IT and Information Security After Sarbanes Oxley


  • 8/14/2019 IT and Information Security After Sarbanes Oxley

    1/24

    IT and Information Security after Sarbanes-Oxley

    An open letter to IT and Information Security professionals

    It is good to remember that nobody has promised that our financial statements are accurate; we have promised adequate controls that provide reasonable assurance that we do not have material misstatements, and can prevent (not "will prevent") or detect material misstatements on a timely basis.

    Dear IT and Information Security professional,

    Have you ever visited EDGAR?

    No, not Mr. J. Edgar Hoover, the former director of the FBI. EDGAR stands for Electronic Data Gathering, Analysis, and Retrieval. It is the database of the Securities and Exchange Commission (SEC), the system through which the SEC accepts electronic transmission of submissions from filers (www.sec.gov/edgar/searchedgar/webusers.htm).

    This is the first step, a great opportunity to learn what is happening in your company. No kidding! All companies disclose to the public much more information than they disclose to their employees. You will be able to research your company's financial information and operations and to review registration statements, prospectuses and periodic reports filed on Forms 10-K and 10-Q. Sometimes you can find important information about recent corporate events reported on Form 8-K.

    And which is the second step? To understand your company's disclosures. You will read what exactly you have promised to the public, because this is what you are supposed to do. No, you will not read words like "information security", "security breach", "hacker", "cyber attack", "virus", "worm", "computer attack", "computer security", "network intrusion", "data theft", "cyber fraud". You may find the words "interruption", "disruption", "failure". For example, you may read that "system interruption and the lack of redundancy in our systems may affect our sales". You will also understand why information security is no longer so important for your organization. Of course, companies avoid explaining something like that; it is simply out of the scope of the projects, there are no auditors that ask questions, there are no deadlines, so we just do very few things.

    You don't believe me? Please continue to read.

    What your CEO and CFO have signed - 302 Certification

    CERTIFICATION OF CHIEF EXECUTIVE OFFICER PURSUANT TO SECTION 302

    I, (name of the CEO), certify that:

    1. I have reviewed this annual report on Form 10-K;

    2. Based on my knowledge (A), this report does not contain any untrue statement of a material fact (B) or omit to state a material fact (B) necessary to make the statements made, in light of the circumstances under which such statements were made, not misleading with respect to the period covered by this report;

    3. Based on my knowledge (A), the financial statements, and other financial information included in this report, fairly present in all material respects (B) the financial condition, results of operations and cash flows of the registrant as of, and for, the periods presented in this report;

    4. The registrant's other certifying officer and I are responsible for establishing and maintaining disclosure controls and procedures (as defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal control over financial reporting (as defined in Exchange Act Rules 13a-15(f) and 15d-15(f)) for the registrant and have:

    a) Designed such disclosure controls and procedures, or caused such disclosure controls and procedures to be designed under our supervision, to ensure that material information (B) relating to the registrant, including its consolidated subsidiaries, is made known to us by others within those entities, particularly during the period in which this report is being prepared;

    b) Designed such internal control over financial reporting, or caused such internal control over financial reporting to be designed under our supervision, to provide reasonable assurance (C) regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles;

    c) Evaluated the effectiveness of the registrant's disclosure controls and procedures and presented in this report our conclusions about the effectiveness of the disclosure controls and procedures, as of the end of the period covered by this report based on such evaluation; and

    d) Disclosed in this report any change (D) in the registrant's internal control over financial reporting that occurred during the registrant's most recent fiscal quarter (the registrant's fourth fiscal quarter in the case of an annual report) that has materially affected (B), or is reasonably likely to materially affect (B), the registrant's internal control over financial reporting; and

    5. The registrant's other certifying officer and I have disclosed, based on our most recent evaluation (A) of internal control over financial reporting, to the registrant's auditors and the audit committee of registrant's Board of Directors (or persons performing the equivalent functions):

    a) All significant deficiencies and material weaknesses (E) in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the registrant's ability to record, process, summarize and report financial information; and

    b) Any fraud, whether or not material, that involves management or other employees who have a significant role in the registrant's internal control over financial reporting.

