its financial information had not been affected.
And two recent theft cases -- one involving documents that Boeing said could have cost the company $5 billion to $15 billion -- underscore that the vulnerability of the company's computer systems is not confined to Sarbanes-Oxley.
The continuing effort to fix the problem has cost millions of dollars. Boeing has had a full-time staff of dozens and, at times, up to 65 consultants charging from $115 to $500 per hour, engaged in testing the systems that affect financial reporting to prove it can lock its computer doors.
Boeing and its external auditors have rated the company's inability to patch database and software development security holes as a "significant deficiency" with the computer infrastructure since 2004 -- the first year it had to comply with the 2002 law. The failure has been deemed serious enough that for three years in a row, finance teams have spent the last 45 days of each year testing whether financial numbers are correct. Director of Financial Compliance Michael Zanoni said the "massive" effort in each case reassured the company that stockholders' assets were safe.
The company says it is making progress.
"We are well ahead of schedule in our testing this year. We're seeing significant improvement and are confident we will be able to close any outstanding issues later this year," said Anne Eisele, Boeing director of finance communications.
Problems persist. Interviews and about 5,000 internal documents examined by the P-I show in detail the struggles created for Boeing -- and perhaps for many corporations -- by the post-Enron, Sarbanes-Oxley requirements, often referred to as "SOx."
Among the problems the P-I found:
· Boeing's internal audit findings were so poor -- meaning that so many computer system controls were failing or evidence was missing -- that external auditor Deloitte & Touche decided not to rely on the results for three consecutive years.
· Boeing exposed sensitive information about computer systems' holes to employees who did not need access to all of the data, according to e-mails and interviews.
· An internal complaint was filed with the company's ethics board that audit results had been manipulated. The company decided last September that the allegation was unsubstantiated.
· Some employees involved in the compliance process perceived a threatening culture. A late 2006 internal report said that employees felt they were being told that their jobs and salaries were "on the line," and they were being pressured to produce evidence for audits "ahead of events occurring normally."

Law meant to halt Enrons
Sarbanes-Oxley is a wide-ranging law aimed at preventing stockholder rip-offs such as the Enron scandal from happening again. Among its requirements, it forced public companies such as Boeing to shine a light on their internal controls. Each company must show it has checks and balances on people and computer systems to guarantee accuracy of financial statements.
No one has alleged financial fraud at Boeing, or claimed there is missing money. And the new law hit the airplane maker as it was in the midst of some of the biggest challenges it had ever faced, including developing an all-new airplane and an ethical makeover after a procurement scandal, the resignation of two CEOs, the jailing of a chief financial officer and revelations that it had stolen trade secrets from a competitor.
The federal guidelines for computer controls are unclear, and where the law is murky, auditors and company officials are left to fill in the gaps -- facing criminal penalties if they are wrong. Companies are hungry for clarification on how to handle the information technology portion of Sarbanes-Oxley, according to The Institute of Internal Auditors, a leading professional association.
In 2004, Boeing considered how it would handle what would be a massive compliance effort for a firm that spans six continents and handles about $1 billion in transactions per week.
Corporate Controller Harry McGee set up a team to handle Sarbanes-Oxley the same way the company would tackle building an airplane, with daily progress updates. The company wanted to get it right -- the first time -- and parts of the corporation had no trouble, particularly the financial teams that were used to audits and strict standards.
First 2 years were 'pure hell'
But Boeing's information technology staff suffered.
"They weren't used to being involved in a finance-related audit," McGee said in a June interview at Chicago headquarters. "We drove process discipline pretty hard."
One person involved in the compliance effort, who asked not to be identified, told the P-I that information technology managers thought the new rules would blow over and that workers were "openly hostile" to the audits. The level of rigor -- for example, documenting every single approval for a coding change -- was foreign to the get-things-done culture of Boeing's computer professionals.
The employee described the first two years as "pure hell" for the information technology staff. Colleagues agreed. Even auditors were unhappy, leading to infighting last year between consultants at PricewaterhouseCoopers and Jefferson Wells -- the two firms contracted to help Boeing with internal audits.
By the time 2006 arrived, Boeing was eager to eliminate its significant deficiency. But it didn't.
In testing its computer controls, the company missed most of its important internal benchmarks last year, for the third year in a row, documents show. Auditor Deloitte decided it would do its own tests to come to its own conclusion about control effectiveness and decide whether to "close" the significant deficiency.
The result wasn't good. An internal briefing document stated the company's information technology division "has not demonstrated a robust control environment."
In late 2006, Chief Financial Officer James Bell sent an e-mail to employees on the compliance effort telling them that "this performance is unacceptable."
Chief Information Officer Scott Griffin, who led the information technology division through the Sarbanes-Oxley compliance effort, retired at age 52 on July 1. He declined to comment on the problems.
In its official response to the P-I, Boeing said that what matters most in Sarbanes-Oxley compliance is where the company stands at year's end, and that "while a project may have internal 'benchmarks' or schedules designed to organize efforts, there is no direct correlation between meeting internal schedule milestones and classification of deficiency or weakness as of the closing date."
Boeing officials say they are confident that its problems with general computer controls will be solved soon and they are happy with their progress, despite the inability for three years to resolve it.
"For the complexity of the stuff we do and the number of things we look at, it's a strong system of internal control," McGee said. "We're working to try to optimize it."
He firmly denied that the company has manipulated any results of its internal audits, as some employees have charged.
"Absolutely not," he said. "I honestly believe there's no fraud on this. Nothing."
He said he must be comfortable with the corporate controls before recommending that Chief Executive Jim McNerney and CFO Bell sign off on control soundness, and that he trusts Boeing's processes and its people.
Fortune 50 companies are better equipped to fix significant deficiencies, which makes Boeing's problem unusual, experts say. Significant deficiencies were more common in 2004, when most major public companies had to begin complying with the law.
"Having them at the moment is a bit of a surprise, to be honest with you," said Christopher Fox, a technology audit consultant who has co-written industry guidelines on the topic. "How did they get into this situation? I don't know. I'm surprised they're in it, this many years in."
'I'm sick of all this'


