Thanks for reading, and thanks for the clarification, Patrick.
Hi Lora,
Yes, it does seem counter-intuitive.
I would offer the following perspectives:
1. We all agree that automated controls offer improvements in both cost (subject to initial payback calcs) and effectiveness. However, the controls MUST be targeted to risks, and I wonder if execs truly understand the nexus between compliance and risk management. Controls effectiveness is therefore reliant on a comprehensive operational assessment of risks, across multiple consequence perspectives. The output of such an assessment typically numbers in the thousands. I think that this is what the COSO framework is pointing to, but I'm not sure it is widely understood; perhaps it all seems too hard...
2. Here in Australia, Standard AS 3806 for Compliance Programs highlights that compliance management is ultimately a behavioural system, supported by technology and automated/manual internal controls. Here is the dilemma: to achieve effectiveness, it requires BEHAVIOURAL change at the top, deployed throughout the organisation.
Hope this adds something to the debate. Keep up the great work.
J
I think that part of the confusion for many organisations bent on eliminating fraud and theft is the vagueness of the verbiage in the legislation.
It appears to me that as texting, email and other forms of electronic communication have become the de facto tools of business today, legislators have recognized that they need to be able to access all of this.
What this does to organisations is muddy the waters as to what they need to do and what they do not need to do in terms of retention and compliance with SOX, FINRA, HIPAA, etc. As we reach out to many organisations, it is surprising how many simply cannot get their arms around this, get definitive legal opinions and interpretations, and simply do what they feel is appropriate.
Lora-
Thanks for your very thoughtful assessment of our recent survey report. I'd like to clarify the seeming contradiction you bring up in the final paragraph of your post. I think the confusion you mention comes, first, when inferring that "more accurate" necessarily means the improvement was due to a reduction in fraud (as opposed to an improvement in processes that resulted in a reduction in errors, for example). Further, the inference that tighter controls are all it takes to reduce fraud risk is called into question by the SEC directive issued last year that specifically states: "ICFR ('internal control over financial reporting') cannot provide absolute assurance due to its inherent limitations; it is a process that involves human diligence and compliance and is subject to lapses in judgment and breakdowns resulting from human failures. ICFR also can be circumvented by collusion or improper management override. Because of such limitations, ICFR cannot prevent or detect all misstatements, whether unintentional errors or fraud." (Source: SEC Release No. 33-8810, June 27, 2007). At the risk of overstating the case, this is where an automation technology like continuous transaction monitoring can close the gap. In any case, this is how and why it's possible for these executives to feel (and rightly so) that they have made great progress in SOX compliance, without feeling that these compliance efforts have sufficiently decreased their risk of fraud.