Recent Coverage Of Internal Control Issues (SOX 404)

Below is some of the most recent Compliance Week coverage related to the internal control provisions of The Sarbanes-Oxley Act, ubiquitously known as "Section 404 of SOX." Includes extensive coverage of ICFR issues, including the PCAOB's Audit Standard No. 5, and related audit and "top-down, risk-based" approach issues. See also The Resource Exchange for checklists, process maps, surveys, questionnaires, and other tools submitted by public company executives to assist them in complying with SOX 404.

Compliance Budgets Rising for Banks as Regulations Multiply

May 21, 2013

The onslaught of new regulations for financial institutions continues to make life difficult for compliance officers at financial services firms. In response, banks and insurers are increasing their compliance budgets, according to a survey by Thomson Reuters. Still, many report the added resources aren't enough. "There's so much going on. It's the 'bombs bursting in air' kind of thing," says Richard Riese, senior vice president at the American Bankers Association Center for Regulatory Compliance.
 

Updated COSO Framework to Spark Review of Internal Controls

May 21, 2013

Now that COSO has completed the update of its widely used internal control framework, it's time for companies to determine where control changes might be in order. The good news is that the framework keeps the five core principles, but it also adds 17 new underlying principles that will likely require additional documentation. "Now you need to go one level below," says Christian Peo, a partner with KPMG.
 

Cracking the Code: Codes of Conduct That Actually Work

May 07, 2013

Nearly every company has a code of conduct. At some it's a commonly cited guide to behavior at the organization. At others, it gets more use as a beverage coaster. The difference may lie in how the document is crafted. Codes of conduct that are too long, use legalese, or are short on examples are more likely to gather coffee rings than to spur employees to uphold company values. More details inside.
 

How Compliance and HR Can Get It Together

April 16, 2013

Compliance and human resources have always had a love-hate relationship. Now some companies are finding that getting them aligned can yield large benefits for both functions and improve the organizational culture. That collaboration, while vital, can be hard won, however. Inside, we look at ways to break down the barriers and foster better communication and cooperation between compliance and HR.
 

Creating a Speak-Up Culture

April 02, 2013

Creating a speak-up culture is the Holy Grail of compliance. Companies that have successfully created this type of environment have won the trust and confidence of employees and have gotten them to buy in to the company's values. Inside, guest columnist Joel Katz, chief ethics and compliance officer at CA Technologies, shares his perspective on how to get employees to create a culture where employees are comfortable asking questions and raising concerns.
 

Russia Anti-Bribery Law Sets New Compliance Standards

March 26, 2013

Russia's recently enacted anti-corruption law goes where none have gone before, by requiring organizations that operate in Russia to put a compliance program in place and to develop systems to cooperate with law enforcement even before any corruption is identified. Still, some are skeptical that it will be enforced evenly by Russian regulators. "Enforcement is still very erratic," says Delphine Nougayrède, a partner in the Moscow office of law firm DLA Piper.
 

e-Discovering the Cloud

March 26, 2013

Moving data-heavy components such as e-mail and collaboration systems to the cloud is a no-brainer, right? Not so fast. Companies that don't consider the cloud's implications on e-discovery could suffer major headaches later in excess litigation costs or damages resulting from poor recordkeeping. "You can see it as a train wreck waiting to happen if you don't think about these things in advance," says Michael Lackey, a partner at law firm Mayer Brown.
 

Tackling the Toughest Issues in Internal Investigations

March 19, 2013

When allegations of corporate misconduct surface, an effective internal investigation is essential to uncovering facts and formulating an appropriate response. But how do you maintain independence when the problem at hand involves a senior executive and external auditors are breathing down your neck? Assemble a cross-functional team, and proceed with extreme caution. Details inside.
 

Developing an Effective Approach to Third-Party Due Diligence

March 05, 2013

More than 90 percent of reported Foreign Corrupt Practices Act cases involve third parties, such as sales affiliates and resellers, acting on the company's behalf, yet many companies focus their anti-corruption efforts on their own employees. These companies need to focus in on the riskiest business partners doing business in the riskiest nations. Inside, lessons on building an effective third-party due diligence program.
 

