Showing newest 27 of 47 posts from April 2007. Show older posts

Monday, 30 April 2007

Section 404 Glossary New Words

Callidus Software
Vendor of on-premise and on-demand Sales Performance Management software. See Callidus Software books
iTDW
Information Technology Data Warehouse See iTDW books
King, Elizabeth
Associate Director, Division of Market Regulation - U.S. Securities and Exchange Commission See King, Elizabeth books
nCircle
What they say: nCircle is the leading provider of agentless security risk and compliance management solutions. More than 3,500 enterprises, government agencies and service providers around the world rely on nCircle's proactive security solutions to identify, measure, manage and reduce security risk and automate compliance on their networks. nCircle has won numerous awards for growth, innovation and technology leadership and has been ranked among the top 100 best places to work in the San Francisco Bay Area. nCircle is headquartered in San Francisco, CA, with regional offices throughout the USA and in London, Toronto and Tokyo. Additional information about nCircle is available at www.ncircle.com. See nCircle books
Passlogix
Vendor of Secure Sign-On solutions. See Passlogix books
SonicWALL
Vendor of Network Security Solutions See SonicWALL books
ZixCorp
Email Encryption Vendor See ZixCorp books

Reconnex Award for iGuard 2600

Info Security Products Guide, a Silicon Valley Communications publication and the world's leading publication on security-related products and technologies, has named the Reconnex iGuard 2600 a winner of the 2007 Global Excellence Customer Trust Awards in Data Leak Protection and HIPAA Compliance.

The Reconnex iGuard 2600 is a high-performance, appliance-based information protection system that enables organizations to protect all information assets on the network without requiring up-front knowledge of what needs to be protected, and regardless of how that information is stored, secured, or communicated. As a result, IT can protect against both known and emerging threats. The iGuard 2600 also provides pre-configured policies to address key security requirements such as Payment Card Industry (PCI) compliance and the Health Insurance Portability and Accountability Act (HIPAA).

Mobius Joins Interop Vendor Alliance

Mobius Management Systems, Inc. (NASDAQ:MOBI), a vendor of integrated solutions for enterprise archiving and records management, has joined the Interop Vendor Alliance. As a participant in the Alliance, Mobius will work with Microsoft and a cross-industry group of members that share the goal of making technologies work better together. Mobius, a Microsoft Gold Certified Partner and Windows Vista and 2007 Office system launch partner, delivers capabilities that enable users of Microsoft Office SharePoint Server 2007 to search for, access and manage information stored anywhere in the enterprise.

Integration of Mobius's flagship products, ViewDirect and Total Content Integrator (TCI), with Microsoft Office SharePoint Server 2007 delivers a comprehensive solution for enterprise-level content creation, management and archiving:

-- Total Content Integrator (TCI), with Microsoft Office SharePoint Server
2007, delivers maximum flexibility for storing and accessing all
enterprise information. TCI, the premier solution for connecting any
content source with any content user or application, provides seamless
access to information stored anywhere in the enterprise. Built on an
open, standards-based architecture that ensures interoperability and is
J2EE-compliant and .NET-enabled, TCI reduces the complexity, costs, and
operational inefficiencies faced by end users, system integrators, and
independent software vendors.

-- ViewDirect, the world's most scalable, full-featured archiving
platform, manages billions of items a year as the "archive of record"
for leading organizations around the world. Migrating static content
to ViewDirect for long-term retention facilitates compliance with
support for read-only storage and minimizes costs with support for the
full range of storage media.

Fuwei Films Auditor Change

Fuwei Films (Holdings) Co., Ltd. (NASDAQ:FFHL) ("Fuwei") today announced that the audit committee of its Board of Directors had appointed Murrell, Hall, Mcintosh & Co PLLP ("MHM") as its independent auditor effective April 24, 2007. MHM had previously been retained earlier this year by Fuwei to advise regarding the requirements of Section 404 of the Sarbanes-Oxley Act of 2002.

Fuwei denies that the change in auditor was due to any disagreement with its previous auditing firm on "any matter of accounting principles or practice, financial statement disclosure, or auditing scope or practice."

In addition, Fuwei announced that Tullius Taylor Sartain & Sartain (TTS&S) has been engaged as consultants to assist with its compliance with Section 404 and to facilitate improvements in Fuwei's internal controls over financial reporting.

