Copyright © 2001 , SAS Institute Inc. All rights reserved.

COMPLIANCE WITH NEW GOVERNMENT REGULATIONS

WHAT DOES IT MEAN TO US?

Wayne Embry
Systems Engineer
IT Management Solutions Specialist
SAS Customer Care
9401 Indian Creek Pkwy
Overland Park, KS 66210
913-663-3264 x 1362
[email protected]

KCCMG

February 18, 2004

Regulatory intrusion is rewriting the rules of business. Sarbanes- Oxley, HIPAA, Patriot Act and new SEC rules mandate changes in the way you capture, understand, retrieve and analyze enterprise information. Sarbanes-Oxley Act and other new regulations have made compliance a corporate imperative. The question is how do you develop an effective compliance program? Further, how do you choose from among the confusing array of technologies aimed at compliance? This presentation will explore the details of the most important content compliance challenges facing corporations today. I will also explore specific technologies and how they address high-priority compliance needs and demands.

In “A History of the American People”, Paul Johnson writes that J.P. Morgan believed that:

The tendency of economic activity in a free society was to produce primeval chaos, in which men fought savagely for supremacy and countless sins were committed. Freedom was needed for economic society to function efficiently, but the resulting chaos generated inefficiency as well as sin. He reasoned that some degree of order was needed, and that order could best be brought about by forms of economic concentration that imposed a degree of order without inhibiting freedom to the point where efficiency was again endangered. This valuable concentration was achieved by the corporation and trust.

DOES HISTORY REPEAT ITSELF?

One of the most famous examples of fraud was the South Sea bubble of 1720. The South Sea Company was chartered in England in 1711 and granted a monopoly of British trade with South America and the islands of the Pacific Ocean. During the next several years, the monopoly rewarded investors handsomely. With the company’s stock appreciating rapidly, the task of persuading new investors was easy. Between January and July of 1720, the stock grew eight times in value, attracting all manner of speculators and inspiring no end of imitators. By November, however, nearly nine-tenths of the value of the stock of the company had vanished, disgracing the directors of the company (who proved to have collaborated in assorted shenanigans with the company’s accounts), ruining thousands of investors and wreaking havoc on the finances of the entire British Empire. To many, this sounds quite familiar when reflecting on the market activities of the early 2000s.

Source: Corporate Governance, published by McGraw

GOVERNMENT COMPLIANCE ACTS

Securities Exchange Act of 1934. The rules require a company to disclose whether it has at least one "audit committee financial expert" serving on its audit committee, and if so, the name of the expert and whether the expert is independent of management.

Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) developed innovative approaches for compliance. While there are some differences, there are many parallels between FDICIA and Section 404 of SOA, including similar requirements, goals and frameworks.

GOVERNMENT COMPLIANCE ACTS (cont)

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to protect health insurance coverage for workers and their families when they change or lose their jobs.

GOVERNMENT COMPLIANCE ACTS (cont)

PATRIOT Act

To satisfy the PATRIOT Act, financial services firms must define, by Dec. 31, 2002, a solution to spot patterns of behavior likely to reveal money laundering. This Act requires financial institutions with accounts in the United States to establish “due diligence” policies and procedures to prevent, detect and report possible instances of money laundering. Other requirements include designating an internal compliance officer and establishing an ongoing employee-training program related to anti-money laundering.

GOVERNMENT COMPLIANCE ACTS (cont)

Sarbanes-Oxley Act

The Sarbanes-Oxley Act, signed into law in July 2002, requires CEOs and CFOs of all publicly traded companies in the United States, and of any companies outside the U.S. that are listed on the New York Stock Exchange or NASDAQ, to certify the accuracy of corporate financial reports.

GOVERNMENT COMPLIANCE RULES

SEC Rule 17a-4 states that broker-dealers must preserve all electronic records "exclusively in a nonrewritable, non-erasable format." It goes without saying that these, and all other corporate records, should be retained only as long as legally required, after which time they are destroyed. The rule also requires, however, that broker-dealers be able to produce those records in a timely manner in the event of an audit or regulatory investigation. This combination of requirements places enormous demands on a financial institution that can only be met with specific technologies.

