[ISN] Ten questions about Sarbanes-Oxley compliance

From: InfoSec News (isn@private)
Date: Wed Mar 30 2005 - 22:39:10 PST


Opinion by Kim Getgen
MARCH 30, 2005 

Imagine this scenario: You are a CIO at a publicly traded company in
turmoil, and your chief financial officer was forced to resign at the
end of last quarter after material weakness concerns were raised by
your external auditors. Three months ago, the Securities and Exchange
Commission got involved and launched a formal investigation, and your
company is now constantly scrutinized. It's time for your CEO to
report earnings, and it's not good news.

Now your general counsel adds more bad news. Under the Sarbanes-Oxley
Act, your management must demonstrate that adequate internal controls
have been established to safeguard confidential information from being
compromised during the "blackout." With the rumor mill running
rampant, you know the likelihood of an internal disclosure concerning
earnings information is high.

However, you have no means to detect these communications if they are
leaked in a Web mail or a post to an Internet bulletin board. Even if
you could detect this, what information should you protect? Is there a
blueprint compliance strategy that could be deployed in a way that
could detect all electronic disclosures?

There are solutions available, but first you must understand
Sarbanes-Oxley, how it affects your business and what information --
by law -- needs to be protected.

You and your CEO must know the answers to the following 10 questions
in order to prepare and prove that you have deployed the right mix of
internal controls:

1. What types of information must be protected by internal controls
according to Sarbanes-Oxley?

Information should be considered nonpublic if it isn't widely
disseminated to the general public, including electronic information.  
Unauthorized disclosure of nonpublic data is a violation of federal
securities laws. This information should be protected, but it should
also be monitored to ensure it isn't disclosed inappropriately.

Section 404 describes management's responsibility for building
internal controls around the safeguarding of assets related to the
timely detection of unauthorized acquisition, use or disposition of an
entity's assets that could have a material effect on the financial
statements. You need to demonstrate that you have the capabilities to
monitor, detect and record electronic information disclosures.

2. Since so much nonpublic information is communicated beyond e-mail
based on the Simple Mail Transfer Protocol, how can we build internal
controls to adequately detect the timely disclosure of information
flowing over Web mail, chat, or HTTP?

In today's networked world, it's not just about e-mail. Management
can't ensure the truthfulness or accuracy of financial data if it
doesn't have the means to monitor the movement of sensitive
information across the entire corporate network 24 hours a day, seven
days a week.

Demand more from technology. New products are available that can
monitor electronic disclosure of nonpublic information and aren't
limited to SMTP-based e-mail. These technologies can monitor, record
and provide alerts on electronic disclosures by analyzing all
information flowing over the corporate network from Web mail and chat
to file transfer protocol and HTTP. This type of monitoring technology
combined with a storage system that allows forensic searches into
stored information can prove invaluable if an investigation is

3. What are the penalties for exposing nonpublic information?

The use of nonpublic information concerning a company or any of its
affiliates (a.k.a. "inside information") in securities transactions
("insider trading"), may violate federal securities laws. Penalties
can include:

* Exposure to investigations by the SEC.

* Criminal and civil prosecution.

* Relinquishing profits realized or losses avoided through use of the

* Penalties up to $1 million or three times the amount of any profits
  or losses, whichever is greater.

* Prison terms of up to 10 years.

4. What action should a company take if nonpublic information is
inappropriately exposed on its network?

If nonpublic information is inappropriately disclosed on your network,
you must rapidly execute a response program to identify the extent of
the exposure, assess the effect on the corporation and its customers,
and notify all affected parties.

Section 409 of Sarbanes-Oxley mandates that companies publicly
disclose additional information concerning material changes in the
company's financial condition or operations. While Sarbanes-Oxley
contains many reporting requirements, real-time identification of
material changes and disclosures (the consensus being 48 hours) is the
most significant challenge.

5. Who is personally liable if there is a compliance violation?

The CEO and the CFO must certify all financial statements filed with
the SEC. The maximum penalty for Securities Exchange Act violations
has increased to $5 million for individuals and $25 million for
entities, as well as imprisonment of up to 20 years.

