Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Keep me logged in Forgot your password?

Please wait...

Please wait...

Recent Coverage Of Internal Control Issues (SOX 404)

Below is some of the most recent Compliance Week coverage related to the internal control provisions of The Sarbanes-Oxley Act, ubiquitously known as "Section 404 of SOX." Includes extensive coverage of ICFR issues, including the PCAOB's Audit Standard No. 5, and related audit and "top-down, risk-based" approach issues. See also The Resource Exchange for checklists, process maps, surveys, questionnaires, and other tools submitted by public company executives to assist them in complying with SOX 404.

Winning the Battle to Get 'Buy-In' on Compliance

April 01, 2014

Getting executives and middle managers to support the goals of compliance can be an uphill battle at many companies, especially where compliance is viewed as an obstacle to getting things done. To change that view, compliance needs to show that the program can add value. "The stronger the safety controls, the more risks you can take," says Anthony Dell, global chief compliance and ethics officer at investment adviser Ares Management.

Setting the Scope of an Investigation

March 25, 2014

Establishing the parameters of an investigation is a critical responsibility for compliance officers. Define an investigation too narrowly and the company risks missing important pieces of evidence. Define it too broadly and the investigation can drag on for long time periods and burn through cash. Inside, we look at how to rightsize an investigation and avoid "scope creep" and other problems.

Studies Find Weaknesses in Data Management Programs

March 04, 2014

Big Data may be here, but lots of companies are still struggling to get a handle on garden variety information. Indeed, two separate benchmarking reports released last month revealed that while most companies claim to have information and records management programs in place, many are not up to par. "Organizations are not doing a great job at managing traditional, unstructured information," says Richard Wolf, founder of GRC advisory firm Lexakos.

More Companies Disclosing Measures of Realized and Realizable Pay

March 04, 2014

If you're not familiar with the new compensation metrics—realized and realizable pay—you should be; more and more companies are using them to provide investors with what they consider a more realistic picture of what their top executives are really earning. "As long as they're telling the story properly, it's appropriate to show another measure of pay," says David Eaton, vice president of proxy research firm Glass Lewis.

Business Agility Across the Extended Enterprise

January 28, 2014

Organizations often struggle to identify, manage, and govern extended business relationships. The challenge: Can you attest that risk and compliance are managed across extended business relationships? In our latest installment of the GRC Illustrated Series we provide companies with tips on how to build an effective, integrated approach to third-party management.

Should Deficiencies Under COSO Update Be Reported Now?

December 17, 2013

Many companies are currently analyzing how well their internal controls stack up against a newly revised framework from the Committee of Sponsoring Organizations. Some argue that deficiencies identified under the new framework might need to be reported now. "Finding a material weakness using the updated framework is a pretty strong indication that it also is a material weakness under the 1992 framework," said Tom Ray, former chief auditor at the Public Company Accounting Oversight Board.

PCAOB Alert Puts More Emphasis on Internal Control Audits

November 05, 2013

Expect auditors to seek more evidence that internal controls are effective after regulators issued formal guidance to auditors to intensify internal control audits. The Public Company Accounting Oversight Board has been warning them to look closer at internal controls, but new guidance details specific areas. It is saying, "Here's exactly what we think you should be looking for," says Sara Lord, a partner at McGladrey.

The Difficulties of Creating a Global Supplier Code of Conduct

October 22, 2013

Crafting an effective code of conduct is difficult enough for a single, domestic entity. Developing them worldwide and getting employees, vendors, and suppliers all to abide by one is an even taller task. At the Compliance Week Europe conference in Brussels last week, a panel discussed ways to get a diverse group of suppliers and vendors, which can number into the thousands at some companies, to abide by the code.

Busting the Barriers Between Compliance, IT, and the Business

October 22, 2013

Large, global companies have plenty of language barriers to consider—including the communication gaps that divide business functions. During a panel discussion at last week's Compliance Week Europe conference, compliance and legal executives from telecom giant BT and Bank of Ireland looked at how compliance executives can unify all three sides early, often, and effectively. More inside.