1. Material changes must be reported at light speed. Most CFOs are aware that they now must provide the SEC with an 8-K form within five business days if their company issues an earnings release.

2. "Internal Controls" could mean much more than getting the numbers right. On the face of it, Sarbox seems to refer only to finance when it talks about the need for management to report on and assess internal company controls.

3. Sarbox doesn't stop at the shoreline. Laws governing exports and imports and foreign-based bribes and money laundering don't seem to have much to do with the domestically focused act.

4. Executive mobility just got a whole lot tougher. Remember the home loans that employers made to company managers, either to relocate an executive or to lure new talent to a different part of the country?

5. Private companies aren't immune to Sarbox. The Sarbox loan ban also figures into problems that nonpublic companies can encounter under the act. Officer loans are common practice in private companies, particularly in single-owner outfits.

Risks of Non-Compliance:

• CEOs and CFOs are held personally accountable for the validity of financial reports
• CIOs and other executives may also be held liable
• Possible class action suits
• Reduction of investor confidence
• Significant loss of market capitalization
• Fraud litigation

PENALTIES OF NON-COMPLIANCE

Section 906 Penalties

• CEO or CFO signs statement not meeting requirements:
  - Up to $1MM fine, up to 10 years in prison
  - Escalates to $5MM and 20 years for willful false certification

• General penalties:
  - Up to 25 years in prison for knowingly defrauding shareholders of public companies

Former Enron accountant surrenders to FBI

Enron Corp.'s former top accountant surrendered early today and was taken in handcuffs to the courthouse to face six federal fraud charges related to the disgraced energy giant's 2001 collapse.

Richard A. Causey, 44, accompanied by a pair of attorneys, walked into the Houston offices of the FBI just before daybreak. They had no comment as they entered the building. Less than an hour later, Causey arrived at the courthouse to await an appearance before a federal judge.

Causey was described in the six-count indictment unsealed today as "a principal architect and operator of the scheme to manipulate Enron's reported earnings."

Enron imploded in late 2001 in a sea of hidden debt, inflated profits and accounting tricks.

GRAND JURY TO REVIEW SKILLING EVIDENCE

Federal prosecutors are preparing criminal charges against former Enron Corp. chief executive Jeffrey Skilling for an indictment expected to be handed up this month, perhaps as early as next week.

The two sources, who spoke on condition of anonymity, confirmed that Skilling, 50, was in the government's crosshairs on the heels of securing a guilty plea to two counts of conspiracy from former Enron finance chief Andrew Fastow last month. But they said the process was delicate and public revelation of the new case could be delayed.

So far in the Justice Department's investigation into Enron's collapse, launched more than two years ago, 27 individuals have been charged.

Source: KC Star

ANOTHER FRAUD PENALTY

A former xxxxx on Thursday pleaded guilty in federal court to a criminal charge of obstruction of justice in a case related to a $1 billion accounting scandal at the software maker. xxxx, a 16-year veteran at xxx who last held the position of senior vice president of finance, faces up to five years in prison and a $250,000 fine. Meanwhile, the Securities and Exchange Commission also filed civil charges against xxx, who was ousted by the software maker last October along with two other executives, including its chief financial officer. The SEC complaint alleges that xxxxx participated in practices that led to early recognition of more than $1 billion in revenue from at least 95 contracts in fiscal 2000.

Paths to Compliance:

• Evaluate existing controls
• Identify high risk areas
• Determine appropriate level of control
• Establish and enhance controls
• Ensure documentation passes 3rd party review
• Communicate and train
• Monitor via disclosure committee
• Establish continuous improvement process
• Certify with confidence

KEY PROVISIONS

Section 302:

• Provides for executive certifications of financial reports
• Must include management's certification of financial reporting controls
• Effective for all filings on or after 8/29/2002

KEY PROVISIONS (cont)

Section 404:

• Provides for internal controls for financial reporting
• Must include management's evaluation of internal controls
• Effective for all annual reports on or after 9/15/2003

The final rules the SEC approved, updating Section 404 of the Sarbanes-Oxley Act, say companies must comply with the rules for fiscal years ending after June 15, 2004, rather than the previous deadline of Sept. 15, 2003.

