As the expiration date for the framework most public companies have used to achieve compliance with Sarbanes-Oxley Act rules on internal controls nears, companies are scrambling to update to the revised framework issued last year. Now some auditors are advising that it’s better to delay implementation for another year, rather than rush through it. “Companies shouldn’t rush to transition if they’re not prepared,” KPMG partner Dennis Whalen says.
Online learning is a booming part of compliance training—and a seldom-discussed IT weakness in such systems is growing along with it. Learning systems can be hacked, experts say, jeopardizing a company’s training documentation. “Both sides of the equation have changed,” says Jan Sramek of Better, an e-learning vendor. “Cheating has gotten easier, while breaches have become more costly.” More on the hack (and how to stop it) is inside.
The Department of Defense has proposed a rule that would shift responsibility for obtaining audits of certain business systems into the hands of the federal contractors themselves, reducing some compliance headaches while creating others. While the rule could hasten the process, it adds new risks. “Any time you have to certify something to the government, it always comes with risk,” Susan Cassidy, a partner with Covington & Burling, says.
Sometimes white space is a good thing—as long as it's used properly. In the latest edition of our GRC Illustrated Series, which explores effective policy writing and communication, Michael Rasmussen, principal analyst with GRC 20/20 Research, explores how good policy design can be just as important as the actual written word. But good policies start with an effective foundation: the code of conduct. More inside.
The Financial Stability Oversight Council may add the Systemically Important Financial Institution label to more insurers and asset managers—MetLife is imminent and Fidelity may be next. Yet some are arguing that the designation, which comes with stricter compliance requirements, was tailored for banks and doesn’t fit these other types of firms. “You apply traditional bank type regulations to a product like a mutual fund and that causes all kinds of potential problems,” says Bibb Strench, counsel at law firm Seward & Kissel.
“Everybody talks about the weather, but nobody does anything about it.” That popular quote could be updated by replacing Mother Nature with cyber-security and reputation risk. A new survey by audit firm EisnerAmper finds that boards are ranking IT and reputation threats well above traditional regulatory risks, but have taken few steps to mitigate them. In this week’s podcast, we talk to Steven Kreit, a partner at EisnerAmper, about why compliance risk is slipping from boards’ radar screens and how they can shore up their approach to growing threats.
As GM works to overcome the damage from its ignition-switch disaster and the resulting mass recall, one of the central tasks for CEO Mary Barra will be to recast GM’s wayward culture and fix its communication problems. In an open letter to Barra inside, columnist Richard Steinberg suggests ways GM can improve its culture and create an environment where executives take responsibility and do the right thing.
Many companies strike confidentiality agreements with employees who are leaving, but some are finding they run afoul of government whistleblower protection rules, especially when employees are asked to forgo whistleblower bounties. "We see a seemingly endless array of efforts by companies to come up with new ways to dissuade individuals from providing information to the government," says David Marshall, a partner at law firm Katz, Marshall & Banks.
Are executives ignoring cyber-risks? Even as cyber-attacks on corporate networks increase in number and severity, such risks have done little to elicit the type of alarm that senior leadership teams should be sounding, finds a new report. "It's a 21st Century risk that a lot of companies have not really come to grips with," says Sean Joyce, principal of PwC's U.S. Advisory Forensics Services practice.
Several companies in the retail industry are banding together to strengthen their defenses against hackers and data breaches. More than 50 of the largest retailers are participating in the Retail Cyber Intelligence Sharing Center, which will circulate information on recent attacks, threats, and hacking methods. It is the first such initiative for an industry that has been besieged by cyber-attacks resulting in massive data breaches at companies such as Target, Neiman Marcus, and Michaels Stores. More inside.
By year’s end, new accounting standards from FASB will change how companies report discontinued operations in financial statements, whereby companies will only report a disposal as a discontinued operation if it represents a “strategic shift” or has a major effect on operations and financial results. “Often showing something as a discontinued operation and breaking out prior periods to show the reclassifications can be problematic,” Larry Dodyk, a partner with PwC, says. More inside.