    Date

    Let's understand better what we have just read:

    (A) "Based on my knowledge" or "based on our most recent (?) evaluation": We do not promise that the financial information we disclose is accurate, we just state that we do not know that it is not accurate. In other words, we will kill the messenger of the bad news.

    Try to stand in the shoes of your CEO. His fate depends heavily on the company's stock performance, and stock performance depends on shareholders' perception and the external auditors' opinion, not information security or better IT governance.

    Every three months, the CEO has to disclose to the company's shareholders that based on his knowledge, the financial statements and other financial information fairly present in all material respects the financial condition, results of operations and cash flows of the company. Does he have any reason to pay six-figure fees to penetration testers and ethical hackers, in order to get a very scary report that describes every conceivable hole in the company's systems? After reading this report, based on his knowledge, there are massive problems with the internal controls that protect the financial information from unauthorized modification, and to make things worse, the company's staff cannot handle them. He has the obligation to disclose the problems to the public, and this disclosure will definitely not increase shareholder value or his compensation. In fact, he will lose money, as he has stock options that give him the right to buy stock from the company at a certain price at a future date. And, according to Senator Carl Levin (D-Mich.): "Virtually every corporate disaster that has struck in recent years has had a stock option component."

    (B) "The information disclosed presents in all material respects the financial conditions of the company": We can read the word "material" four times in the above 302 certification. Yes, we cannot provide absolute assurance to the shareholders. But, disclosing material information only, whatever it means to anybody, gives opportunities to mislead the public. Material information is any information that must be given to shareholders, in order to make informed decisions.

    Dear IT and Information Security professional, do you have to disclose all hacking attacks and information security risks? Definitely not, as this is not material information for the financial condition of the company. What about software bugs, zero-day attacks, buffer overflows, cross-site scripting? No. Avoid speaking about all these risks to the auditors. It is out of the scope of Sarbanes-Oxley.

    (C) "The CEO has designed controls that provide reasonable assurance regarding the reliability of financial reporting": If you promise to your life partner (or your significant other) that you will disclose all your material affairs with other persons, he/she will not feel that you have provided reasonable assurance that you are honest with him/her, as there is no excuse for any infidelity. (I do not believe that you can persuade your significant other that it is adequate to comply with Sarbanes-Oxley principles for your personal life too.)

    (D) "The CEO has disclosed any change in the internal control over financial reporting that has materially affected or is reasonably likely to materially affect the registrant's internal control": Which is the ugliest word after Sarbanes-Oxley? The word "change". IT professionals hate this word and all change management procedures, as they believe that documentation is not the real job.

    So, we have to disclose all changes that may affect our ability to have tested, documented and effective internal controls.

    (E) "The CEO has disclosed all significant deficiencies and material weaknesses and any fraud": So, although there is a zero tolerance approach for fraud, there is some tolerance for other deficiencies and weaknesses. But, what is a significant deficiency or a material weakness?

    According to the Auditing Standard No. 5, a significant deficiency is "a deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company's financial reporting."

    According to the same Auditing Standard, a material weakness is "a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis".

    What is "reasonable possibility"? The Financial Accounting Standards Board Statement No. 5, Accounting for Contingencies (FAS 5), describes the likelihood of a future event occurring as "probable", "reasonably possible", or "remote". According to the Auditing Standard No. 2, every time there is more than remote likelihood of a misstatement, the misstatement is reasonably possible. There is some fun there, as we try to calculate the probability of each event, something that is very subjective and very difficult. I still remember one of the slides during a Sarbanes-Oxley training session for process owners: "We can define a sub-set of n favorable elements, where n is less than or equal to N. Probability is defined as the ratio of the favorable cases over total cases, or calculated as: p = n/N".

    Welcome to the new world, where mathematicians have become risk managers.

