COMPLIANCE WITH NEW GOVERNMENT REGULATIONS WHAT DOES IT MEAN TO US?. Wayne Embry Systems Engineer IT Management Solutions Specialist SAS Customer Care 9401 Indian Creek Pkwy Overland Park, Ks 66210 913-663-3264 x 1362 wayne.embry@sas.com. KCCMG February 18, 2004.
Regulatory intrusion is rewriting the rules of business. Sarbanes-Oxley, HIPAA, the Patriot Act and new SEC rules mandate changes in the way you capture, understand, retrieve and analyze enterprise information. The Sarbanes-Oxley Act and other new regulations have made compliance a corporate imperative. The question is: how do you develop an effective compliance program? Further, how do you choose from among the confusing array of technologies aimed at compliance? This presentation will explore the details of the most important content compliance challenges facing corporations today. I will also explore specific technologies and how they address high-priority compliance needs and demands.
In “A History of the American People”, Paul Johnson writes that J.P. Morgan believed that the tendency of economic activity in a free society was to produce primeval chaos, in which men fought savagely for supremacy and countless sins were committed. Freedom was needed for economic society to function efficiently, but the resulting chaos generated inefficiency as well as sin. He reasoned that some degree of order was needed, and that order could best be brought about by forms of economic concentration that imposed a degree of order without inhibiting freedom to the point where efficiency was again endangered. This valuable concentration was achieved by the corporation and trust.
DOES HISTORY REPEAT ITSELF?
One of the most famous examples of fraud was the South Sea bubble of 1720. The South Sea Company was chartered in England in 1711 and granted a monopoly of British trade with South America and the islands of the Pacific Ocean. During the next several years, the monopoly rewarded investors handsomely. With the company’s stock appreciating rapidly, the task of persuading new investors was easy. Between January and July of 1720, the stock grew eight times in value, attracting all manner of speculators and inspiring no end of imitators. By November, however, nearly nine-tenths of the value of the stock of the company had vanished, disgracing the directors of the company (who proved to have collaborated in assorted shenanigans with the company’s accounts), ruining thousands of investors and wreaking havoc on the finances of the entire British Empire. To many, this sounds quite familiar when reflecting on the market activities of the early 2000s.
Source: Corporate Governance, published by McGraw
GOVERNMENT COMPLIANCE ACTS
• Securities Exchange Act of 1934. First, the rules require a company to disclose whether it has at least one "audit committee financial expert" serving on its audit committee, and if so, the name of the expert and whether the expert is independent of management.
• Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) developed innovative approaches for compliance. While there are some differences, there are many parallels between FDICIA and Section 404 of SOA, including similar requirements, goals and frameworks.
GOVERNMENT COMPLIANCE ACTS (cont)
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to protect health insurance coverage for workers and their families when they change or lose their jobs.
GOVERNMENT COMPLIANCE ACTS (cont)
PATRIOT ACT
To satisfy the PATRIOT Act, financial services firms had to define, by Dec. 31, 2002, a solution to spot patterns of behavior likely to reveal money laundering. This Act requires financial institutions with accounts in the United States to establish “due diligence” policies and procedures to prevent, detect and report possible instances of money laundering. Other requirements include designating an internal compliance officer and establishing an ongoing employee-training program related to anti-money laundering.
GOVERNMENT COMPLIANCE ACTS (cont)
Sarbanes-Oxley Act
The Sarbanes-Oxley Act, signed into law in July 2002, requires CEOs and CFOs of all publicly traded companies in the United States, and of any companies outside the U.S. that are listed on the New York Stock Exchange or NASDAQ, to certify the accuracy of corporate financial reports.
GOVERNMENT COMPLIANCE RULES
SEC Rule 17a-4 states that broker-dealers must preserve all electronic records "exclusively in a nonrewritable, non-erasable format." It goes without saying that these, and all other corporate records, should be retained only as long as legally required, after which time they are destroyed. The rule also requires, however, that broker-dealers be able to produce those records in a timely manner in the event of an audit or regulatory investigation. This combination of requirements (records that cannot be altered while retained, that are destroyed on schedule, and that can still be produced quickly on demand) places enormous demands on a financial institution that can only be met with specific technologies.
1. Material changes must be reported at light speed. Most CFOs are aware that they now must provide the SEC with an 8-K form within five business days if their company issues an earnings release.
2. "Internal Controls" could mean much more than getting the numbers right. On the face of it, Sarbox seems to refer only to finance when it talks about the need for management to report on and assess internal company controls.
3. Sarbox doesn't stop at the shoreline. Laws governing exports and imports and foreign-based bribes and money laundering don't seem to have much to do with the domestically focused act.