Risk Committees Go Mainstream

October 16, 2013

After the financial crisis, most big financial services firms added risk committees to the board to escalate the oversight of risk management. Indeed, the Dodd-Frank Act requires banks with more than $10 billion in assets to have one. Now companies beyond Wall Street are warming up to the idea and moving oversight of compliance from the audit committee to the risk committee. Some are even establishing a dedicated compliance committee. More on the trend inside.

Companies Hesitant on Transition to COSO Revised Framework

September 27, 2013

When the Committee of Sponsoring Organizations updated its framework for internal controls, it provided plenty of lead time for implementation—and companies appear to be taking advantage of it. Many are holding off on adopting the new framework for now, waiting for more guidance or letting others take the lead. "Since the revised framework was issued in May, many companies appear to have taken a 'wait and see' approach,'" says Andrew Schweik, director of risk services at audit firm Crowe Horwath.

Companies Hesitant on Transition to COSO Revised Framework

September 24, 2013

When the Committee of Sponsoring Organizations updated its framework for internal controls, it provided plenty of lead time for implementation—and companies appear to be taking advantage of it. Many are holding off on adopting the new framework for now, waiting for more guidance or letting others take the lead. "Since the revised framework was issued in May, many companies appear to have taken a 'wait and see' approach,'" says Andrew Schweik, director of risk services at audit firm Crowe Horwath.

Studies Say Companies Lacking in Supply Chain Risk Management

August 27, 2013

Could companies be doing a much better job of managing supply chain risks? Two recent studies suggest they could. According to the studies, companies have too narrow a view of supply chain risks, don't align the goals of suppliers with their own, and don't conduct enough formal risk assessment on important suppliers. "We still have a tremendously long way to go," says Glen Goldbach, a director in PwC's advisory practice.

Assembling a Top-Notch and Flexible Investigations Team

July 09, 2013

Conducting internal investigations is one of the most difficult duties of compliance departments, and assembling the right team can make all the difference. Phillip Morris, for example, leverages other skills through the organization to provide local and subject matter expertise. "One of our investigating principles is to be able to investigate fairly and impartially, but also promptly," says Karen Handelsman Moore, director of compliance at Philip Morris.

Rethinking Policy Management at Dell

June 04, 2013

To break through a siloed approach to policy making and to compliance itself, Dell assembled a coalition of executives with compliance responsibilities and set about remaking its policy management system. The result is a streamlined process for developing and implementing compliance policies company-wide. "The policy is the cornerstone of the compliance programs at Dell," said Kristi Kevern (at left), director of operational compliance at the Compliance Week 2013 conference last month.

How FMC Automated Controls to Improve Financial Visibility

June 04, 2013

When FMC Corp. took a hard look at its internal controls, it saw an opportunity to automate and improve them to increase the visibility of its reconciliation process. The company was also able to move to a more centralized process where data is readily available. "We are able to provide our CEO and CFO with any information they desire," said Nadia Ciaravino, finance control compliance director for FMC.

How Compliance Saved Tyco

May 29, 2013

By focusing on compliance and ethics and committing to making drastic changes, Ed Breen, former CEO and current chairman of Tyco, was able to help the company avoid the fate of those it was commonly mentioned alongside, such as Enron and WorldCom. Today it is thriving. "Trust is the secret weapon of a good business leader," he said, during a keynote address at the Compliance Week 2013 conference. "If you don't have it, you are toast." More from his talk inside.

Updated Control Framework Makes Companies Dig Deeper

May 29, 2013

The burden of adopting the newly updated COSO framework for internal controls will depend on how closely a company's control environment is aligned with the original framework, said internal control experts from Raytheon and Pfizer at the Compliance Week 2013 conference last week. "When you document your system of internal controls today, you probably aren't talking about the 17 principles, but clearly you'll need to do that," said Ray Purcell, director of financial controls at Pfizer.

Compliance Budgets Rising for Banks as Regulations Multiply

May 21, 2013

The onslaught of new regulations for financial institutions continues to make life difficult for compliance officers at financial services firms. In response, banks and insurers are increasing their compliance budgets, according to a survey by Thompson Reuters. Still many report the added resources aren't enough. "There's so much going on. It's the 'bombs bursting in air' kind of thing," says Richard Riese, senior vice president at the American Bankers Association Center for Regulatory Compliance.