    What your CEO and CFO have signed - 404 Certification

    The Sarbanes-Oxley 404 certification and the 404 HTTP error message are very similar in one thing: neither explains what we should do.

    The 404 HTTP standard response code indicates that the client was able to communicate with the server but either the server cannot find what was requested, or it is configured not to fulfill the request and not reveal the reason why.

    After reading section 404 of the Sarbanes-Oxley Act, we feel that either we do not find what was requested, or it is configured to give us opportunities not to fulfill the request and not to reveal the reason why.

    Section 404 is small, just 173 words. The CEOs spent $6.1 billion on complying with it during 2005, just to explain to the shareholders that they take the Sarbanes-Oxley Act seriously. These 173 words put U.S. capital markets at a competitive disadvantage, driving initial public offerings away from the New York Stock Exchange to the London exchange that is advertising that it is "SOX free".

    Let's read a 404 certification:

    CERTIFICATION OF CHIEF EXECUTIVE OFFICER PURSUANT TO SECTION 404

    MANAGEMENT'S ANNUAL REPORT ON INTERNAL CONTROLS OVER FINANCIAL REPORTING

    The management of (company's name) is responsible for establishing and maintaining adequate internal control over financial reporting (as defined in Rules 13a-15(f) and 15d-15(f) under the Securities Exchange Act of 1934) for the company. The company's internal control over financial reporting is designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.

    Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements (A). Also, projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate (B) because of changes in condition or the deterioration of compliance with procedures or policies.

    The management of (our company's name) performed an evaluation as of December 31, 2007 of the effectiveness of the company's internal control over financial reporting based on the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control - Integrated Framework (C). Based on the review performed, management believes that as of December 31, 2007 (our company's name) internal control over financial reporting was effective.

    The independent registered public accounting firm (one of the big four) as auditors of the consolidated financial statements of (our company's name) has issued an attestation report on management's assessment of (our company's name) internal control over financial reporting.

    Ohh!

    (A) "Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements": It is quite funny, we promise very few things.

    On one hand, the CEO accepts responsibility for establishing and maintaining adequate internal control over financial reporting.

    On the other hand, the CEO explains that these internal controls have inherent limitations, so they may not prevent or detect misstatements. It means that the financial statements may be accurate, but perhaps not.

    How can he do something like that? After March 2004, we can read in the Auditing Standard No. 2: "Internal control over financial reporting cannot provide absolute assurance of achieving financial reporting objectives because of its inherent limitations. Internal control over financial reporting is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. Internal control over financial reporting also can be circumvented by collusion or improper management override. Because of such limitations, there is a risk that material misstatements may not be prevented or detected on a timely basis by internal control over financial reporting."

    We can find exactly the same paragraph in the Auditing Standard No. 5. This standard agrees also with the previous ones about the ability of the auditors to find what is wrong: "Just as there are inherent limitations on the assurance that effective internal control over financial reporting can provide, there are limitations on the amount of assurance the auditor can obtain as a result of performing his or her audit of internal control over financial reporting. Limitations arise because an audit is conducted on a test basis and requires the exercise of professional judgment."

    (B) "Projections of any evaluation of effectiveness to future periods are subject to the risk that controls may become inadequate": The CEO signs that the controls are adequate today. Tomorrow is another day; he cannot promise that the controls will continue to be effective. So, if there is a material misstatement, perhaps it has happened after the day he signed that the controls were adequate.

    Do you know that future plans are not controls, so plans are out of the scope of Sarbanes-Oxley?

    According to the Auditing Standard No. 2: "Management's plans that could potentially affect financial reporting in future periods are not controls. For example, a company's business continuity or contingency planning has no effect on the company's current abilities to initiate, authorize, record, process, or report financial data. Therefore, a company's business continuity or contingency planning is not part of internal control over financial reporting."

    Be careful: Future plans, business continuity plans and disaster recovery plans are out of the scope of Sarbanes-Oxley, but other elements of business continuity are in the scope. Backups and off-site storage of tapes are very important internal controls that must be tested and documented.