Info Governance: Get Data Classification Right First

March 05, 2013

Data classification is one of the most crucial elements of information governance—yet one that many companies fail to implement well. They want to put adequate security controls around the most sensitive data, but they have no process for determining what that data is, or where it resides. In part three of our six-part series on information governance, we look at common mistakes in data classification.
 

The Art of Managing Policy Exception Requests

February 26, 2013

Exception requests are often a thorn in the side of policy managers, and yet they are unavoidable for most. Granting too many exceptions can undermine policies and expose companies to legal risk, while too few can tempt employees to ignore policies. "Some policies are necessarily more granular, more transactional, or more employee-driven, and therefore lead to more exception requests," says David Frishkorn, chief compliance officer at Comverse Technology.
 

New Law Expands Whistleblower Protections at Federal Contractors

January 29, 2013

Last month President Obama signed the National Defense Authorization Act into law, which expands whistleblower protections to Defense Department sub-contractors and sets up a pilot program to test expansion of the program to contractors of other agencies. The law means government contractors will have to be on high alert for whistleblower retaliation. More details inside.
 

Auditors to Focus on Internal Controls After Poor Inspection Results

December 18, 2012

Public companies can expect extra scrutiny of their internal control over financial reporting in the upcoming audit cycle after regulators warned auditors to fix lingering problems. The Public Company Accounting Oversight Board said the percentage of audits with inadequately supported opinions on internal control over financial reporting rose to 22 percent of cases examined in 2011, from 15 percent in 2010. "Those numbers are too high," said PCAOB member Jeanette Franzel.
 

Fostering Ethics Transparency in the Expanding Supply Chain

November 20, 2012

Identifying ethical and social compliance risks in the supply chain, such as child labor, worker abuse, and poor working conditions, is becoming increasingly difficult in expanding and complex supply chains. During a panel at the Compliance Week West conference in Palo Alto, Calif. last week, executives from Target, Gap, and MetricStream provided strategies for gaining better visibility and monitoring of supply chains. A rundown of their discussion is inside.
 

Disclosure Questions Arise After a Cyber-Attack

November 13, 2012

When hit with a cyber-attack, many companies choose to remain tight-lipped on the incident, despite guidance from the SEC that requires disclosure of cyber-security risks and attacks that result in material losses. "Companies may find that the risk of actual disclosure is much higher than the penalties for not disclosing," says Josh Walderbach, senior network security and compliance analyst at data security company LogRhythm.
 

Codes of Conduct: Values or Principles-Based?

November 06, 2012

Many companies are reviewing their codes of conduct to consider new regulatory risks and other developments like social media and privacy concerns. But a debate is brewing over how much to include in the code of conduct. Should they address a few core principles—Boeing's code runs just one page—or should they cite chapter and verse on policies and rules? Pros and cons of each approach inside.
 

Fostering a Unified, Ethical, and Global Corporate Culture

November 06, 2012

Building an ethical corporate culture can be difficult under even the best of circumstances. Add to the mix a workforce located in multiple countries, each with its own culture, language, and legal system, and the challenges are magnified. Yet, companies can't ignore these obstacles. "The goal is to inspire, across cultures, the behaviors you want to see more of," says Wayne Brody, ethics and compliance advisor at consulting firm LRN.
 

Identifying Compliance Risks and Trends

October 10, 2012

Analyzing data for emerging risks, trends, and remediation is no easy task. First, companies must know what data they have and where it is, and then how to turn it into useful knowledge. To help get the job done, companies are increasingly turning to governance, risk, and compliance systems that give them more visibility into risks and provide reporting to the units that manage those risks. Details inside.
 