Updated COSO Framework to Spark Review of Internal Controls

May 21, 2013

Now that COSO has completed the update of its widely used internal control framework, it's time for companies to determine where control changes might be in order. The good news is that the framework keeps the five core principles, but it also adds 17 new underlying principles that will likely require additional documentation. "Now you need to go one level below," says Christian Peo, a partner with KPMG.

Cracking the Code: Codes of Conduct That Actually Work

May 07, 2013

Nearly every company has a code of conduct. At some it's a commonly cited guide to behavior at the organization. At others, it gets more use as a beverage coaster. The difference may lie in how the document is crafted. Codes of conduct that are too long, use legalese, or are short on examples are more likely to gather coffee rings than to spur employees to uphold company values. More details inside.

How Compliance and HR Can Get It Together

April 16, 2013

Compliance and human resources have always had a love-hate relationship. Now some companies are finding that getting them aligned can yield large benefits for both functions and improve the organizational culture. That collaboration, while vital, can be hard won, however. Inside, we look at ways to break down the barriers and foster better communication and cooperation between compliance and HR.

Creating a Speak-Up Culture

April 02, 2013

Creating a speak-up culture is the Holy Grail of compliance. Companies that have successfully created this type of environment have won the trust and confidence of employees and have gotten them to buy-in to the company's values. Inside, guest columnist Joel Katz, chief ethics and compliance officer at CA Technologies, shares his perspective on how to get employees to create a culture where employees are comfortable asking questions and raising concerns.

Russia Anti-Bribery Law Sets New Compliance Standards

March 26, 2013

Russia's recently enacted anti-corruption law goes where none have gone before, by requiring organizations that operate in Russia to put a compliance program in place and to develop systems to cooperate with law enforcement even before any corruption is identified. Still, some are skeptical that it will be enforced evenly by Russian regulators. "Enforcement is still very erratic," says Delphine Nougayrède, a partner in the Moscow office of law firm DLA Piper.

e-Discovering the Cloud

March 26, 2013

Moving data-heavy components such as e-mail and collaboration systems to the cloud is a no-brainer, right? Not so fast. Companies that don't consider the cloud's implications on e-discovery could suffer major headaches later in excess litigation costs or damages resulting from poor recordkeeping. "You can see it as a train wreck waiting to happen if you don't think about these things in advance," says Michael Lackey, a partner at law firm Mayer Brown.

Tackling the Toughest Issues in Internal Investigations

March 19, 2013

When allegations of corporate misconduct surface, an effective internal investigation is essential to uncovering facts and formulating an appropriate response. But how do you maintain independence when the problem at hand involves a senior executive and external auditors are breathing down your neck? Assemble a cross-functional team, and proceed with extreme caution. Details inside.

Developing an Effective Approach to Third-Party Due Diligence

March 05, 2013

More than 90 percent of reported Foreign Corrupt Practices Act cases involve third parties, such as sales affiliates and resellers, acting on the company's behalf, yet many companies focus their anti-corruption efforts on their own employees. These companies need to focus in on the riskiest business partners doing business in the riskiest nations. Inside, lessons on building an effective third-party due diligence program.

Info Governance: Get Data Classification Right First

March 05, 2013

Data classification is one of the most crucial elements of information governance—yet one that many companies fail to implement well. They want to put adequate security controls around the most sensitive data, but they have no process for determining what that data is, or where it resides. In part three of our six-part series on information governance, we look at common mistakes in data classification.

The Art of Managing Policy Exception Requests

February 26, 2013

Exception requests are often a thorn in the side of policy managers, and yet they are unavoidable for most. Granting too many exceptions can undermine policies and expose companies to legal risk, while too few can tempt employees to ignore policies. "Some policies are necessarily more granular, more transactional, or more employee-driven, and therefore lead to more exception requests," says David Frishkorn, chief compliance officer at Comverse Technology.

New Law Expands Whistleblower Protections at Federal Contractors

January 29, 2013

Last month President Obama signed the National Defense Authorization Act into law, which expands whistleblower protections to Defense Department sub-contractors and sets up a pilot program to test expansion of the program to contractors of other agencies. The law means government contractors will have to be on high-alert for whistleblower retaliation. More details inside.