    (C) "The management performed an evaluation of the effectiveness of the company's internal control over financial reporting based on the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control - Integrated Framework": COSO stands for the "Committee Of Sponsoring Organizations" (the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives International, the Institute of Internal Auditors, and the National Association of Accountants, now the Institute of Management Accountants). They developed in 1992 the leading framework for evaluating the effectiveness of internal controls.

    From the technical risk assessment to the COSO business risk assessment

    Do you know which is the first word that pops up in mind after the words Sarbanes-Oxley? The word "control". The COSO paper repeats this word 1368 times (in 163 pages!). We have been brainwashed.

    Frequency analysis is a great tool in cryptanalysis (code breaking), but it is also useful to get a feel for a document. (Sorry! I started my career as a mathematician and I cannot resist the temptation to use frequency analysis.)

    The word "internal" appears 846 times, about eight times the frequency of the word "external" (123 times). It is obvious that COSO has shifted the focus from network security and external threats to internal threats and internal fraud.

    The word "objective" appears in the COSO document 452 times. The word "business" 124 times. The words "attack" or "defense" 0 times. It is not encouraging that you will find the word "hacker" twice. Let's read COSO:

    "Effective access security controls can protect the system, preventing inappropriate access and unauthorized use of the system. If well designed, they can intercept hackers and other trespassers" and

    "Former or disgruntled employees can be more of a threat to a system than hackers; terminated employee passwords and user IDs should be revoked immediately. By preventing unauthorized use of and changes to the system, data and program integrity are protected"

    If only it was that simple!

    Why are hackers no longer that important?

    After Sarbanes-Oxley, every time I try to explain that external fraud and hackers are not that important for shareholders and the public, there are persons that protest:

    How could it be possible?

    Can they understand the potential for fraud and criminal activities?

    Well, no, they cannot understand and they don't even try. To be honest, we do not help them understand. In order to comply with Sarbanes-Oxley we have to disclose to the public what has happened, not what could happen. So, they never learn the potential for fraud, loss and problems.

    It is interesting to compare some incidents:

    1. Vladimir Levin was a hacker from St. Petersburg, Russia. He hacked into Citibank and stole more than $10 million. In March 1995 he was arrested at London's Stansted Airport by Scotland Yard officers. Levin was tried in New York. He was convicted and sentenced to three years in jail. Citibank said that all but US$400,000 of the stolen money has been recovered. Shareholders did not bother to learn more about the incident.

    2. Senior executives of Mercury Finance Company, a subprime lending company, tried to do exactly what Vladimir Levin did: To make some money using their knowledge and experience. But, there is a difference. Vladimir Levin's fraud was external, he was not a corporate officer. When senior executives commit fraud, shareholders take it very seriously. The market capitalization of this company decreased by nearly $2 billion in one day after the fraud was made public. The former CEO, treasurer and accounting manager each pleaded guilty and were sentenced to 10 years, 20 months, and 12 months, respectively. The former CFO admitted his role and cooperated, but died before being charged.

    3. The Chaos Computer Club (CCC), based in Germany, is one big hacker organization. They support the hacker ethics (!!!) and fight for free access to computers and the technological infrastructure. Investors don't know them.

    The hackers' Achilles heel is the love for publicity. The members and the friends of the Chaos Computer Club were no different, so they became famous when they hacked a bank in Hamburg, Germany, and took DM 134,000. The money was returned the next day in front of the press. Very few investors had learned about them.

    In 1989, Karl Koch, who was affiliated with the Chaos Computer Club, and some other hackers, crossed the line from looking for money to sharing secrets with the Soviets. They were hired by the Soviet KGB to break into US and western government and corporate computers and sell secrets including operating system source code to the KGB. The German intelligence authorities announced that this is "a new quality of espionage" and that they had awaited something similar but are nevertheless surprised that it happened so soon and with such broad effects.

