Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2001, SAS Institute Inc. All rights reserved. COMPLIANCE WITH NEW GOVERNMENT REGULATIONS WHAT DOES IT MEAN TO US? Wayne Embry Systems Engineer.

Similar presentations


Presentation on theme: "Copyright © 2001, SAS Institute Inc. All rights reserved. COMPLIANCE WITH NEW GOVERNMENT REGULATIONS WHAT DOES IT MEAN TO US? Wayne Embry Systems Engineer."— Presentation transcript:

1 Copyright © 2001, SAS Institute Inc. All rights reserved. COMPLIANCE WITH NEW GOVERNMENT REGULATIONS WHAT DOES IT MEAN TO US? Wayne Embry Systems Engineer IT Management Solutions Specialist SAS Customer Care 9401 Indian Creek Pkwy Overland Park, Ks 66210 913-663-3264 x 1362 wayne.embry@sas.com KCCMG February 18, 2004

2 Copyright © 2001, SAS Institute Inc. All rights reserved. Regulatory intrusion is rewriting the rules of business. Sarbanes- Oxley, HIPAA, Patriot Act and new SEC rules mandate changes in the way you capture, understand, retrieve and analyze enterprise information. Sarbanes-Oxley Act and other new regulations have made compliance a corporate imperative. The question is how do you develop an effective compliance program? Further, how do you choose from among the confusing array of technologies aimed at compliance? This presentation will explore the details of the most important content compliance challenges facing corporations today. I will also explore specific technologies and how they address high- priority compliance needs and demands.

3 Copyright © 2001, SAS Institute Inc. All rights reserved. Quote from “A History of the American People”, Paul Johnson, writes that J.P. Morgan believed that The tendency of economic activity in a free society was to produce primeval chaos, in which men fought savagely for supremacy and countless sins were committed. Freedom was needed for economic society to function efficiently, but the resulting chaos generated inefficiency as well as sin. He reasoned that some degree of order was needed, and that order could best be brought about by forms of economic concentration that imposed a degree of order without inhibiting freedom to the point where efficiency was again endangered. This valuable concentration was achieved by the corporation and trust.

4 Copyright © 2001, SAS Institute Inc. All rights reserved. One of the most famous examples of fraud was the South Sea bubble of 1720. The South Sea Company was chartered in England in 1711 and granted a monopoly of British trade with South America and the islands of the Pacific Ocean. During the next several years, the monopoly rewarded investors handsomely. With the company’s stock appreciation rapidly, the task of persuading new investors was easy. Between January and July of 1720, the stock grew eight times in value, attracting all manner of speculators and inspiring no end of imitators. By November, however, nearly nine-tenths of the value of the stock of the company had vanished, disgracing the directors of the company (who proved to have collaborated in assorted shenanigans with the company’s accounts), ruining thousands of investors and wreaking havoc on the finances of the entire British Empire. To many, this sounds quite familiar when reflecting on the market activities of the early 2000s. source: Corporate Governance published by McGraw DOES HISTORY REPEAT ITSELF?

5 Copyright © 2001, SAS Institute Inc. All rights reserved. GOVERNMENT COMPLIANCE ACTS n Securities Exchange Act of 1934. First, the rules require a company to disclose whether it has at least one "audit committee financial expert" serving on its audit committee, and if so, the name of the expert and whether the expert is independent of management. n Federal Deposit Insurance Corporation Improvement Act of 1991(FDICIA) developed innovative approaches for compliance. While there are some differences, there are many parallels between FDICIA and Section 404 of SOA, including similar requirements, goals and frameworks.

6 Copyright © 2001, SAS Institute Inc. All rights reserved. GOVERNMENT COMPLIANCE ACTS (cont ) HIPPA The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to protect health insurance coverage for workers and their families when they change or lost their jobs.

7 Copyright © 2001, SAS Institute Inc. All rights reserved. GOVERNMENT COMPLIANCE ACTS (cont) PATRIOT ACT To satisfy the PATRIOT Act, financial services firms must define by Dec.31, 2002, a solution to spot patterns of behavior likely to reveal money laundering. This Act requires financial institutions with accounts in the United States to establish “due diligence” policies and procedures to prevent, detect and report possible instances of money laundering. Other requirements include designating an internal compliance officer and establishing an ongoing employee-training program related to anti-money laundering.

