News

Achieving a Unified View of Financial Crime Risk

ISO 20022: Tepid U.S. Embrace for New Financial Standard

The push to adopt a new ISO standard for financial transactions is gaining momentum on a global scale—even as the United States continues to weigh the business case for it. “It’s important because it is seen as the standard that all new financial transactions will move to over time,” says Barry Kislingbury at consulting firm ACI Worldwide. Compliance technologists in the U.S. banking sector, however, remain unconvinced. Details inside.

Firms Struggle to Secure Data

Hard Measures: Gauging the Effectiveness of Online Training

Nearly all companies provide some online compliance training. So how do they know it is working? Many don’t. But companies are getting better at evaluating the effectiveness of training and observing to see if it actually changes behavior at the company. “Over the last twelve to 18 months, I’m hearing more clients talk about effectiveness,” says Ingrid Fredeen, vice president of advisory services with NAVEX Global. 

Study Up: Online Learning May Be Vulnerable to Hack

Online learning is a booming part of compliance training—and a seldom-discussed IT weakness in such systems is growing along with it. Learning systems can be hacked, experts say, jeopardizing a company’s training documentation. “Both sides of the equation have changed,” says Jan Sramek of Better, an e-learning vendor. “Cheating has gotten easier, while breaches have become more costly.” More on the hack (and how to stop it) is inside.

Facebook’s Big Data Fail Spurs Call for More Ethics

Facebook’s recent stumble with an experiment that manipulated users’ news feeds has once again reopened the discussion of integrating ethics into how companies and their vendors use Big Data. “We are starting to realize that, when it comes to data, the era of digital strip mining is over,” says Neil Richards, a law professor at Washington University.

States Making Tough New Breach Notification Demands

Florida has become the latest state to adopt its own data breach notification law in the absence of any federal legislation to that end. The Sunshine State’s law is more expansive than most, and the fundamental problem for compliance officers isn’t going away. “The key is understanding what the entire patchwork [of legislation] is and then trying to set some standards to account for all of them,” says Philip Zender of the law firm Squire Sanders.

ERP Systems Have Come a Long Way on GRC Solutions

Sure, a company can put together an elegant suite of best-in-class solutions for governance, risk, and compliance, but before investing in dedicated solutions, don’t overlook what you might have in place already—an enterprise resource planning suite that may be well suited to cover your GRC needs. “Industry-specific compliance, plus regulations like the Sarbanes-Oxley Act, plus globalization and outsourcing, have led users to expect more from GRC features from ERP,” says Chuck Langenhop, senior director of CFO Advisory Services.

ERP Systems Have Come a Long Way on GRC Solutions

Sure, a company can put together an elegant suite of best-in-class solutions for governance, risk, and compliance, but before investing in dedicated solutions, don’t overlook what you might have in place already—an enterprise resource planning suite that may be well suited to cover your GRC needs. “Industry-specific compliance, plus regulations like the Sarbanes-Oxley Act, plus globalization and outsourcing, have led users to expect more from GRC features from ERP,” says Chuck Langenhop, senior director of CFO Advisory Services.

BlackLine Systems Unveils COSO Jumpstart Solution

BlackLine Systems has unveiled its "COSO Jumpstart Solution" to help companies comply with new guidelines set forth in the updated 2013 COSO Internal Control—Integrated Framework. Details inside.

New Data Governance Tool Helps Mitigate Regulatory Risk for Banks

Collibra, a global data governance provider, has released a new product suite, designed to help large, complex financial institutions directly address some of their most challenging regulatory compliance and data reliability challenges. Details inside.

TSYS Partners With Oversight Systems

TSYS, a processor of merchant acquirers and bank credit card issuers, this month announced an agreement with Oversight Systems to provide an automated monitoring and analysis solution to help corporate purchasing professionals detect and eliminate fraud, policy misuse, and waste within their card programs.