Sunday, 29 April 2007

Atmel

Atmel is a worldwide leader in the design and manufacture of microcontrollers, advanced logic, mixed-signal, nonvolatile memory and radio frequency (RF) components. Leveraging one of the industry's broadest intellectual property (IP) technology portfolios, Atmel is able to provide the electronics industry with complete system solutions. Focused on consumer, industrial, security, communications, computing and automotive markets, Atmel ICs can be found Everywhere You Are(R).

Internal Controls Jargon

New Internal Controls Jargon

Callidus Software
Vendor of on-premise and on-demand Sales Performance Management software. See Callidus Software books
CDO
Collateralised Debt Obligation See CDO books
Credient
A global credit risk management and control solution delivered via an application service provider (ASP) framework. Produced by http://www.sungard.com See Credient books
FICO
Fair Isaac Credit Organization See FICO books
FICO Score
Credit rating based on a scoring system developed by the Fair Isaac Corporation. See FICO Score books
King, Elizabeth
Associate Director, Division of Market Regulation - U.S. Securities and Exchange Commission See King, Elizabeth books
Passlogix
Vendor of Secure Sign-On solutions. See Passlogix books
SonicWALL
Vendor of Network Security Solutions See SonicWALL books
ZixCorp
Email Encryption Vendor See ZixCorp books

Active Power

What Active Power says about itself

Active Power provides efficient, reliable, and green critical power solutions and Uninterruptible Power Supply (UPS) systems to enable business continuity in the event of power disturbances. Founded in 1992, Active Power's flywheel-based UPS systems protect critical operations in data centers, healthcare facilities, manufacturing plants, broadcast stations, and governmental agencies in over 40 countries. Active Power also offers CoolAir, the only solution that provides both backup power and backup cooling. With expert power system engineers and worldwide service and support, Active Power provides turnkey solutions that ensure organizations have the power to perform. For more information, please visit http://www.activepower.com/ .

Paisley

What Paisley says about itself

Paisley is an industry-leading software vendor that provides solutions for governance, risk and compliance including financial controls management, internal audit, operational risk management, compliance, IT governance and enterprise risk management. For more than a decade, Paisley has delivered superior software and services to both large enterprise and mid-market organizations. Governance, risk and compliance software has always been and continues to be the company's focus.

Leveraging industry best practices, standards-based technology, and a choice of software platforms and deployment options, Paisley customers are empowered to improve the accuracy, consistency and efficiency associated with internal audit, financial controls management, enterprise risk management, operational risk management, IT governance and compliance initiatives. Developed for companies of every size and across multiple industries, Paisley's solutions enable organizations to streamline governance, risk and compliance processes, reduce costs of compliance, manage and mitigate risks, and provide visibility, oversight and assurance.