8 Copyright © 2001, SAS Institute Inc. All rights reserved. GOVERNMENT COMPLIANCE ACTS (cont) Sarbanes-Oxley Act Sarbanes-Oxley Act, signed into law in July, 2002 requires CEOs and CFOs of all publicly traded companies in the United States, and any companies outside the U.S. that are listed on the New York Stock Exchange or NASDAQ, to certify the accuracy of corporate financial reports.

9 Copyright © 2001, SAS Institute Inc. All rights reserved. SEC Rule 17a-4 states that broker-dealers must preserve all electronic records "exclusively in a nonrewritable, non- erasable format." It goes without saying that these, and all other corporate records, be retained only as long as legally required, after which time they are destroyed. The rule also requires, however, that broker-dealers be able to produce those records in a timely manner in the event of an audit or regulatory investigation. This combination of requirements places enormous demands on a financial institution that can only be met with specific technologies. GOVERNMENT COMPLIANCE RULES

10 Copyright © 2001, SAS Institute Inc. All rights reserved. n 1. Material changes must be reported at light speed. Most CFOs are aware that they now must provide the SEC with an 8-K form within five business days if their company issues an earnings release. n 2. "Internal Controls" could mean much more than getting the numbers right. On the face of it, Sarbox seems to refer only to finance when it talks about the need for management to report on and assess internal company controls. n 3. Sarbox doesn't stop at the shoreline. Laws governing exports and imports and foreign-based bribes and money laundering don't seem to have much to do with the domestically focused act.

11 Copyright © 2001, SAS Institute Inc. All rights reserved. n 4. Executive mobility just got a whole lot tougher. Remember the home loans that employers made to company managers, either to relocate an executive or to lure new talent to a different part of the country? n 5. Private companies aren't immune to Sarbox. The Sarbox loan ban also figures into problems that nonpublic companies can encounter under the act. Officer loans are common practice in private companies, particularly in single-owner outfits

12 Copyright © 2001, SAS Institute Inc. All rights reserved. Risks of Non Compliance: n CEO’s and CFO’s are held personally accountable for the validity of financial reports n CIO’s and other executives may also be held liable n Possible class action suits n Reduction of investor confidence n Significant loss of market capitalization n Fraud litigation

13 Copyright © 2001, SAS Institute Inc. All rights reserved. PENALTIES OF NON COMPLIANCE Section 906 Penalties CEO or CFO signs statement not meeting requirements: -Up to $1MM fine, up to 10 years in prison -Escalates to $5MM and 20 years for willful false certification General penalties: -Up to 25 years in prison for knowingly defrauding shareholders of public companies

14 Copyright © 2001, SAS Institute Inc. All rights reserved. Former Enron accountant surrenders to FBI Enron Corp.'s former top accountant surrendered early today and was taken in handcuffs to the courthouse to face six federal fraud charges related to the disgraced energy giant's 2001 collapse. Richard A. Causey, 44, accompanied by a pair of attorneys, walked into the Houston offices of the FBI just before daybreak. They had no comment as they entered the building. Less than an hour later, Causey arrived at the courthouse to await an appearance before a federal judge. Causey was described in the six-count indictment unsealed today as "a principal architect and operator of the scheme to manipulate Enron's reported earnings." Enron imploded in late 2001 in a sea of hidden debt, inflated profits and accounting tricks.