ISACA Explains Interplay of COBIT Framework with COSO

ISACA, an organization that provides guidance and information on auditing computer controls, has published a guide to explain how its COBIT framework, widely used for the governance and management of enterprise information technology, relates to the new COSO Internal Control—Integrated Framework.

ARMA International Launches Information Governance Assessment

ARMA International launched this week its Information Governance Assessment, a software platform that organizations can use to identify information-related compliance risks across the enterprise, drive improvements, and develop metrics for measuring information governance program maturity. Details inside.

Busting the Barriers Between Compliance, IT, and the Business

Large, global companies have plenty of language barriers to consider—including the communication gaps that divide business functions. During a panel discussion at last week's Compliance Week Europe conference, compliance and legal executives from telecom giant BT and Bank of Ireland looked at how compliance executives can unify all three sides early, often, and effectively. More inside.

Investigations & Data: Get a Grip

Internal investigations, and the endless reams of data each one can bring, may seem overwhelming—but with savvy use of modern IT systems, compliance teams can cut an investigation's time and cost while increasing its effectiveness. Big Data analysis, de-duplication, automated translation, visualization, and other tools can turn an unwieldy probe into an organized one. More details inside.

e-Discovering the Cloud

Moving data-heavy components such as e-mail and collaboration systems to the cloud is a no-brainer, right? Not so fast. Companies that don't consider the cloud's implications on e-discovery could suffer major headaches later in excess litigation costs or damages resulting from poor recordkeeping. "You can see it as a train wreck waiting to happen if you don't think about these things in advance," says Michael Lackey, a partner at law firm Mayer Brown.

After Fending Off a Cyber-Attack, Disclosure Questions Will Arise

When hit with a cyber-attack, many companies choose to remain tight-lipped on the incident, despite guidance from the SEC that requires disclosure of cyber-security risks and attacks that result in material losses. "Companies may find that the risk of actual disclosure is much higher than the penalties for not disclosing," says Josh Walderbach, senior network security and compliance analyst at data security company LogRhythm.

Auditing in the Cloud Creates Storm of Problems and Concerns

The move to cloud services continues to accelerate, but the shift is more than just a change in technological platforms. It fundamentally alters the way business and IT systems function. Inside, Columnist José Tabuena looks at the many challenges the cloud creates for internal audit, including a lack of security standards, and finds that no way currently exists to audit the cloud in a consistent manner.

Defense Giants Step Up IT Security Controls

The U.S. Army describes its Future Combat Systems program as a “cohesive system-of-systems” comprised of software, networks, and hardware (as in next-generation tanks) that will allow the future soldier “to see first, understand first, act first, and finish decisively.”

Beyond Delete: Intelligent Email Policies

Corporate email retention policies continue to be driven by fears of litigation, leading many companies to adhere to strict “save it until you can delete it” procedures. But more nuanced alternatives exist for companies that want their email policies to be motivated more by business needs than legal risks.

Spreadsheet Controls, Without Going Crazy

Companies trying to comply with the Sarbanes-Oxley Act of 2002 are finding that one of the toughest—and yet most essential—areas for establishing controls over internal processes and procedures isn’t even required under the law: spreadsheets.

Getting Through A SAS 70 Audit: First-Hand Experience

In the wake of Section 404 of Sarbanes-Oxley, Compliance Week has written extensively about SAS 70 Type II audits. This week, we speak with the CEO of a database company that has recently undergone a SAS 70 audit

Spreadsheet Blues: Few Controls Yield Many Weaknesses

Hussain Hasan, managing director of technology risk management services at the Chicago accounting firm RSM McGladrey, minces no words about how poorly spreadsheets satisfy the requirements of The Sarbanes-Oxley Act of 2002. “They don’t at all,” he says. “Most public companies should not use spreadsheets as their main financial tool.”

Case Study: Internal Control Software At FMC Corp.

This "case study" is the latest in a series articles aimed at helping public companies understand how other organizations are using technology to comply with new regulations and standards.