COSO's Take Two on Internal Control Framework Earns Praise

October 10, 2012

The Committee of Sponsoring Organizations circulated its second attempt at revising its Internal Control—Integrated Framework, which virtually all public companies rely on to assess their systems of internal control. While some still have concerns, the near-final draft is earning praise for its clearer, practical approach. "When I looked at the new material I was very pleasantly surprised," says Norman Marks, vice president at SAP.
 

EEOC Enforcement Plan Signals Shift to Systemic Cases

October 10, 2012

The Equal Employment Opportunity Commission's revamped strategic enforcement plan, released last month, indicates a shift by the agency to focus more on systemic cases—those that indicate widespread abuses of EEOC rules, the agency says, rather than focusing on specific individual complaints. "Those systemic cases bring with them much litigation risk to employers," says Steven Gutierrez, a partner with law firm Holland & Hart.
 

Building Regulatory Intelligence

July 31, 2012

Effective policy management starts with monitoring changes to the business, regulatory, and risk environments to determine how change impacts current and needed policies. The latest installment of our GRC Illustrated series offers insights on how best to track these changes so they can be analyzed in light of policy needs.
 

The Evolving Role of Internal Audit

July 24, 2012

Thousands of internal auditors convened in Boston earlier this month, and came away with one basic conclusion: The profession needs to expand its skills and expertise to prosper in today's data-soaked world. "We have a great challenge to push executive management and the board to respond to those changes," said Mark Carawan, chief audit executive for Citigroup. More on the state of internal audit is inside.
 

Why Do Policies Matter?

June 26, 2012

From time to time people still ask why policies matter: Aren't policies just more unnecessary bureaucracy, they ask? But good policies define the organization's governance culture and objectives. Without the guidance provided by well-written policies, corporate culture may morph and take the organization down unintended paths. The latest installment of our GRC Illustrated series offers insights on effective policy management.
 

State of Compliance 2012

June 19, 2012

According to the PwC and Compliance Week State of Compliance 2012 survey, companies are adding to compliance budgets and hiring more staff. Yet they struggle to leverage those resources to keep pace with the increasingly complex, specialized issues they must handle. "There is increased pressure on boards around risk management and it means increased pressure on compliance officers," says Sally Bernstein, a principal in PwC's advisory practice.
 

Improving Internal Audit & Control

June 12, 2012

Internal audit and control functions have long been war-weary parts of Corporate America, bombarded by ever-more risks to monitor and disclosures to make. Two sessions at the Compliance Week 2012 conference explored how audit and compliance executives can rally for a counter-offensive. Details inside.
 

The Metrics System: Measuring Compliance Effectiveness

June 12, 2012

Compliance officers are under increasing pressure to demonstrate to senior officers, their boards, and regulators that the compliance function works. That means finding ways to measure compliance program effectiveness. At the Compliance Week 2012 conference, compliance executives shared their approaches to capturing and reporting compliance metrics. Details inside.
 

Risk-Management Failures Highlight the Need for More Scrutiny

June 05, 2012

As recent problems at Walmart and JPMorgan indicate, companies still have more work to do on refining risk-management systems. A new survey from research firm Lexakos finds that companies are expanding risk-management committees to include more functions. Yet nearly half of those surveyed say they don't have a dedicated chief risk officer, and 43 percent say it's not a budget priority. More survey results inside.
 

Regulators' No Admission Settlement Policy Under Fire

May 30, 2012

The policy of the SEC and other regulators to settle cases of alleged fraud on a "neither-admit-nor-deny" basis is under increasing fire from critics who believe such settlements are too lenient. During a recent committee hearing, members of Congress assailed the policy as irresponsible, while others defended it as a practical necessity. Details inside.
 

Best Buy Debacle Offers Lessons in Crisis Management

May 30, 2012

When allegations arise against a CEO of an inappropriate relationship or other misdeeds, the compliance officer is often forced into a difficult balancing act. The CCO, in assisting the board, must weigh the need for quick action with the need for a thorough and fair investigation. Best Buy recently faced such a situation, and how the company responded may serve as a model for good crisis management. Details inside.
 