To figure out how Boeing found itself in its fourth year of technology-compliance woes, the P-I contacted dozens of employees and contractors and read thousands of internal e-mails.
Senior managers said that compliance was always a top priority. But junior managers said they didn't have enough resources. Auditors said that the information technology department was too resistant to change. IT workers said that auditors kept changing their minds about what they wanted and were too eager to fail controls.
Meanwhile, the experts at Jefferson Wells and PricewaterhouseCoopers spent hours -- billed to Boeing -- disputing each other's findings.
"I'm sick of all this and I will be retiring as soon as I can process the paperwork," wrote Michael DuPas, an IT worker, in a June 2006 message to managers and directors. "None of the core team, (corporate audit), or Deloitte folks view anything the same so everything is a nightmare of explanations, discussions. That is why SOx is failing in Boeing."
Another IT worker, Bryce Lytle, wrote: "We've been at this three years, and these type of things come up almost on a daily basis. ... As a company we can do better than this and I'm frustrated as to why we are not."
Arguments ensued when managers overturned audit findings. Tension was rife between auditors and IT workers. "You are preventing us from getting results documented," auditor James Estep wrote in an e-mail after discovering a control rated as "passed" that he had rated as failing. "Is that your intent?"
Another auditor, Macy Moring, warned managers that a large number of employees had access to the audit findings -- practically a blueprint for how to commit and hide financial fraud at Boeing.
"We are talking all the potential ways of inappropriately manipulating our financial systems out there for the multitudes to see," she wrote. "This one makes me very uncomfortable."
DuPas has since retired. When contacted by the P-I, he said he would "only do a disservice" to the company by speaking about such a "loaded" topic. Lytle, Estep and Moring declined to comment.
McGee acknowledged that emotions were high, but he said that the same sentiment could be found in airplane programs -- or any other instance where the company demands high standards under a tight deadline.
Experts contacted by the P-I said they were not surprised that the IT workers at Boeing did not greet the auditors as liberators, though they said that the level of emotion seemed unusual. But experts did not agree on who was at fault; they blamed too-vague federal rules, too-picky auditors, too-complacent Boeing and every possible combination of each.
"This sounds really, really messy," Heriot Prentice, director of technology practices at the Institute of Internal Auditors, said upon hearing all of the charges and countercharges without knowing that he was speaking about Boeing, specifically. "This sounds like a big mess."
Companies have been monitoring their computer systems for years -- but under Sarbanes-Oxley, it was the first time that all public companies were required by law to do so as a part of a company's "internal control over financial reporting."
That control requirement, often nicknamed "404 compliance" after its corresponding part of the law, has been the most controversial and expensive aspect of Sarbanes-Oxley -- and federal rules are now under review. Many executives bristled at the soaring costs of information technology compliance.
This year, Boeing has overhauled its strategy so that it focuses more on potential risks. It is relying on the work of 33 auditors from Pricewaterhouse, 10 Boeing auditors and one from Jefferson Wells, though numbers fluctuate.
Why problems not disclosed
Federal accounting regulations say that companies have a "reasonable" time to fix deficiencies before they must be classified as a "material weakness," and thus must be reported to shareholders. A material weakness is the technical term that means a company's profit or revenue figures could be off by a large amount.