Auditors to Focus on Internal Controls After Poor Inspection Results

December 18, 2012

Public companies can expect extra scrutiny of their internal control over financial reporting in the upcoming audit cycle after regulators warned auditors to fix lingering problems. The Public Company Accounting Oversight Board said the percentage of audits with inadequately supported opinions on internal control over financial reporting rose to 22 percent of cases examined in 2011, from 15 percent in 2010. "Those numbers are too high," said PCAOB member Jeanette Franzel.

Fostering Ethics Transparency in the Expanding Supply Chain

November 20, 2012

Identifying ethical and social compliance risks in the supply chain, such as child labor, worker abuse, and poor working conditions, is becoming increasingly difficult in expanding and complex supply chains. During a panel at the Compliance Week West conference in Palo Alto, Calif. last week, executives from Target, Gap, and MetricStream provided strategies for gaining better visibility and monitoring of supply chains. A rundown of their discussion is inside.

Disclosure Questions Arise After a Cyber-Attack

November 13, 2012

When hit with a cyber-attack, many companies choose to remain tight-lipped on the incident, despite guidance from the SEC that requires disclosure of cyber-security risks and attacks that result in material losses. "Companies may find that the risk of actual disclosure is much higher than the penalties for not disclosing," says Josh Walderbach, senior network security and compliance analyst at data security company LogRhythm.

Codes of Conduct: Values or Principles-Based?

November 06, 2012

Many companies are reviewing their codes of conduct to consider new regulatory risks and other developments like social media and privacy concerns. But a debate is brewing over how much to include in the code of conduct. Should they address a few core principles—Boeing's code runs just one page—or should they cite chapter and verse on policies and rules? Pros and cons of each approach inside.

Fostering a Unified, Ethical, and Global Corporate Culture

November 06, 2012

Building an ethical corporate culture can be difficult under even the best of circumstances. Add to the mix a workforce located in multiple countries, each with its own culture, language, and legal system, and the challenges are magnified. Yet, companies can't ignore these obstacles. "The goal is to inspire, across cultures, the behaviors you want to see more of," says Wayne Brody, ethics and compliance advisor at consulting firm LRN.

Identifying Compliance Risks and Trends

October 10, 2012

Analyzing data for emerging risks, trends, and remediation is no easy task. First, companies must know what data they have and where it is, and then how to turn it into useful knowledge. To help get the job done, companies are increasingly turning to governance, risk, and compliance systems that give them more visibility into risks and provide reporting to the units that manage those risks. Details inside.

COSO's Take Two on Internal Control Framework Earns Praise

October 10, 2012

The Committee of Sponsoring Organizations circulated its second attempt at revising its Internal Control—Integrated Framework, which virtually all public companies rely on to assess their systems of internal control. While some still have concerns, the near-final draft is earning praise for its clearer, practical approach. "When I looked at the new material I was very pleasantly surprised," says Normal Marks, vice president at SAP.

EEOC Enforcement Plan Signals Shift to Systemic Cases

October 10, 2012

The Equal Employment Opportunity Commission's revamped strategic enforcement plan, released last month, indicates a shift by the agency to focus more on systemic cases—those that indicate widespread abuses of EEOC rules, the agency says, rather than focusing on specific individual complaints. "Those systemic cases bring with them much litigation risk to employers," says Steven Gutierrez, a partner with law firm Holland & Hart.

Building Regulatory Intelligence

July 31, 2012

Effective policy management starts with monitoring changes to the business, regulatory, and risk environments to determine how change impacts current and needed policies. The latest installment of our GRC Illustrated series offers insights on how best to track these changes so they can be analyzed in light of policy needs.

The Evolving Role of Internal Audit

July 24, 2012

Thousands of internal auditors convened in Boston earlier this month, and came away with one basic conclusion: The profession needs to expand its skills and expertise to prosper in today's data-soaked world. "We have a great challenge to push executive management and the board to respond to those changes," said Mark Carawan, chief audit executive for Citigroup. More on the state of internal audit is inside.

Why Do Policies Matter?