15 Copyright © 2001, SAS Institute Inc. All rights reserved. GRAND JURY TO REVIEW SKILLING EVIDENCE Federal prosecutors are preparing criminal charges against former Enron Corp. chief executive Jeffrey Skilling for an indictment expected to be handed up this month, perhaps as early as next week. The two sources, who spoke on condition of anonymity, confirmed that Skilling, 50, was in the government's crosshairs on the heels of securing a guilty plea to two counts of conspiracy from former Enron finance chief Andrew Fastow last month. But they said the process was delicate and public revelation of the new case could be delayed. So far in the Justice Department's investigation into Enron's collapse, launched more than two years ago, 27 individuals have been charged. Source KC Star

16 Copyright © 2001, SAS Institute Inc. All rights reserved. A former xxxxx on Thursday pleaded guilty in federal court to a criminal charge of obstruction of justice in a case related to a $1 billion accounting scandal at the software maker. xxxx, a 16-year veteran at xxx who last held the position of senior vice president of finance, faces up to five years in prison and a $250,000 fine. Meanwhile, the Securities and Exchange Commission also filed civil charges against xxx, who was ousted by the software maker last October along with two other executives, including its chief financial officer. The SEC complaint alleges that xxxxx has participated in practices that led to early recognition of more than $1 billion in revenue from at least 95 contracts in fiscal 2000. ANOTHER FRAUD PENALITY

17 Copyright © 2001, SAS Institute Inc. All rights reserved. Paths to Compliance: n Evaluate existing controls n Identify high risk areas n Determine appropriate level of control n Establish and enhance controls n Ensure documentation passes 3rd party review n Communicate and train n Monitor via disclosure committee n Establish continuous improvement process n Certify with confidence

18 Copyright © 2001, SAS Institute Inc. All rights reserved. KEY PROVISIONS Section 302: n Provides for executive certifications of financial reports n Must include Management's certification of financial reporting controls n Effective for all filings on or after 8/29/2002

19 Copyright © 2001, SAS Institute Inc. All rights reserved. KEY PROVISIONS (cont) SECTION 404: n Provides for internal controls for financial reporting n Must include Management's evaluation of internal controls n Effective for all annual reports on or after 9/15/2003 The final rules the SEC approved an update regarding Section 404 of the Sarbanes-Oxley Act say companies must comply with the rules for the fiscal year ending after June 15, 2004, rather than the previous deadline of Sept. 15, 2003.

20 Copyright © 2001, SAS Institute Inc. All rights reserved. Compliance Services n Provide an independent “no conflict" Gap Analysis assessment Provide a clear, concise roadmap to compliance n Recommend solutions - products and services "Best Practice" policy and procedure development n Assess the 3 “A’s” of IT internal control: Audit trails Authentication Access control

21 Copyright © 2001, SAS Institute Inc. All rights reserved. Compliance Services (cont ) n Provide advanced financial and technical expertise n Project management capabilities n Security architecture development n IT strategic planning n Risk analysis n Independent review of vulnerabilities n Implement corrective actions, policies, and process improvements

22 Copyright © 2001, SAS Institute Inc. All rights reserved. Can Sarbanes-Oxley rekindle IT spending? AMR Research Survey Results: n U.S. companies are expected to spend more than $2.5 billion to comply with new accounting rules required by the Sarbanes-Oxley Act, with a significant chunk going to information technology projects. n According to analyst John Hagerty of AMR Research, which released the survey on the impact of the law, $2.5 billion is just the tip of the iceberg. n As companies update their business systems to help them comply with the law, they could "kick-start" corporate spending on IT the same way the much-feared Y2K bug spurred companies to install or update software programs in time for the year 2000 date change, AMR said. Source: Enterprise Software

23 Copyright © 2001, SAS Institute Inc. All rights reserved. Updated AMR Research surveying more than 70 companies, updates the estimates that 2004’s SOA spending will be $5.5 billion, with more than half – nearly $3 billion – in hard expenditures that could affect companies' bottom-line performance. Source: AMR Research

24 Copyright © 2001, SAS Institute Inc. All rights reserved. AMR RESEARCH ANTICIPATES THE BUDGET BREAKDOWN n Internal labor/headcount – 44 percent n Outsourced services (advisors and consultants) – 33 percent n Technology – 19 percent n Other – 4 percent Source: AMR Research

25 Copyright © 2001, SAS Institute Inc. All rights reserved. Putting the systems in place to "ensure compliance with Sarbanes-Oxley will boost investor confidence in the company," says Mattel CIO Joe Eckroth. Source: CIO

26 Copyright © 2001, SAS Institute Inc. All rights reserved. SARBANSE/OXLEY Section 409 One section of the Sarbanes-Oxley Act that has broad technology implications is Section 409, which calls for real-time disclosure of "material changes." Like most of the act, Section 409 is vaguely worded and never actually defines material changes, but most experts think it could be anything from a stock sale by a corporate officer to the loss of a large account—basically anything that could impact a company's perceived market value. Section 409 can clearly be traced to the Enron, WorldCom, Adelphia and Imclone scandals, where the well-connected cashed out shortly before companies collapsed.