Compliance Services

• Provide an independent “no conflict” Gap Analysis assessment
• Provide a clear, concise roadmap to compliance
• Recommend solutions - products and services
• "Best Practice" policy and procedure development
• Assess the 3 “A’s” of IT internal control:
  • Audit trails
  • Authentication
  • Access control

Compliance Services (cont)

• Provide advanced financial and technical expertise
• Project management capabilities
• Security architecture development
• IT strategic planning
• Risk analysis
• Independent review of vulnerabilities
• Implement corrective actions, policies, and process improvements

Can Sarbanes-Oxley rekindle IT spending?

AMR Research Survey Results: U.S. companies are expected to spend more than $2.5 billion to comply with new accounting rules required by the Sarbanes-Oxley Act, with a significant chunk going to information technology projects.

According to analyst John Hagerty of AMR Research, which released the survey on the impact of the law, $2.5 billion is just the tip of the iceberg.

As companies update their business systems to help them comply with the law, they could "kick-start" corporate spending on IT the same way the much-feared Y2K bug spurred companies to install or update software programs in time for the year 2000 date change, AMR said.

Source: Enterprise Software

An updated AMR Research survey of more than 70 companies raises the estimate of 2004’s SOA spending to $5.5 billion, with more than half – nearly $3 billion – in hard expenditures that could affect companies' bottom-line performance.

Source: AMR Research

AMR RESEARCH ANTICIPATES THE BUDGET BREAKDOWN

• Internal labor/headcount – 44 percent
• Outsourced services (advisors and consultants) – 33 percent
• Technology – 19 percent
• Other – 4 percent

Source: AMR Research

Putting the systems in place to "ensure compliance with Sarbanes-Oxley will boost investor confidence in the company," says Mattel CIO Joe Eckroth.

Source: CIO

SARBANES-OXLEY Section 409

One section of the Sarbanes-Oxley Act that has broad technology implications is Section 409, which calls for real-time disclosure of "material changes." Like most of the act, Section 409 is vaguely worded and never actually defines material changes, but most experts think it could be anything from a stock sale by a corporate officer to the loss of a large account—basically anything that could impact a company's perceived market value. Section 409 can clearly be traced to the Enron, WorldCom, Adelphia and ImClone scandals, where the well-connected cashed out shortly before companies collapsed.

Aligning IT Operations with Corporate Goals

IT and Business Alignment is a Highest Priority

• All of the major consulting organizations consistently rank IT and business alignment as one of the top five concerns of their clients.
• CIO.com rated expertise in aligning and leveraging technology for the advantage of the enterprise as one of the top skills required for an effective CIO.

However… the ability to establish and maintain a close alignment between IT and the business continues to be an elusive goal.

IT and Business Alignment is a Highest Priority (cont)

A recent survey illustrates the lack of effectiveness that still exists in many organizations…

What factors have contributed to alignment failures?

Corporate Planning Issues
• Missing or poorly conceived corporate-level business plan
• Planning is extensive at the line of business (LOB) level but not tightly integrated between LOB groups – leading to conflicting requirements

IT Planning Issues
• IT and business alignment methodology poorly conceived
• Focus of alignment is too limited or too tactical (e.g., focused on cost control issues or the “squeaky wheel” syndrome)

And…

What factors have contributed to alignment failures? (cont)

IT Planning Issues
• Too often the alignment process fails to consider the IT operations group as a STRATEGIC PARTNER. Focus is directed at the development side, on:
  • Application enhancements
  • New application development

Obviously, the need to align the IT application portfolio to the needs of the business is a critical and essential issue, but it is only part of the equation…

What factors have contributed to alignment failures? (cont)

IT Planning Issues
Even when the IT operations organization is “fully engaged” in the alignment process, it tends to focus on efficiency issues surrounding:
• Cost control
• Cost avoidance
• Service availability

These are very important issues and will always be critical in measuring the success of the IT operations organization… but they may not tell the whole story.