Security Glossary

ABA
American Bar Association See ABA books
ABC
Automated Business Controls See ABC books
Activity Level
One of two levels at which internal controls can operate. The control is applied at the point of an activity. An example is a bank reconciliation to control cash movements. See Activity Level books
AICPA
American Institute of Certified Public Accountants See AICPA books
Application Access
Access to an application via direct connection, Web services or a terminal. See Application Access books
Application Controls
A type of control activity. Typically involve controls over processing of individual applications, ensure transactions are valid, properly authorized, completely and accurately processed. See Application Controls books
Arbor Networks
Provider of network security and operational performance See Arbor Networks books
ArcSight
Enterprise Security and Compliance Management solutions See ArcSight books
Automated User Enrollment
Process to move user identity information over a network from a data source to a directory where it is needed. See Automated User Enrollment books
BaFin
Germany: financial regulator See BaFin books
By-name Authorization
From an individual username, connecting authorized access to a data target. See By-name Authorization books
Callidus Software
Vendor of on-premise and on-demand Sales Performance Management software. See Callidus Software books
CISSP
Certified Information Systems Security Professional See CISSP books
CODIS
Combined DNA Index System See CODIS books
Control Activities
One of five components of internal control according to the COSO Internal Control Framework. Also known as Control procedures. See Control Activities books
Control policies and procedures to ensure actions identified as necessary for risk assessment are carried out. They have to be both established and executed for their effectiveness to be established. Control activities are made up of two elements, policies and procedures. See Control Activities books
Control Environment
One of five components of internal control according to the COSO Internal Control Framework See Control Environment books
Senior management has to set a tone at the top that positively influences the control consciousness of entity personnel. Discipline and structure are generated by the control environment, which is the central building block for the other components of internal control. See Control Environment books
COSO
Committee Of Sponsoring Organizations of the Treadway Commission See COSO books
COSO Framework
Most widely used framework to assess the effectiveness of internal control. See COSO Framework books
See CPAB books
CPCAF
The Center for Public Company Audit Firms See CPCAF books
CPIC
Coalition of Private Investment Companies See CPIC books
CPPI
Constant Proportion Portfolio Insurance See CPPI books
CPS
Crown Prosecution Service See CPS books
Data Field Access
Access to one or more selected fields in a database. See Data Field Access books
Data Governance
The process by which companies govern appropriate access to and the use and transmission of their critical data by measuring operational risk and controlling security exposures. See Data Governance books
Data Integrity
Maintenance of the accuracy and reliability of published and non-published information. See Data Integrity books
Database Access
Access to one or more data entries in a database. See Database Access books
DHS
Department of Homeland Security See DHS books
Directory-enabled access controls
Controls over access to digital resources that are governed by entries in a service directory. See Directory-enabled access controls books
Disclaimed Opinion
Report by an auditor that it is unable to express an opinion regarding a company's internal control over financial reporting. See Disclaimed Opinion books
An example is from Deloitte and Touche at Cray: "Because of the limitation on the scope of our audit described in the second paragraph of this report, the scope of our work was not sufficient to enable us to express, and we do not express an opinion on management's assessment referred to above." See Disclaimed Opinion books
Distributed Enrollment
Process of enrollment conducted by persons at one or more remote locations acting as agents for enrolling end users. See Distributed Enrollment books
DNS
Domain Name System See DNS books
Donaldson, William
Former chairman of the Securities and Exchange Commission See Donaldson, William books
DTI
Department of Trade and Industry See DTI books
Dynamo
A public Constant Proportion Portfolio Insurance product BNP See Dynamo books
ECM
Enterprise Content Management See ECM books
EEA
European Economic Area See EEA books
Entity Level
One of two levels at which internal controls can operate. Controls are implemented at the entity level if they have a pervasive effect on the control environment. An example is the recruitment and training policies of the company. See Entity Level books
FASAC
Financial Accounting Standards Advisory Council See FASAC books
FASB
Financial Accounting Standards Board See FASB books
FFS
South Korea: Financial Supervisory Service See FFS books
File Access
Access to the contents of a digital file. See File Access books
Financial Accounting Standards Advisory Council
Overseer of the Financial Accounting Standards Board. See Financial Accounting Standards Advisory Council books
Financial Reporting
Defined by the COSO Framework as: See Financial Reporting books
The preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly. See Financial Reporting books
Financial Supervisory Commission
Taiwan: financial regulator See Financial Supervisory Commission books
Finite Access Control
Control of end-user access for one username to specific resources. See Finite Access Control books
Firm Infrastructure
Support activity in the value chain analysis. General management, planning, finance, accounting, legal, government affairs and quality management are all activities. See Firm Infrastructure books
GAO
Government Accountability Office See GAO books
Gen2
RFID standard setting interoperability and bandwidth technologies See Gen2 books
Group-membership Access
Assignment to a group sharing similar access rights. See Group-membership Access books
IISP
Institute of Information Security Professionals See IISP books
Inbound Logistics
Element in primary activities dealing with receiving, storing and disseminating inputs to the product. Materials handling, warehousing, inventory control and supplier returns. First stage in the value chain analysis. See Inbound Logistics books
Information and Communication
One of five components of internal control according to the COSO Internal Control Framework See Information and Communication books
Systems surrounding the control activities. The accounting system counts as information and communication. Information needed to manage, control and conduct operations is captured by the entity. See Information and Communication books
Information Processing
In the context of Control Activities and Sec 404, performed to check accuracy, completeness and authorization of transactions. These broadly break down into two groups: application controls and general controls. See Information Processing books
Information Systems Audit and Control Association
Publisher with Information Technology Governance Institute of the IT Control Objectives for Sarbanes-Oxley. See Information Systems Audit and Control Association books
Information Technology Governance Institute
Publisher with Information Systems Audit and Control Association of the IT Control Objectives for Sarbanes-Oxley. See Information Technology Governance Institute books
Integrity and Ethics
Reside under the Control Environment. Senior management needs to set the tone for the company. Whilst they might be considered "soft" and "intangible" concepts, they affect the design, administration and monitoring of other internal controls. According to COSO, the actions of management are more important than having them written down. See Integrity and Ethics books