27 Copyright © 2001, SAS Institute Inc. All rights reserved. Aligning IT Operations with Corporate Goals All of the major consulting organizations consistently rank IT and business alignment as one of the top five concerns of their clients. CIO.com rated expertise in aligning and leveraging technology for the advantage of the enterprise as one of the top skills required for an effective CIO. However… the ability to establish and maintain a close alignment between IT and the business continues to be an elusive goal. IT and Business Alignment is a Highest Priority

28 Copyright © 2001, SAS Institute Inc. All rights reserved. Aligning IT Operations with Corporate Goals Recent survey illustrates the lack of effectiveness that still exists in many organizations… IT and Business Alignment is a Highest Priority (cont)

29 Copyright © 2001, SAS Institute Inc. All rights reserved. Aligning IT Operations with Corporate Goals Corporate Planning Issues Missing or poorly conceived corporate-level business plan Planning is extensive at the line of business (LOB) level but not tightly integrated between LOB groups – leading to conflicting requirements IT Planning Issues IT and business alignment methodology poorly conceived Focus of alignment is too limited or too tactical (e.g., focused on cost control issues or the “squeaky wheel” syndrome) And… What factors have contributed to alignment failures ?

30 Copyright © 2001, SAS Institute Inc. All rights reserved. Aligning IT Operations with Corporate Goals IT Planning Issues Too often the alignment process fails to consider the IT operations group as a STRATEGIC PARTNER. Focus directed at the development side on:  Application enhancements  New application development Obviously, the need to align the IT application portfolio to the needs of the business is a critical and essential issue, but it is only part of the equation… What factors have contributed to alignment failures? (cont)

31 Copyright © 2001, SAS Institute Inc. All rights reserved. Aligning IT Operations with Corporate Goals IT Planning Issues Even when the IT operations organization is “fully engaged” in the alignment process, it tends to focus on efficiency issues surrounding:  Cost control  Cost avoidance  Service availability These are very important issues and will always be critical in measuring the success of the IT operations organization… but they may not tell the whole story. What factors have contributed to alignment failures? (cont)

32 Copyright © 2001, SAS Institute Inc. All rights reserved. Aligning IT Operations with Corporate Goals If the IT operations organization is to fully support the needs of its customer base, the alignment strategy must also consider the strategic value or effectiveness of the services provided. This starts with developing a solid alignment foundation that addresses several key elements… What factors have contributed to alignment failures? (cont)

33 Copyright © 2001, SAS Institute Inc. All rights reserved. Aligning IT Operations with Corporate Goals Key Foundation Elements: BUSINESS PLAN - A fully developed “corporate business plan” that includes explicit BUSINESS IMPERATIVES that must be met in order for the success and survival of the corporation. IT OPERATIONAL OBJECTIVES - The translation of the business imperatives into IT operational requirements or objectives that support the business plan – this will require a significant amount of effort and skill. SLM - Translation of the IT operational objectives into service level management criteria – this is no slam dunk either! IT Alignment Elements (cont)

34 Copyright © 2001, SAS Institute Inc. All rights reserved. Aligning IT Operations with Corporate Goals The process of mapping service level criteria to the key operations engineering disciplines necessary for the creation and ongoing management of an effective and efficient data center can now begin... Operational Engineering Disciplines Organization (People) Technology Process IT Alignment Elements (cont)