What factors have contributed to alignment failures? (cont)

If the IT operations organization is to fully support the needs of its customer base, the alignment strategy must also consider the strategic value or effectiveness of the services provided.

This starts with developing a solid alignment foundation that addresses several key elements…

IT Alignment Elements (cont)

Key Foundation Elements:

• BUSINESS PLAN - A fully developed “corporate business plan” that includes explicit BUSINESS IMPERATIVES that must be met in order for the success and survival of the corporation.

• IT OPERATIONAL OBJECTIVES - The translation of the business imperatives into IT operational requirements or objectives that support the business plan – this will require a significant amount of effort and skill.

• SLM - Translation of the IT operational objectives into service level management criteria – this is no slam dunk either!

IT Alignment Elements (cont)

The process of mapping service level criteria to the key operations engineering disciplines necessary for the creation and ongoing management of an effective and efficient data center can now begin...

Operational Engineering Disciplines
• Organization (People)
• Technology
• Process

IT Alignment Elements (cont.)

Operational Engineering Disciplines (Sub Elements)

• Organizational Engineering
  • Personnel Management
  • Departmental Structure
  • Skills & Training

• Process Engineering
  • IT Operational Processes
    • Implementation Management
    • Change Management
    • Problem Management
    • Performance Management
    • Workload Management
    • Recovery Management
    • Security Management
    • Asset Management
  • IT Management Processes
    • Service Level Mgmt
    • Customer Mgmt
    • Vendor Mgmt
    • Personnel Mgmt
    • Budget Mgmt
    • Procurement Mgmt

• Technology Engineering
  • Networks
  • Systems & Tools
  • Applications
  • Infrastructure

IT Process and Business Alignment

• IT OPERATIONS PROCESSES - Effectively integrating your IT operational processes into your alignment strategy can be a major factor in its overall success… But, how much emphasis is placed on managing these processes?

How effective are you in managing your IT operational processes today?

                      Very Effective   Adequate   Not Effective
Implementation Mgmt        34%           39%          27%
Change Mgmt                27%           48%          25%
Problem Mgmt               16%           53%          31%
Performance Mgmt           12%           53%          35%
Workload Mgmt              16%           44%          40%
Recovery Mgmt              47%           41%          12%
Security Mgmt              41%           53%           6%
Asset Mgmt                 34%           38%          28%

Source: Computer Economics survey of over 50 midsize to large data centers – 4Q02

IT Process and Business Alignment (cont.)

Are your IT operational processes governed by well defined policies and procedures?

                      Formal Written          Some Written            No Formal Written
                      Policies & Procedures   Policies & Procedures   Policies & Procedures
Implementation Mgmt          40%                     36%                     24%
Change Mgmt                  45%                     30%                     25%
Problem Mgmt                 31%                     48%                     21%
Performance Mgmt             19%                     47%                     34%
Workload Mgmt                32%                     42%                     26%
Recovery Mgmt                56%                     30%                     14%
Security Mgmt                50%                     40%                     10%
Asset Mgmt                   43%                     37%                     20%

Source: Computer Economics Survey of over 50 midsize to large data centers – 4Q02

IT Process and Business Alignment (cont.)

What is your current “style” for controlling your IT operational processes today?

                      Maintain Tight Control   Maintain Loose Control
Implementation Mgmt            59%                      41%
Change Mgmt                    51%                      49%
Problem Mgmt                   50%                      50%
Performance Mgmt               21%                      79%
Workload Mgmt                  29%                      71%
Recovery Mgmt                  74%                      26%
Security Mgmt                  74%                      26%
Asset Mgmt                     53%                      47%

Source: Computer Economics Survey of over 50 midsize to large data centers – 4Q02

IT CORPORATE COMPLIANCE RESPONSIBILITIES

BUSINESS PERFORMANCE MANAGEMENT (BPM)

Business performance management enables individuals to quickly assess the performance of a business process or function, focus on activities that are below expectations and take action to turn behavior around. The online trade show entitled Business Performance Management will give you guidelines to help you discern what is important in today's world of information overload.