    Espionage and business intelligence incidents are very serious, and have far-reaching consequences for shareholder value. Companies lose billions of dollars each year through information leaks. Investors didn't understand and were not scared.

    4. Charles Prince III was the Chairman and Chief Executive Officer of Citigroup Inc. (NYSE: C). He was a very good and experienced leader.

    In the first days of November 2007, he elected to retire from Citi, after the unexpected write-down of up to $11 billion in assets. Mr. Prince commented that "Given the size of the recent losses in our mortgage-backed securities business, the only honorable course for me to take as Chief Executive Officer is to step down".

    The same month, a lawsuit was filed on behalf of Stephen Gray, a participant in Citigroup's 401(k) Plan. According to the lawsuit, Citigroup failed to prudently manage the Plan's assets, failed to provide Plan participants with important information regarding Citigroup's financial condition and failed to appoint and monitor the performance of other fiduciaries. Some of the information that was not disclosed was important to give shareholders the opportunity to make informed decisions, like information about the degree of losses that Citigroup faced.

    The suit seeks class action status for participants in Citigroup's retirement plans from January 1, 2007 to the present. Citigroup also faces lawsuits from shareholders who accuse the group of having recklessly spent money purchasing sub-prime loans. Citigroup has lost billions of dollars doing so, but most other major banks had exactly the same problems. Citigroup's share price has dropped from $54.26 in June 2007 to $37.73 in November 2007.

    If you compare the money public companies and shareholders lose because of external fraud and hacking (some millions of dollars) with the money they lose from internal fraud and wrong decisions (some billions of dollars), it is easy to understand why shareholders do not really care about good information security and IT governance.

    Although we continue to insist that computers and systems are increasingly vulnerable to hackers attempting to infiltrate networks, and that most incidents can be prevented if the company has adequate knowledge that the vulnerability exists, all these incidents do not seem so important to shareholders. For them, information security protects the company from cyber-vandalism and the defacement of the corporate web sites, not from white collar crime and money sent offshore to SPVs (Special Purpose Vehicles). What about cyber-war and massive attacks on critical infrastructure? They just ignore this risk.

    5. Sarbanes-Oxley was not the only effort to prevent corporate fraud. The President's Corporate Fraud Task Force has been trying to restore public and investor confidence in America's corporations following the wave of major corporate scandals since July 2002. The Task Force includes senior Department of Justice officials, seven U.S. Attorneys and the head of the Securities and Exchange Commission. In five years they have yielded amazing results with 1,236 total corporate fraud convictions, including 214 chief executive officers and presidents, 53 chief financial officers, 23 corporate counsels or attorneys and 129 vice presidents. The Task Force has brought charges for accounting fraud, securities fraud, insider trading, market manipulation, wire fraud, obstruction of justice, false statements, money laundering, Foreign Corrupt Practices Act violations, stock option backdating and conspiracy, among others.

    Hackers, you have lost the battle of publicity. Sophisticated internal fraud artists are much better than you. They not only hack the company, they are paid by the same company to do it as well!

    Epilogue

    With how many Sarbanes-Oxley-like Acts do you have to comply today? No kidding! If you are listed in 4 different countries, perhaps you have to comply with 4 similar but different SOX flavors and interpretations.

    Sarbanes-Oxley is here to stay. I have heard several times that the Act will definitely be relaxed, is not needed any more, or even that it will be rewritten to meet international standards. Well, the opposite is happening.

    Not only do thousands of international foreign companies try hard to comply with the US Sarbanes-Oxley, but many countries also develop a local version of this Act! We will have a flat world for public companies, and Sarbanes-Oxley will be the common framework.

    Although the 8th Company Law Directive is considered the European post-Sarbanes-Oxley regulatory retaliation, it is in fact a European version of the Sarbanes-Oxley Act.

    You may wonder why we speak about retaliation.