35 Copyright © 2001, SAS Institute Inc. All rights reserved. Aligning IT Operations with Corporate Goals IT Alignment Elements (cont.) Organizational Engineering Personnel Management Departmental Structure Skills & Training Process Engineering IT Operational Processes Implementation Management Change Management Problem Management Performance Management Workload Management Recovery Management Security Management Asset Management Technology Engineering Networks Systems & Tools Applications Infrastructure IT Management Processes Service Level Mgmt Customer Mgmt Vendor Mgmt Personnel Mgmt Budget Mgmt Procurement Mgmt Operational Engineering Disciplines (Sub Elements)

36 Copyright © 2001, SAS Institute Inc. All rights reserved. Aligning IT Operations with Corporate Goals IT OPERATIONS PROCESSES - Effectively integrating your IT operational processes into your alignment strategy can be a major factor in its overall success… But, how much emphasis is placed on managing these processes? Implementation Mgmt 34%39%27% Change Mgmt 27%48%25% Problem Mgmt16%53%31% Performance Mgmt12%53%35% Workload Mgmt16%44%40% Recovery Mgmt47%41%12% Security Mgmt41%53% 6% Asset Mgmt34%38%28% Very EffectiveAdequateNot Effective How effective are you in managing your IT operational processes today? Source: Computer Economics survey of over 50 midsize to large data centers – 4Q02 IT Process and Business Alignment

37 Copyright © 2001, SAS Institute Inc. All rights reserved. Aligning IT Operations with Corporate Goals IT Process and Business Alignment (cont.) Formal Written Policies & Procedures Are your IT operational processes governed by well defined policies and procedures? Computer Economics Survey of over 50 midsize to large data centers – 4Q02 Some Written Policies & Procedures No Formal Written Policies & Procedures Implementation Mgmt40%36%24% Change Mgmt45%30%25% Problem Mgmt31%48%21% Performance Mgmt19%47%34% Workload Mgmt32%42%26% Recovery Mgmt56%30%14% Security Mgmt50%40%10% Asset Mgmt43%37%20%

38 Copyright © 2001, SAS Institute Inc. All rights reserved. Aligning IT Operations with Corporate Goals Implementation Mgmt59%41% Change Mgmt51%49% Problem Mgmt50%50% Performance Mgmt21%79% Workload Mgmt29%71% Recovery Mgmt74%26% Security Mgmt74%26% Asset Mgmt53%47% Maintain Tight ControlMaintain Loose Control What is your current “style” for controlling your IT operational processes today? Computer Economics Survey of over 50 midsize to large data centers – 4Q02 IT Process and Business Alignment (cont.)

39 Copyright © 2001, SAS Institute Inc. All rights reserved. IT CORPORATE COMPLIANCE RESPONSIBILITIES

40 Copyright © 2001, SAS Institute Inc. All rights reserved. BUSINESS PERFORMANCE MANAGEMENT (BPM) Business performance management enables individuals to quickly assess the performance of a business process or function, focus on activities that are below expectations and take action to turn behavior around. The online trade show entitled Business Performance Management will give you guidelines to help you discern what is important in today's world of information overload.

41 Copyright © 2001, SAS Institute Inc. All rights reserved. BPM solutions allow an organization's processes to be fully documented and accompanied by transaction audit trails, putting business managers in a better position to make decisions. BPM also documents the policies that state exactly what needs to be done as well as the procedures that specify how policies should be implemented. Organizations can use this information to continuously improve their processes through the adoption of a full life-cycle process management practice (along the lines of Six Sigma), which, in turn, helps maintain competitive advantage.

42 Copyright © 2001, SAS Institute Inc. All rights reserved. n User and Resource Provisioning - adding, moving, and modifying resources or configurations to enable or enhance the performance of mission-critical applications, customers, partners or employees on a priority and demand basis n Infrastructure Availability - ensuring consistent and readily available access to key business resources by managing availability, loss prevention and recovery n Security Management - establishing identities and managing security of key business resources

43 Copyright © 2001, SAS Institute Inc. All rights reserved. THE SEVEN HABITS OF WILDLY UNSUCCESSFUL CIOs There's plenty of information out there about what it takes to be a successful CIO. But sometimes, it's more effective to learn from others‘ mistakes. Many CIOs are guilty of a surprisingly common list of poor managerial habits. The simple truth is that while these bad habits are easy to spot from a distance (and even easier in hindsight), CIOs themselves rarely realize they're making these fatal blunders until after significant damage has been done. Both current and aspiring CIOs should take a good, long look in the mirror and see if any of these seven deadly managerial sins are a part of their routine.