June 26, 2012

From time to time people still ask why policies matter: Aren't policies just more unnecessary bureaucracy, they ask? But good policies define the organization's governance culture and objectives. Without the guidance provided by well-written policies, corporate culture may morph and take the organization down unintended paths. The latest installment of our GRC Illustrated series offers insights on effective policy management.

State of Compliance 2012

June 19, 2012

According to the PwC and Compliance Week State of Compliance 2012 survey, companies are adding to compliance budgets and hiring more staff. Yet they struggle to leverage those resources to keep pace with the increasingly complex, specialized issues they must handle. "There is increased pressure on boards around risk management and it means increased pressure on compliance officers," says Sally Bernstein, a principal in PwC's advisory practice.

Improving Internal Audit & Control

June 12, 2012

Internal audit and control functions have long been war-weary parts of Corporate America, bombarded by ever-more risks to monitor and disclosures to make. Two sessions at the Compliance Week 2012 conference explored how audit and compliance executives can rally for a counter-offensive. Details inside.

The Metrics System: Measuring Compliance Effectiveness

June 12, 2012

Compliance officers are under increasing pressure to demonstrate to senior officers, their boards, and regulators that the compliance function works. That means finding ways to measure compliance program effectiveness. At the Compliance Week 2012 conference, compliance executives shared their approaches to capturing and reporting compliance metrics. Details inside.

Risk-Management Failures Highlight the Need for More Scrutiny

June 05, 2012

As recent problems at Walmart and JPMorgan indicate, companies still have more work to do on refining risk-management systems. A new survey from research firm Lexakos finds that companies are expanding risk-management committees to include more functions. Yet nearly half of those surveyed say they don't have a dedicated chief risk officer, and 43 percent say it's not a budget priority. More survey results inside.

Regulators' No Admission Settlement Policy Under Fire

May 30, 2012

The policy of the SEC and other regulators to settle cases of alleged fraud on a "neither-admit-nor-deny" basis is under increasing fire from critics who believe such settlements are too lenient. During a recent committee hearing, members of Congress assailed the policy as irresponsible, while others defended it as a practical necessity. Details inside.

Best Buy Debacle Offers Lessons in Crisis Management

May 30, 2012

When allegations arise against a CEO of an inappropriate relationship or other misdeeds, the compliance officer is often forced into a difficult balancing act. The CCO, in assisting the board, must weigh the need for quick action with the need for a thorough and fair investigation. Best Buy recently faced such a situation, and how the company responded may serve as a model for good crisis management. Details inside.

Electronic Information Deluge Putting a Strain on Records Management

May 22, 2012

Despite increased resources and good intentions, companies are still fumbling when it comes to executing a comprehensive information management program that balances the unique needs of physical and electronic documents. A recent survey from Iron Mountain found that nearly three-quarters of respondents said they lacked a cohesive, multi-year strategy for records and information management. More survey results inside.

Maintaining an Effective Compliance Program

May 22, 2012

Building out a first-rate compliance program is no easy task, but it's still only the start of the process. Maintaining its effectiveness by keeping up with rapidly changing regulations, assessing compliance gaps and filling them, and mitigating ongoing compliance risks are all necessary to ensuring that a compliance program stays on track. Details inside.

Integrating Risk Appetite and Risk Management

May 15, 2012

Three years after the financial crisis, it's clear that companies still struggle with how to manage risk in the organization; just ask JPMorgan. Part of the difficulty: Getting a handle on risk across the organization is a complex undertaking which requires a careful balancing act. Integrating a formal statement of risk appetite with the risk-management program is an important step. Details inside.
 Subscribe to the RSS for this page  [view all our RSS feeds here]

Compliance Week now has a companion group on LinkedIn, where members can network and discuss the compliance and governance news of the day. Open to all compliance professionals, free to join.

Top Global GRC Risks
Sponsored by NAVEX Global

Thought Leadership

Data: The Tail That Wags the Stress Test
Sponsored by Trillium Software

Conflict Minerals Webcast Series
Sponsored by 3e Co., iPoint, Schulte Roth & Zabel and Source Intelligence

Compliance Week Podcasts ...

Every week we chat with leading thinkers in compliance, auditing, risk management, public policy and more. These short (10-15 minutes) interviews are free to all. Follow Compliance Week podcasts on iTunes.