Electronic Information Deluge Putting a Strain on Records Management

May 22, 2012

Despite increased resources and good intentions, companies are still fumbling when it comes to executing a comprehensive information management program that balances the unique needs of physical and electronic documents. A recent survey from Iron Mountain found that nearly three-quarters of respondents said they lacked a cohesive, multi-year strategy for records and information management. More survey results inside.
 

Maintaining an Effective Compliance Program

May 22, 2012

Building out a first-rate compliance program is no easy task, but it's still only the start of the process. Maintaining its effectiveness by keeping up with rapidly changing regulations, assessing compliance gaps and filling them, and mitigating ongoing compliance risks are all necessary to ensuring that a compliance program stays on track. Details inside.
 

Integrating Risk Appetite and Risk Management

May 15, 2012

Three years after the financial crisis, it's clear that companies still struggle with how to manage risk in the organization; just ask JPMorgan. Part of the difficulty: Getting a handle on risk across the organization is a complex undertaking which requires a careful balancing act. Integrating a formal statement of risk appetite with the risk-management program is an important step. Details inside.
 

Recipe for Anti-Corruption Successes: Due Diligence, Diverse Messaging

May 08, 2012

Much goes into doing anti-corruption properly, but there are four broad categories that top companies focus on: assessing corruption risks, devising controls against them, implementing those controls and procedures with the local workforce, and then following up with constant monitoring. Inside, more lessons for building an effective anti-corruption program.
 

Compliance Rescues Morgan Stanley From FCPA Prosecution

May 08, 2012

Morgan Stanley was exonerated from Foreign Corrupt Practices Act violations last month, despite a guilty plea by one of its top executives. The Justice Department and the SEC are citing the bank's strong compliance program for why it declined to pursue charges. "Corporate America has been sent a clear message that those who try will be rewarded," says Roy Snell, CEO of the Society of Corporate Compliance and Ethics.
 

How Not to Go Public

May 01, 2012

Online coupon purveyor Groupon got a rude awakening early in its public-company life: The Internet darling was forced to drastically revise down earnings and to admit to several internal control weaknesses. Shareholders quickly filed lawsuits. Such suits are likely to become more common now that the JOBS Act makes it easier for companies to go public without proper control systems. More inside.
 

Banks Collaborating on Account Management Automation

May 01, 2012

The world's largest banks are working together to build a system that will standardize and simplify the management of their corporate clients' bank accounts. Known as eBAM, the system automates the process and uses common terms to manage accounts. It also simplifies creation of reports that aggregate and analyze data, makes it easier to audit the accounts, and improves security features for clients. Details inside.
 

Enterprise GRC Systems: Ready When You Are

May 01, 2012

After years of industry consolidation, integrated enterprise governance, risk, and compliance systems are ready for prime time. The systems can produce sophisticated risk analytics, real-time reports, and alerts on control failures. To take advantage of these GRC system features, however, internal processes must be thoroughly understood and cataloged. Details inside.
 

COSO Framework Overhaul Sparking Deeper Debates

April 24, 2012

COSO's effort to update its famed, but 20-year-old, framework for managing internal controls has sparked a deeper debate this spring about how companies should approach internal control overall. "Some of COSO's own members are critical of the draft. It speaks to the fact that these organizations took their role seriously," says Norman Marks, vice president at SAP. A closer look is inside.
 

Remaking Internal Audit to Focus More on Strategic Risks

April 10, 2012

Once upon a time, internal audit departments were busy enough with reviewing financial statements and Sarbanes-Oxley compliance. But as company risks have exploded in recent years, the modern audit department has had to reconfigure its skills and priorities to match. The emerging result: audit departments pressured to understand what drives the business and to build deeper relationships with top managers. More inside.
 