44 Copyright © 2001, SAS Institute Inc. All rights reserved. THE SEVEN HABITS OF WILDLY UNSUCCESSFUL CIOs (cont) 1. Acquire technology simply because it's new. 2. Exhibit a knee-jerk reaction against open source. 3. Create solutions in search of a problem. 4. Eagerly reach beyond competency level. 5. Act as CMOs--chief marketing officers. 6. Fail to understand relationship between technology and business. 7. Don't communicate well with nontechs.

45 Copyright © 2001, SAS Institute Inc. All rights reserved. See why CIOs fail by making these painfully common mistake find out how successful CIOs approach the same situation, and learn how you can avoid these missteps.

46 Copyright © 2001, SAS Institute Inc. All rights reserved. HAVING AN IT GOVERNANCE COUNCIL DOES NOT EQUAL IT GOVERNANCE Every Information Technology (IT) organization we speak with shares the goal of running IT like a business. All agree that a strong IT governance process is essential in this strategy. The Bottom Line: The key to successful IT governance is instilling it at all levels and giving IT staff the authority and responsibility to make decisions. source AMR Research January 2004

47 Copyright © 2001, SAS Institute Inc. All rights reserved. LEADING IT ORGANIZATIONS EMPLOY THREE STRATEGIES THAT HELP PUSH BUSINESS AND IT ALIGNMENT DOWN INTO THE TRENCHES: n IT portfolio management--Not just for the big-ticket projects, but using this discipline to mitigate risk and optimize investment at all levels. n Service-Level Management (SLM)--Aligning the delivery of IT services to the needs of the business, and the mechanisms to track performance against goals. Service-Level Agreements (SLAs) help the IT organization track their performance and make objective decisions about the trade-offs between improved availability and cost. n Formal account/relationship managers. source AMR Research January 2004

48 Copyright © 2001, SAS Institute Inc. All rights reserved. 2004 Financial Strategic Source: IDC Financial Insights

49 Copyright © 2001, SAS Institute Inc. All rights reserved. IT MANAGEMENT VENDORS

50 Copyright © 2001, SAS Institute Inc. All rights reserved. IT MANAGEMENT FUNCTONS

51 Copyright © 2001, SAS Institute Inc. All rights reserved. SUMMARY n A Business Process Management Institute poll indicated that only 27 percent of those organizations polled are taking steps to comply with SOX, and only 11.5 percent are taking action to do something about HIPAA. Here are some basic recommendations: n Know your regulations. This includes both those related to public and private companies in general, and those that are specific to your industry. n Develop your enterprise strategy and plan for compliance. Make sure your strategy encompasses both processes and content, since both are necessary to ensure compliance.

52 Copyright © 2001, SAS Institute Inc. All rights reserved. Summary (cont) n Document your retention policies, procedures and schedules. This is important not only to prove to the regulatory bodies that you have them, but also to communicate these policies, procedures and schedules to your employees so they can follow them. n Determine your specific requirements for a technology solution to enable you to implement your enterprise compliance plan and support your retention policies and your processes. n Assess your current technology to determine if it meets your requirements and where gaps may exist. n Research the additional technology needed and procure and implement it as required.

53 Copyright © 2001, SAS Institute Inc. All rights reserved. QUESTIONS?

54 Copyright © 2001, SAS Institute Inc. All rights reserved. THANK YOU!!!!!!!! Additional non vendor info available at: www.bettermanagement.com Wayne Embry Systems Engineer IT Management Solutions Specialist SAS Customer Care 9401 Indian Creek Pkwy Overland Park, Ks 66210 913-663-3264 x 1362 wayne.embry@sas.com


Download ppt "Copyright © 2001, SAS Institute Inc. All rights reserved. COMPLIANCE WITH NEW GOVERNMENT REGULATIONS WHAT DOES IT MEAN TO US? Wayne Embry Systems Engineer."

Similar presentations


Ads by Google