“The Filing Cabinet” is written by Melissa Klein Aguilar, a long-time business journalist who first began writing for Compliance Week in 2005. She closely follows all issues related to SEC registrants, Sarbanes-Oxley compliance, evolving securities rules, and executive compensation, among other areas. She welcomes questions, comments and statements from readers on SEC filing matters, and where appropriate she will try to address them here. She can be reached via email at Melissa@complianceweek.com.

 

March 8, 2010

OECD Guidance on Internal Controls, Ethics, Compliance

The Organization for Economic Co-operation and Development has issued new guidance on internal controls, ethics, and compliance to help its member countries implement anti-bribery strategies.

The OECD Working Group on Bribery has issued “Good Practice Guidance on Internal Controls, Ethics, and Compliance,” which calls for companies in the 38 countries that are party to the OECD Anti-Bribery Convention to put in place strict internal controls and establish ethics and compliance programs as part of a strategy to combat bribery in international business deals.

The March 3 guidelines “put further meat on the bones” of the Working Group’s November recommendations, which contained, among a number of key guidelines, “an important international recognition by 38 signatory countries of the need for companies to adopt proactive compliance and ethics programs to combat bribery and corruption when operating abroad,” says Donna Boehme, a principal with Compliance Strategists.

Specifically, the Guidance calls on businesses to: “Adopt a clear and visible anti-bribery policy that is strongly supported by senior management; instill a sense of responsibility for compliance with the policy at all levels of the company, as well as independent compliance structures; keep up regular communication and training on foreign bribery for all employees, as well as with business partners; and encourage observance of anti-bribery compliance measures, and disciplinary procedures to address their violations.”

The Guidance, which forms Annex II to the Working Group’s Recommendation of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions, also recommends that business organizations play a leading role in providing information, advice, and training to companies, especially small- and medium-sized enterprises, on how to protect themselves against the risk of foreign bribery.

Boehme says the Guidelines not only incorporate the key principles of the Federal Sentencing Guidelines—including strong senior management tone and action; clear standards, protocols, and internal controls; communication and training; and effective, appropriate disciplinary procedures—but in some respects “reach even further to validate the concepts of independent oversight and empowerment for the chief compliance officer.”

While the guidelines don’t have formal legal impact, the OECD Working Group will monitor each member country’s progress in encouraging companies to implement the guidance.

“We already have seen how this can be an effective change agent in how member countries approach anti-bribery and anti-corruption measures—expect to see more of the same as the Good Practice Guidelines are rolled out,” says Boehme. “It may take time, but this is an enormous step in ‘internationalizing’ the proactive approach of the FSG. Chief compliance and ethics officers should be proactive in educating their senior management and boards about this development and its impact on how countries beyond the United States are looking at bribery and corruption.”

Posted by: maguilar @ 10:28 am

Filed under: Ethics, Internal controls, International, OECD, anti-corruption

 

February 8, 2010

SEC’s Aguilar on SEC, Financial Regulation Reforms

Despite the progress made during the last year, both with respect to financial reform and reform of the Securities and Exchange Commission’s enforcement program, there’s more work to do, according to at least one SEC official.

While he praised some of the progress made to date, SEC Commissioner Luis Aguilar said in a Feb. 5 speech that more change is needed, both by the SEC and by the lawmakers crafting regulatory reform.

“Whether reform legislation comes soon or not, the SEC must continue its own revitalization,” Aguilar said in remarks at the SEC Speaks conference in Washington, D.C. In particular, he flagged two issues he says would go “a long way to truly empowering our staff and removing barriers from their path.”

First, he repeated his call for the SEC to revisit its 2006 Penalty Statement, which he described as “a misguided approach to how to weigh factors one considers when deciding whether to seek a corporate penalty.”

“Every day these guidelines are in place they adversely impact the cases we are working on,” Aguilar said.

Under that framework, which prioritizes the presence or absence of a direct benefit to the company as a result of the violation and the degree to which the penalty will recompense or further harm the injured shareholders, Aguilar said, “the conduct itself becomes of secondary importance, and the Commission fails to appropriately focus on deterrence.”

He also called for the establishment of a uniform audit trail for securities trading to provide the staff quicker access to information regarding trades. Currently, the staff relies on information from the Electronic Blue Sheet system and information from the self-regulatory organizations, which he described as “an outdated, patchwork approach.”

Aguilar advocated replacing the current system with a searchable repository of trading data that would provide the staff with a “near real-time view of market activity.” He said such a system should be scalable to allow for the inclusion of new products and practices in securities markets, and ideally the derivatives markets.

As previously reported, SEC Commissioner Mary Schapiro noted in a speech at the same event that the Commission will consider staff recommendations in the spring to have the SROs develop and implement a consolidated audit trail that captures customer and order event information across markets to help improve market surveillance.

Meanwhile, Aguilar noted that promised e-proxy changes and investor education efforts are coming. He said the SEC soon will establish educational efforts to help investors “understand e-Proxy and their rights” and amend its rules so that the process “is less confusing to investors.”

Under the current rule, companies can post their proxy materials online and send shareholders a notice that they’re available without sending a full set of paper materials unless requested. However, data showed that participation by retail investors plummeted at some companies that used the so-called “notice only” model, sparking criticism by some, including Aguilar, who urged the SEC to either fix or scrap e-proxy.

Aguilar said he’ll be “watching to see if the amendments result in real improvement.”

He also reiterated his call for the SEC to be self-funded. While an early draft of the Senate financial regulation reform bill provided for self-funding, it’s unclear whether that provision will make it into any final legislation. As recently reported, the President’s recent budget request of $1.258 billion for fiscal 2011 would increase the Commission’s coffers by roughly $139 million, or 12 percent over its fiscal 2010 funding level, and would enable the agency to add hundreds of staff positions.

In order for reforms to be sustainable, Aguilar said existing rules must be “implemented fully and enforced.” For example, pointing to the recently adopted Proxy Disclosure Enhancement rule, which requires greater disclosure about board member qualifications, Aguilar said the usefulness of that disclosure to investors will depend on how well the rule requirements are implemented.

“To that end, I commend those who will work to meet not only the letter of the law, but the spirit as well,” he said.

His remarks were part of a broader speech lamenting the lack of progress on financial regulatory reform. Despite the “intense focus” on financial reform over the last year, Aguilar said “very little has changed.”

“There have been many speeches given and many preliminary steps taken toward regulatory reform, but for all the activity, reform itself has yet to be achieved,” he said. For example, he said over-the-counter derivatives, hedge funds, and municipal securities markets “still lack appropriate regulation, and our inspection and enforcement efforts in these areas continue to be severely undermined.”

Aguilar also chastised the use of the reform process by some as an “opportunity to weaken strong investor-focused laws arising from lessons learned in prior crises.” In particular, he has criticized the Wall Street Reform and Consumer Protection Act passed by the House in December because it would exempt non-accelerated filers—which he says account for 50 percent of all U.S. public companies—from having an outside audit of their internal controls as required under Section 404(b) of Sarbanes-Oxley. The Senate draft bill was silent on that issue.

Meanwhile, he lauded two initiatives he advocated last year: the creation of the Investor Advisory Committee and the streamlining of the formal order process, which delegated the power to issue a subpoena to senior staff. Aguilar said the change has resulted in “a huge improvement in the speed and efficiency” by which the enforcement staff can conduct an investigation.

 

November 9, 2009

Aguilar Rails Against Effort to Roll Back 404(b)

If it clears Congress, an amendment to pending legislation could roll back the auditor attestation requirement of Sarbanes-Oxley for more than 6,000 public companies, according to a Securities and Exchange Commission official.

SEC Commissioner Luis Aguilar, in a Nov. 6 speech, railed against an amendment to the Investor Protection Act passed by the House Financial Services Committee last week, citing staff estimates that over 6,000 public companies may fall under the threshold of $75 million or less in public float—and would therefore be exempt from the requirement for an independent audit under Section 404(b) if the act passes in its current form.

“The companies that would be exempted are not mom-and-pop neighborhood stores,” he said in prepared remarks. “These are publicly traded companies that offer their shares to all types of investors. And just so you know, this repeal has wide-ranging ramifications and would appear to affect the majority of public companies.”

Pointing to the numerous deferrals for non-accelerated filers and the work done by the SEC and the Public Company Accounting Oversight Board to reduce the compliance burden for smaller public companies, Aguilar said repealing that part of SOX now is “to throw away a substantial amount of work done by regulators, companies, and private organizations to make compliance with 404(b) more cost-effective.”

As reported previously, the SEC on Oct. 2 announced what it said was the last delay for smaller companies to comply with 404(b). Those companies are currently slated to comply with the provision for their annual reports for fiscal years ending on or after June 15, 2010.

“We should remember why 404(b) was passed, recognize the significant positive effects it has had for companies that have complied, and appreciate that a lot of careful work has gone into preparing the standards for use by smaller public companies,” he said. “When we do so, it is clear that repealing 404(b) as to the majority of public companies would be a mistake and inconsistent with the objectives of reform that strengthens investor protection.”

Of course, as Aguilar noted, there’s still time for the provision to be stripped out of the bill. “My hope is that the Senate will not include this deregulatory initiative as it develops legislation,” he said.

Aguilar also shared his views on other reform proposals currently being debated, including another provision in the legislation that would transfer oversight of a substantial number of investment advisers from the SEC to the Financial Industry Regulatory Authority Inc.

Noting that investment advisers will “need to be assessed a bill for this additional oversight,” he said, “if advisers have to write a check to someone, as the legislation would require, it makes much more sense for that check to go to the SEC—as the SEC already has the team and expertise in place.”

Oversight of the investment adviser community has been a partnership between state and federal regulators, and injecting an industry organization into the mix “dramatically changes the oversight structure in ways that do not make sense,” particularly given the other provisions in the proposed legislation, he said.

Meanwhile, Aguilar repeated his call for the SEC to become self-funded, which could be done by having the SEC retain the registration and securities transaction fees it collects. Those fees currently go to the Treasury.

In response to common misconceptions about his plan, he clarified that penalty amounts wouldn’t be used as a source of funding, and that as a self-funded agency, the SEC would still be subject to oversight by Congress and other federal entities, such as the Government Accountability Office, its own Inspector General, the Office of Management and Budget, the Office of Personnel Management, and the General Services Administration. The agency would also still be required to publish its strategic plan and to chart its progress against specific performance measures.

Posted by: maguilar @ 4:09 pm

Filed under: Internal controls, Regulatory reform, Sarbanes-Oxley, legislation

 

November 4, 2009

Key Congress Committee Approves SOX 404 Exemption

The House Financial Services Committee formally approved an amendment this morning to exempt small companies from Section 404(b) of Sarbanes-Oxley.

On a 37-32 vote—that, notably, went against the wishes of powerful committee chairman Rep. Barney Frank—the lawmakers approved an amendment to the Investor Protection Act that would exempt all non-accelerated filers from Section 404(b). The committee then went on to approve the entire Investor Protection Act by a vote of 41-28.

The amendment reportedly represents a compromise between anti-SOX lawmakers, who wanted to exempt a much larger group of filers, and the Obama Administration. But financial reporting executives shouldn’t rejoice yet: The bill must still be approved by the full House and then by the Senate to become law.

Section 404(b) requires companies to get an auditor’s attestation about the effectiveness of their internal controls over financial reporting and is widely considered the biggest compliance burden in the Sarbanes-Oxley Act. Large filers have had to comply with the provision since 2004, but the Securities and Exchange Commission has repeatedly extended the compliance deadline for non-accelerated filers.

The amendment, sponsored by New Jersey Reps. John Adler and Scott Garrett, also directs the SEC and the Comptroller General to conduct a joint study to determine how the SEC could reduce the burden of complying with Section 404(b) for companies with market caps between $75 million and $250 million.

Even if the measure does ultimately become law, non-accelerated filers (and everyone else) will still need to comply with Section 404(a), which requires companies to review and disclose the state of their internal controls. Section 404(a) went into effect for non-accelerated filers one year ago.

The committee’s action follows the SEC’s Oct. 2 announcement of one final delay for non-accelerated filers. Under that delay, the smallest public companies are supposed to begin complying with the provision beginning with their annual reports for fiscal years ending on or after June 15, 2010. The extension was granted at the same time the SEC released its study on SOX compliance costs and benefits.

An SEC spokesman said the Commission had no comment on today’s action by the committee, but referred to a letter sent by chairman Mary Schapiro on Oct. 16 to capital markets Sub-committee Chairman Paul Kanjorski.

That letter noted that, “According to our staff’s recent study of the costs and benefits of Section 404, surveyed investors indicated that Section 404 compliance ‘has significantly impacted their confidence in companies’ financial reports’ … Investors indicated that they have greater confidence when a Section 404 audit is performed.”

“… I believe that the enactment by Congress of Section 404 continues to significantly improve investor confidence in the integrity of companies’ financial reports and reporting,” Schapiro wrote.

Posted by: maguilar @ 1:12 pm

Filed under: Internal controls, Sarbanes-Oxley, legislation, small business

 

October 30, 2009

Drama! Intrigue! Congress and Section 404!

Section 404 of the Sarbanes-Oxley Act has been in the legislative whirlwind this week.

Two amendments to delay or even rescind Section 404 for many companies came before the House Financial Services Committee on Wednesday, a surprise move that left investor advocates fulminating to anyone who would listen. One amendment to postpone Section 404(b) until 2011 for non-accelerated filers did pass on a voice vote, and will come before the full committee for a roll-call vote on Nov. 4.

The amendment, offered by Rep. Carolyn Maloney, D-N.Y., would require separate studies by the Government Accountability Office and the Securities and Exchange Commission to evaluate the costs and benefits of complying with Section 404(b) on issuers who aren’t accelerated or large accelerated filers—that is, the non-accelerated filers who have been excused from compliance for years already. Those studies would include recommendations, administrative reforms, and legislative proposals to reduce compliance burdens on those issuers and to determine the success of the SEC’s measures to limit the cost of compliance on smaller issuers.

The Maloney amendment would require separate reports by both agencies to Congress by June 1, 2010. Section 404(b) wouldn’t become effective for non-accelerated filers before the results of the report are delivered, and in no case before June 1, 2011.

A separate amendment, offered by Rep. John Adler, D-N.J., would have gone even further: exempting all companies with less than $700 million in market capitalization from Section 404(b), which would include many filers already complying with it. That idea, however, failed on a voice vote on Wednesday, although it too will come to a roll-call vote next week as a formality.

The moves to provide more SOX relief come on the heels of the SEC’s Oct. 2 announcement that it would delay Section 404(b) for small companies until fiscal years ending on or after June 15, 2010. That delay—which the SEC has firmly said will be the last—came at the same time the SEC published its study on the costs of Section 404 compliance.

Both amendments were slipped into legislative work the Financial Services Committee was doing to mark up the Investor Protection Act, HR 3817. Work on that bill is scheduled to resume Nov. 4.

Investor groups quickly voiced their opposition to the amendments in an Oct. 26 letter to several key members of Congress. Signed by leaders from the Council of Institutional Investors, the Consumer Federation of America, the American Association of Individual Investors, and the CFA Centre for Financial Market Integrity, the letter opposes any effort to further defer or exempt any public companies from the internal control requirements of Section 404, which they say “would do a grave disservice to investors whose trust in the markets is an essential ingredient in any financial recovery.”

“It is our view that the Section 404(b) requirements under SOX provide significant benefits to investors, are valuable regardless of a company’s size and represent an appropriate use of a company’s resources given the importance a strong system of internal controls has in producing reliable financial reporting,” the letter states.

Meanwhile, as Compliance Week previously reported, a separate bill introduced this month by Rep. Scott Garrett (R-N.J.), dubbed the “Small Business SOX Compliance Relief Act,” would permanently exempt non-accelerated filers from the reporting requirements of Section 404(b).

Posted by: maguilar @ 9:16 am

Filed under: Internal controls, Sarbanes-Oxley, legislation

 

October 9, 2009

SOX Exemption Bill Introduced

Here we go again. Roughly a week after the Securities and Exchange Commission announced what it vowed would be its last extension for non-accelerated filers to comply with the auditor attestation requirement under Section 404(b) of Sarbanes-Oxley, Congress has revived efforts to exempt those companies from the provision.

Rep. Scott Garrett (R-N.J.) on Oct. 8 introduced the “Small Business SOX Compliance Relief Act” to permanently exempt non-accelerated filers from the reporting requirements of Section 404(b).

Garrett has previously co-sponsored legislation to exempt and/or delay the provision for smaller companies.

“Although the stated intent of Sarbanes-Oxley was to provide investor confidence in our markets through greater accountability and disclosure, the Act has had the unintended effect of creating undue and often unbearable burdens on small businesses,” Garrett said. “It is diverting valuable resources away from other legitimate business needs; creating massive and tedious documentation requirements; and discouraging the public listing of both international and domestic companies on U.S. markets.”

“Especially now, as our country struggles to emerge from a recession, the last thing American small businesses need is another barrier to economic stabilization,” he continued.

A press release from Garrett announcing the move cites the SEC’s own SOX 404 study released last week. “Although reforms were made in 2007 to relax the guidelines for smaller companies, businesses of all sizes still report excessive compliance costs … In summarizing survey responses from businesses regarding the benefits of Section 404 compliance, the SEC wrote, ‘[A] majority felt that the costs of compliance outweighed the benefits. This was especially true among smaller companies.’”

Posted by: maguilar @ 10:38 am

Filed under: Internal controls, Sarbanes-Oxley, legislation, small business

 

October 2, 2009

404(b) for Small Cos. Delayed to FYEs Until June 15, 2010

Good news for non-accelerated filers: The Securities and Exchange Commission has granted them more time to begin providing audited assessments of their internal controls over financial reporting as required under Section 404(b) of the Sarbanes-Oxley Act.

The SEC announced the extension today at the same time it published the findings of its long-awaited study on the cost of complying with the statute’s ICFR requirements.

The announcement means that the smallest public companies will begin complying with the provision in nine months, beginning with their annual reports for fiscal years ending on or after June 15, 2010, instead of for fiscal years ending on or after Dec. 15, 2009. That was the deadline under an earlier extension granted by the SEC so its Office of Economic Analysis could complete the study of whether additional guidance provided to management and auditors in 2007 was effective in reducing the costs of compliance.

“Because the study was published less than three months before the December 15 deadline, the Commission determined that additional time is appropriate and reasonable so that small public companies and their auditors can better plan for the required auditor attestation,” the SEC press release states.

“Since there will be no further Commission extensions, it is important for all public companies and their auditors to act with deliberate speed to move toward full Section 404 compliance,” SEC Chairman Mary Schapiro said.

Among the study’s findings: The evidence…indicates that there is an “economically and statistically significant reduction in Section 404 compliance costs following the 2007 reforms,” which is most pronounced among larger companies.

More than half of survey participants reported that the 2007 reforms led to a decrease in compliance costs, consistent with the objectives of the reform and the reported cost reductions. Nearly all respondents indicated that they relied on the Management Guidance and, of those, a majority found it to be useful, according to the report.

Among Section 404(b) companies, the mean total Section 404 compliance cost drops significantly from $2.87 million pre-reform to $2.33 million post-reform, a 19 percent decline in the total compliance cost, according to the report. “The compliance cost is expected to be lower still, with a mean cost of $2.03 million, representing a combined decline of 29 percent. When reporting compliance costs by size category, the mean total compliance cost decreases from $769,000 to $690,000 among filers with public float lower than $75 million, but this difference is not statistically significant.”

Compliance Week will provide readers with full details on the findings in an upcoming edition.

Posted by: maguilar @ 1:17 pm

Filed under: Internal controls, Sarbanes-Oxley

 

August 28, 2009

Survey Sheds Light on Fraud Worries, Expectations

Given the economic downturn, record levels of government spending, and the uptick in enforcement, it’s not surprising most executives expect fraud and misconduct risks to stay the same or increase over the next year.

That’s one finding from KPMG’s 2009 Fraud Survey, which polled more than 200 executives on the nature of fraud and misconduct risks in their organizations and the challenges they face in trying to prevent, detect, and respond to those risks.

When asked which categories of fraud and misconduct pose the most significant risk, more than a third said misappropriation of assets (35 percent), while 31 percent cited other illegal or unethical acts, such as bribery and corruption. Fourteen percent said fraudulent financial reporting, while 20 percent said all three are an equal threat.

The nature of perceived fraud and misconduct risks varied by industry. For instance, executives from consumer markets were more likely to cite asset misappropriation as a concern, while respondents from health care and pharmaceuticals tended to cite other illegal and/or unethical acts, such as bribery, corruption, market rigging, or conflicts of interest as threats.

Looking ahead over the coming year, most executives believe fraud and misconduct risks will either stay the same or increase over the next twelve months. Nearly a third of the group expect an increase in at least one form of fraud and misconduct risk. One-quarter of executives expect increases in asset misappropriation, while 20 percent expect other illegal and unethical acts to increase, and 8 percent expect more fraudulent financial reporting.

Meanwhile, over the same period, the vast majority of executives (75 percent) expect the amount of funding their organization dedicates to combating fraud to stay the same, while 16 percent expect it to increase and only 9 percent expect it to decrease.

As for the factors that executives say most enable fraud and misconduct to occur, two-thirds cited inadequate internal controls or compliance programs. Almost half (47 percent) cited management override of controls, while 44 percent cited inadequate director oversight over management. Nearly the same number (43 percent) cited collusion between employees and third parties, while almost a third cited collusion between management and third parties, and 27 percent cited collusion between employees and management.

When asked which sources would most likely uncover fraud and misconduct within their organizations, almost half of executives named internal audit, legal, or compliance personnel. Twenty percent cited employee whistleblowers, while 13 percent cited line managers and 9 percent cited external auditors.

However, the report points out that this expectation may not match reality. It cites data from the Association of Certified Fraud Examiners showing that frauds were more likely to come to light through whistleblower tips than through audits, controls, or any other means, as well as KPMG survey data ranking internal audit among the channels employees said they would be least comfortable using to report misconduct.

While the majority of executives report that their organizations have effective protocols in place to address how to respond when allegations of fraud arise, the report notes that some gaps remain. For example, just over one-quarter of respondents lack effective protocols on how investigations should be conducted and at what point the board of directors should be alerted to potential concerns. One-third lack protocols on how to determine remedial actions, and 38 percent lack protocols to address when a voluntary disclosure to the government should be made.

Respondents also acknowledged room for at least moderate improvement across the majority of their anti-fraud efforts. Areas where executives said the most improvement was needed include employee communication and training, technology-driven continuous auditing and monitoring techniques, and fraud and misconduct risk assessment.

Posted by: maguilar @ 9:32 am

Filed under: Fraud, Internal controls, Risk

 

August 26, 2009

Procurement Fraud Not Just for Large Contractors

While procurement fraud risks are often thought of as the domain of large federal contractors, small and mid-sized firms are at risk as well, and thanks to increased enforcement, the stakes are higher than ever.

Recent changes to federal regulations; growth in federal, state, and local contracting activity; and vigorous enforcement activity mean increased procurement risk for corporations of all sizes, especially those that don’t traditionally focus on selling goods and services to the public sector, according to a report by PricewaterhouseCoopers examining procurement fraud enforcement activity.

“Procurement fraud is perceived as something that happens often and isn’t really a big deal,” says the report’s author, Dalit Stern, a partner in PwC’s forensic service group. “But the amounts associated with it could be significant.”

And if you think Sarbanes-Oxley compliance eliminates procurement fraud risk, think again. Stern says the biggest misconception companies have about procurement fraud is that resources they’ve devoted to SOX compliance “make them largely immune to fraud in general and to procurement fraud in particular.”

However, internal controls over financial reporting and fraud management processes may be less effective against procurement risk schemes. Why? Because fraudsters who successfully perpetrate their schemes over long periods usually do so by operating under monetary thresholds determined for SOX testing purposes, according to the report, “Cracking down—The facts about risks in the procurement cycle.”

“The variety of industries, plethora of government agencies involved, and the spread of the crime’s geographical reach indicate that the common denominator of procurement fraud is vulnerability in corporate controls,” the report states.

Moreover, Stern notes that the stakes are higher during a downturn.

“Individuals have less loyalty and they’re under greater pressure, and recession causes management to focus on revenue generating activity,” she says. “This isn’t perceived as the best time to look at improving processes and controls.”

Add stepped-up enforcement to the mix, and improving processes and controls becomes even more important.

A PwC review of enforcement data from the National Procurement Fraud Task Force shows that, since the Task Force’s creation in 2006, more than 400 procurement fraud cases have been pursued, resulting in more than 300 criminal convictions and the recovery of hundreds of millions of dollars in civil settlements and judgments.

From June 2007 through June 2008, more than 500 schemes or combinations of schemes were investigated. The vast majority of prosecutions addressed bribery (27 percent), bid rigging (21 percent), embezzlement (21 percent), and false claims (16 percent), according to PwC.

While the government is more exposed to, and more focused on prosecuting, fraud in defense and related industries, almost two-thirds of reported cases during the period reviewed don’t involve military-related spending. Of the non-military industries, procurement fraud cases involving the construction industry were most prevalent. Other industries subject to Task Force prosecutions include education, aerospace, and telecommunications.

While the Army, Navy, Air Force, and Department of Defense accounted for 38 percent of prosecuting agencies, the majority of cases (62 percent) were scattered across 62 different government agencies. The most prevalent non-military agencies involved in procurement fraud cases were those that most engage in contracting activity, such as the Department of Transportation, the Department of Housing and Urban Development, and the Department of Education.

More than half of defendants were vendors or their employees, and close to 32 percent of cases involved public servants, which PwC says underscores how purchasing authority tempts individuals engaged in procurement activities in the public or private sectors.

“Procurement fraud schemes are a combination of greed and lax or limited controls,” says Stern. “You can’t eradicate greed, but you can enhance your controls in your procurement cycle sub-processes, or at least in the sub-processes that are the most risky.”

She recommends companies assess their risk and focus on the processes that are most vulnerable.

Vendor maintenance is “a good place to start,” says Stern, “since not many companies go through a rigorous vendor due diligence process.”

The report includes a checklist for companies to assess their vulnerability to procurement fraud and provides a list of potential red flags for procurement risk.

Posted by: maguilar @ 1:39 pm

Filed under: Fraud, Internal controls, Sarbanes-Oxley


July 23, 2009

Help for Internal Auditors on PCI Compliance

A new report from the Institute of Internal Auditors says compliance with credit-card security standards is still sputtering, despite a coordinated push to bring retailers and merchant banks into compliance with the Payment Card Industry Data Security Standard.

The recent survey of internal auditors, “Moving Toward PCI Compliance,” indicates that only 56 percent of companies are in compliance with PCI DSS, even though the standard was first unveiled in 2004. Nearly 90 percent did say they are trying to implement a PCI compliance process, however.

Survey respondents offered a variety of suggestions to help companies ensure an effective and efficient compliance process. Among the ideas:

  • Train and educate staff about data security breach risks, and how to help achieve compliance.
  • Prohibit storing and tracking credit card information.
  • Avoid unsecured wireless access.
  • Perform an internal audit to determine high-risk areas.
  • Establish network security controls, compartmentalizing the network areas that process credit card information and segregating PCI data from the rest of the network.
  • Establish compensating controls where they are needed to achieve compliance.
  • Create a steering committee, representing areas that can enhance compliance within the organization.
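One practical check behind the first two suggestions above (educate staff about breach risk; prohibit storing card data) is an audit scan of application logs for primary account numbers that should never have been written there. The script below is an added example, not part of the IIA report or the survey; the log lines are constructed, the 4111… number is a well-known Luhn-valid test value, and the 13-19 digit range plus Luhn check are the usual heuristics for telling a card number from an order reference.

```python
import re

# Constructed sample log lines (not real data). Line 2 and line 4 leak a
# Luhn-valid test PAN; line 3 carries a 16-digit reference that is NOT a PAN.
SAMPLE_LOG = """\
2009-07-23 10:01:02 order=1001 customer=alice amount=42.10
2009-07-23 10:01:05 order=1002 pan=4111111111111111 exp=12/11 amount=99.00
2009-07-23 10:01:09 order=1003 ref=1234567890123456 amount=10.00
2009-07-23 10:02:00 order=1004 card=4111-1111-1111-1111 amount=5.00
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to other digits on either side.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; every doubled digit above 9 has 9 subtracted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four (the usual truncation), star the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list:
    """Return (offset, masked_pan) for every Luhn-valid PAN candidate."""
    findings = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append((m.start(), mask(digits)))
    return findings


def scan_log(text: str) -> list:
    """Return (line_no, offset, masked_pan) tuples; never echo the raw PAN."""
    return [(n, pos, masked)
            for n, line in enumerate(text.splitlines(), 1)
            for pos, masked in scan_line(line)]


if __name__ == "__main__":
    for line_no, pos, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no} col {pos}: possible stored PAN {masked}")
```

Findings are reported masked so the audit output does not itself become another place where card data is stored.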

As part of the survey, the IT Compliance Institute also gave some tips on what internal auditors can do to help ensure PCI compliance:

  • Provide reports to the board and management that state whether key information assets and systems are protected, business units are adhering to policies, programs are in place for continually updating and strengthening safeguards against network assaults, and existing security policies are reasonable.
  • Assess the state of the information control environment and recommend improvements.
  • Compare current organizational practices with industry practices and regulatory guidelines to validate that the organization’s PCI efforts are proactive and effective against current and emerging threats.

Download the full report at www.theIIA.org.

Posted by: maguilar @ 2:04 pm

Filed under: Internal controls, PCI