Some Boeing managers worried that the company's external auditor, Deloitte, would elevate its evaluation of the problem to a "material weakness" if it went uncorrected, sources told the P-I.
"There was a lot of talk about a fear of a material weakness," said one source who did not want to be identified. Other employees and e-mails confirmed that sentiment.
Deloitte never categorized the problem as a material weakness, even after the problem persisted for three years. Though Deloitte would not discuss the matter with the P-I, experts agree that an external auditor can keep mum on deficiencies if it feels that the financial statements are accurate and that the company is making progress toward fixing problems.
"It is unusual to have a deficiency stay out there that long," said Trent Gazzaway, managing partner of corporate governance at Grant Thornton. But, "it sounds like there has been progress made. ... You have to look at the whole system together."
Also, general computer control failures rarely result in material weaknesses, said Nick Tootle, a partner at Kaufman Rossin & Co., a large Florida-based accounting firm.
"There's no bright lines," said Tootle, who asked not to be told which company the P-I was examining. "It's judgment, judgment and more judgment."
Boeing officials did not call the problem a significant deficiency in on-the-record conversations with the P-I -- to do so could be considered a disclosure under federal law, and such disclosures fall under strict guidelines.
Controller McGee spoke frankly about how much work went into compliance and how Boeing is addressing its computer control challenges. For example, the company has beefed up database security. Perhaps more important, the company says it has set up other procedures, such as manual checks, to ensure that data stay valid.
Boeing says that if it had a material weakness, it would have disclosed it, and that its problems do not affect its financial statements.
"Like many other companies, Boeing has worked very hard to meet the challenge of SOx compliance with respect to information technology systems," Boeing said in a written response to P-I questions. "It has not always been easy, but we are committed to high standards and effective internal controls."
Shareholders should be concerned if the significant deficiency is symbolic of a lax compliance ethos in management, says Romana Autrey, an accounting professor at Harvard Business School. That the problem persists at a large company does raise questions, she said.
"This is a tone-at-the-top kind of problem," said Autrey, who also asked not to be told the company's name.
Stronger controls over computer systems also better prevent errors from slipping through -- and that's a desirable thing, experts say.
"If somebody can't get into the system, you don't need somebody else to check the report 75 times to make sure nobody messed with it," Tootle said. "In a Fortune 50 company, that's a pretty big task."
The larger question
In 2006 alone, Sarbanes-Oxley compliance cost Boeing $55 million, according to the company -- about the list price of one new 737 plane. A lot of that money has gone to the external auditor, Deloitte, and other large accounting firms that helped with its internal audit, including PricewaterhouseCoopers and Jefferson Wells.
In mid-May 2007, CFO Bell met with auditors from Deloitte to discuss the status of information technology compliance, sources said. Boeing confirmed that "attendees discussed good progress on SOx IT testing."
Such briefings between external auditors and executives are common because much of auditing ultimately comes down to a judgment call -- the external audit firm decides whether it believes its concerns should be public, or only discussed with management.
Deloitte has shared its concerns with Boeing management, but because it decided the problem did not rise to the level of material weakness, it gave the company's controls a clean bill of health in public documents filed with the Securities and Exchange Commission.
When it comes to telling shareholders all that it should, Deloitte does not have a spotless record, according to government records.
The Public Company Accounting Oversight Board, which was created by the Sarbanes-Oxley Act, inspects audit firms by reviewing samples of their work.
In the three reports the board has published on Deloitte, it has questioned dozens of decisions that made audit results appear rosier. In 2006, the board criticized one Deloitte audit for certifying information technology controls that the firm had not sufficiently tested. The company being audited was not identified, and Boeing said it was not the firm.
Experts said Boeing is not alone in its struggles, although the extent of other companies' information technology compliance problems is not known.
In fact, law or no law, computer security is a "monster," audit expert Jack Champlain said.
"I'd be afraid to be a CEO and have to sign off on a SOx certification," he said. "They are hoping beyond hope that it's secure, but there's no way they would know."
Do general computer controls matter? Experts say yes.
Tootle likened a company's financial statements to an apartment, and the general computer controls to the foundation and building that houses it.
"Your unit 4C on the fourth floor may be perfect, but if the foundation and everything around it is worthless, then your apartment is worthless as well," he said.
Sarbanes-Oxley, though painful, has forced business improvement at companies across the board, Tootle said.
"If you start from where they were to where they are now, you'd be hard-pressed to find anybody who hasn't improved," he said. "Now was it worth it? That's another story."

P-I reporter Andrea James can be reached at 206-448-8124 or andreajames@seattlepi.com. P-I reporter Daniel Lathrop can be reached at 206-448-8157 or daniellathrop@seattlepi.com.

Posted by Victorian Muse at 12:17 AM
 