    After the passage of the US Sarbanes-Oxley Act in 2002, US and non-US companies listed in a US stock exchange have the difficult task to comply with the Sarbanes-Oxley Act.

    After the passage of the European Union's 8th Company Law Directive on Statutory Audit (Directive 2006/43/EC), European and non-European companies listed in any country of the European Union have to comply with the 8th company law directive. Now, the American auditors have to be registered with the European national boards, just like the European Union's auditors, that had to be registered with the US Public Company Accounting Oversight Board. EU Member States must transpose the directive into national law before 29 June 2008.

    And, like in the US SOX, there are extremely important extraterritorial consequences. All the non-EEA (European Economic Area) countries, the USA included, must prove that they have an equivalent level of regulation, to protect their auditors that audit offshore companies with EU listings from being subject to a tough European oversight regime. Otherwise, auditors and audit firms from third countries have to be registered in the EU and to be subject to oversight, quality assurance and sanctions.

    Companies listed in the EU are directly affected. From the changes in the audit committee and the role of the board of directors to the new internal controls requirements, professionals in EU-listed companies will face the same or similar challenges as their American colleagues that have to comply with the US SOX.

    The Financial Instruments and Exchange Law is the Japanese version of Sarbanes-Oxley. It is unofficially called J-SOX and it is really very similar to SOX. There are requirements similar to the Sarbanes-Oxley Act Sections 302 and 404 (management certification and management evaluation and report on internal controls). Companies have to comply on or after April 1, 2008.

    In Canada, Bill 198 is known as the Canadian Sarbanes and Oxley Act or CSOX. The date of full application is for the financial years ending on or after June 30, 2006.

    The moral of the story: You will not get rid of it! Learn how to provide reasonable assurance to shareholders, and forget hackers, at least until the next major corporate scandal that involves external fraud.

    Sincerely,

    George Lekatis
    General Manager and Chief Compliance Consultant
    Compliance LLC

    Our web sites

    A. Basel ii

    Basel ii Training
    Courses designed to provide you with the knowledge and skills needed to understand and support Basel ii compliance.

    www.basel-ii-training.com

    Basel ii Training for the Board of Directors

    The members of the Board of Directors not only need to exerciseoversight, but also to direct the organization to use Basel ii complianceas a competitive advantage.

    www.basel-ii-board-directors.com

    Capital Requirements Directive Training
    Courses designed to provide you with the knowledge and skills for the implementation of Basel ii in the European Union.

    www.capital-requirements-directive-training.com

    Basel ii Accord (Information and documents used in our compliance training classes)
    Basel ii: The sections of the accord in an easy to read format.

    www.basel-ii-accord.com

    Capital Requirements Directive (Information and documents used in our compliance training classes)

    The common framework for the implementation of Basel ii in theEuropean Union. The directive in an easy to read format.

    www.capital-requirements-directive.com


    Basel iii Accord
    (Information and documents used in our compliance training classes)
    Basel iii: What is wrong in Basel ii? What will be included in the even more sensitive accord, Basel iii?

    www.basel-iii-accord.com

    Basel ii, Structured Products and Securitization
    (Information and documents used in our compliance training classes)
    Basel II and the securitization markets. What is different? The efforts to minimize exposure to sub-investment grade tranches, to avoid the significant amount of regulatory capital banks have to hold.

    www.basel-ii-securitization.com

    B. Sarbanes Oxley

    Sarbanes Oxley Training
    Courses designed to provide the knowledge and skills needed to understand and support Sarbanes-Oxley compliance.

    www.sarbanes-oxley-training.com

    J-SOX Training in Japan
    Course: "From SOX to J-SOX: Lessons Learned from the Implementation of Sarbanes Oxley Act in the USA and the World"

    www.j-sox-training.com

    Sarbanes Oxley Act
    (Information and documents used in our compliance training classes)

    Sarbanes-Oxley Compliance: The Act in an easy to read format, Auditing Standards, resources.

