Annually Review Governance Control Programs

A client of mine recently updated their rich corporate governance program, and beyond obvious extensions to include recent State laws (introduced in the last 6 months) governing data usage and some International legislation there was particular attention towards the Federal government use of the FSG (Federal Sentencing Guidelines).  A recent increase in DOJ attention has raised this mandates requirements above the normal baseline within the organization, and now carries equal weight with such initiatives as SOX, PCI DSS, and NASD listing requirements.

Two nice sources for FSG are the full guidelines themselves – of particular interest may be section 8B2.1 Effective Compliance and Ethics Program“, and a nice text published by Theodore L. Banks and Frederick Z. Banks entitled, “Corporate Legal Compliance Handbook”.  Here is a link to Google Book Search with some interesting content already highlighted.

As a best practice, always review your responsibilities to stakeholders (whether they be investors, employees, industry watch groups, government agencies, or international treaty conditions) on a regular basis.  These periods of review vary depending on the growth and change of your particular industry, but should not exceed an annual inspection.  Reviews should focus on the business impacts these mandates impose and the controls established to satisfy each.  An executive session should be included in this process to ensure that strategic direction is captured, and that any shifts are embraced by management and all divisions of a company.

Best,

James DeLuccia

Update: Book Release is now March 19th 2008!! Pre-Order Today

IIA South Eastern Regional Conference Day 2.1 – Effective Compliance Programs

The second day of the conference was excellent. Everyone I spoke with regarding the speakers, topics, and materials thought day 2 was the best and blew away the first day. I had the privilege to attend several sessions that focused on Corporate Governance, Audit Committee Oversight duties, Fraud Risk Assessments, and Effective Audit techniques. I was unable to attend the full day on Wednesday, Day 3, but was able to enjoy Ed Robinson’s presentation and a thorough breakdown on the Foreign Corrupt Practices Act (FCPA). I will post my notes from the conference in sections given the need to digest all that I heard prior to posting:

“Structuring an Effective / Comprehensive Compliance Program“, was presented as a panel discussion that included several notables on the panel to include – Ryder, OCEG, Turner, and Southern Company.

• It was noted that SOX provided several benefits – attention and resources around the existing compliance program and the motivation to mature. Second, SOX identified how weak many of the technology controls were surrounding the controls of the financial reporting systems.
• A study from the OCEG was presented with several trends and statistics (Available – Check out this post for the OCEG and many more):

• The Status Quo in organizations is the existence of SILOS (Finance, HR, IT) on the management of compliance and control requirements
• Technology solutions are trending to bridge these SILO gaps and create a central management approach
• 2/3 of companies were found to be adversely effected from redundant/duplicate controls. These included:

• Pain of reconciling disparate data
• Difficult to find the truth

• • 1/2 of all identified failures caused harm and damage to the organization (deficiencies), but these effects were short lived and the memories were quickly forgotten in the organization.
  • Only 14% of respondents had integrated their compliance programs
  • The overarching theme that resonated from the study was the need for consistency and accountability

• Compliance departments must not become the Department of NO. (A role that IT Security once held, and in some cases still holds)
• The existence of a Chief Risk or Compliance Officer is attributed to the FSG (Federal Sentencing Guidelines)
• General overview of the FSG (Mainly pulled from Chapter 8):

• • Possess good policies and procedures
  • Assign a responsible party (Compliance Officer)
  • Existence and presence of a program
  • communicate / Publish / Train on program
  • Enforce the Standards
  • React and address problems
  • “Effective” as defined by the FSG is a program that has the ability to identify and prevent criminal activity
  • Note: The government does not care how much was spent on a safeguard, but only that it is effective – business perspectives must be considered
  • FSG is not a compliance or standard for an organization, but should be incorporated to ensure that the organization is both protected and due care is taken for the personnel

• Challenge of Ethics

• • Organizations can choose to accept fines for non-compliance if only direct costs are considered
  • Ethics are decided based upon social duties, doing the right thing, and based on the maturity of the business

• When dealing with auditors, create a relationship and seek to understand the intent of the effort

• Understanding the reasons information is sought allows for the organization to provide the correct information.

• OCEG – the Red Book published in its current form has recommendations on establishing a compliance program
• The risk faced by an organization can come from a number of areas and must be centrally responsible to a core group, i.e. the Compliance group. These risks may be categorized as environmental, compliance, people, ethics, regulations, and business
• A simple method of gaining acceptance by business parties is to first identify the risks (see categories above), second vet these against a formal corporate compliance steering committee (vet and weigh the risks), third give business another pass, and finally compare these digested risks and ratings against any multinational rankings.
• Benchmarking is very important to ensure a business is not over spending or falling behind in the technology innovations. Benchmarks can be gathered through OCEG and public surveys.
• Several Studies were recommended to include:
  • The Conference Board – a Global Study
  • The Conference Board – Emerging Governance Practices in Enterprise Risk Management
• A common refrain by the panel was that compliance programs should promote the delivery of advanced information on compliance to satisfy the concern of management, the Board, and the Audit Committee
• Some takeaway tips from the session:
  • Develop an Agree Upon Procedure process for GRC
  • Define hard metrics for a framework – consider OCEG Red Book
  • Become certified – whether by ANSI, OCEG, or others
  • A tip by the OCEG spokeswoman was that everyone should join the OCEG study survey process, because all participants get a free customized report that provides benchmarks based on each survey.