Negative examples of integrity and ethics are the infamous Enron and WorldCom scandals. See Integrity and Ethics books
A positive example is BP which sets a high bar for ethical behaviour by employees. To back this policy up they make mention of it and its effectiveness in financial reports. See Integrity and Ethics books
Internal Control - Integrated Framework
Formal name of the COSO Framework See Internal Control - Integrated Framework books
Internal Control Deficiency
Occurs when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. See Internal Control Deficiency books
ISACA
Information Systems Audit and Control Association See ISACA books
ISDA
International Swaps and Derivatives Association See ISDA books
ITA
Information Technology Architecture See ITA books
ITGI
Information Technology Governance Institute See ITGI books
Livedoor
Japanese company at the centre of a corporate governance scandal. Can be seen as the equivalent of World-Com or Enron as it is used as evidence of the need for a Japanese Sarbanes-Oxley type legislation on internal controls over financial reporting. See Livedoor books
Monitoring
One of five components of internal control according to the COSO Internal Control Framework See Monitoring books
The means through which the control process is monitored and improved via modification. See Monitoring books
NBA
Network Behavior Analysis See NBA books
nCircle
What they say: nCircle is the leading provider of agentless security risk and compliance management solutions. More than 3,500 enterprises, government agencies and service providers around the world rely on nCircle's proactive security solutions to identify, measure, manage and reduce security risk and automate compliance on their networks. nCircle has won numerous awards for growth, innovation and technology leadership and has been ranked among the top 100 best places to work in the San Francisco Bay Area. nCircle is headquartered in San Francisco, CA, with regional offices throughout the USA and in London, Toronto and Tokyo. Additional information about nCircle is available at www.ncircle.com. See nCircle books
Network Access
Access to network connected resources. See Network Access books
NIST
National Institute of Standards and Technology See NIST books
NNSP
National Nuclear Security Administration See NNSP books
Nonrepudiation
Reducing an end user's ability to deny he was the one who authorized an action or sent a message. See Nonrepudiation books
NSA
National Security Agency See NSA books
Objectives
The COSO Framework defines three broad categories:- compliance with laws and regulations, financial reporting and operations. In relation to Sarbanes-Oxley the important one is financial reporting. See Objectives books
Password Reset
Replacing an existing password with a new one. The old password is cancelled. Task performed by the end user, help desk or an administrator See Password Reset books
Password Synchronisation
Moving passwords and sometimes usernames from one repository to another using automated processes. See Password Synchronisation books
PCI Data Security Standard
Requires merchants that accept credit and debit cards over the Internet to increase card data protection on their internal and external payment networks in order to avoid security breaches in which customer records are exposed and misused. See PCI Data Security Standard books
Physical Controls
A type of control activity. They involve the physical security of assets. They ensure adequate safeguards over access to assets and records. See Physical Controls books
Privacy Protection
Creating and maintaining digital and/or physical barriers around an individual's personal information to prevent unauthorized access. See Privacy Protection books
Procedure
1) Actions of people to implement the stated policies. See Procedure books
Procurement
Support activity in value chain analysis. Mainly the purchase of inputs throughout the value chain. Encompasses elements throughout the primary and support activities. See Procurement books
Public Company Accounting Oversight Board
Organization set up under Sarbanes-Oxley Act 2002 to regulate auditing of public companies and auditors. See Public Company Accounting Oversight Board books
Reduced sign-on
Using the same username/password combination to access every resource over multiple logon events. See Reduced sign-on books
RFID
Radio Frequency Identification See RFID books
Risk Assessment
One of five components of internal control according to the COSO Internal Control Framework See Risk Assessment books
Risks faced by the company have to be recognized. Objectives have to be set and integrated into the value chain. To achieve the objectives, risks have to be identified and analyzed, and methods developed to manage them. See Risk Assessment books
Role Definition
Access authorization based on the job or work performed. Typically applied to a single person or a group sharing the same work. See Role Definition books
Role-based access control
Controlling access based only on the role definitions. See Role-based access control books
RSA Conference
Conference organised every year by security giant RSA. See RSA Conference books
SCSE
Society of Corporate Compliance and Ethics See SCSE books
SEC
Securities and Exchange Commission. See SEC books
Section 104
Section of the Sarbanes-Oxley Act requiring the PCAOB to inspect registered public accounting firms on a regular basis See Section 104 books
Section 302
Section of the Sarbanes-Oxley Act of 2002 requiring a certification to accompany each quarterly and annual report filed with the SEC. See Section 302 books
Section 404
Section of the Sarbanes-Oxley Act of 2002 mandating CEOs and CFOs of public companies to evaluate and report on the effectiveness of an entity's internal control over financial reporting. See Section 404 books
Segregation of Duties
A type of control activity. Different people are assigned responsibilities for authorizing transactions, recording transactions and maintaining custody of assets. The purpose is to inhibit the perpetration and concealment of errors or irregularities, by reducing the opportunity to do so in the course of people's everyday work. See Segregation of Duties books
Seibu Railway Co.
Japanese company at the centre of a corporate governance scandal. Can be seen as the equivalent of World-Com or Enron as it is used as evidence of the need for a Japanese Sarbanes-Oxley type legislation on internal controls over financial reporting. See Seibu Railway Co. books
Self-Enrollment
End-user is permitted to enter his own identity information using an online process See Self-Enrollment books
Service
Business process activities dealing with providing service to enhance or maintain the value of the product, once obtained by the buyer. Installation, repair and supplying parts are all covered. Considered to be a primary activity in the value chain analysis. Lies last after market and sales. See Service books
Service Directories
Directories used to provide identity information and authorization data to a gatekeeper device or application. See Service Directories books
Significant Deficiency
An internal control deficiency that adversely affects the entity's ability to initiate, record, process, or report external financial data reliably in accordance with generally accepted accounting principles (GAAP). A significant deficiency could be a single deficiency or a combination of deficiencies, that results in more than a remote likelihood that a misstatement of the annual or interim financial statements that is more than inconsequential in amount will not be prevented or detected. See Significant Deficiency books
SMTP
Simple Mail Transfer Protocol See SMTP books
SonicWALL
Vendor of Network Security Solutions See SonicWALL books
SOX
Shorthand for Sarbanes-Oxley. See SOX books
Web Access Control
Internal controls limiting Web server and Web application access. See Web Access Control books

