compliance

Small companies struggle with controls

Jim Kim — Wed, 17 Sep 2008 09:33:42 -0400

No one thought non-accelerated filers would be all that smooth. But no one thought they would be an outright disaster. Most people assumed that most they would find a way to muddle through their first year of Sarbanes-Oxley compliance. And that's pretty much what happened. According to a Lord & Benoit survey, more than one-third of small companies reported they had ineffective internal controls this year. Only about half that percentage of larger companies said the same. Of course, CFO.com reports, these filers do not yet have to have an audit firm attest to the effectiveness of the controls, which could mask even more problems. Interestingly, about 20 percent of survey respondents did not comply with Sarbox, either by not filing a 404 report or failing to express an opinion about controls. You can bet performance will improve next year when 404(b) kicks in.

For more:
- here's the article

Costs of fraud still on the rise

Jim Kim — Wed, 17 Sep 2008 09:32:47 -0400

For whatever reason, fraud continues apace in the corporate world, according to a survey by Kroll and the Economist Intelligence Unit. The average company lost $8.2 million over the past three years to various types of fraud. That's a 22 percent rise from last year's survey, which would suggest a big kick up in the last year or so. Theft of physical assets was the most widespread fraud, affecting 37 percent of companies, up from 34 percent last year. Information theft increased to 27 percent from 22 percent, and regulatory and compliance breaches grew to 25 percent from 19 percent. It's not clear that a lot of this stems from executive malfeasance. So what does it all mean? Well, fraud will never be stamped out, and a tougher economy could be tempting employees in negative ways. As for executive fraud, Sarbanes-Oxley has raised the stakes, but no one thinks it will ever go away completely.

For more:
- here's the article

How to get p-card abuse under control

Jim Kim — Wed, 10 Sep 2008 10:54:25 -0400

Purchasing card abuse has long been a challenge in the back office. In today's highly regulated environment, more companies are taking steps to minimize their risk and enhance their auditing and compliance controls in this area. A recent report by JPMorgan offered four best-practice suggestions: 1) Adopt new technology, because you need every advantage, and you can't possibly do it all by hand anymore; 2) train first to make sure your people know how to run apps; 3) enhance auditing practices, perhaps extending them to area previously uncovered, like weekends; and 4) conduct periodic peer reviews. This might be done in conjunction with regular internal audits. Article

Have you successfully separated duties for info security?

Jim Kim — Thu, 04 Sep 2008 13:43:31 -0400

From the IT point of view, separation of duties is a pillar of the compliance process when it comes to Sarbanes-Oxley and other laws. On one hand, it is common sense. You want separate people in charge of separate functions, such that no one person can really work the system wrongfully. It also prevents people from having conflicting responsibilities, and from being put in a position to essentially report on themselves or their superiors. ComputerWorld offers a quick, three-question test: Can any one person alter or destroy financial data without being detected? Can any one person steal sensitive information? Does any one person have influence over control design and implementation, as well as over reporting of the effectiveness of the controls? If you answer yes to any of the above, then you need to revisit your system. Article

Jury still out on Sarbanes-Oxley and IPOs

Jim Kim — Wed, 13 Aug 2008 17:55:54 -0400

A San Jose Mercury News columnist notes that Sarbanes-Oxley has turned 6 and laments that he hasn't received a single invitation. Well, there were few parties in Silicon Valley, where Sarbox is still blamed for all manner of evil. But the columnist suggests--rightly in my opinion--that small companies that find a way to deal with the law will be better off down the road. Rackspace Hosting managed to go public. The San Antonio company attributed about $4.7 million of its $331 million in 2007 expenses to compliance with Sarbox. The hope is that the liquidity and gains in investor confidence will exceeds the costs. I have a sense that when the market and economy pick up again, we'll be seeing a lot more offerings. There's no reason why small companies can't find the same ROI that compliant big companies have.