    www.sarbanes-oxley-act.biz


    C. EU - Financial Services Action Plan

    MiFID Training
    Training and Presentations. From the four-level approach (the Lamfalussy process) to the MiFID implementation, the differences and the opportunities for competitive advantage in the EU and offshore.

    www.mifid-training.net

    MiFID Training for the Board of Directors
    The members of the Board of Directors not only need to exercise oversight, but also to direct the organization to use the Markets in Financial Instruments Directive (MiFID) compliance as a competitive advantage.

    www.mifid-board-directors.com

    8th Company Law Training
    The European Sarbanes Oxley: Similarities and differences between the 8th Company Law Directive of the European Union and the Sarbanes-Oxley Act of the USA. Implementation and compliance training and presentations.

    www.8th-company-law-training.com

    Risk Committee Training
    Presentations and training for the Risk Committee of the Board of Directors that increase awareness and effectiveness. Special consideration is given to the new need to provide evidence and keep records and documents for years, and to new regulatory and legal obligations.

    www.risk-committee-training.com

    Solvency ii Training
    Courses and presentations designed to provide the knowledge and skills needed to understand and support compliance with the Solvency ii and the Reinsurance directives of the European Union. The implementation of the Solvency II regime can benefit greatly from the experience and lessons learned during the Basel II projects in the world.

    www.solvency-ii-training.com

    Reinsurance Directive Training
    Courses and presentations designed to provide the knowledge and skills needed to understand and support compliance with the Reinsurance Directive of the European Union.

    www.reinsurance-directive-training.com

    UCITS iii Training
    From the Management Directive and the Product Directive, to UCITS iii compliant funds, sophisticated UCITS, hedge funds and alternative investments, onshore and offshore legal structures and products authorized under different regimes.

    www.ucits-iii-training.com

    European Exchange Traded Funds Training (ETFs)
    UCITS iii and MiFID Training and Presentations. Providing Financial Services to the European Clients, Training and Presentations. ETFs based on alternative assets such as commodities with UCITS iii status. ETFs that are UCITS iii compliant domiciled in EEA countries.

    www.etf-training.com

    Hedge Funds Compliance Training
    Hedge Funds, Collective Investments, Structured Products, and the directives of the European Union. UCITS iii, MiFID, 8th Company Law, Capital Requirements Directive, legal structures, marketing of funds, management and administration at the 30 countries of the European Economic Area.

    www.hedge-funds-compliance.com

    Financial Conglomerates Directive Training and Presentations
    We can help your organization understand better the Financial Conglomerates Directive in the context of the Financial Services Action Plan of the European Union. Common elements with the Capital Requirements Directive (Basel ii in the EU) and the Financial Services Action Plan.

    www.financial-conglomerates-directive.com/Presentations.htm

    The Financial Services Action Plan
    There are 42 original measures: Some are non-legislative, a few are regulations, and there are almost 30 directives. Over 20 of the original measures are likely to affect the financial sector.

    www.financial-services-action-plan.com

    The Markets in Financial Instruments Directive (MiFID)
    (Information and documents used in our compliance training classes)
    MiFID is a very important part of the European Union's Financial Services Action Plan. The directive in an easy to read format.

    www.markets-in-financial-instruments-directive.com

    European Savings Tax Directive (ESD)
    (Information and documents used in our compliance training classes)

    Tax competition and the European Union. The G-7 and the offshore financial centers (OFCs). Basel ii and the European Savings Tax Directive (ESD). The directive in an easy to read format.

    www.savings-tax-directive.com

    European Savings Tax Directive Training and Presentations

    The Savings Tax Directive in the context of the Financial Services Action Plan of the European Union. The tax competition: Higher-tax nations and the offshore financial centers. From the "automatic exchange of information" option to the "withholding tax" option. Opportunities for a competitive advantage.

    www.savings-tax-directive.com/Presentations.htm

    The 8th Company Law Directive
    (Information and documents used in our compliance training classes)

    The 8th Company Law Directive is similar to the US Sarbanes Oxley Act. This directive is called the European Sarbanes Oxley. Although there are important similarities, there are also very important differences.