Friday, 27 April 2007

Centive Award

Technology Marketing Corporation (TMC)'s Customer Interaction Solutions(R) magazine (www.cismag.com) has named Centive Compel(R) as a recipient of their CRM Excellence Award.

Centive Compel is an on-demand solution for modeling, managing and optimizing sales compensation. Centive claims Compel offers strategic value by providing sales representatives and managers with real-time visibility into sales attainment and performance data. In addition, Compel offers a flexible system for modeling and forecasting various compensation scenarios, and it provides a complete audit trail and the security and process controls needed to support Sarbanes-Oxley compliance initiatives.

Thursday, 26 April 2007

Trend Micro to Delist Because of Sarbanes-Oxley

Trend Micro, a Japanese IT security firm, is to delist its American Depositary Shares from the NASDAQ Stock Market.

The company is the latest foreign company to delist its shares in the U.S. The reason stated is: "The Company's ADRs have been listed on NASDAQ since July 1999. However, the Company's ADRs have been thinly traded on NASDAQ, and overseas investors have traded the Company's common stock primarily on the Tokyo Stock Exchange."

The press release blandly states "overall impact that the delisting and the termination of its SEC reporting obligations may have on shareholders would be limited, but will result in a reduction of fixed costs and enable the company to improve the efficiency of its IR activities".

Following the de-listing Trend Micro will no longer have to meet the SEC reporting obligations or the U.S. Securities Exchange Act of 1934. In particular, the company will no longer have to be in compliance with Section 404 of the Sarbanes-Oxley Act. Effectively, the management and its auditors will no longer have to attest to the effectiveness of the internal controls over financial reporting.

The move comes as the SEC has eased the process for foreign companies to delist from U.S. exchanges. It is also looking at reducing the requirement for foreign companies to comply with Section 404.

Trend Micro will maintain a presence in New York. Its ADR program will be maintained at the Bank of New York, Trend's depositary bank. The Company's ADRs are expected to continue to trade on "over-the-counter markets".

The OTC market in question might be the Pink Sheets, which last week launched a "premium" layer. The new layer is being touted as New York's riposte to the Alternative Investment Market (AIM). A number of foreign companies including the UK sugar refiner, Tate & Lyle.

Trend might not escape its internal controls obligations. Japan is currently pushing its own version of Sarbanes-Oxley, known as J-SOX.

SEC, FSA and FRC Sign Surprise Pact

Washington, D.C., April 25, 2007 - The Securities and Exchange Commission, the United Kingdom Financial Services Authority (FSA), and the United Kingdom Financial Reporting Council (FRC) signed a protocol today for implementing the Work Plan between the SEC and the Committee of European Securities Regulators to share information on application of International Financial Reporting Standards (IFRS) by issuers listed in the UK and the U.S. (See previous announcement relating to the SEC-CESR Work Plan at http://www.sec.gov/news/press/2006/2006-130.htm.)