4. Executive mobility just got a whole lot tougher. Remember the home loans that employers made to company managers, either to relocate an executive or to lure new talent to a different part of the country?
5. Private companies aren't immune to Sarbox. The Sarbox loan ban also figures into problems that nonpublic companies can encounter under the act. Officer loans are common practice in private companies, particularly in single-owner outfits.
Risks of Non Compliance:
• CEOs and CFOs are held personally accountable for the validity of financial reports
• CIOs and other executives may also be held liable
• Possible class action suits
• Reduction of investor confidence
• Significant loss of market capitalization
• Fraud litigation
PENALTIES OF NON COMPLIANCE
Section 906 Penalties
• CEO or CFO signs statement not meeting requirements:
  • Up to $1MM fine, up to 10 years in prison
  • Escalates to $5MM and 20 years for willful false certification
• General penalties:
  • Up to 25 years in prison for knowingly defrauding shareholders of public companies
Former Enron accountant surrenders to FBI Enron Corp.'s former top accountant surrendered early today and was taken in handcuffs to the courthouse to face six federal fraud charges related to the disgraced energy giant's 2001 collapse. Richard A. Causey, 44, accompanied by a pair of attorneys, walked into the Houston offices of the FBI just before daybreak. They had no comment as they entered the building. Less than an hour later, Causey arrived at the courthouse to await an appearance before a federal judge. Causey was described in the six-count indictment unsealed today as "a principal architect and operator of the scheme to manipulate Enron's reported earnings." Enron imploded in late 2001 in a sea of hidden debt, inflated profits and accounting tricks.
GRAND JURY TO REVIEW SKILLING EVIDENCE
Federal prosecutors are preparing criminal charges against former Enron Corp. chief executive Jeffrey Skilling for an indictment expected to be handed up this month, perhaps as early as next week. The two sources, who spoke on condition of anonymity, confirmed that Skilling, 50, was in the government's crosshairs on the heels of securing a guilty plea to two counts of conspiracy from former Enron finance chief Andrew Fastow last month. But they said the process was delicate and public revelation of the new case could be delayed. So far in the Justice Department's investigation into Enron's collapse, launched more than two years ago, 27 individuals have been charged.
Source: KC Star
ANOTHER FRAUD PENALTY
A former xxxxx on Thursday pleaded guilty in federal court to a criminal charge of obstruction of justice in a case related to a $1 billion accounting scandal at the software maker. xxxx, a 16-year veteran at xxx who last held the position of senior vice president of finance, faces up to five years in prison and a $250,000 fine. Meanwhile, the Securities and Exchange Commission also filed civil charges against xxx, who was ousted by the software maker last October along with two other executives, including its chief financial officer. The SEC complaint alleges that xxxxx participated in practices that led to early recognition of more than $1 billion in revenue from at least 95 contracts in fiscal 2000.
Paths to Compliance:
• Evaluate existing controls
• Identify high risk areas
• Determine appropriate level of control
• Establish and enhance controls
• Ensure documentation passes 3rd party review
• Communicate and train
• Monitor via disclosure committee
• Establish continuous improvement process
• Certify with confidence
KEY PROVISIONS
Section 302:
• Provides for executive certifications of financial reports
• Must include Management's certification of financial reporting controls
• Effective for all filings on or after 8/29/2002
KEY PROVISIONS (cont)
SECTION 404:
• Provides for internal controls for financial reporting
• Must include Management's evaluation of internal controls
• Effective for all annual reports on or after 9/15/2003
The final rules the SEC approved, an update regarding Section 404 of the Sarbanes-Oxley Act, say companies must comply with the rules for the fiscal year ending after June 15, 2004, rather than the previous deadline of Sept. 15, 2003.
Compliance Services
• Provide an independent “no conflict" Gap Analysis assessment
• Provide a clear, concise roadmap to compliance
• Recommend solutions - products and services
• "Best Practice" policy and procedure development
• Assess the 3 “A’s” of IT internal control:
  • Audit trails
  • Authentication
  • Access control
Compliance Services (cont)
• Provide advanced financial and technical expertise
• Project management capabilities
• Security architecture development
• IT strategic planning
• Risk analysis
• Independent review of vulnerabilities
• Implement corrective actions, policies, and process improvements
Can Sarbanes-Oxley rekindle IT spending?
AMR Research Survey Results:
• U.S. companies are expected to spend more than $2.5 billion to comply with new accounting rules required by the Sarbanes-Oxley Act, with a significant chunk going to information technology projects.
• According to analyst John Hagerty of AMR Research, which released the survey on the impact of the law, $2.5 billion is just the tip of the iceberg.
• As companies update their business systems to help them comply with the law, they could "kick-start" corporate spending on IT the same way the much-feared Y2K bug spurred companies to install or update software programs in time for the year 2000 date change, AMR said.
Source: Enterprise Software
An updated AMR Research survey of more than 70 companies raises the estimate of 2004’s SOA spending to $5.5 billion, with more than half, nearly $3 billion, in hard expenditures that could affect companies' bottom-line performance.
