Manager's Guide to Compliance
Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies
ANTHONY TARANTINO
John Wiley & Sons, Inc.
This book is printed on acid-free paper.
Copyright 2006 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
For more information about Wiley products, visit our Web site at http://www.wiley.com.
Library of Congress Cataloging-in-Publication Data
Tarantino, Anthony, 1949-
Manager's guide to compliance : Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB A-123, ASX 10, OECD principles, Turnbull guidance, best practices, and case studies / Anthony Tarantino.
p. cm.
Includes index.
ISBN-13: 978-0-471-79257-4 (cloth)
ISBN-10: 0-471-79257-8 (cloth)
1. Accounting--Law and legislation--United States. 2. Auditing, Internal--Law and legislation--United States. 3. Disclosure of information--Law and legislation--United States. 4. Accounting--Standards. 5. Auditing, Internal--Standards. I. Title.
KF1357.T37 2006
346.73'06648--dc22
2005034272
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
Dedicated to
Ted and Allie
NOTE TO THE READER
In providing the information contained in this book, the author and contributors are not engaged in rendering legal or other professional advice and services. As such, this text should not be used as a substitute for consultation with professional, legal, or other competent advisers. All information is provided herein as is.
Contents
PREFACE  xi
ACKNOWLEDGMENT  xvii
CHAPTER 1  U.S. SOX Section 401: Off-Balance Sheet Arrangements  1
CHAPTER 2  U.S. SOX Section 404: Internal Controls  21
CHAPTER 3  U.S. SOX Section 406: Code of Ethics  32
CHAPTER 4  U.S. SOX Section 409: Real-Time Reporting of Material Changes  35
CHAPTER 5  U.S. SOX Impact on Privately Held Companies and Nonprofits  39
CHAPTER 6  U.S. SOX Impact on Small U.S. Companies  44
CHAPTER 7  U.S. SOX Impact on Foreign Companies  49
CHAPTER 8  U.S. Government's Version of U.S. SOX: OMB Circular A-123  53
CHAPTER 9  U.S. Healthcare Efforts to Improve Internal Controls: U.S. HIPAA  69
CHAPTER 10  Bankers' and Insurers' Efforts to Improve Internal Controls  71
CHAPTER 11  Australia, Canada, and UK Efforts to Improve Internal Controls  79
CHAPTER 12  EU Efforts to Improve Internal Controls: OECD Principles  91
CHAPTER 13  Global GAAP (IFRS) and Global Reporting Language (XBRL)  96
CHAPTER 14  Compliance and Internal Controls Impact on Outsourcing  106
CHAPTER 15  Civil and Criminal Penalties for Noncompliance  108
CHAPTER 16  Business Penalties for Noncompliance: A Material Weakness  121
CHAPTER 17  Revenue Recognition Requirements: U.S. SAB 101 and 104  125
CHAPTER 18  Data Retention Requirements  135
CHAPTER 19  Compliance and Internal Control Software  139
CHAPTER 20  Auditing Internal Controls  147
CHAPTER 21  Best Practices in Internal Controls: Enterprise Risk Management  178
CHAPTER 22  Best Practices in Internal Controls: IT Risk Management & SDLC (NIST 800-30)  185
CHAPTER 23  Best Practices in Internal Controls: Mapping COBIT to COSO I, COSO II, & PCAOB  190
CHAPTER 24  Best Practices in Internal Controls: COBIT IT Control Objectives  194
CHAPTER 25  Best Practices in Compliance and Internal Controls: ASX 10 Principles  200
CHAPTER 26  Best Practices in Internal Controls: Segregation of Duties (SOD)  228
CHAPTER 27  Best Practices in Internal Controls: Case Studies  242
CHAPTER 28  Best Practices in Compliance Project Management  254
CHAPTER 29  Best Practices in Governance and Ethics  261
CHAPTER 30  Costs versus Benefits and the Business Reaction  266
APPENDIX A  Frequently Asked P2P Questions  278
APPENDIX B  Links to Referenced Organizations and Documents  290
GLOSSARY  292
INDEX  304
Preface
The massive U.S. corporate scandals of the last several years have led to a huge change in the way organizations are governed. At its heart was a failure of leadership, ethics, and morality on several levels, which led to a breakdown in investor confidence. The failures occurred among corporate executives, boards of directors, regulatory agencies, rating agencies, and the press. One could argue this was caused by a lack of virtue and a breaking of a social contract between organizations (public and private) and those who invest in and rely on them. These are age-old concepts. In his Analects, the great Chinese sage Confucius (551–479 B.C.) argued virtue was the key characteristic of superior leadership. Virtue provides a moral power that allows one to win a following without resorting to physical force and enables a leader to maintain good order. Mencius (372–289 B.C.), often referred to as the second great Chinese sage, developed the notion of a social contract in which one rules by a mandate of heaven. If a leader broke the social contract, then his followers would be absolved of all loyalty and might be required to overthrow him. Enron, WorldCom, Parmalat, Ahold, and others broke the mandate of heaven in corporate America and Europe and exposed the lack of virtue in those entrusted with good corporate governance.
These events have spawned a move toward more robust compliance on a global level, which will require much improved internal controls and will change the nature of business in fundamental ways. The struggle for improved compliance is nothing new. Investors have always sought greater transparency as organizations have sought to limit transparency to protect competitive information. Scandals have always acted as a catalyst to force improved corporate governance and transparency. The South Sea Bubble scandal in the early 1700s fostered improved accounting standards in British companies. U.S. states began enacting blue-sky laws in the early 1900s as the result of shady stock promotions. Of course, the greatest reforms came as a result of the great stock market crash of 1929 and the depression during the 1930s. This led to the passage of federal securities legislation in 1933 and 1934 and the creation of the Securities and Exchange Commission (SEC).¹ Reforms have continued, but were greatly accelerated by the scandals of the late 1990s. So there is little chance for a significant rollback in compliance requirements, especially when most investors do not place much faith in corporate boards to provide viable oversight. A Wall Street Journal/Harris poll found about two-thirds of investors expressing doubts in the ability of corporate boards of directors to provide effective oversight.²
Many skept