At separate meetings with the FSA and FRC in London, SEC Chairman Christopher Cox executed the Protocol with UK FSA Chairman Callum McCarthy and UK FRC Chief Executive Paul Boyle to facilitate implementation of the SEC-CESR Work Plan. The information to be shared concerns the application of IFRS in the financial statements of issuers listed in the UK and registered with the SEC.

AXS-One Q1 2007 Results

AXS-One Inc. (AMEX:AXO), a provider of Records Compliance Management (RCM) software solutions, today announced its financial results for the first quarter ended March 31, 2007.

License revenues for the first quarter increased 343 percent to $1.8 million from $0.4 million in the first quarter of 2006, and increased 157 percent when compared with the $0.7 million for the fourth quarter of 2006. Total revenues for the first quarter were $3.7 million, an increase of $1.4 million from the first quarter 2006 revenues of $2.3 million.

Total operating expenses for the quarter were $6.5 million, a decrease of 14.2 percent compared to the first quarter of 2006. The net loss from continuing operations was $2.7 million for the first quarter, down from a loss of $5.3 million in the first quarter of last year. The Company reported a net loss after discontinued operations of $2.7 million for the first quarter, or $(0.08) per diluted share compared to a net loss of $2.7 million in the first quarter of last year, or $(0.08) per diluted share.

As a result of AXS-One's sale of its Enterprise Financials line of business at the end of October 2006, the financial statements classify the Enterprise Financials product line as a discontinued operation and, unless specified, amounts reflect only the RCM product line.

AXS-One is still riding the wave of automation of internal controls arising out of the requirement for compliance with Section 404 of the Sarbanes-Oxley Act. The flagship product is the AXS-One Compliance Platform.

SEC and German Regulator Agree Deal

Washington, D.C., April 26, 2007 - The Securities and Exchange Commission and the German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht, or BaFin) today signed a comprehensive arrangement to facilitate their supervision of internationally active firms and their oversight of markets.

At a meeting in Berlin, SEC Chairman Christopher Cox and BaFin President Jochen Sanio executed a memorandum of understanding (MOU) that provides clear mechanisms for consultation, cooperation, and exchanges of information between their agencies. The MOU sets forth the terms and conditions for the sharing of information about regulated entities and financial groups that operate in the United States and Germany and, in view of the growing trend toward cross-border exchange affiliations, outlines a framework for cooperation in the oversight of markets in both countries.

Chairman Cox said, "The SEC and BaFin share a commitment to keeping our markets open, fair and transparent in an ever-changing and increasingly global marketplace. We must continue working together to facilitate the seamless and efficient regulation of internationally active firms in the United States and Germany. This arrangement helps the SEC and BaFin have access to the information necessary to supervise global securities firms and oversee markets."

Callidus 2007 Q1 Results

Callidus Software Inc. (NASDAQ:CALD), a vendor of Sales Performance Management (SPM) software and services, today announced financial results for the first quarter ended March 31, 2007.

Total first quarter revenues, at $24.8 million, were an increase of 46% compared to the first quarter of 2006. First quarter license revenues were $8.3 million, an increase of 20% compared to the first quarter of 2006. First quarter maintenance and service revenues were $16.5 million, an increase of 65% compared to the first quarter of 2006. In addition, hosted on-demand bookings were $2.6 million in the first quarter compared to zero in the first quarter of 2006.

First quarter expenses were higher than guidance as a result of additional investments in the Company's sales organization and sales channels as well as its services business, including 'on-demand' services, along with some seasonal and unanticipated charges for Sarbanes-Oxley compliance costs and severance payments.

Wednesday, 25 April 2007

Fremont Finally Appoints Auditor

Fremont General Corporation (the "Company") (NYSE:FMT), doing business primarily through its wholly-owned industrial bank, Fremont Investment & Loan, today announced that the Audit Committee of the Board of Directors has engaged Squar, Milner, Peterson, Miranda & Williamson, LLP ("Squar Milner") as its independent registered public accounting firm.

In a very public spat, Fremont had split with its previous public accounting firm, Grant Thornton.

The company became embroiled in the heated discussions about the risky subprime residential mortgage business.

Tuesday, 24 April 2007

Apple General Counsel Charged Over Options

The U.S. Securities and Exchange Commission has filed charges against two former senior executives of Apple, Inc. Improper stock option backdating, the subject of a long-running scandal, is the basis of the charges.