    The directive in an easy to read format.

    www.8th-company-law-directive.com

    European Sarbanes Oxley
    (Information and documents used in our compliance training classes)

    After the US Sarbanes-Oxley Act, we have the Japanese Sarbanes-Oxley Act (J-SOX) and the European Sarbanes Oxley Act (8th Directive in the context of the European Union's Financial Services Action Plan).

    www.european-sarbanes-oxley.com

    Financial Conglomerates Directive
    (Information and documents used in our compliance training classes)

    The Financial Conglomerates Directive tries to introduce supplementary supervision of financial conglomerates on a group-wide basis, in addition to both the prudential supervision of regulated entities on a standalone basis and consolidated supervision on a sectoral basis.

    The directive in an easy to read format.

    www.financial-conglomerates-directive.com

    The EU Reinsurance Directive
    (Information and documents used in our compliance training classes)
    Reinsurance allows direct insurance undertakings to have a higher underwriting capacity and reduce their capital costs. The Directive forms part of the European Union's Financial Services Action Plan, which aims to create a single market in financial services in the European Union.

    www.reinsurance-directive.com

    UCITS iii
    (Information and documents used in our compliance training classes)
    UCITS stands for Undertakings for Collective Investments in Transferable Securities.

    The UCITS iii directive consists of two directives that regulate funds sold across the EEA.

    www.ucits-iii.com

    European Exchange Traded Funds (ETFs)
    (Information and documents used in our compliance training classes)
    In the European Economic Area many Exchange Traded Funds are traded as cross-border UCITS iii funds. Compliance and acknowledgement of the UCITS status is of paramount importance for the freedom to provide services in all 30 countries of the EEA.

    www.european-exchange-traded-funds.com

    Risk Committee of the Board of Directors
    (Information and documents used in our compliance training classes)

    The Board of Directors has risk management responsibilities that are defined not only by best practices and guidelines, but also by laws and regulations. The Risk Committee must assist the Board in assessing the risks to which the organization is exposed.

    www.risk-committee.com

    D. Other Web Sites

    Board of Directors Compliance Training
    Risks to serving directors have risen exponentially after the new Basel Capital Accord, the US Sarbanes Oxley Act, the European Sarbanes Oxley (8th Company Law Directive), the Japanese Sarbanes Oxley (Financial Instruments and Exchange Law, J-SOX), and the European Union's Financial Services Action Plan that includes MiFID (Markets in Financial Instruments Directive).

    www.board-of-directors-compliance-training.com

    Off Balance Sheet
    (Information and documents used in our compliance training classes)

    From Enron and BCCI, to the Sarbanes-Oxley Act and Basel ii.

    Off Balance Sheet Entities and items. If a company has an asset or a liability, and it's not on the balance sheet, then where is it?

    www.off-balance-sheet.com

    Compliance and Outsourcing Research Project
    (Information and documents used in our compliance training classes)
    Outsourcing was a way to reduce cost. Outsourcing becomes a way to transfer compliance. Outsourcing after Basel ii, Sarbanes-Oxley, and the European Union's Financial Services Action Plan.

    www.compliance-and-outsourcing.com

    Compliance LLC
    Compliance LLC is a leading provider of Basel ii, Sarbanes Oxley, MiFID and the European Union's Financial Services Action Plan training, executive coaching and consulting in more than 30 countries.

    www.compliance-llc.com

    Compliance LLC
    HQ: 1220 N. Market Street Suite 804, Wilmington, DE 19801, USA
    Mail: 1200 G Street NW Suite 800, Washington, DC 20005, USA

    Tel: +1 (302) 342-8828
    Web: www.compliance-llc.com

    Lyn Spooner: +1 (302) 342-8828 Ext. 1
    Email: [email protected]

    George Lekatis: +1 (302) 342-8828 Ext. 5

    Email: [email protected]