Source: AMR Research
AMR RESEARCH ANTICIPATES THE BUDGET BREAKDOWN
• Internal labor/headcount – 44 percent
• Outsourced services (advisors and consultants) – 33 percent
• Technology – 19 percent
• Other – 4 percent
Source: AMR Research
Putting the systems in place to "ensure compliance with Sarbanes-Oxley will boost investor confidence in the company," says Mattel CIO Joe Eckroth. Source: CIO
SARBANES-OXLEY Section 409
One section of the Sarbanes-Oxley Act that has broad technology implications is Section 409, which calls for real-time disclosure of "material changes." Like most of the act, Section 409 is vaguely worded and never actually defines material changes, but most experts think it could be anything from a stock sale by a corporate officer to the loss of a large account—basically anything that could impact a company's perceived market value. Section 409 can clearly be traced to the Enron, WorldCom, Adelphia and Imclone scandals, where the well-connected cashed out shortly before companies collapsed.
Aligning IT Operations with Corporate Goals
IT and Business Alignment is a Top Priority
• All of the major consulting organizations consistently rank IT and business alignment as one of the top five concerns of their clients.
• CIO.com rated expertise in aligning and leveraging technology for the advantage of the enterprise as one of the top skills required for an effective CIO.
• However… the ability to establish and maintain a close alignment between IT and the business continues to be an elusive goal.
Aligning IT Operations with Corporate Goals
IT and Business Alignment is a Top Priority (cont)
A recent survey illustrates the lack of effectiveness that still exists in many organizations…
Aligning IT Operations with Corporate Goals
What factors have contributed to alignment failures?
• Corporate Planning Issues
  • Missing or poorly conceived corporate-level business plan
  • Planning is extensive at the line of business (LOB) level but not tightly integrated between LOB groups – leading to conflicting requirements
• IT Planning Issues
  • IT and business alignment methodology poorly conceived
  • Focus of alignment is too limited or too tactical (e.g., focused on cost control issues or the “squeaky wheel” syndrome)
• And…
Aligning IT Operations with Corporate Goals
What factors have contributed to alignment failures? (cont)
• IT Planning Issues
  • Too often the alignment process fails to consider the IT operations group as a STRATEGIC PARTNER. Focus is directed at the development side, on:
    • Application enhancements
    • New application development
• Obviously, the need to align the IT application portfolio to the needs of the business is a critical and essential issue, but it is only part of the equation…
Aligning IT Operations with Corporate Goals
What factors have contributed to alignment failures? (cont)
• IT Planning Issues
  • Even when the IT operations organization is “fully engaged” in the alignment process, it tends to focus on efficiency issues surrounding:
    • Cost control
    • Cost avoidance
    • Service availability
  • These are very important issues and will always be critical in measuring the success of the IT operations organization… but they may not tell the whole story.
Aligning IT Operations with Corporate Goals
What factors have contributed to alignment failures? (cont)
• If the IT operations organization is to fully support the needs of its customer base, the alignment strategy must also consider the strategic value or effectiveness of the services provided.
• This starts with developing a solid alignment foundation that addresses several key elements…
Aligning IT Operations with Corporate Goals
IT Alignment Elements
• Key Foundation Elements:
  • BUSINESS PLAN - A fully developed “corporate business plan” that includes explicit BUSINESS IMPERATIVES that must be met for the corporation to succeed and survive.
  • IT OPERATIONAL OBJECTIVES - The translation of the business imperatives into IT operational requirements or objectives that support the business plan – this will require a significant amount of effort and skill.
  • SLM - Translation of the IT operational objectives into service level management criteria – this is no slam dunk either!
Aligning IT Operations with Corporate Goals
IT Alignment Elements (cont)
• The process of mapping service level criteria to the key operations engineering disciplines necessary for the creation and ongoing management of an effective and efficient data center can now begin...
• Operational Engineering Disciplines
  • Organization (People)
  • Technology
  • Process
Aligning IT Operations with Corporate Goals
IT Alignment Elements (cont.)
Operational Engineering Disciplines (Sub Elements)
• Organizational Engineering
  • Personnel Management
  • Departmental Structure
  • Skills & Training
• Technology Engineering
  • Networks
  • Systems & Tools
  • Applications
  • Infrastructure
• Process Engineering
  • IT Operational Processes
    • Implementation Management
    • Change Management
    • Problem Management
    • Performance Management
    • Workload Management
    • Recovery Management
    • Security Management
    • Asset Management
  • IT Management Processes
    • Service Level Mgmt
    • Customer Mgmt
    • Vendor Mgmt
    • Personnel Mgmt
    • Budget Mgmt
    • Procurement Mgmt
Aligning IT Operations with Corporate Goals
IT Process and Business Alignment
• IT OPERATIONS PROCESSES - Effectively integrating your IT operational processes into your alignment strategy can be a major factor in its overall success… But, how much emphasis is placed on managing these processes?