The Commission accused former General Counsel Nancy R. Heinen of participating in the fraudulent backdating of options granted to Apple's top officers that caused the company to underreport its expenses by nearly $40 million. The Commission's complaint alleges that Heinen, of Portola Valley, Calif., caused Apple to backdate two large options grants to senior executives of Apple — a February 2001 grant of 4.8 million options to Apple's Executive Team and a December 2001 grant of 7.5 million options to Apple Chief Executive Officer Steve Jobs — and altered company records to conceal the fraud.

Former Apple CFO Fred Anderson has settled charges against him by paying $3.5m in disgorgements and penalties. The charges related to his failure to notice Heinen's efforts and to ensure that the financial statements were correct.

Linda Chatman Thomsen, Director of the SEC's Division of Enforcement, stated, "The Apple case demonstrates the Commission's ongoing commitment to take action against stock options backdating and other executive compensation abuses. When corporate officers enrich themselves at the expense of a company's shareholders, the Commission will hold the responsible individuals accountable, particularly where, as here, the responsible individuals are among those obligated to ensure that the company complies with all applicable securities laws and that its financial statements are accurate."

Marc J. Fagel, Associate Regional Director of the SEC's San Francisco Regional Office, stated, "Apple's shareholders relied on Heinen and Anderson, as respected legal and accounting professionals, to ensure the accurate reporting of the company's executive compensation. Instead, they failed in their duties as gatekeepers and caused Apple to conceal millions of dollars in stock option expenses."

Heinen is charged with violating the anti-fraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934.

Anderson, without admitting or denying the allegations in the Commission's complaint, has agreed to a permanent injunction from further violations of the antifraud, reporting, internal controls, and other provisions of the federal securities laws.

Apple, as a company, has completely escaped any charges relating to the options backdating issue.

The Apple Stock Options Charges

According to the Commission's complaint, filed in the Northern District of California, Apple granted 4.8 million options to six members of its executive team (including Heinen and Anderson [Apple's Former General Counsel and CFO respectively]) in February 2001. Because the options were in-the-money when granted (i.e. could be exercised to purchase Apple shares at a below market price), Apple was required to report a compensation charge in its publicly filed financial statements.

The Commission alleges that, in order to avoid reporting this expense, Heinen caused Apple to backdate options to January 17, 2001, when Apple's share price was substantially lower. Heinen is also alleged to have directed her staff to prepare documents falsely indicating that Apple's Board had approved the Executive Team grant on January 17. As a result, Apple failed to record approximately $18.9 million in compensation expenses associated with the option grant.

Anderson, who should have realized the implications of Heinen's actions, failed to disclose key information to Apple's auditors and neglected to ensure that the company's financial statements were accurate. Both Heinen and Anderson personally received millions of dollars in unreported compensation as a result of the backdating.

The Commission's complaint also alleges improprieties in connection with a December 2001 grant of 7.5 million options to CEO Steve Jobs. Although the options were in-the-money at that time, Heinen — as with the Executive Team grant — caused Apple to backdate the grant to October 19, 2001, when Apple's share price was lower. As a result, the Commission alleges that Heinen caused Apple to improperly fail to record $20.3 million in compensation expense associated with the in-the-money options grant. The Commission further alleges that Heinen then signed fictitious Board minutes stating that the Board had approved the grant to Jobs on October 19 at a "Special Meeting of the Board of Directors" — a meeting that, in fact, never occurred.

Vimicro Moves From PwC to Ernst and Young

Vimicro International Corporation (NASDAQ:VIMC), a fabless semiconductor company that designs and develops multimedia semiconductor products and solutions, today announced a change of its independent auditors from PricewaterhouseCoopers Zhong Tian CPAs Limited Company ("PwC") to Ernst & Young Hua Ming ("E&Y") for the fiscal year ended December 31, 2007. PwC previously audited the Company's financial statements for each of the three years ended December 31, 2003, 2004 and 2005. PwC is currently auditing the Company's financial statements for the fiscal year ended December 31, 2006.

On April 23, 2007, the Company's Audit Committee authorized and approved:

-- the non-renewal of the engagement with PwC as the Company's independent registered public accounting firm; and
-- the appointment of E&Y as Vimicro's independent registered public accounting firm, beginning with the fiscal year ending December 31, 2007

On April 24, 2007, the Company and E&Y signed an engagement letter appointing E&Y as Vimicro's independent registered public accounting firm beginning with the fiscal year ended December 31, 2007.

Vimicro's stated reasoning is: "The Board believes that this transition is necessary to enhance efficiency within the auditing process."

Monday, 23 April 2007

Regulation Eroding U.S. Competitiveness?