Building an Effective Global Anti-Corruption Program

March 20, 2012

What are the hallmarks of a best-in-class anti-corruption compliance program? Anti-corruption experts cite five standard elements: a risk assessment, one global set of standards, wise use of technology, a strong tone-at-the-top, and constant monitoring of effectiveness. Companies that incorporate these characteristics will go a long way toward reducing corruption risks. More inside.
 

Starting a Compliance Program From Scratch

March 13, 2012

As many compliance officers know, being a compliance department of one is difficult enough. What if you're an organization's first-ever compliance officer? How do you go about building a program from scratch? Inside, we provide some insights on getting a compliance program off the ground. A more in-depth discussion of the topic will take place at the Compliance Week 2012 conference. Details inside.
 

Rethinking Supply Chain Risk Management Strategies

February 22, 2012

Companies such as Cisco Systems are working to get more visibility into, and control over, supply chain disruption risks. The strategy: invest heavily in analytics and build risk management into the design and planning phase of that. Other businesses, alas, still lag. "Overall, most companies don't have a strategy for managing supply chain risks," says Jerry O'Dwyer, a principal at Deloitte.
 

COSO Framework Update Strives for Incremental Change

January 03, 2012

The Committee of Sponsoring Organizations' proposal to modernize its landmark framework to govern internal controls is finally here—and is being praised as much for what it doesn't change as for what it does. "I don't see companies that have already used COSO having to change anything very much," says Norman Marks, vice president at SAP. A look at the tech-centric, globalized overhaul is inside.
 

The Reasonable Person: Internal Audit's Role in Internal Investigations

November 08, 2011

Yes, sometimes the best response to an allegation of misconduct is to commission an external investigation—but in many cases, an internal investigation will do just as well. How can you assure objectivity and independence in those cases? Inside, Compliance Week Columnist José Tabuena explores internal audit's role in serving as the "reasonable person" whose expectations are what counts in court.
 

SEC Settlement Gives Insight on Internal Control Requirements

November 08, 2011

A settlement between stock exchange Direct Edge and the Securities and Exchange Commission reveals some of the SEC's latest thinking on proper internal controls. The agency accused the company of failing to invest adequately in its systems and processes, and of lacking proper backup and failover systems. As part of the settlement, Direct Edge agreed to hire a chief compliance officer who reports directly to the CEO.
 

Boards Continue to Struggle With Oversight of Risk Management

September 27, 2011

A new report suggests that boards haven't done all they would like to tackle risk-management issues. More than half of those surveyed say they don't spend enough time on them, and about the same number say their companies still don't have a chief risk officer. Meanwhile, more than 60 percent say that personal liability risks for directors are increasing. More survey results inside.
 

Proper Execution of an Employee Survey

August 16, 2011

Employee surveys are one of the best ways to measure corporate culture: They create data on workplace behavior, and indicate trouble spots. "What we gain out of them is a better understanding of the ethical environment in our organization," says Bob Miromonti, head of compliance at $1.5 billion Centene Corp. So how should a survey be conducted? Details inside.
 

Want Strong Controls? Start With Respect

August 16, 2011

Speaking of employee surveys—Jason Mefford, head of internal audit at Ventura Foods, writes in a guest column this week that one of the most important variables a survey should track is employees' perceptions of respect in the workplace. If you want more engaged and productive employees, he says, then focus on respect in your organization.
 

Auditing in the Clouds, Coming Down to Earth

July 12, 2011

The move to cloud services continues to accelerate, but the shift is more than just a change in technological platforms. It fundamentally alters the way business and IT systems function. Inside, Columnist José Tabuena looks at the many challenges the cloud creates for internal audit, including a lack of security standards, and finds that no way currently exists to audit the cloud in a consistent manner.
 

Improving Risk Assessments and Audit Operations

June 07, 2011

OK, you've been managing Sarbanes-Oxley compliance for years and your internal controls over financial reporting are solid. What's next for the internal audit team? How do you monitor other risks? Audit and compliance executives from Disney, Office Depot, Timken, and elsewhere gave attendees at Compliance Week 2011 a glimpse into their programs. Full coverage inside.
 