CA Community

December 2009 - Posts

Sarbanes-Oxley – Unconstitutional?

Published: December 29 2009, 10:15 AM | no comments
by Chris Stoneley

As previewed by Sumner Blount in his November 30th blog post, the Supreme Court on December 7th heard opening arguments challenging the constitutionality of the 2002 Sarbanes-Oxley Act, which came out of the scandalous collapses of Enron, WorldCom, Tyco and other companies early this decade. At issue in the lawsuit, filed by the Free Enterprise Fund and a Nevada accounting firm, is the Sarbanes-Oxley law's creation of an independent board to police auditors of publicly held companies.

“If you combine the ability to make laws and enforce the law, that’s what King George did – and that is the ultimate definition of tyranny,” said lawyer Michael Carvin in an associated NPR interview. Their story and an audio recording can be found here.

In case you missed Sumner’s previous post, the crux of the matter, as reported by the Courier, is:

“The plaintiffs argue the Public Company Accounting Oversight Board violates the Constitution because it is not accountable to the president. The president lacks power to review the board's work or influence its finances, the plaintiffs said. Board members are appointed by the Securities and Exchange Commission, which cannot remove board members for anything other than willful violations, the plaintiffs have said. They also have argued the arrangement violates the constitutional guarantee of a separation of powers because Congress has at least as much control over the accounting board, if not more, than the White House. The Securities and Exchange Commission and the accounting oversight board are both subject to congressional oversight.”

Much has been made of this law and its consequences since it was enacted, with many as a result calling it the ‘new employment act for auditors’ – but now that the requirements of the act are so ingrained in so many large, publicly traded companies, is it here to stay? Certainly there are those that have protested its very existence since its initial enactment – a quick Google search brings up a myriad of articles on the subsequent mass privatization of companies and the exodus of companies to stock exchanges and trading boards in countries with far less stringent reporting requirements – but is the anti-SOX wave now reaching tsunami-like proportions?

Many point to recent ‘smaller wins’, such as the measure voted on by the House in November working towards exempting smaller companies from some of the more onerous requirements, as small victories in a much larger battle (the Garrett/Adler amendment).

Having been entrenched in a large financial institution during the more formative years of the Sarbanes-Oxley Act (the so-called ‘year zero’ through the publication of the PCAOB’s Auditing Standard No. 5 and the Securities and Exchange Commission’s guidance), I can see the benefit of the enterprise governance, risk and compliance (GRC) programs that were largely established in the wake of SOX and in some cases further developed and tuned in response to the more prescriptive guidelines and requirements that were to follow (such as PCI, for example).

While I can see portions of the act that must change over time, to re-encourage the sort of free enterprise and opportunity the United States built itself upon, I feel that many of the components of the act that promote oversight, clarity and visibility, both to executive management and to the public, must be here to stay. Yes, some relaxation of some of the rules may bring companies flooding back to ‘the greatest stock market in the world,’ but investors, forever burned by the likes of Enron, WorldCom, et al, are now always going to look for that extra insight that the publication of additional information and disclosure of significant events is going to bring. Even the companies themselves have become dependent on the value added by the extra level of documentation, testing and certification that comes with formally documented processes, controls, and the associated risk management and governance practices.

Unconstitutional? Perhaps – on a technicality, the Sarbanes-Oxley act will start to fray and unravel… but I firmly believe the tone of ensuring corporate transparency is welcome, necessary, and here to stay.


By: Chris Stoneley
A twenty year computer industry veteran, Chris Stoneley joined CA in 2008 as a Principal Consultant for the GRC business unit. He started his career by founding his own consulting services company in Scotland while pursuing his Bachelor’s degree at Heriot-Watt University in Edinburgh. After graduation...

Video Blog: ARMA Obsolescence of Technology

Published: December 22 2009, 10:11 AM | no comments
by Crystal King

Bill Manago talks with John Phillips, CEO of Information Technology Decisions, about the lifecycle of information and the impact technology has on its accessibility and availability. Organizations need to have a data migration plan and strategy for long term retention.


By: Crystal King
Crystal King is a communications director at CA, working with the Service Management and Information Governance teams. She has been in marketing and public relations for over 15 years, working with companies such as Sybase, Nexaweb, First Data and Bowne. She currently teaches social media classes at...

Is Basel II Dangerous for the World Economy?

Published: December 22 2009, 09:45 AM | no comments
by Rob Toner

For starters, Basel II is the second set of recommendations on banking laws and regulations published by the Basel Committee on Banking Supervision. It is the most important framework that is focused primarily on financial institutions. The key principles of Basel II can be summarized in its three pillars: minimum capital reserves, supervisory review, and market discipline. Widely followed in Europe, it is becoming the standard in the United States.

The intent of Basel II is to reduce excessive leverage (and therefore financial risk) in the banking industry. By regulating how much capital a bank must keep in reserve (as a percentage of total assets), it has helped to ensure that banks would have sufficient reserves on hand to meet their normal customer needs. In this sense, it has helped to reduce financial risk in many banking institutions.

In general, do regulations weaken the economy?

Some people will tell you that all regulations and government oversight unnecessarily weigh down companies with red tape and cost, therefore negatively affecting the overall economy. Arguments to this effect are nothing new. Others will tell you that the better business processes provided by thorough evaluation of each business process more than pay for the increased costs that they bring. The reality is that there is an appropriate level of oversight that is necessary in order to provide and maintain confidence on the part of the public and to make sure certain industry standards are met.