How effective are you in managing your IT operational processes today?

Process               Very Effective   Adequate   Not Effective
Implementation Mgmt        34%           39%          27%
Change Mgmt                27%           48%          25%
Problem Mgmt               16%           53%          31%
Performance Mgmt           12%           53%          35%
Workload Mgmt              16%           44%          40%
Recovery Mgmt              47%           41%          12%
Security Mgmt              41%           53%           6%
Asset Mgmt                 34%           38%          28%

Source: Computer Economics survey of over 50 midsize to large data centers – 4Q02
Aligning IT Operations with Corporate Goals
IT Process and Business Alignment (cont.)

Are your IT operational processes governed by well defined policies and procedures?

Process               Formal Written   Some Written   No Formal Written
                      Policies &       Policies &     Policies &
                      Procedures       Procedures     Procedures
Implementation Mgmt        40%             36%             24%
Change Mgmt                45%             30%             25%
Problem Mgmt               31%             48%             21%
Performance Mgmt           19%             47%             34%
Workload Mgmt              32%             42%             26%
Recovery Mgmt              56%             30%             14%
Security Mgmt              50%             40%             10%
Asset Mgmt                 43%             37%             20%

Source: Computer Economics survey of over 50 midsize to large data centers – 4Q02
Aligning IT Operations with Corporate Goals
IT Process and Business Alignment (cont.)