BPM solutions allow an organization's processes to be fully documented and accompanied by transaction audit trails, putting business managers in a better position to make decisions. BPM also documents the policies that state exactly what needs to be done as well as the procedures that specify how policies should be implemented. Organizations can use this information to continuously improve their processes through the adoption of a full life-cycle process management practice (along the lines of Six Sigma), which, in turn, helps maintain competitive advantage.

User and Resource Provisioning - adding, moving, and modifying resources or configurations to enable or enhance the performance of mission-critical applications, customers, partners or employees on a priority and demand basis

Infrastructure Availability - ensuring consistent and readily available access to key business resources by managing availability, loss prevention and recovery

Security Management - establishing identities and managing security of key business resources

THE SEVEN HABITS OF WILDLY UNSUCCESSFUL CIOs

There's plenty of information out there about what it takes to be a successful CIO. But sometimes, it's more effective to learn from others' mistakes. Many CIOs are guilty of a surprisingly common list of poor managerial habits. The simple truth is that while these bad habits are easy to spot from a distance (and even easier in hindsight), CIOs themselves rarely realize they're making these fatal blunders until after significant damage has been done. Both current and aspiring CIOs should take a good, long look in the mirror and see if any of these seven deadly managerial sins are a part of their routine.

THE SEVEN HABITS OF WILDLY UNSUCCESSFUL CIOs (cont)

1. Acquire technology simply because it's new.

2. Exhibit a knee-jerk reaction against open source.

3. Create solutions in search of a problem.

4. Eagerly reach beyond competency level.

5. Act as CMOs--chief marketing officers.

6. Fail to understand relationship between technology and business.

7. Don't communicate well with nontechs.

See why CIOs fail by making these painfully common mistakes, find out how successful CIOs approach the same situations, and learn how you can avoid these missteps.

HAVING AN IT GOVERNANCE COUNCIL DOES NOT EQUAL IT GOVERNANCE

Every Information Technology (IT) organization we speak with shares the goal of running IT like a business.  All agree that a strong IT governance process is essential in this strategy. 

The Bottom Line: The key to successful IT governance is instilling it at all levels and giving IT staff the authority and responsibility to make decisions. 

Source: AMR Research, January 2004

LEADING IT ORGANIZATIONS EMPLOY THREE STRATEGIES THAT HELP PUSH BUSINESS AND IT ALIGNMENT DOWN INTO THE TRENCHES:

• IT portfolio management--Not just for the big-ticket projects, but using this discipline to mitigate risk and optimize investment at all levels.

• Service-Level Management (SLM)--Aligning the delivery of IT services to the needs of the business, and the mechanisms to track performance against goals. Service-Level Agreements (SLAs) help the IT organization track their performance and make objective decisions about the trade-offs between improved availability and cost.

• Formal account/relationship managers.

Source: AMR Research, January 2004

2004 Financial Strategic

Source: IDC Financial Insights

IT MANAGEMENT VENDORS

IT MANAGEMENT FUNCTIONS

SUMMARY

A Business Process Management Institute poll indicated that only 27 percent of those organizations polled are taking steps to comply with SOX, and only 11.5 percent are taking action to do something about HIPAA.

Here are some basic recommendations:

Know your regulations. This includes both those related to public and private companies in general, and those that are specific to your industry.

Develop your enterprise strategy and plan for compliance. Make sure your strategy encompasses both processes and content, since both are necessary to ensure compliance.

Summary (cont)

Document your retention policies, procedures and schedules.

This is important not only to prove to the regulatory bodies that you have them, but also to communicate these policies, procedures and schedules to your employees so they can follow them.

Determine your specific requirements for a technology solution to enable you to implement your enterprise compliance plan and support your retention policies and your processes.

Assess your current technology to determine if it meets your requirements and where gaps may exist.

Research the additional technology needed and procure and implement it as required.

QUESTIONS?

THANK YOU!

Additional non-vendor info available at:

www.bettermanagement.com

Wayne Embry
Systems Engineer
IT Management Solutions Specialist
SAS Customer Care
9401 Indian Creek Pkwy
Overland Park, KS 66210
913-663-3264 x 1362
[email protected]