For more:
- here's the column

Critics of XBRL hoping for a delay

Jim Kim — Tue, 12 Aug 2008 09:45:32 -0400

Has the fact that small companies won a series of reprieves from compliance with 404(b) of Sarbanes-Oxley emboldened big companies facing an aggressive XBRL adoption mandate? Maybe. Big companies seem to be hoping that the SEC will heed their warnings and delay XBRL adoption for companies both big and small. Recall that the SEC laid out a schedule that would call for big companies to report results for a fiscal period ending in late 2008 in XBRL; small companies would follow a year later. CFO reports that big companies have filed comments suggesting that the timetable is too aggressive. While this is understandable, companies may be better off if they ramp up their XBRL efforts now. The last thing you want to do is risk noncompliance. Pfizer and Comcast, reports CFO, warn of tricky vendor issues. Bottom line: Counting on a delay is a poor solution.

For more:
- here's the article

Top 10 ERM-GRC myths

Jim Kim — Mon, 28 Jul 2008 12:59:00 -0400

A lot of companies have moved to augment enterprise risk management platforms with dedicated governance, risk and compliance (GRC) solutions. That trend isn't going to disappear anytime soon, but some companies will likely come away disappointed with the results. It's fair to say that automation can seem like anything but in a lot of cases. Newsfactor.com offers a list of 10 ERM-GRC myths. I'll mention a couple here. Myth No. 9: CIOs embrace GRC--while this is literally true, it's also true that many parts of the organization were standardized on a common GRC platform, leaving piecemeal approaches intact. Myth No. 5: Traditional audit planning is good enough--you can't afford to scrutinize everything. "Is it worth tying up valuable stakeholders in management and on the audit committee to assess the risk inherent in the coffee procurement process for a remote sales office?" Fortunately, AS5 sets a good tone on this issue.

For more:
- here's the entire top 10

Bank spending on fraud and authentication soars

Jim Kim — Thu, 17 Jul 2008 08:41:56 -0400

Banks have a lot to worry about as they take their web-based services to new levels. Phishers and others fraud artists are boosting their sophistication levels, a challenge that banks cannot afford not to meet daily. Unsurprisingly, a Gartner survey has found that spending on anti-fraud technologies seems to be on the rise, even in a tough budgetary environment. According to Finance Tech, online banking fraud detection is the most implemented fraud management system among banks, followed by enhanced consumer authentication for websites. Over the next two years, plans for new spending include "stronger caller authentication for customers that telephone call centers." These trends are hardly surprising. This is smart from a compliance and PR point of view.

For more:
- here's the Finance Tech article

The compliance dangers of Web 2.0

Jim Kim — Fri, 11 Jul 2008 08:19:50 -0400

For hackers and thieves, the rise of Web 2.0 as an enterprise-level communications medium looms as a goldmine. Forrester Research says that a lot of new-age collaborative services are in operation without a lot of thought being paid to security and compliance concerns. The survey found that nearly all respondents noted benefits from the use of Web 2.0 applications, but only 5 percent actually implemented any protection mechanisms. This could lead to a lot of really painful hacking-like activity involving "malware," notes the NewsFactor Business Report. There is potential for a real compliance breach, as hackers find new ways to extract sensitive data. The article notes that scouring outbound email is hardly the answer these days. There are a wide range of solutions available. You might want to take a look now.

For more:
- here's the article

A quid pro quo for IFRS adoption?

Jim Kim — Thu, 03 Jul 2008 09:32:10 -0400

The big issue right now in the accounting world is International Financial Reporting Standards (IFRS). There's a whole lot of anxiety about when companies will have to comply. One idea that cfo.com mentions is a moratorium on new accounting rules, to give companies a fighting chance of implementing IFRS in good form. The changeover will be massive--a fact not lost on the rule makers (we hope)--and will affect just about all touch points in the reporting cycle, including Sarbanes-Oxley to some degree. Systems and processes and controls will have to be tweaked. Costs will rise. Most assume that the change will require two sets of books for a few years. One issue is whether this moratorium will hold for small company 404(b) compliance. It would mark yet another delay, but would certainly make IFRS adoption more palatable to nonaccelerated filers. We'll see if the idea has legs.

For more:
- here's the cfo.com article