How Basel II is different than most regulations

The effect of this regulation can be significant, especially because of the capital reserve requirements (Pillar 2). These requirements could necessitate behavior which could accelerate a downturn once one starts. The general nature of having a reserve is pro-cyclical, which means it magnifies what is already going on in the economy. In good financial times, capital reserve requirements have less impact due to the increased value of the assets. Unfortunately, in less prosperous times, the Risk Management Pillar of Basel II can actually dictate the need to be more conservative with investments. This shift in thinking is exactly what the broader economy does not want to have happen. For this reason, Basel II can, if not managed, make a shaky economy worse, and therefore be an overall negative for the economies of the world.

This same phenomenon occurs within our personal financial situations. If there is news of a downturn in the economy, it is common to start being concerned about your job. This concern may force you to delay new purchases. These delays impact the people who sell those products and those that manufacture them, causing concerns on their parts about job security. At some point, fear of a financial downturn can be a self-fulfilling prophecy.

Was Basel II responsible for last year’s financial crisis?

The answer to that is a resounding no. First off, the flashpoint for the credit problems was the sub-prime real estate market in the United States. Basel II, though coming to America, has not been fully adopted. For that reason, it can’t be blamed for the current economic situation. In fact, there is a case to be made that the kind of risk analysis mandated by Basel II should help in situations such as these. Additionally, there is a wonderful opportunity to take advantage of our recent misfortune and use the extreme experiences of the past year to provide excellent stress testing for Basel II efforts. Evaluating risk programs against real world scenarios should provide excellent value. Through this backward-looking analysis, it will likely be clear that Basel II and risk management programs as a whole will need modifications. It is not likely that this will usher in a movement for a Basel III, a full rewrite of Basel II, though the time for Basel II ½ may be upon us.


By: Rob Toner
Rob Toner is a Principal Consultant in the Governance Risk and Compliance Business Unit at CA. He made the leap to GRC Pre-Sales last year, after 16 years in an IT Role in both development and the Program Management Office. Rob brings an extensive background with several Project and Portfolio Management...

Leveraging Compliance for Operational Excellence

Published: December 18 2009, 07:50 AM | no comments
by Shirief Nosseir

It comes as no surprise that compliance requirements are expected to multiply over the next few years across many industries. But the question I get asked often is how a business can continue to be effective at meeting increasing compliance requirements without hampering its operational excellence and innovation.

Well, more and more businesses are now taking a strategic approach to compliance, making it risk-based and benefits-driven. “Check box” compliance has proven to be an unreliable and costly way to meet audit and regulatory requirements. Risk assessment and rationalization of controls across multiple regulations continue to be the most effective way of reducing the compliance burden. We need to keep in mind that in 2008, on average (according to GMG Insights, GMG Global IT Compliance Report 2009), large organizations in Europe had to monitor 48 separate regulations, so eliminating redundancies is a critical requirement.

Also, too many businesses continue to tackle their regulatory requirements at the business unit level, which creates a series of ‘compliance silos’ across the business. At the same time, many businesses also treat compliance and risk management as silos of responsibility, supported by costly, reactive point solutions. In these cases, the business efficiency and value benefits of a comprehensive compliance and risk management program are lost.

Instead, the organisation should be looking to run its compliance needs according to risk priorities. Critical risk areas should be addressed by a set of corporate policies that make it easier to respond to all related regulatory requirements rather than creating a solution specific to each regulatory requirement.

According to a survey (GRC Strategy Survey 2007) conducted by the Open Compliance and Ethics Group (OCEG), 65% of respondents reported serious business problems through inconsistent or redundant compliance and risk management processes. Moreover, 71% of respondents who integrated their compliance and risk management activities met or exceeded their expectations.

Here’s a CA paper with more thoughts on continuous compliance. 

Anyone out there with their own experiences/thoughts?


By: Shirief Nosseir
With a degree in computer science and business administration, Shirief brings business and technical know-how to his role on the EMEA Security Management team. As he interacts with many organisations and experts in the field, he is able to understand their experiences and challenges and help devise...

Why Web Security Standards are even More Important in a Cloud Connected World

Published: December 17 2009, 03:40 PM | 1 Comment(s)
by Matthew Gardiner

One of the beautiful things that follows from the IT Cloud being an extended use case of the Web is that all the work done on Web security-related standards over the last 10+ years applies directly to the IT Cloud. It is almost as if these standards - SAML, SPML, XACML, WS-Security, WS-Trust - were designed with the Cloud-connected IT world in mind; which in fact they were. These standards are directly related to the enforcement and management of security across various security domains. They help ensure that my security system will talk to your (customer, partner, or cloud service provider) security system when we split up and integrate our applications and data across the Internet using Clouds.

So what is the problem here? Aren't the security problems solved then? No, they are not. What the Cloud industry lacks is standards adoption. The security software vendors have done a good job enabling these security standards in our products (apologies for the indulgent self-congratulations), in part because we see demand for them in more traditional enterprise Web security applications. The new Cloud industry overall is behind in adoption, but I still have hope. I suppose I must be patient, as the Cloud industry is still relatively immature. One promising exception has been the adoption of SAML for federated SSO by many of the big Cloud names. This was highlighted at last summer's Burton Catalyst conference via an interoperability event.

The problem is if we as an industry don't aggressively push on the use of security standards for the Cloud, then we are destined to be wallowing in proprietary Cloud security implementations and the insecure and expensive application security silos that come with them for the rest of our careers.


By: Matthew Gardiner
Matthew Gardiner is a Director working in the Security business unit at CA Technologies. He is a recognized industry leader in the security & Identity and Access Management (IAM) markets worldwide. He is published, blogs, and is interviewed regularly in leading industry media on a wide range of IAM...