Section 802 of Sarbanes-Oxley states, "Whoever knowingly alters,
destroys, mutilates, conceals, covers up, falsifies, or makes a false
entry in any records, documents, or tangible object with the intent to
impede, obstruct, or influence the investigation or proper
administration of any department or agency of the U.S. ... or
contemplation of any such matter or case, shall be fined ...  
imprisoned not more than 20 years, or both."

6. How long is the "reach back" on compliance violations?

Section 804 of Sarbanes-Oxley extends the statute of limitations in
private securities fraud actions to the earlier of two years after the
discovery of the facts constituting the violation or five years from
the violation.

7. Are there compliance strategies I can deploy to help prove due
diligence if our company is investigated?

Today, an offensive rather than a defensive compliance program is

Deploy strategies that provide you with the evidentiary support you
need when things go wrong. New network security appliances designed to
capture and record all electronic communication can provide forensic
capabilities with automated reporting that corresponds to compliance

These solutions must be deployed within an overarching compliance
strategy that aligns with the business to continuously:

* Identify and monitor risks.

* Establish effective internal controls.

* Test the validity of the controls.

* Support CEO and CFO certifications.

* Conduct third-party audits.

* Monitor for changes in risks, controls and compliance needs.

* Adjust proactively, as needed.

8. What role should external auditors play in compliance?

The Public Company Accounting Oversight Board was created through the
Sarbanes-Oxley Act to oversee the auditors of public companies. The
board recently approved Auditing Standard No. 2, an audit of internal
control over financial reporting conducted with an audit of financial
statements. The new standard highlights the benefits of strong
internal controls over financial reporting and furthers the objectives
of Sarbanes-Oxley.

9. Will I need to prevent electronic disclosures from occurring?

No compliance program can ever prevent 100% of misconduct by corporate
employees. Nor do the regulations state that you must prevent internal
disclosures --including electronic disclosures -- from happening.

If investigated, you will need to show due diligence that you have the
ability for an appropriate and rapid response to detect and deter
misconduct that exposes your company to operational risk that may have
a material effect on your business.

10. What happens if I am investigated?

Compliance programs should be designed to detect the particular types
of operational risks most likely to occur in a corporation's lines of
business. Management must be able to answer two fundamental questions:

1. Is the corporation's compliance program well-designed?

2. Does the corporation's compliance program work?

How does your story end?

Because you understood the connection between electronic disclosure
and the need to monitor disclosure across your corporate network, you
deployed technology that could monitor, analyze and store all
communications for after-the-fact investigations. Every session
traversing every network egress point was analyzed. The monitoring
system that was put in place stored terabytes of information during
the blackout period -- all retained in the event of an audit.

Your company sent an e-mail from the CEO to all employees specifically
stating that the disclosure of earnings information during the
blackout period wouldn't be tolerated.

On the first day, you detected 129 occurrences of the CEO's internal
memo being leaked. Further investigation revealed that 16 employees
also disclosed inappropriate information or traded stock during the
blackout. You communicated with the general counsel, who was able to
take the appropriate action to remediate the situation and report it
according to compliance mandates. Your CEO kept his job.

A walk on the wild side?

Believe it or not, this case study wasn't just a walk on the wild
side; it's based on events that are occurring inside many
organizations. If you haven't evaluated the effectiveness of your
internal controls in light of the new reality of electronic
disclosure, start thinking about it. Don't wait for the first
Sarbanes-Oxley convictions or for Standard & Poor's to downgrade your
company's credit rating. These controls can be the difference between
companies that recover from material weaknesses and companies that go
bankrupt trying to bounce back. Don't just ask yourself the 10
questions above; take the answers to heart and begin applying them to
your organization before it's too late.

Kim Getgen is vice president of strategy at Reconnex Corp., a provider
of risk management and security products in Mountain View, Calif.

Network Security - http://www.auditmypc.com
Free vulnerability test - How secure is your computer?

This archive was generated by hypermail 2.1.3 : Thu Mar 31 2005 - 09:36:56 PST