Innovation comes in many areas, and compliance professionals must be ready to embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, Tom has a riveting conversation with Mike Whitmire, Co-founder & CEO at FloQast, about his journey in accounting and compliance. They dive into Mike's professional journey, starting from his early days at Ernst & Young, navigating the complexities of Sarbanes-Oxley (SOX) compliance, and eventually founding FloQast. Mike shares his firsthand experiences with the challenges in accounting and compliance, such as the talent gap and behavior change within organizations, and explains how FloQast's close management and compliance software addresses these issues. The discussion delves deeply into risk orchestration and its critical role in modern compliance strategies. Additionally, Mike provides insights into his passion for podcasting and touches on his book, 'Shift Happens,' co-authored to highlight the rise of the operational accountant. The episode wraps up with a focus on FloQast's innovative solutions that integrate daily accounting tasks with compliance requirements, thus simplifying processes for finance professionals. Tune in to hear how a common pain point in the accounting world led to the creation of a transformative software solution.

Key highlights:
Challenges in Accounting and Compliance
Risk Orchestration and Compliance
Mike's Podcast and Book

Resources:
Mike Whitmire on LinkedIn
FloQast
Purchase Shift Happens on Amazon.com
Tom Fox: Instagram, Facebook, YouTube, Twitter, LinkedIn
Topics include:
DC and profession news
Technical updates
Discussion on innovation, transformation and evolving business models

Speakers:
Barry Melancon, President and CEO, AICPA
Erik Asgeirsson, President and CEO, CPA.com
Lisa Simpson, VP, Firm Services, AICPA
Lindsay Stevenson, Chief Transformation Officer, BPM
Okorie Ramsey, VP, Sarbanes/Oxley (SOX), Kaiser Permanente
As humans we are driven by risks and threats, and we continually weigh up costs and benefits. A threat is something that could actually cause harm, loss or damage, whereas a risk is the likelihood of a specific threat happening. In our lives, too, we expose ourselves through vulnerabilities: our weaknesses, which could be exploited by others. Within cyber intelligence we thus need to continually understand our threats and vulnerabilities and weigh up the risks involved. With finite budgets for computer security, we must focus on those things which will bring the most benefit to the organisation. A major challenge is always to carefully define costs and benefits. A CEO might not want to invest in a new firewall if the justification is that it will increase the throughput of traffic, whereas a justification around the costs of a data breach and an associated loss of brand reputation might be more acceptable for investment. Threat analysis is a growing field and involves understanding the risks to the business, how likely they are to happen, and their likely cost to the business. Figure 1 shows a plot of the cost of risks against their likelihood. If the costs are low, a risk is likely to be worth defending against. Risks which are not very likely and which have a low cost, and also a risk which has a high cost but is highly likely, are less likely to be defended against. At the extreme, a high risk which has a low likelihood and which has high costs to mitigate against is probably not worth defending against. The probabilities of the risks can be analysed using previous experience, estimates, or standard insurance risk tables. Figure 2 outlines an example of this.

Loss Expectancy

Any investment in cybersecurity must often be justified, especially in terms of the benefits that it brings to an organisation.
For audit/compliance reasons, a company must often prove that it meets the key regulatory requirements within its marketplace. Regulations such as GDPR, and acts such as Gramm-Leach-Bliley (GLB), Sarbanes-Oxley (SOX), and the Computer Fraud and Abuse Act, are often key drivers for investment in cybersecurity, as a failure to comply with these can lead to significant fines or even criminal charges. The GLB Act outlines the mechanisms that financial institutions can use to share customer data. And, due to the financial scandals of Enron, WorldCom, and Tyco, SOX was passed in 2002, and it defines the methods used to implement corporate governance and accountability. One driver for cyber intelligence is thus the ability to gather the required information for auditors to review. As previously defined, there are many other costs that an organisation may face, including the loss of business, brand damage, and a reduction in shareholder confidence. One method of understanding the cost of a risk is to determine the annual loss expectancy, which is calculated from:

ALE = AV x ARO

where ALE is the Annual Loss Expectancy, ARO is the Annualized Rate of Occurrence, and AV is the value of the particular asset. For example, if the likelihood of a denial-of-service on a Web-based database is once every three years, and the loss to sales is $100K, the ALE will be:

ALE = $100K x 1/3 = $33K per annum

This formula assumes that there is a total loss of the asset. For differing levels of damage, an EF (Exposure Factor) can be defined as the percentage of the asset that is damaged, and the formula then becomes:

ALE = AV x ARO x EF

Figure 1: cost of risks plotted against their likelihood

Figure 2: example of estimating risk probabilities

Risk management/avoidance

The major problem in defining risk, and in implementing security policies, is that there is often a lack of communication on security between business analysts and information professionals, as they both tend to look at risk in different ways.
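The ALE arithmetic above is simple enough for one asset, but the point of the formula is to rank many risks against each other and against what the mitigation costs, which is where the "accept if the mitigation is too expensive" trade-off comes from. The following is an added example, not code from the article: it applies ALE = AV x ARO x EF to a small constructed risk register (the first entry is the article's $100K / once-in-three-years case) and labels each risk as mitigate or accept by comparing the ALE with an assumed annualised control cost.

```python
"""Annual Loss Expectancy (ALE) over a small risk register.

ALE = AV x ARO x EF, where AV is the asset value, ARO the annualised rate of
occurrence and EF the exposure factor (fraction of the asset lost in one
incident; 1.0 for a total loss).  All register entries below are constructed
sample figures; the first reproduces the article's own example (a $100K loss
from a denial-of-service on a web database about once every three years).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float            # AV, in dollars
    aro: float                    # ARO, expected incidents per year
    exposure_factor: float = 1.0  # EF, fraction 0.0..1.0 (1.0 = total loss)
    control_cost: float = 0.0     # annualised cost of the mitigation (assumed figure)


def ale(risk: Risk) -> float:
    """Annual loss expectancy in dollars: AV x ARO x EF."""
    if not 0.0 <= risk.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if risk.aro < 0 or risk.asset_value < 0:
        raise ValueError("ARO and asset value must be non-negative")
    return risk.asset_value * risk.aro * risk.exposure_factor


def decision(risk: Risk) -> str:
    """Mitigate when the control costs less per year than the expected loss,
    otherwise accept the risk (the trade-off the article describes)."""
    return "mitigate" if risk.control_cost < ale(risk) else "accept"


def rank_register(register: List[Risk]) -> List[Tuple[str, float, str]]:
    """(name, ALE rounded to cents, decision) tuples, highest ALE first."""
    rows = [(r.name, round(ale(r), 2), decision(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register.
SAMPLE_REGISTER = [
    Risk("DoS on web database", 100_000, 1 / 3),
    Risk("Ransomware on file server", 500_000, 0.1, 0.6, control_cost=20_000),
    Risk("Lost laptop (encrypted disk)", 5_000, 2.0, 0.2, control_cost=3_000),
]

if __name__ == "__main__":
    for name, value, verdict in rank_register(SAMPLE_REGISTER):
        print(f"{name:32s} ALE=${value:>10,.2f}  -> {verdict}")
```

The exposure factor is validated as a fraction because a percentage typed as 60 rather than 0.6 silently inflates every figure downstream; the encrypted-laptop entry shows the accept branch, where the control would cost more per year than the loss it prevents.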
Woloch [1] highlights this with: Get two risk management experts in a room, one financial and the other IT, and they will NOT be able to discuss risk. Each puts risk into a different context … different vocabularies, definitions, metrics, processes and standards. At the core of cyber intelligence is a formalisation of the methodology used to understand and quantify risks. One system for this is CORAS (A Framework for Risk Analysis of Security Critical Systems), which was developed to understand the risks involved. A key factor of this framework is to develop an ontology (as illustrated in Figure 3) in which everyone speaks using the same terms. For example: A THREAT may exploit a VULNERABILITY of an ASSET in the TARGET OF INTEREST in a certain CONTEXT, or a THREAT exploiting a VULNERABILITY opens for a RISK which contains a LIKELIHOOD of an UNWANTED INCIDENT. In this way, all of those in an organisation, no matter their role, will use the same terminology in describing threats, risks and vulnerabilities. For risk management, it is understood that not all threats can be mitigated against, so they will be carefully managed and monitored. Figure 4 shows the methodology used by CORAS in managing risks, where a risk might be accepted if the cost to mitigate against it is too high. Network sensors can then be set up to try to detect potential threats and to deal with them as they occur. For risk avoidance, systems are set up so that a threat cannot actually occur on the network. An example of risk management is where a company might not set up its firewalls to block a denial-of-service (DoS) attack, as that might also block legitimate users/services, and could instead install network sensors (such as Intrusion Detection Systems) to detect when a DoS occurs. With risk avoidance, the company might install network devices which make it impossible for a DoS attack to occur.
Figure 3: CORAS ontology

Figure 4: CORAS risk management methodology

The importance of clearly defining threats is that it allows us to articulate both the threat itself and also to define clearly the entities involved in an incident. Figure 5 shows an example of defining the taxonomy used within a security incident, where: A [Threat] is achieved with [Attack Tools] for [Vulnerabilities] with [Results] for given [Objectives].

Figure 5: security incident taxonomy

Kill chain model

Within cybersecurity, we see many terms borrowed from military operations, including demilitarized zones (DMZs), defence-in-depth and APT (Advanced Persistent Threat). Another widely used term is the kill chain, where military operations would attack a specific target and then look to destroy it. A defender will then look to break the kill chain and understand how it might be attacked. An example of the kill chain approach is "F2T2EA", where we Find (a target), Fix (on the location of the target), Track (the movement of the target), Target, Engage (to fix the weapon onto the target), and Assess (the damage to the target). A core of this approach is the provision of intelligence around the finding, tracking and assessment of the target. One of the most used cybersecurity models for understanding threats is the kill chain model, which was first proposed by Lockheed Martin. Yadav et al [2] define the technical nature of the key stages of an attack, including Reconnaissance, Weaponize, Delivery, Exploitation, Installation, and Act on Objective (Figure 6). So let's say that Eve wants to steal the academic records of a university student (Carol). She might perform a reconnaissance activity and find out that Bob is an academic related to Carol's programme of study. Eve might then determine that Bob runs Windows 10 on his computer and will then move to weaponization. For this Eve selects a backdoor trojan which fakes the login process for his university site. Eve does this by scraping the university login system.
Next, she picks a suitable delivery mechanism and decides on a spear phishing method which will trick Bob into logging into the fake Web site. Eve then tries a different phishing email each day and, for each attempt, she monitors for any activity of Bob putting in his university login details and his password. Once he is fooled into putting in his username and password, Eve logs the IP address of his computer and remotely logs into it. She then installs a backdoor program which captures his keystrokes. Eve then monitors his activities until she sees him logging into the university results system, where she can capture his login details for this system, and then she can act on her objective and steal Carol's results.

Figure 6: Cyber Kill Chain Model © [2]

Reconnaissance

The first stages of an attack are likely to involve some form of reconnaissance, which can be either passive scanning or active scanning. Within active reconnaissance, an attacker may use discovery tools to determine servers, networking devices, IP address ranges, and so on. These tools will typically leave a trace on the network, which could be detected as reconnaissance activity. Typically an organization would have standard signature detection methods to detect the scanning of IP addresses and TCP ports, and the discovery of networked services. A company could then black-list, or lock down, the IP address which sourced the scan. With passive scanning, an attacker might use open source information to better understand their target. This increasingly involves Open-Source Intelligence (OSINT) reconnaissance. Increasingly, too, we all leave traces of our activities across the Internet, and as we do, we leak information that could be useful to an attacker. A spear-phishing attack may thus be targeted against a person who has leaked information about their next-of-kin or about their normal work times.
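The "standard signature detection" for active reconnaissance mentioned above is usually a counting rule: one source touching many distinct hosts or ports within a short window. The following is an added example, not code from the article or from any product: it parses constructed firewall log lines in an assumed key=value layout, runs a per-source sliding window over time-sorted events, and reports sources that probe at least a threshold of distinct (host, port) pairs within 60 seconds, which is the list a defender would review before adding anything to a block list.

```python
"""Flag port-scan style active reconnaissance in firewall logs.

Signature: one source address probing many distinct (host, port) pairs inside
a short time window.  The log lines are constructed for this example and the
key=value layout is an assumed format, not any vendor's real output.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample log: 203.0.113.5 sweeps twelve ports on 10.0.0.7 within
# a few seconds; the other two sources show ordinary traffic.  One garbage
# line is included to show that unparseable input is skipped, not fatal.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T09:00:0{i % 5 + 1}Z src=203.0.113.5 dst=10.0.0.7 dport={p} proto=tcp action=deny"
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
    + [
        "2024-05-01T09:00:02Z src=198.51.100.9 dst=10.0.0.7 dport=443 proto=tcp action=allow",
        "2024-05-01T09:04:10Z src=198.51.100.9 dst=10.0.0.7 dport=443 proto=tcp action=allow",
        "2024-05-01T09:09:33Z src=198.51.100.9 dst=10.0.0.7 dport=443 proto=tcp action=allow",
        "2024-05-01T09:00:07Z src=192.0.2.44 dst=10.0.0.8 dport=22 proto=tcp action=allow",
        "2024-05-01T09:00:09Z src=192.0.2.44 dst=10.0.0.8 dport=80 proto=tcp action=allow",
        "garbage line that does not match the expected layout",
    ]
)


def parse_log(text):
    """Parse matching lines into (timestamp, src, dst, dport); skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def detect_scans(events, threshold=10, window=timedelta(seconds=60)):
    """Sliding window per source: return {src: max distinct (dst, dport) pairs
    seen inside any `window`} for sources that reach `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()                      # time order, so the window can slide
        left = 0
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            probed = {(dst, dport) for _, dst, dport in evs[left:right + 1]}
            if len(probed) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(probed))
    return alerts


def block_candidates(alerts):
    """Sources to hand to the firewall block list, worst first."""
    return sorted(alerts, key=alerts.get, reverse=True)


if __name__ == "__main__":
    found = detect_scans(parse_log(SAMPLE_LOG))
    for src in block_candidates(found):
        print(f"possible scan from {src}: {found[src]} distinct host/port pairs in 60s")
```

Counting (host, port) pairs rather than ports alone makes the same rule catch a horizontal sweep of one port across many hosts as well as a vertical port sweep of one host. The threshold and window are the tuning knobs: a repeated legitimate client such as 198.51.100.9 above never exceeds one pair, so it is not reported, while the 192.0.2.44 source would only appear if the threshold were lowered to 2.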
Eve, for example, might know that Carol has a friendship with Trent, and that Carol also uses Pinterest. She then finds out that Carol always starts work at 9am, and that she has been associated with a given IP address. On checking her Twitter account, Eve sees that Carol attended a rock concert the night before. Eve then sends Carol an email just before 9am:

Hi Carol, Trent here. Hope you had a great time at the concert. Here are some photos that I took [here]. — Trent

Eve then sets up a fake Pinterest site which asks for Carol's login details. Carol enters her password, but it is rejected; Eve's fake Web page then forwards Carol to the real Pinterest site, and she logs in. Everything looks okay, and Carol just thinks that she entered the wrong password on the first login attempt. But Eve now has Carol's username, password and IP address. If Carol uses the same password for many of her accounts, Eve can then move through sites that Carol is likely to use with the Pinterest-sourced password. Thus Eve has used a targeted spear-phishing attack, where she first determined something about Carol and then targeted her with something she thought Carol would be tricked by.

MITRE ATT&CK (TM) Framework

Many criticise the kill chain model in cybersecurity as it does not cover all of the possible attacks and is limited in its number of stages. MITRE ATT&CK(TM) extends these phases into: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact, and splits these up into the techniques used in each phase [3]. Figure 7 shows that the initial access phase could be achieved through methods such as Drive-by Compromise and Exploit Public-Facing Application, and the framework can then be used as a knowledge base for the tactics and techniques used.
Within each of the techniques, the framework outlines real-life examples, detection methods, and possible mitigations.

Figure 7: Mitre [2] [here]

In reconnaissance (Figure 8), we can see there are 10 basic techniques (active scanning, gathering victim host information, and so on). These techniques then split into sub-techniques (such as Scanning IP Blocks for Active Scanning).

Figure 8: Defining sub-techniques [link]

Each sub-technique then has mitigations and detection methods (Figure 9).

Figure 9: Sub-techniques [link]

Unified Kill Chain (UKC) model

Paul Pols [4] then brought together the approaches of the kill chain model and the MITRE ATT&CK(TM) knowledge base to create the Unified Kill Chain (UKC) model, which defines 18 unique attack phases. These are split into the stages of an initial foothold, which pivots to network propagation, and then to action on objectives (Figure 8). The reconnaissance phases involve: Weaponization; Delivery; Social Engineering; Exploitation; Persistence; Defense Evasion; and Command & Control (Figure 9). The network discovery phase involves Discovery; Privilege Escalation; Execution; Credential Access; and Lateral Movement, with an action phase of Collection; Exfiltration; Target Manipulation; and Objectives.

Figure 8 [Link]

Figure 9 [Link]

Conclusions

To repeat, at the core of cybersecurity are: risks, costs, benefits and threat models. We need common definitions for our terms and a common knowledge base. The Unified Kill Chain model goes some way to achieving this.

References

[1] B. Woloch, "New dynamic threats requires new thinking: moving beyond compliance," Computer Law & Security Review, vol. 22, no. 2, pp. 150–156, 2006.
[2] T. Yadav and A. M. Rao, "Technical aspects of cyber kill chain," in International Symposium on Security in Computing and Communication. Springer, 2015, pp. 438–452.
[3] MITRE, "Mitre's attack," 2019. [Online]. Available: https://attack.mitre.org/
[4] P. Pols, "Unified kill chain (UKC)," 2019. [Online]. Available: https://www.csacademy.nl/images/scripties/2018/Paul-Pols---The-Unified-Kill-Chain
There are labor shortages in a variety of industries, especially manufacturing. The National Association of Manufacturers predicts there may be a gap of 2.1 million workers amounting to one trillion dollars by 2030. Clearly, something is stirring in the manufacturing industry economy. But what is the forecast for the immediate future?

On today's episode of Location3, a Weaver: Beyond the Numbers podcast, hosts Howard Altshuler, Partner-in-Charge of Real Estate Services, and Rob Nowak, Partner in Tax Services at Weaver, are joined by partners Colby Horn, Partner-in-Charge of Manufacturing, Distribution, and Retail Services at Weaver, and Jody Allred, Partner-in-Charge of Manufacturing, Distribution, and Retail Services at Weaver, to talk about their new podcast launch and trends impacting warehouse space and leasing.

Altshuler, Nowak, Horn, and Allred also talked about:
1. Horn and Allred's impending launch of the On the Shop Floor manufacturing podcast series
2. Vacancies increased in the second half of 2022, indicating a softening in the leasing market
3. The outlook for the manufacturing market's economy in 2023

Horn explained why warehousing space was at a premium due to the pandemic. "Obviously, during COVID, people weren't able to attend concerts, sports events and other activities. Their spending shifted more to tangible things like buying clothes or furniture. That switch definitely created stress on the supply chain. It's been forcing a lot of our clients or people in our industry to over purchase, and with that over purchasing, warehouse space is at a premium." However, that premium is eroding with vacancies up across the warehouse leasing market.

The slowdown in activity is not affecting the market at the same rate or velocity. Allred provided some projections on what is in store for the manufacturing economy based on recent surveys.
"I think what we're seeing depends on geography, it depends on what industry within manufacturing distribution retail you're in."

What the market is really telling us is that uncertainty has returned, and we all hope for a soft-landing recession but need to continue contingency planning that will allow for a nimble market response.

Colby Horn is Partner-in-Charge of Manufacturing, Distribution, and Retail Services at Weaver and has more than 17 years of experience in auditing, accounting, and consulting. Colby's practice emphasis has been focused on providing financial statement attestation for both non-public and public clients, employee benefit plan audits, as well as advising clients in all aspects of mergers, acquisitions, divestitures and due diligence activities. He attended the University of North Texas, where he earned a BS in Accounting.

Jody Allred is Partner-in-Charge of Manufacturing, Distribution, and Retail Services at Weaver and has more than 20 years of experience in public accounting, a deep background in both financial statement audit and advisory services, and a passion for client service. His current professional emphasis is on internal audit (both outsourced and co-sourced), enterprise risk management, Sarbanes-Oxley (SOX) compliance, business process improvement consulting, joint interest auditing, and accounting standard adoption consulting. Jody holds a BA and MA in Accounting from Abilene Christian University. Jody specializes in governance, risk, and compliance management for various sectors such as manufacturing, distribution, oil and gas, and construction.
Show Notes

Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cyber security leader. My name is G. Mark Hardy, and today we're going to offer tips and tools for briefing your executive leadership team, including the four major topics that you need to cover. As always, please follow us on LinkedIn, and make sure you subscribe so you can always get the latest updates. Imagine you have been in your role as the Chief Information Security Officer for a while and it is now time to perform your annual brief to the Executive Leadership Team. What should you talk about? How do you give high level strategic presentations in a way that provides value to executives like the CEO, the CIO, the CFO, and the Chief Legal Officer?

Story about Kim Jones at Vantiv – things have changed

Let's first talk about how you make someone satisfied -- in this case your executives. Frederick Herzberg (1923-2000) introduced Motivator-Hygiene theory, which was somewhat like Maslow's hierarchy of needs, but focused more on work, not life in general. What a hygiene factor basically means is that people will be dissatisfied if something is NOT there but won't be motivated if that thing IS there, e.g., toilet paper in the employee bathroom. Or, said more concisely, satisfaction and dissatisfaction are not opposites. The opposite of Satisfaction is No Satisfaction. The opposite of Dissatisfaction is No Dissatisfaction. According to Herzberg, the factors leading to job satisfaction are "separate and distinct from those that lead to job dissatisfaction." For example, if you have a hostile work environment, giving someone a promotion will not make him or her satisfied. So, what makes someone satisfied or dissatisfied?
Factors for Satisfaction:
Achievement
Recognition
The work itself
Responsibility
Advancement
Growth

Factors for Dissatisfaction:
Company policies
Supervision
Relationship with supervisor and peers
Work conditions
Salary
Status
Security

So, what will make a board member satisfied? Today, cyber security IS a board-level concern. In the past, IT really was only an issue if something didn't work right – a hygiene problem. If we learn from Herzberg, we may not be able to make the board satisfied with the state of IT security, but we can try to ensure they are not dissatisfied. Hopefully you now have context for what might otherwise be considered splitting hairs on terminology – essentially, we want our executive audience to not think negatively of your IT security program and how you lead it. Remember, boards of directors generally come from non-IT backgrounds. According to the 2021 U.S. Spencer Stuart Board Index, of the nearly 500 independent directors who joined S&P 500 boards in 2021, less than 4% have experience leading cybersecurity, IT, software engineering, or data analytics teams. And that 4% is mostly confined to tech-centric companies or businesses facing regulatory scrutiny. So, there is essentially a mismatch between a board member's background and a CISO's background. That extends to your choice of language and terminology as well. Never go geeky with your executives – unless you have the rare situation where your entire leadership team is IT savvy. Otherwise, you will tune them out by talking about bits and bytes and packets and statistics. Instead, communicate by telling stories – show how other companies in similar industries have encountered security issues and what they did about them (either successfully or unsuccessfully). Show how your cybersecurity initiatives and efforts reduce multiple forms of risk: financial risk, reputational risk, regulatory risk, legal risk, operational risk, and strategic risk.
You can show that the threat landscape has changed – nation states and organized crime have supplanted lone hackers and disgruntled employees as the major threats. Regulatory environment changes such as the California Consumer Privacy Act (CCPA) and ultimately the follow-on legislation from 49 other states will impact strategic business planning. Show your board how to avoid running afoul of these emerging requirements. And, of course, there is the ever-present threat of ransomware, which has evolved from denial-of-access attacks to loss of customer and internal data confidentiality. That threat requires top-level policy and response plans in advance of an incident -- it's too late to be making things up as you go along. Now, before we go into the Four Major Topics executives need to hear (after all, that's what I promised at the beginning of the show), let's ask, "Why are we briefing executives on our cyber program?" Any company that is publicly traded falls under the scope of the Securities and Exchange Commission or SEC. The SEC has published Cybersecurity Guidance that offers suggestions for investment companies and investment advisors. They recommend investment firms "create a strategy that is designed to prevent, detect, and respond to cybersecurity threats". The creation of a security strategy and education of employees on the strategy is at the core of what CISOs do. So, a translation of the SEC's guidance is to hire a CISO and have that individual create and execute a cybersecurity strategy. In fact, the SEC's quote above calls out three of the Five Functions of the NIST Cybersecurity Framework, which are: (1) identify, (2) protect (prevent), (3) detect, (4) respond, and (5) recover. Our second question is, how often should we be updating the Executive leadership team?
Since the SEC requires companies to disclose risks in their 10-K statements on a yearly basis, you should be briefing cyber updates to the Executive Leadership team at least on an annual basis. We recommend quarterly or semi-annual updates to give more touch points on important topics. You can draw parallels to quarterly financial statements. Let's say the Risk Committee chaired by the CEO has agreed to hear the status of the Cyber Program twice a year. What should we brief to the executive leadership team? Let's look at what's required by law. The State of New York requires financial services organizations to follow New York Department of Financial Services (NYDFS) regulations. Section 500.04 provides additional information about CISOs. It states: Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, "Chief Information Security Officer" or "CISO"). The regulations also state: The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity's board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entity responsible for the Covered Entity's cybersecurity program. The CISO shall report on the Covered Entity's cybersecurity program and material cybersecurity risks. These types of requirements aren't confined to Wall Street. The Bermuda Monetary Authority requires insurance companies to follow their Cyber Risk Management Code of Conduct. It states that: The board of directors and senior management team must have oversight of cyber risks. The board of directors must approve a cyber risk policy document at least on an annual basis.
So, both the State of New York and the Bermuda Monetary Authority want CISOs to provide risk management and perform at least yearly reporting on material cyber security risks. Many more regulatory bodies do; these are just offered as examples. If you are going to function effectively as a leader, you should find some way to create a win-win from most any situation. You likely have a regulatory requirement to brief your board or leadership on a periodic basis. That's fine. But have you ever asked yourself, what do I want in return? Hmm. What you want is for your board to set the security culture from the top. Boards hold senior leadership (think C-level executives) accountable, and you want the board to ensure the CEO makes cybersecurity a priority for the organization. ISO 27001 has a nice tool – the Information Security Management System (ISMS) Policy Statement – which is senior leadership's declaration of the importance of cybersecurity within the organization. One example I found is that of GS1 India, a standards organization that helps Indian industry align with global best practices. Their ISMS Policy statement begins with: The Management of GS1 India recognizes the importance of developing and implementing an Information Security Management System (ISMS) and considers security of information and related assets as fundamental for the successful business operation. Therefore, GS1 India is committed towards securing the Confidentiality, Integrity, and availability of information for the day-to-day business and operations. If you can get a formal declaration of support from the top, your job is going to be a whole lot better. Otherwise, you might just end up being the Chief Scapegoat Officer. Now let's define the four things that an executive leadership team should hear from their security leader that will convey the message that you have a handle on your scope of authority and are executing your responsibilities correctly. 
Those four focuses are:
Cyber Risks and Responses
Cyber Metrics
A Cyber Roadmap that Identifies High Profile Programs and Projects
Cyber Maturity Assessment

Let's dig in. With respect to "cyber risks and responses," create a slide for executives that shows the top cyber risks. Examples may include things like ransomware, business email compromise, phishing attacks, supply chain attacks, third party compromise, and data privacy issues. As a practical matter when briefing cyber risks, never just share a risk and walk away. Executives hate that. Be sure to talk about what you are doing as a CISO to mitigate this risk. Usually in Risk Meetings executives look for a few things about any risk. What is it? What is the likelihood of it occurring? What is the impact if it does occur? What are we doing about it? How much does it cost to fix? However, this isn't a risk approval meeting where we need to go into that level of detail. So, let's keep our cyber risk reporting at an executive level by identifying our top three to five material risks and showing our cyber responses to each risk. For example, if you believe phishing is your number one cyber risk, then highlight it and talk about how you have created a phishing education program that lowers click rates and increases phishing reporting to the Cyber Incident Response Team. When phishing attacks are reported, your team has a Service Level Agreement (SLA) to respond to phishing reports within four hours to minimize any potential harm. You can also highlight that your organization has email protection tools in place such as Proofpoint that stopped thousands of phishing attacks during the last quarter. In summary, you are acknowledging that your company has Cyber Risks which can harm the organization, and you are protecting the organization the best you can given the resources available to your team.
If someone doesn't like your four-hour SLA, then you might offer up that you could decrease the response time to a one-hour SLA if you had one additional headcount. This creates a business decision to give you additional headcount, which is a great discussion to have. Once you have talked about the top three to five risks your organization faces, we recommend talking about key metrics to measure the Cyber Program. You could call these the metrics that matter. Essentially, they are tactical metrics that you measure month to month because they show risks that could result in major cyber-attacks. Our favorite place for metrics that matter is the OWASP Threat and Safeguard Matrix or TaSM (pronounced like Tasmanian Devil). Please note we have a link to it in our show notes. Please, please, please read about the OWASP Threat and Safeguard Matrix. It's a short five-minute read, and you will be glad that you did. What does the Threat and Safeguard Matrix teach us about cyber metrics? It says all good metrics show a status, a trend, and a goal.

Status shows where we are right now
Trends show if the project, program, or company is getting better or worse
Goals show the end state so we know when we are done and if we should be happy with our current progress

The OWASP Threat and Safeguard Matrix then categorizes cyber metrics into four major areas: technology, people, process, and environment. Technology-based metrics show things like how fast we are patching devices and how well our servers and laptops are configured. Think about it: if you have servers that are internet-facing which are not patched, then it's just a matter of time until bad actors cause your company (and you) a really bad day. This isn't something that you can wait on. So, your organization needs to continually track progress and burn these numbers down as quickly as possible. So, let's do something about it.
Start by looking at your company's security policy that defines the patch timelines for high and critical vulnerabilities. It might say something such as: we require critical vulnerabilities to be patched in 15 days and high vulnerabilities to be patched in 30 days. From that security policy you create a Service Level Agreement for the IT department to meet. So, you measure the percentage of your servers that have zero high and critical vulnerabilities older than that 15- or 30-day window. Yeah, it's going to look terrible in the beginning when your IT department shows that only 30% of its servers are patched according to the enterprise service level agreements. But transparency brings reform. When the CIO sees that these metrics are routinely being briefed to the CEO and executive leadership team, then things will change. The CIO will say "not on my watch" and usually lead the IT team to make the changes needed to improve patching. Another metric category we see in the OWASP TaSM is People. When we think about cyber threats to people we usually think about phishing. So, during your monthly phishing exercises record your click rates and your reporting rates. Since each phishing exercise is different, you should benchmark your organization against other organizations that took the same phishing exercise. You can say we had a 5% click-through rate compared to our industry vertical, which scored 7%. If you are doing better than your peers, then you can show you are following best practices and meeting the legal standard of due care. These metrics might lower your cyber insurance costs. These metrics could also be extremely helpful if your company were sued as a result of a data breach that began with a successful phishing attack. So, measure them each month and make good progress. The third metric category is Process-based metrics.
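The patch SLA metric described above (percentage of servers with no high or critical vulnerability older than its policy window) reported as status, trend and goal, as an added Python example that is not from the episode or from OWASP. The host inventory, scan findings, prior-month value and 95% target are all constructed for the example; the 15- and 30-day windows are the episode's sample policy.

```python
from dataclasses import dataclass
from datetime import date

# Policy windows from the episode's example policy: criticals patched within
# 15 days, highs within 30.  Medium/low findings are not governed by this SLA.
SLA_DAYS = {"critical": 15, "high": 30}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    first_seen: date  # date the scanner first reported the finding


def is_overdue(finding: Finding, as_of: date) -> bool:
    """True if the finding is older than the SLA window for its severity."""
    window = SLA_DAYS.get(finding.severity.lower())
    if window is None:
        return False
    return (as_of - finding.first_seen).days > window


def sla_compliance(hosts, findings, as_of):
    """Percentage of inventoried hosts with zero overdue high/critical findings.

    Returns (percent, overdue_by_host).  A host is compliant only when it has
    no overdue finding.  The inventory, not the scan output, defines the
    denominator, so an unscanned host still counts (as compliant here; treat
    that as a coverage gap to report separately).
    """
    overdue_by_host = {}
    for f in findings:
        if is_overdue(f, as_of):
            overdue_by_host.setdefault(f.host, []).append(f)
    compliant = [h for h in hosts if h not in overdue_by_host]
    percent = round(100.0 * len(compliant) / len(hosts), 1) if hosts else 100.0
    return percent, overdue_by_host


def metric_line(name, status, previous, goal):
    """Render one metric as status, trend and goal, as the TaSM recommends."""
    trend = "n/a" if previous is None else f"{status - previous:+.1f} pts vs last month"
    gap = "goal met" if status >= goal else f"{goal - status:.1f} pts to goal"
    return f"{name}: {status:.1f}% ({trend}; goal {goal:.0f}%, {gap})"


# Constructed sample inventory and scan findings (not real data).
AS_OF = date(2022, 6, 30)
SAMPLE_HOSTS = ["web-01", "web-02", "db-01", "app-01", "app-02"]
SAMPLE_FINDINGS = [
    Finding("web-01", "critical", date(2022, 6, 1)),   # 29 days old: overdue
    Finding("web-02", "high", date(2022, 6, 20)),      # 10 days: within window
    Finding("web-02", "critical", date(2022, 6, 25)),  # 5 days: within window
    Finding("db-01", "high", date(2022, 5, 15)),       # 46 days: overdue
    Finding("app-01", "medium", date(2022, 4, 1)),     # not governed by the SLA
    Finding("app-02", "critical", date(2022, 6, 20)),  # 10 days: within window
]
LAST_MONTH_STATUS = 30.0  # assumed prior-month value, like the episode's 30% example
GOAL = 95.0               # assumed target agreed with the executive team


def patch_sla_report():
    """Produce the executive metric line plus the host list behind it."""
    status, overdue = sla_compliance(SAMPLE_HOSTS, SAMPLE_FINDINGS, AS_OF)
    line = metric_line("Servers with no overdue high/critical vulns",
                       status, LAST_MONTH_STATUS, GOAL)
    return {"status": status, "overdue_hosts": sorted(overdue), "line": line}


if __name__ == "__main__":
    report = patch_sla_report()
    print(report["line"])
    for host in report["overdue_hosts"]:
        print(f"  overdue: {host}")
```

The slide line is the `metric_line` output; the per-host list is what you hand the CIO afterwards. Note that a host with several findings is counted once, so the metric tracks how many machines are out of policy rather than how many CVEs are open, which is the number executives can act on.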
Here you can monitor things like your third-party risks by looking at your processes that track how many of your third parties pass a review, have active ISO 27001 or SOC 2 Type 2 reports, and have recently passed penetration tests. Another process you might look at is what percentage of your critical applications performed adequately during both a Disaster Recovery exercise and a Business Continuity Plan exercise. These metrics are helpful during Sarbanes-Oxley (SOX) attestations and other regulatory reviews. The fourth and last metric category defined by the OWASP TaSM is Environment-based metrics. This refers to things outside of your organization that you don't control. Even though you don't control them, they can have a substantial impact on your organization. You can think of countries passing new cyber or data privacy laws, regulators asking for new information and compliance activities, and malicious actors and fraudsters taking interest in your company as examples of environment-based factors. Please don't confuse environmental factors with saving the Earth. This is not the context you are looking for. Environment metrics could be used to show how many legitimate phishing attacks your organization stopped when someone reported a phishing attack and the Incident Response Team confirmed it wasn't a false positive. Note these are actual phishing attacks, not phishing exercises. This is an important metric because it shows that, despite the email protection tools in place, things got past them. If you notice a 500% increase in confirmed phishing attacks, you might need to buy additional tooling to interdict them. Another metric you might look at is how many help-desk tickets your organization responded to that were caused by a cyber incident. These types of metrics can help inform management just how big the malicious attacker threat is and can be used by you to justify additional resources.
Well, that's a good overview on Cyber Metrics that you can look at each month, but we still have two more categories to go over in our cyber update. Remember if you want to learn more on cyber metrics, please look at the OWASP Threat and Safeguard Matrix. The third broad category of slides to include in your board deck is A Cyber Roadmap that Identifies High Profile Programs and Projects. Executives want to see the big picture on how you are evolving the program. So, show them a roadmap that says over the next three years here is the big picture. For example, in 2022 we are focusing on improving ransomware defenses by enhancing our backup and data recovery process. We will also improve our ability to prevent malware execution in our environment by adding new Windows group policies. In 2023, we will shift our focus towards improving our website security. We will be launching a bug bounty program that allows smart and ethical hackers to find vulnerabilities in our websites before malicious actors do. We will be upgrading our Web Application Firewall after we finish our three-year contract with our current vendor. We will also be adding a botnet protection tool to our internet-facing websites given the recent attacks we have been experiencing. In 2024, we will then shift our focus to improving our software development process. We will be purchasing a tool to gamify secure software development amongst developers. This should lower the cost of vulnerability management. We will also be building custom courses in house that teach developers our company's requirements to build, test, and retire applications correctly. When you present this type of Cyber Roadmap you might show a single slide with a Gantt chart view of when high profile projects occur with the executive summary of the points previously mentioned. The last major category is a Cyber Maturity Assessment. Essentially you want something that independently measures the effectiveness of the entire Cyber Program. 
For example, many organizations use the NIST Cybersecurity Framework, ISO 27001, the FFIEC Cybersecurity Assessment Tool, or HITRUST to benchmark their program. Consider hiring an independent auditing company to measure your organization's security maturity. You will get something that says: here are the top fifteen domains of cyber security; today, on a scale of one to five, your organization measures between a two and a four on most of the domains; most companies in your industry benchmark at level three, so you are currently underperforming your peers in four domains. You can take that independent assessment and say we really want to improve all level-two scores to be at least a three. This can be something you show in a spider graph or radar chart. You can show the top five activities needed to improve these measurements and provide timelines for when those will be fixed. This shows the executive leadership team that security is never perfect, how you benchmark against your peers, and provides them with the same confidence they would get from an audit to confirm you are working effectively. So, let's summarize. We talked about Herzberg's hygiene factors: things that aren't perceived as satisfying when present but cause dissatisfaction when absent. Remember, satisfaction and dissatisfaction are not opposites. The opposite of dissatisfaction is no dissatisfaction. That helps us understand that when briefing management, we will not be able to delight them with the overall state of our cybersecurity program, but we can cause them not to worry about it. Focus on risk reduction and how your program is helping your organization work toward that goal. We talked about why we need to brief management and how often. Different regulations require executive teams to articulate a cybersecurity strategy and empower the appropriate individuals to execute it.
In addition, most rules require at least annual security briefings; you may want to strive for more frequent meetings to keep your leadership team well-informed. Your goal is to have your board set the security culture from the top and hold C-level executives accountable for funding and maintaining cybersecurity initiatives. We covered the four things you should include in your executive briefings: cyber risks and responses, cyber metrics, a cyber roadmap that identifies high-profile programs and projects, and a cyber maturity assessment. By addressing risk in multiple forms, showing that you can measure and track your progress toward your security goals, that you have a solid plan for the next couple of years, and that you can demonstrate your maturity relative to peer companies, you will go a long way toward keeping your board happy, or more precisely, not unhappy. Lastly, don't forget to look up the OWASP TaSM model. It's a really useful tool for mapping threat categories to the NIST Cybersecurity Framework and showing where you may have gaps in your program (represented by blank cells in the matrix). The link to that is in our show notes. Well, we hope that you have enjoyed today's episode on Updating the Executive Leadership Team on the Cyber Program, and we thank you again for listening to us at CISO Tradecraft. Please leave us a review (hopefully five stars) if you enjoyed this podcast and share us with your peers on LinkedIn. We would love to help others with their cyber tradecraft. Thanks again and until next time, stay safe.
References
https://www.mindtools.com/pages/article/herzberg-motivators-hygiene-factors.htm
https://threataware.com/a-cisos-guide-to-cybersecurity-briefings-to-the-board/
https://www.spencerstuart.com/-/media/2021/october/ssbi2021/us-spencer-stuart-board-index-2021.pdf
https://www.spencerstuart.com/research-and-insight/cybersecurity-and-the-board
https://www.sec.gov/investment/im-guidance-2015-02.pdf
https://piregcompliance.com/ciso-as-a-service/what-regulations-require-the-designation-of-a-chief-information-security-officer-ciso/
https://proteuscyber.com/privacy-database/ny-dfs-section-50004-chief-information-security-officer
https://www.bma.bm/viewPDF/documents/2020-10-06-09-27-29-Insurance-Sector-Cyber-Risk-Management-Code-of-Conduct.pdf
https://www.gs1india.org/media/isms-policy-statement.pdf
https://owasp.org/www-project-threat-and-safeguard-matrix/
What happens when controls are continually overridden? Does that necessarily mean that companies are engaging in activities which violate the FCPA or some other law such as Sarbanes-Oxley (SOX)? Cristina Revelo said she would start out with some basic questions such as “How often would something be manually approved? How often are controls skipped, what are the levels of approvals that you have, and what is your documentation? What are the reasons, and are you documenting how often a certain department is requiring those overrides?” While it could indicate a company lacks a culture of compliance or that everything is an emergency, it might mean something else. It might mean that your internal controls need to be evaluated and then recalibrated. The Department of Justice calls this continuous monitoring leading to continuous improvement. Joe Oringel, co-founder of Visual Risk IQ, calls it continuous controls monitoring. However, many compliance professionals, and particularly lawyers, think that once a control is in place it's set in stone and there forever. This derives from the unfortunate fact that, once again, many compliance professionals and most lawyers do not understand internal controls. Yet internal controls, much like the rest of a compliance program, can and should be continually monitored and continually improved based upon information such as the number of overrides. Such a review can be evidence of a management problem or a culture of non-compliance at the organization. However, it could be that the controls simply need to be adjusted.
3 Key Takeaways
1. An internal control override is not necessarily a bad thing if proper procedure is followed.
2. Internal controls are not set in stone.
3. The key is to have a process for monitoring the controls, taking input, literally, from each line of defense.
Learn more about your ad choices. Visit megaphone.fm/adchoices
Sarbanes-Oxley (SOX) has been in place for nearly two decades, but many organizations still struggle to understand how it fits into their internal controls programs and end-to-end processes. In this podcast, APQC's Principal Research Lead for Financial Management, Rachele Collins, talks with finance processes expert and author Chris Doxey about the implications of SOX for today's finance teams. Subscribe to us on iTunes or wherever you get your podcasts!
The Dodd-Frank Act and other government regulations, like Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA), impose many restrictions on financial institutions, including which documents must be retained and for how long, and additional safeguards for consumers' private information. Financial institutions continue to be hit hard with fines for violating these laws, to the tune of $36 billion in the last ten years. There has to be an easier way for companies to automate the classification of their unstructured data to meet regulatory standards and avoid millions in fines. In today's episode, Darryl Richardson, Aparavi's Chief Product Evangelist, explains how Aparavi's out-of-the-box, pre-defined classification policies can help banks, insurance agencies, mortgage brokers, lenders and other financial institutions: Find what they need when they need it across any location; Comply with financial regulations; Automate data retention policies; and Protect their customers' personal financial information.
As leaders adapt to and anticipate emerging risks, evolving regulatory pressures and new accounting standards, Jason Sammons and Sabrina Serafin discuss current trends in Sarbanes-Oxley (SOX) compliance. Learn more: https://www.frazierdeeter.com/services/advisory/sarbanes-oxley-reporting/
Among the many flights that CFO Stefan Schulz has taken between Minneapolis and Houston over the years, few are etched in his memory better than a certain return flight to Minneapolis—during which he created an ambitious list of Sarbanes-Oxley (SOX) action items. The list that Schulz created in the air that day was long and detailed, and while he may not have ever used it as such, the list was the muscle behind an ultimatum. "I was thinking about all that I would need in order to get things fixed. Basically, I was thinking, 'If I don't get these, then you need to find somebody else,'" explains Schulz, who at the time had not yet been a month into a new job with Lawson Software when he determined that it was time to alert Lawson's board and upper management to its snowballing SOX compliance challenge. "To my surprise, they told me, 'We want you to do exactly what you said' and 'We've got your back.' This really changed how I approached problems and how I would recommend solutions going forward," explains Schulz, who had earlier earned his SOX street cred while a controller at BMC Software. Fourteen years and multiple tours of duty as a CFO later, Schulz is still flying back and forth between Houston and Minneapolis and still making lists. These days, his action items are more likely to highlight the priorities of a SaaS CFO for whom the new rules of customer-centric finance loom large and customer success is increasingly top-of-mind. –Jack Sweeney
On Silicon Valley Insider this month, host Keith Koo has had a series of interviews on Artificial Intelligence. First was with Beena Ammanath, Global VP of Innovation (AI, Data, IoT, Blockchain) and Founder of the non-profit Humans for AI: https://omny.fm/shows/the-silicon-valley-insider-show/sv-insider-10-12-18-podcast Next was Professor Gary Smith of Pomona College on his book "The AI Delusion", in which he says AI is good for some repetitive tasks but will not become cognitive to the point of having common sense. https://omny.fm/shows/the-silicon-valley-insider-show/sv-insider-10-19-18-podcast The series continues with how AI technology can be used effectively to transform an industry and profession like accounting without losing jobs. Jotham Ty is the CEO of Gappify, a technology company committed to transforming the accounting industry by automating thousands of mundane tasks through the use of bots utilizing Artificial Intelligence (AI) and Machine Learning (ML). Hear how Jotham and team went from running a successful consulting firm during the Sarbanes-Oxley (SOX) era to determining the need to make accounting tasks and the accountant's function less boring and mundane. There are thousands of accounting tasks that can be automated without losing jobs. Gappify is an AI technology that the accounting world can embrace. More info at www.gappify.com. For the Cyber/Privacy Tip of the week, Keith talks about how your identity can be revealed using DNA even if you have never taken a DNA test. In next week's show, Keith will interview Jenny Dearborn, EVP of People for SAP. Jenny is considered one of the "Top 50" women in technology. First airing is 1-2pm on 1220AM KDOW. Download the podcast at 2pm Fridays. For questions or comments, email: info@svin.biz. Be sure to subscribe and listen to the podcast.
You can also listen to past podcasts here: Non-iTunes: https://omny.fm/shows/the-silicon-valley-insider-show iTunes: https://itunes.apple.com/us/podcast/the-silicon-valley-insider-show/id1282637717?mt=2 Email us at info@svin.biz or find us here: www.svin.biz https://stitchengine.drishinfo.com/index.jsp?sId=15540&source=sh Artificial Intelligence, AI, Blockchain, Big Data, Data Analytics, Cyberrisk, Information security, VC, Venture Capital, Angel Investments, Fundraising, Capital Raising, Investor, Human Rights, Technology for Good, UN SDGs, Emerging Technology
SAP Customer Data Cloud from Gigya is the industry’s only solution based on a consent-based data model. The solution helps businesses nurture trusted relationships with customers by providing them more transparency and control over the use of their personal data. Patrick Salyer, General Manager of SAP Customer Data Cloud and previously the CEO of Gigya, discusses how one of the overlooked goals that shows the true value of GDPR preparation is earning the consumer’s trust. It’s a lesson learned from another regulatory watershed moment: Sarbanes-Oxley (SOX) and the banking crisis of 2002. Patrick argues that we’re currently in a Sarbanes-Oxley moment, but people just aren’t thinking about it yet. Consider the similarities:
Both protections seek to enhance transparency as a means to curb poor business practices and build trust
Both are “regional” regulations that have global consequences
Both regulations created a need for holistic solutions that span the entire organization
Like the reaction to SOX, many companies are using GDPR compliance initiatives as an opportunity to gain a competitive advantage
The past offers insight into how businesses should react to GDPR: directly address the trigger point of waning customer trust to comply with new regulations and take your business to the next level.
In this special five-podcast series, Matt Kelly and I are exploring the future of internal audit, compliance and analytics. In today’s Part II, we go through the three steps of evolution that an internal audit function must traverse so that it can move beyond its traditional audit duties under Sarbanes-Oxley (SOX) compliance and testing of financial controls.
The updated Framework retained the core definition of internal controls, those being control environment, risk assessment, control activities, information and communication, and monitoring activities. However, it built up the Objectives. The 17 principles represent fundamental concepts associated with the five components of internal control. Together, the Objectives and Principles constitute the criteria that will guide companies in assessing whether the components of internal controls are present, functioning and operating together within their organization.
I. Objective - Control Environment
The first of the five objectives is Control Environment, and it sets the tone for the implementation and operation of all other components of internal control. It begins with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees. The five principles of the Control Environment objective are as follows:
Principle 1 - The organization demonstrates a commitment to integrity and ethical values.
Principle 2 - The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Principle 3 - Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibilities in pursuit of the objectives.
Principle 4 - The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.
Principle 5 - The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objectives.
A. Principle 1 - Commitment to integrity and ethical values
What are the characteristics of this Principle? First and foremost, an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance.
It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or another baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they would be addressed by the company in a timely manner. From the auditing perspective, this requires an auditor to be able to assess whether a company has met its requirements for ethics and compliance and whether that commitment can be effectively measured and assessed.
B. Principle 2 - Board independence and oversight
This Principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management, so that it operates independently in the compliance arena. Next, there should be compliance expertise at the Board level which allows it to actively manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, information, compliance communications and compliance monitoring activities. Here, internal auditors must interact with a Board’s Compliance Committee (or other relevant committee such as the Audit Committee) to determine independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.
C. Principle 3 - Structures, reporting lines, authority and responsibility
This may not seem as obvious, but it is critical that a compliance reporting line go up through and to the Board. Under this Principle, you will need to consider all the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally, this Principle requires establishment of the appropriate authority within the compliance function.
Here your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.
D. Principle 4 - Attracting, developing and retaining competent individuals
This Principle gets into the nuts and bolts of doing compliance. It requires that a company establish compliance policies and procedures. Next, there must be an evaluation of the effectiveness of those compliance policies and procedures, and any demonstrated shortcomings must be addressed. This Principle next turns to the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. A company must be able to demonstrate to an auditor, through its compliance policies and, equally importantly, its actions, that it has a commitment to attracting, developing and retaining competent persons in the compliance function and, more generally, employees who accept the company’s general principle of doing business ethically and in compliance.
E. Principle 5 - Individuals held accountable
This is the ‘stick’ Principle. A company must show that it enforces compliance accountability through its compliance structures, authorities and responsibilities. A company must establish appropriate compliance performance metrics and incentives to do business ethically and in compliance and, finally, clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly, a company must also consider the pressures it sends through off-messaging. Finally, each employee must be evaluated on his or her compliance performance, coupled with both rewards and discipline for employee actions around compliance. This Principle requires evidence that can demonstrate to an auditor that there are processes in place to hold employees accountable to their compliance objectives.
Conversely, if an employee does not fulfill the compliance objectives, there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.
II. Discussion
Both the Board of Directors’ independence and Compliance Committee (or other applicable committee) oversight issues are essential to this Objective because the Compliance Committee needs to be actively engaged to be comfortable that the company has implemented the internal controls under Sarbanes-Oxley (SOX) 404(a), as required under Principles 1 & 2. The external auditors must then be comfortable this requirement is met. Finally, there must be evidence the company has appropriate disclosure controls in place because that is central to the Objective itself. This is all tested against Board independence and Compliance Committee oversight over those activities that management has undertaken and their engagement and conversations with their external auditor. Howell related that under Principle 3, “structures in reporting lines, authority and responsibility are essential to the recognition of revenue. An entity’s internal controls or financial reporting details there are processes, there are policies, there is documentation, the authority and documentation of the judgments are being made, the review of those in responsibility for making those ultimate judgments about the recognition of revenue and the recognition or timing of the revenue and the expenses, that those need to be in place.” Under Principle 4, a business must attract, develop and then retain competent talent. Of course, this is good business as well.
But it is more than simply some appropriate level of staffing, as Howell stated, “One of the big reasons that companies have said do not have money to invest again the deep dive study and process improvement necessary to implement it [the 2013 Framework], is that it comes down to both to commitment level from the top and the tone at the top that this important and these financial disclosures are critical to the ability of the investors to rely on the company's disclosures.” You must not only “put in place the right team, give the team the right tools, but also ensure the team has the ability to access the right level of technical accounting talent and business process and controls talent to make the judgments.” All of this, of course, ties into Principle 5, which mandates individuals being held responsible. This requires someone to document that they have made a judgment based upon the evidence that they have been able to accumulate, that the company has analyzed that evidence and has gone through the process of comparing this to the COSO 2013 Framework and to the spirit of the standard. Howell said, “those individuals are being held responsible for having done that properly. I think when you tie all that back together, when you get to the control environment, that the COSO principle number one is it can be completely tied back to what is being required.”
Three Key Takeaways
What controls do you have in place to measure conduct at the top?
Reporting lines must be clear and functioning.
You must provide the right personnel with the right resources.
For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com
Is a Board of Directors a compliance internal control? I think the clear answer is yes. In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board in a best practices compliance program. The first in Hallmark No. 1 states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. I believe that a Board must not only have a corporate compliance program in place but also actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. 
Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes-Oxley (SOX), that also includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation. A company must not only have a corporate compliance program in place, it must also actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls, working together with compliance policies and procedures, form an interrelated set of compliance control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role in compliance:
Corporate Compliance Policy and Code of Conduct - A Board should have an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
Risk Assessment - A Board should assess the compliance risks associated with its business.
Implementing Procedures - A Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy.
Training - There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is; it should also understand its role in an effective compliance program.
Monitor Compliance - A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.
There have been recent FCPA enforcement actions where the DOJ and SEC discussed the failure of internal controls as a basis for FCPA liability. With the questions about the Wal-Mart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or, alternatively, their failure even to be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program.
Three Key Takeaways
GTE compliance internal controls are low hanging fruit; pick them.
Compliance internal controls can be both detect and prevent controls.
Good compliance internal controls are good for business.
For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com. Learn more about your ad choices. Visit megaphone.fm/adchoices
Today, I consider some ways in which a compliance professional can work to implement internal controls in a multi-national organization. The first step is to convert your company’s compliance risks into internal control objectives. The internal control objectives are then given to each business unit with instructions to develop controls which meet the objectives. This process should allow more of a fine-tuning approach within existing systems than the development of specific controls by corporate which all business units must adopt, and it will give the business unit a sense of buy-in and participation in the process. One example of how the process might work is the situation where the compliance risk is that a third-party representative may be paid for an invoiced amount before that third-party representative has gone through your company’s full third-party approval process. Here your control objective is that internal controls should be in place to ensure that no vendors are added to the vendor master file until the vendor has been approved. If your company has a sophisticated ERP system such as SAP, where checks are generated using the vendor master file and signed by the computer, this control objective may be met by adding a field to the vendor master file into which the date the vendor is approved is inserted, and by programming a requirement that the vendor information cannot be inserted into the check to pay the vendor unless the designated fields are populated. There would also be manual controls over the input of the date to ensure the data is not entered inappropriately. These internal controls would translate into a form for changes to the vendor master file which is initiated by the person in charge of vendor due diligence and requires a ‘second set of eyes’, that is, sign-off by a second person, such as the controller. Through this mechanism you have created a primary control through your third-party approval process and validated that process if a change is made.
What if your location or business unit involved does not have a sophisticated ERP system such as SAP; for instance, at another location QuickBooks is used? Then the control objective could be satisfied by using a similar form for changes to the vendor master file, combined with the requirement that a report of all changes is printed and submitted to both check signers, along with the applicable approved vendor change request. One of the banes of any compliance practitioner is the push back they inevitably receive when they attempt to institute something new or different. The same can be true of internal controls. What happens when the compliance function receives push back and is told the controls are too burdensome and will also make operations less efficient? Many business development types will raise the hue and cry that internal controls prevent them from effectively running the business. Finally, there are many groups in any company that may well say that a re-work of internal controls will cost too much money. One of the areas available to a compliance professional is benchmarking from other companies’ compliance experiences. This can be expanded into solid presentations about why it is important to assess and mitigate compliance risks, using your corporate peers that have been the subject of a Foreign Corrupt Practices Act (FCPA) enforcement action. These are some of the best sources of information a compliance practitioner can avail himself or herself of: they provide good insight into why it was never expected that the company would be subject to FCPA enforcement, and into the extreme disruption, cost and anxiety which accompanied the enforcement actions. The premise is that the cost of controls should not exceed the benefits to be obtained, so it really comes down to internally selling a cost-benefit analysis.
If the selling is done after at least a basic risk analysis, then it should be relatively easy to obtain concurrence that certain risks must be mitigated and that the benefits exceed the expected costs. Furthermore, there are occasions where there are no costs associated with improving controls. A good example is when re-alignment of duties using existing staff achieves an improved set of internal controls. Another example is when manual controls can be converted to electronic controls such that the only cost is the programming and re-training costs. Another key factor, as with all compliance initiatives, is ‘Tone at the Top’. This means that you should meet with and present the case for compliance-focused internal controls to your company’s Executive Leadership Team, Audit Committee of the Board or other appropriate group of senior executives. The presentation should include, with examples, the importance of identifying and mitigating compliance and fraud risks. Some of these might include the following:
Illustrating the examples of how the controls can prevent bribery as well as many other types of occupational fraud;
Illustrating that the controls needed are all sound business controls, nothing exotic or out of the ordinary;
With proper control design, it may be possible to eliminate some existing detect controls in favor of more useful preventive controls or even prescriptive controls;
As a result of your business changes and resulting changes in assessed risks, it may be that some procedures now being performed are no longer needed and the resources can be shifted to more necessary controls; and
It may be possible to build in more electronic controls, which can replace existing manual controls.
What if your company does an assessment of the internal controls over financial reporting as part of Sarbanes-Oxley (SOX) compliance, and the Chief Financial Officer (CFO), or other appropriate corporate officer, annually certifies that the internal controls are effective? How should such a situation be dealt with, or, conversely, how might a compliance professional respond? There are two primary reasons why the assessment under SOX is not sufficient for a Compliance Officer’s purposes. One is the scope of the SOX assessment and the second is the design of the SOX assessment. As to scope, the SOX process addresses only the internal controls over financial reporting, that is, the controls in place to prepare the financial statements for presentation to third parties. That process does not address the risks or the control needs with respect to the FCPA. An example is internal controls over disbursements, which may be evaluated as being effective if there is a three-way match of the approved purchase order, the vendor invoice and the receiving report. Those controls do not address the risk that an agent may submit an invoice before the agent has been vetted and the invoice will be paid. They also do not address whether the agent’s invoice was reviewed for a proper description of business purpose and for being consistent with the approved contract with the agent. The second primary reason SOX certification of financial internal controls is not itself enough is the design criteria. SOX allows a materiality threshold. This means that operations outside the US may be excluded from scope due to materiality. It may also mean that some functions are operating below the financial internal controls level. Compliance professionals need to continually remind others that there is no materiality requirement in FCPA enforcement. Good compliance internal controls are not some standalone protective measure.
They can help to make a company run more efficiently, as the internal controls that prevent FCPA violations are the same ones that prevent fraud in the workplace. So the presence of good internal controls saves money by preventing fraud. It is a business best practice to prevent fraud, which includes preventing corruption. I have long wondered about Ethisphere and its annual survey of the world’s most ethical companies, because they seem to exceed the Standard & Poor’s (S&P) index of average profits and growth. What I have come to believe is that one of the key ways such companies do seem to have better than average profitability is that they have better internal controls.
Three Key Takeaways
Convert your compliance risks into internal control objectives.
As with many components of a best practices compliance program, tone at the top is critical.
If you receive pushback from the business folks, always remember, good internal controls make for a better run, more efficient and more profitable business.
For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.
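The vendor master file control described in this episode (an approval date field that gates check generation, a change form that needs a second signer, and a change report for the check signers), modelled in Python as an added example that is not from the podcast or its sponsor. The vendor ids, names, dates and amounts are constructed, and the three-way match is included to show the SOX-style disbursement control passing while the compliance gate still blocks an unvetted agent.

```python
"""Added example: a small model of the vendor master file control. A vendor
record carries an approval date that only a dual-signed change request can
populate, check generation refuses vendors without that date, and a change
report is kept for the check signers. All names, ids, dates and amounts are
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


class ControlViolation(Exception):
    """Raised when a transaction would bypass a control objective."""


@dataclass
class Vendor:
    vendor_id: str
    name: str
    approved_date: Optional[date] = None  # empty until due diligence is complete


@dataclass
class ChangeRequest:
    """Form for changes to the vendor master file."""
    vendor_id: str
    new_approved_date: date
    initiated_by: str                  # person in charge of vendor due diligence
    approved_by: Optional[str] = None  # the 'second set of eyes', e.g. the controller


@dataclass
class VendorMaster:
    vendors: Dict[str, Vendor] = field(default_factory=dict)
    change_log: List[Tuple[str, date, str, str]] = field(default_factory=list)

    def add_vendor(self, vendor_id: str, name: str) -> None:
        # A vendor can be entered (e.g. to request a quote) but stays unapproved.
        self.vendors[vendor_id] = Vendor(vendor_id, name)

    def apply_change(self, req: ChangeRequest) -> None:
        """Manual control over the approval date: dual sign-off is mandatory."""
        if req.approved_by is None:
            raise ControlViolation("change request lacks second sign-off")
        if req.approved_by == req.initiated_by:
            raise ControlViolation("initiator may not approve their own change")
        vendor = self.vendors[req.vendor_id]
        vendor.approved_date = req.new_approved_date
        self.change_log.append(
            (req.vendor_id, req.new_approved_date, req.initiated_by, req.approved_by))

    def change_report(self) -> List[str]:
        """Report of all changes, handed to both check signers with the request forms."""
        return [f"{vid} approved_date={d.isoformat()} initiated_by={i} approved_by={a}"
                for vid, d, i, a in self.change_log]


def three_way_match(po_amount: int, invoice_amount: int, received_amount: int) -> bool:
    """SOX-style disbursement control: purchase order, invoice and receiving report agree."""
    return po_amount == invoice_amount == received_amount


def generate_check(master: VendorMaster, vendor_id: str,
                   po_amount: int, invoice_amount: int, received_amount: int) -> dict:
    """Computer-generated check: must pass the financial control AND the compliance gate."""
    if not three_way_match(po_amount, invoice_amount, received_amount):
        raise ControlViolation("three-way match failed")
    vendor = master.vendors[vendor_id]
    if vendor.approved_date is None:
        # The invoice may match perfectly, yet the agent has not been vetted.
        raise ControlViolation(f"vendor {vendor_id} has no approval date; check blocked")
    return {"payee": vendor.name, "amount": invoice_amount, "approved": vendor.approved_date}


def run_scenario() -> dict:
    """Walks an unvetted agent's invoice through both controls; returns the outcomes."""
    master = VendorMaster()
    master.add_vendor("V-1001", "Example Agent Ltd")  # constructed vendor
    outcome = {}
    try:  # invoice matches PO and receiving report, but the vendor is unapproved
        generate_check(master, "V-1001", 5000, 5000, 5000)
        outcome["blocked_before_approval"] = False
    except ControlViolation:
        outcome["blocked_before_approval"] = True
    try:  # the due diligence analyst tries to sign off their own change
        master.apply_change(ChangeRequest("V-1001", date(2024, 3, 1), "dd_analyst", "dd_analyst"))
        outcome["self_approval_rejected"] = False
    except ControlViolation:
        outcome["self_approval_rejected"] = True
    # Properly dual-signed change: now the check can be generated.
    master.apply_change(ChangeRequest("V-1001", date(2024, 3, 1), "dd_analyst", "controller"))
    outcome["check"] = generate_check(master, "V-1001", 5000, 5000, 5000)
    outcome["report"] = master.change_report()
    return outcome


if __name__ == "__main__":
    for line in run_scenario()["report"]:
        print(line)
```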
Today I want to consider some factors which can lead to employees’ distrust of an internal reporting system. Ryan Hubbs wrote an excellent article entitled “10 Factors Leading to Reporting Mechanism Distrust”. The guidance and mandates for companies on internal reporting mechanisms are numerous, overlapping and sometimes very broad. There are the US Sentencing Guidelines; regulations under Sarbanes-Oxley (SOX), the Dodd-Frank Act and the 2012 FCPA Guidance. There are international guidelines from the EU, US and London based stock exchanges, and even the United Nations deems an internal reporting mechanism a necessary good business practice. Dodd-Frank attempted to strengthen accountability by specifically providing protections for those who come forward as whistleblowers, but it also allows regulators to respond to misconduct through legal action. While the goal of whistleblowers and reporting mechanisms might be to identify and correct wrongdoing, they do not guarantee success and they do not even guarantee effective and trusted programs. Trust is a primary factor in whether an employee will come forward with a concern. Management might try a quick-fix reaction to a messy investigation with more reporting mechanisms, posters or asking a CEO to use compliance training to generally get the word out. Nevertheless, employees view it as a trust issue, and you must have that trust. If an employee chooses not to report and an outside source later discovers misconduct, the organization will certainly be subject to potential financial losses and reputational damage that could have been avoided. If the employee does report, but the culture of trust is lacking or they face retaliation, up to and including termination, then you have a disgruntled employee who is most likely going to go to the Securities and Exchange Commission. What are Hubbs’ 10 factors leading to distrust of internal reporting mechanisms?
Number one is that employees do not understand the reporting mechanism system. Some of the questions include, “Who answers the reporting mechanism number? Will they know that I filed a reporting mechanism complaint if I do so anonymously? Will they tell my boss that I've reported a concern? Where does my complaint go and who reviews it?” Employee doubt and uncertainty can impede an employee's decision to report a concern. Transparency also builds trust, and the more transparent the process, the more likely an employee is to come forward. Number two is inadequate reporting mechanism resources and poor reporting program design. Companies can demonstrate their commitment to a reporting mechanism by spending money on well-designed reporting mechanism programs and professionally trained, efficient responders and investigators, fully integrated case management systems and all necessary supporting tools. Anything less will engender employee mistrust. Number three is the lack of personalization of employee concerns. Utilizing an internal reporting mechanism can be a very personal experience for an employee, as the whistleblower might be a victim or could well have witnessed significant wrongdoing. He or she may view using the reporting mechanism as simply taking a personal chance by coming forward and doing the right thing. This means that if an employee only hears a recorded message or an automated response, they may view the entire program as machine-like and indifferent. Qualified and experienced compliance or investigative professionals, following a predesigned investigative protocol, should immediately follow up on reported concerns. Moreover, concerned employees need support and reassurance that they have done the right thing, that the organization will address their concerns and that they will be protected from retaliation. There should also be a strong written statement against retaliation.
Number four is the improper handling of whistleblower complaints and lack of training of investigators. The mishandling of complaints and poor training of those who handle reporting mechanism calls and investigations can cause reporting errors in which the company conducts an inadequate investigation and/or comes to the wrong conclusion. As noted above, an investigative protocol coupled with skilled investigators early in the reporting process is essential. Employees who experience mishandled complaints will almost certainly communicate their dissatisfaction to colleagues, and that can certainly destroy reporting mechanism morale. Number five is the always dicey question of whether management is involved in the reporting mechanism. Local management may get involved early when they may themselves be the problem, or be complicit in concerns not going forward or going unaddressed. Local HR professionals might also appear to employees to be closely aligned with management; they also might be inadequately trained and show bias or favoritism. To ensure transparency and objectivity, it is often effective to use a third-party administrator for your reporting mechanism. At the point when a concern becomes part of an investigation, the organization can involve management, including internal audit, compliance, legal and HR, depending on the type of complaint. Number six is too many reporting mechanisms. Your corporate reporting mechanism should be the primary entry point for all concerns, regardless of who reports or how companies identify them. Unfortunately, companies also have avenues such as emails, web portals, writing and, of course, in person. These can leave companies struggling to determine who owns the proactive and reactive assessments of reporting and responses.
Many companies offer reporting channels beyond the centralized reporting mechanism, but you should have a professionalized, centralized, clearly articulated program that helps streamline reporting, increase communication and awareness, and decrease confusion to help build trust. Number seven is too much emphasis placed on reports being based solely on “credible complaints.” Employees may file fictitious or malicious complaints against companies and colleagues to defend pending terminations, to get others into trouble or to retaliate for some perceived personal slight. While some companies attempt to reduce meritless complaints by communicating that employees should only report credible or good-faith complaints, others might go a step further by saying employees could be subject to disciplinary action for filing complaints that are not found to be credible. However, these tactics may well deter employees from reporting any concerns. Number eight is the twin obstacles of negative incidences and retaliation. If I have had one key theme throughout this series on reporting, and indeed throughout this month of investigations, it is an absolute prohibition against retaliation. Companies must prevent retaliation. When an employee is mistreated for following the organization's reporting policy, the reporting mechanism can sustain severe damage to its credibility and viability as a safe and secure mechanism. The damage from mismanagement and reprisals is memorialized on the internet and in court records or public documents, and can create a devastating, silent do-not-report culture. Companies must communicate that they have zero tolerance for retaliation and deal with any retaliation swiftly and publicly. Number nine is the problem of inconsistent outcomes. Companies must demonstrate that consistent and fair outcomes are routine, regardless of people, relationships or scenarios.
Employees will learn through the grapevine whether the organization delivers fair, consistent discipline, regardless of how confidentially an organization hides such outcomes. Of course, if employees view outcomes as fair, they will be more compelled to report concerns. Employees know that inconsistency equals personal risk. Finally, number 10 is the time-worn adage that actions speak louder than words. Employees critique, judge and evaluate what an organization says about its reporting program by what it does, rather than what it says. Does it follow policies and procedures as assigned? Does it really have a zero-tolerance policy on retaliation? Are outcomes consistent, fair and appropriate? Does it truly allow employees to report concerns anonymously?
Three Key Takeaways
Number one, you must not retaliate. That is probably the biggest destroyer of credibility and trust in a reporting mechanism.
There must be ongoing communications and there must be follow up with the employees who made the anonymous reports.
Celebrate your reporting mechanism. Let employees know that it is acceptable to raise your hand, because that is all you are doing at the end of the day, raising your hand. It is incredibly important and it is something that will make your reporting mechanism work much better.
Today, I want to consider some of the challenges you may well face during an investigation. Beyond the basics, a company must consider the intake process as a starting point; however, Marks noted that one of the biggest challenges is the intake process itself. Rather surprisingly, he noted there are still companies without a hotline or anonymous reporting system, stating “we still see organizations whereby there is no formal ethics hotline except for the fact that they might send an email to some member of management or some member of the board.” The lack of an intake process immediately presents a challenge in beginning to work through an allegation of wrongdoing, due to the inability to track when the allegation or information was received, who sent it, who received it, and what the company did when it received it. If a company has a formal ethics reporting system, with recordation of information, “there’s some workflow, it’s a lot easier to kind of work through some of those things”, so there is an appropriate level of documentation to follow. Yet Marks has seen failures in even these basic steps: “many times people do not read their emails on a timely basis, and getting to the root of the issue quickly could be the difference between somebody allowing the company to investigate this the right way, or incentivizing an individual to go outside the organization, such as to the SEC whistleblower program.” This makes the intake process critical, because it assures that things are not only received, “but they’re looked at on a regular and timely basis and there is a process.” One area that still causes challenges is retaliation against whistleblowers. You might think that corporate America got the message that retaliation is not only incredibly idiotic and divisive but also illegal under both Sarbanes-Oxley (SOX) and Dodd-Frank, but sadly that is not the case.
Marks believes that avoiding retaliation is critical not only for an organization but also to foster a successful investigation. He stated, “Avoiding retaliation is very critical. I think there’s a real opportunity where human resources, if properly trained, can work with the rest of the team members and advise them on things that they should not be doing and things that they should be doing in order to avoid either the appearance of retaliation or the actual retaliation against the individual or individuals who reported or brought forth the potential of the alleged misconduct.” Equally important is that a company wants to encourage a stand-up culture. When individuals are trying to do the right thing, you certainly want to inspire others to do so as well. Marks related, “When somebody reports an ethical lapse, it generally means to me that they’re doing their job. And so, the indirect impact, or sometimes the direct impact of that is sometimes people are looked at as snitches or not toeing the company line or they’re just generally out of bounds, can negatively impact the organization.” An area in which Marks has seen companies have difficulties is what he termed threatened or pending litigation. Any investigation can morph into a much more serious situation, and you must be ready to answer such questions as “(1) Does this gravitate itself into a class action lawsuit? Or (2) Does this gravitate to a regulatory review and subject to some punishment there?” The key is that as the investigation begins to uncover things and certain facts come to light, pending or threatened litigation is something that should always be discussed, but discussed very carefully, and it should be discussed once those facts come into play. Sometimes you don’t have all those facts, but sometimes it does make sense to kind of prognosticate and consider situations such as “This is what could happen.
These are the issues that potentially could be uncovered.” Marks concluded, “I really do think that it’s important to think a couple of steps ahead and look at this as a chess match and never underestimate the fact that there could be pending or threatened litigation.” Not surprisingly, another area of challenge is when the regulators will not accept the investigation or are not satisfied with the results. While I would submit that if you follow the strictures laid out by Marks, that will satisfy regulators, he noted that there must be an appropriate level of skepticism brought by the investigation. He said there can be regulator issues when “there was not proper skepticism, there was not proper independence or simply things were not looked at under the right lens.” But once again the answer is to go through the steps that Marks laid out, or any other well defined protocol, and have an independent team handling the investigation. Interestingly, a similar situation can arise if a company’s own auditors refuse to accept the results of an investigation. Marks said this is usually related to some type of unexpected development that arises in an investigation. Marks noted, “when auditors are involved the element of surprise is never good.” He believes it is important to keep internal audit aware of developments, as “they might want to do a shadow investigation, they might want to understand the scope of your expanded investigation and most certainly they want to understand the financial impact.” The reason is that if the company auditors do not accept your investigative results, “they may send you back to the drawing board. When that happens, all types of problems could manifest themselves or come out.” Marks noted that at times the most difficult challenge is when the company itself is reluctant to accept the results of the investigation.
This comes when a company is in denial, believing it has a robust compliance program and internal controls or, worse yet, it simply believes that it is an ethical company. One or more of these indicia usually manifest themselves as a company with a paper compliance program, a Chief Compliance Officer (CCO) with a title but no authority and a weak compliance culture. Marks said, “When I say the company does not respect the investigation, it’s almost like they’re fighting with you because they believe that nothing could ever go wrong. That really does send a very, very clear message, not only internally, but should it get out, externally as well. It’s an indication to us that there’s a problem with the culture, there’s a problem with the compliance program, there’s generally a problem with governance overall. There are probably bigger issues there other than the matter that’s generally on the table.” Planning your investigation, having the right team members involved and meeting the challenges which inevitably arise during an investigation can be difficult. However, beginning with the Department of Justice’s (DOJ’s) Yates Memo and the Foreign Corrupt Practices Act (FCPA) Pilot Program and the release of the DOJ’s Evaluation of Corporate Compliance Programs (Evaluation), the pressure on every CCO and company to get an investigation done quickly, efficiently and, most importantly, done right is even greater now. Jonathan Marks has laid out a concrete way for you to think through how to plan an investigation, staff it properly and meet the inevitable challenges.
Three Key Takeaways
The intake process may seem the most straightforward, but many companies drop the ball at this initial step.
You must never retaliate against employees who come forward in good faith.
Always think several steps ahead.
Today I want to focus on incentives, looking at senior management and compensation. I thought about this inter-connectedness of compensation in a compliance program, focusing up the corporate ladder, when I read a recent article in the New York Times (NYT) by Gretchen Morgenson, in her Fair Game column, entitled “Ways to Put the Boss’s Skin In the Game”. Her piece dealt with a long-standing question about how to make senior executives more responsible for corporate malfeasance. Her article had some direct application to anti-corruption compliance programs such as those based on the US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Morgenson said the issue was “Whenever a big corporation settles an enforcement matter with prosecutors, penalties levied in the case – and they can be enormous – are usually paid by the company’s shareholders. Yet the people who actually did the deeds or oversaw the operations rarely so much as open their wallets.” She went on to explain that it is an economic phenomenon called a “perverse incentive”, which is one where “corporate executives are encouraged to take outsized risks because they can earn princely amounts from their actions. At the same time, they know that they rarely have to pay any fines or face other costly consequences from their actions.” To help remedy this situation, the idea of senior managers putting some ‘skin in the game’ has come to the fore. Her article discussed three different sources for this initiative.
The first was a proxy proposal in front of Citigroup shareholders which “would require that top executives at the company contribute a substantial portion of their compensation each year to a pool of money that would be available to pay penalties if legal violations were uncovered at the bank.” Further, “To ensure that the money would be available for a long enough period – investigations into wrongdoing take years to develop – the proposal would require that the executives keep their pay in the pool for 10 years.” The second came from William Dudley, the President of the Federal Reserve Bank of New York, who made a similar suggestion. His prescription involved a performance bond for the actions of bank executives. Morgenson quoted Dudley from his speech, “In the case of a large fine, the senior management and material risk takers would forfeit their performance bond. Not only would this deferred debt compensation discipline individual behavior and decision-making, but it would provide strong incentives for individuals to flag issues when problems develop.” Morgenson reported on a third approach, which was delineated in an article in the Michigan State Journal of Business and Securities Law by Greg Zipes, “a trial lawyer for the Office of the United States Trustee, the nation’s watchdog over the bankruptcy system, who also teaches at the New York University School for Professional Studies.” The article is entitled “Ties that Bind: Codes of Conduct That Require Automatic Reductions to the Pay of Directors, Officers and Their Advisors for Failures of Corporate Governance”. Zipes’ proposal is to create a “contract to be signed by a company’s top executives that could be enforced after a significant corporate governance failure. Executives would agree to pay back 25 percent of their gross compensation for the three years before the beginning of improprieties.
The agreement would be in effect whether or not the executives knew about the misdeeds inside their company.” As you might guess, corporate leaders are somewhat less than thrilled at the prospect of being held accountable. Zipes was quoted as follows: “Corporate executives are unlikely to sign such codes of conduct of their own volition.” Indeed, Citibank went so far as to petition the Securities and Exchange Commission (SEC) “for permission to exclude the policy from its 2015 shareholder proxy.” But the SEC declined to do so, and at least Citibank shareholders will have the chance to vote on the proposal. In the compliance context, these types of proposals are exactly the type of response that a company or its Board of Directors should want to put in place. Moreover, they all have the benefit of a business solution to a legal problem. In an interview for her piece, Morgenson quoted Zipes as noting, “This idea doesn’t require regulation and it doesn’t require new laws. Executives can sign the binding code of conduct or not, but the idea is that the marketplace would reward those who do.” For those who might argue that senior executives cannot or should not be responsible for the nefarious actions of others: they readily take credit for “positive corporate activities in which they had little role or knew nothing about.” Moreover, under Sarbanes-Oxley (SOX), corporate executives must make certain certifications about financial statements and reporting, so there are currently some obligations along these lines. Finally, perhaps shareholders will simply become tired of senior executives claiming they could not know what was happening in their businesses; have their fill of hearing about some rogue employee(s) who went off the rails by engaging in bribery and corruption to obtain or retain business; and no longer accept that leaders should not be held responsible.
Three Key Takeaways
Perverse incentives are named that for a reason; they really are bad.
How can you create positive incentives in your organization?
There is a business response to the legal issue. Employ it.
This month’s series is sponsored by Advanced Compliance Solutions and its new service offering, the “Compliance Alliance”, which is a three-step program that will provide you and your team a background in compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes an FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.