What is your current “style” for controlling your IT operational processes today?

Process               Maintain Tight Control   Maintain Loose Control
Implementation Mgmt            59%                     41%
Change Mgmt                    51%                     49%
Problem Mgmt                   50%                     50%
Performance Mgmt               21%                     79%
Workload Mgmt                  29%                     71%
Recovery Mgmt                  74%                     26%
Security Mgmt                  74%                     26%
Asset Mgmt                     53%                     47%

Source: Computer Economics survey of over 50 midsize to large data centers – 4Q02
BUSINESS PERFORMANCE MANAGEMENT (BPM) Business performance management enables individuals to quickly assess the performance of a business process or function, focus on activities that are below expectations and take action to turn behavior around. The online trade show entitled Business Performance Management will give you guidelines to help you discern what is important in today's world of information overload.
BPM solutions allow an organization's processes to be fully documented and accompanied by transaction audit trails, putting business managers in a better position to make decisions. BPM also documents the policies that state exactly what needs to be done as well as the procedures that specify how policies should be implemented. Organizations can use this information to continuously improve their processes through the adoption of a full life-cycle process management practice (along the lines of Six Sigma), which, in turn, helps maintain competitive advantage.
• User and Resource Provisioning - adding, moving, and modifying resources or configurations to enable or enhance the performance of mission-critical applications, customers, partners or employees on a priority and demand basis
• Infrastructure Availability - ensuring consistent and readily available access to key business resources by managing availability, loss prevention and recovery
• Security Management - establishing identities and managing security of key business resources
THE SEVEN HABITS OF WILDLY UNSUCCESSFUL CIOs
There's plenty of information out there about what it takes to be a successful CIO. But sometimes, it's more effective to learn from others’ mistakes. Many CIOs are guilty of a surprisingly common list of poor managerial habits. The simple truth is that while these bad habits are easy to spot from a distance (and even easier in hindsight), CIOs themselves rarely realize they're making these fatal blunders until after significant damage has been done. Both current and aspiring CIOs should take a good, long look in the mirror and see if any of these seven deadly managerial sins are a part of their routine.
THE SEVEN HABITS OF WILDLY UNSUCCESSFUL CIOs (cont)
1. Acquire technology simply because it's new.
2. Exhibit a knee-jerk reaction against open source.
3. Create solutions in search of a problem.
4. Eagerly reach beyond competency level.
5. Act as CMOs--chief marketing officers.
6. Fail to understand the relationship between technology and business.
7. Don't communicate well with nontechs.
See why CIOs fail by making these painfully common mistakes, find out how successful CIOs approach the same situations, and learn how you can avoid these missteps.
HAVING AN IT GOVERNANCE COUNCIL DOES NOT EQUAL IT GOVERNANCE
Every Information Technology (IT) organization we speak with shares the goal of running IT like a business. All agree that a strong IT governance process is essential in this strategy. The Bottom Line: The key to successful IT governance is instilling it at all levels and giving IT staff the authority and responsibility to make decisions.
Source: AMR Research, January 2004
LEADING IT ORGANIZATIONS EMPLOY THREE STRATEGIES THAT HELP PUSH BUSINESS AND IT ALIGNMENT DOWN INTO THE TRENCHES:
• IT portfolio management--Not just for the big-ticket projects, but using this discipline to mitigate risk and optimize investment at all levels.
• Service-Level Management (SLM)--Aligning the delivery of IT services to the needs of the business, and the mechanisms to track performance against goals. Service-Level Agreements (SLAs) help the IT organization track their performance and make objective decisions about the trade-offs between improved availability and cost.
• Formal account/relationship managers.
Source: AMR Research, January 2004
(Chart slide) 2004 Financial Strategic. Source: IDC Financial Insights