Benchmark, Benchmark, Benchmark:

• There are some statistics that are not easy to locate and absorb into an organization for comparison that are timely or complete, however a great tip provided by the panel was to look after bad reports!
• Bad compliance or failed audit reports that are made public in proxy filings and by government agencies contain huge amounts of information on what was done wrong – Fannie Mae (348 page report worthy of any good flight across the pond), Boeing, CA)
• Take advantage of free webinars to learn about latest interpretations of laws and requirements

The greatest theme that resonated throughout this session, one-on-one interviews and discussions I had, and those of other sessions can be summed up in the following points:

• Seek to understand an organization’s culture – even transformational leaders must understand where the river flows before effecting change.
• Identify areas of value from the compliance program beyond avoiding fines, and contribute to the mission of the business
• Risk Assessments (of all risk categories) are a necessary starting point before any audit and monitoring is possible.
• Communicate in a language that can be understood – and gain a presence with the Directors and executive management.

A huge overview, and I hope some value to anyone seeking to hone their compliance programs. There is a tremendous amount of thought leadership in this area, and I encourage anyone to contact me to discuss these points.

Best regards,

James DeLuccia IV

U.S. Markets Competitive (again?) – SOX and company are good

Ernst and Young’s global survey released today indicated that despite popular press and political dancing (Paulson Interim Report, Bloomberg/Schumer Report) the U.S. IS, in fact, competitive. This is despite the existence of a strongly regulated market, and one where SOX, at full strength, did not, apparently, hurt the US. market prospects. The study showed that the U.S. generated the largest number of IPOs in 2006, and raised $34.1 billion dollars.

In addition to a stellar 2006, 2007 is working up to be another blockbuster year with the first quarter opening strongly. Plus massive private-equity IPOs (Blackstone, Carlyle, etc…) can only bolster the market as a whole new type of financial industry comes online.

“The fourth quarter of 2006 was the busiest for IPO activity by U.S. companies since 1999, raising $12.4 billion in 72 IPOs,” said Maria Pinelli, Americas Strategic Growth Markets Leader at Ernst & Young LLP. “In 2007, U.S.-based company activity continues to feed into the U.S. stock markets, which also attract key international IPOs, particularly in knowledge-driven sectors like technology and healthcare. Deal sizes are larger than ever and private equity is backing many of them.”

E&Y has some great additional details regarding the study, and I encourage everyone to review the data. The importance of this information is it represents a quantifiable demonstration of the impacts from a heavily regulated financial market and the preference of companies to “go public”.

The past several months have seen massive debate regarding regulations such as SOX, and their negative impacts. These papers, while supported by well researched financial data, are not consistent with the market performance and entrance of companies into the public markets.  A simple search via Google news will present the volumes of debate regarding SOX and competitiveness in the U.S.

The takeaway – Companies are going public in the U.S. with a heavily regulated environment. The U.S. markets may be more expensive to operate within as a company, but the upside from massive amounts of equity and a more transparent operational norm appears to be better for everyone.  This conclusion has also been supported by several academic studies recently highlighted at the WSJ.

A tangent from internal controls, but highly valuable as the question of regulation and controls comes under fire.

James

New format – New Feature

As the hundreds of non-rss readers know, a few days ago I switched the theme of this site to a simpler and easier to read layout. So, if you were tired of the dark fonts and murky background please come by and let me know your feedback. I will still focus on PCI DSS, of course, but will be continuing to expand the topics covered on this site to include global IT control regulations. What does that mean? Well, any standard U.S., EU, and anywhere else will be given some room. I will attempt to not merely repeat the obvious when news breaks, but instead focus on posting intelligent perspectives on the changes around the world.

Another change to the site is the “NEWS Feed” on the right hand side of this site. Please check it out, and feel free to set those as an RSS feed too. The NEWS Feed is my filter on what is important around the globe on the above topics. I sort through literally hundreds of posts, news items, client emails, and service provider information in an attempt to clear out the noise.

It is a new year (my fiscal year clearly is not following the Dec 31 date), and the plan for this site is simple. Keep posting helpful information whenever possible, and don’t simply post to post. On a personal note, I will update the Press Release page and About soon – and look forward to everyone’s comments and suggestions.

Always,

James DeLuccia IV

PCI Codified into Texas law (nearly)

The Texas House of Representatives is in the process to enacting House Bill 3222 that will codify the Payment Card Industry Data Security Standard into law. Specifically the law provides safe harbor those companies that are compliant with PCI DSS, and places liability for card re-issuing fees to those who are not compliant. This has much more momentum than the Mass. bill, and has tremendous support.

This is a trend that should be expected to domino across the country, as breaches due to another parties lack of controls continue to impact businesses in other regions.

Direct link to voting status of HB 3222

Direct link to the full text of the Engrossed Version (html version)

UPDATE:  Tis true, passed with absolute certainty.  Shall we begin the count down till the rest of the country catches on?

I guess the saying is true – you shouldn’t mess with Texas

Best,

James DeLuccia

**Great expansion on this topic may be found from great bloggers may be found at Michael’s site, and Merchant Blog.