Commissioner Paul Atkins has commented on the question of whether excessive regulation and litigation are eroding U.S. competitiveness.

"Take, for example, the debate around the implementation of Sarbanes-Oxley section 404. Most people have now concluded that Audit Standard 2 of the PCAOB has been a failure — the costs exceed the benefits, especially to smaller companies. However, I still hear people say in this debate that "If you cannot afford to do a real 404 review, you should not be a public company." If that is true, who should make that decision? Politicians, regulators, or bureaucrats? Or investors? In fact, our actions in calibrating the standards for management, accountants, and lawyers in performing internal control reviews and assessments create barriers to entry to some number of companies. Some may decide that going public is not worth it and others may decide to go public elsewhere. Is that good for investors? Is this not similar to the merit regulation of the Apple Computer IPO? Keeping this in mind, we must apply stringent cost-benefit analysis in setting regulatory standards."

http://www.sec.gov/news/speech/2007/spch042007psa.htm

Arbor Expands In Japan with Net One Systems

Arbor Networks, a provider of core-to-core network security and operational performance software, has formed a strategic partnership with Japanese networking and systems integration leader Net One Systems. Net One Systems will offer the complete range of Arbor Peakflow products to provide its customers with increased security offerings and improved network security through network-wide data collection, data analysis, anomaly detection and threat mitigation. Arbor Networks currently generates forty percent of revenue from international markets, much of it through strategic partner relationships with companies like Net One Systems.

Headquartered in Tokyo, Japan, Net One Systems is a networking and systems integration provider in Japan. Net One Systems has experience in 4 integration business sectors: Network Integration, Network Computing, Service Integration and Media Integration.

"Further penetration in the Japanese market is a very important part of Arbor's growth plans going forward and we want to work with the highest quality partners in terms of their reputations and relationships," said Jack Boyle, Arbor's chief executive officer. "System integration is such a major concern for service providers and enterprises that we felt it was very important to partner with a company the calibre of Net One Systems."

"Arbor Networks Peakflow product suite addresses some of the most critical requirements of our service provider and enterprise customers, namely the need to improve security and operational performance," said Mr. Tomohiro Iwamoto, general manager of network technology operations at Net One Systems. "Together, we can provide these companies a comprehensive, turn-key solution from which they will be able to realize rapid return on their investment."

Whistleblowing Guidelines

A few simple steps are required to ensure compliance with the whistleblowing or internal reporting system requirements of the Sarbanes-Oxley Act. The claim is made that Enron or Tyco type scandals can be avoided.

The steps, as recommended by Dr. Brent MacNab, faculty member with the University of Sydney's School of Business, are:

-- training and mentoring to make the organization's reporting system user-friendly to a variety of employees;
-- top management encouragement for full participation; and
-- carefully selected specialists and ombudsmen.

"Several options are available," explains Dr. MacNab. "Organizations can train employees to build specific individual empowerment for using the internal reporting system." This can include training with scenarios of misconduct to help employees understand what needs to be reported and how to do this.

Dealing with issues correctly through an internal process would remove a lot of pressure to externally expose bad practice. The research also indicates that individuals who are directly part of the internal reporting system, like an ombudsman, should have high levels of self-efficacy (or individual empowerment). This involves appropriate employee selection techniques. "There are simple tests organizations can use as a first indicator of individual empowerment for selection of personnel in these key positions," says Dr. MacNab.

"Legitimate encouragement for using the system, communicated from upper levels of the organization, can also be an effective part of the solution," states Dr. MacNab.

Nearly 1,000 business professionals were studied in the U.S. and Canada to better understand their willingness to use an internal reporting system.

Sunday, 22 April 2007

Section 404 Glossary

Activity Level
One of two levels at which internal controls can operate. The control is applied at the point of an activity. An example is a bank reconciliation to control cash movements.
Application Access
Access to an application via direct connection, Web services or a terminal.
Application Controls
A type of control activity. Typically involve controls over the processing of individual applications that ensure transactions are valid, properly authorized, and completely and accurately processed.
Automated User Enrollment
Process to move user identity information over a network from a data source to a directory where it is needed.
Business Accounting Council
Japan: Panel set up by the Financial Services Agency to look at financial reporting issues.
By-name Authorization
From an individual username, connecting authorized access to a data target.
CEO
Chief Executive Officer
CFO
Chief Financial Officer
CII
Council of Institutional Investors
Circular A-123
US Federal Government version of the Sarbanes-Oxley Act. From Oct 2006, agencies will have to provide annual reports on internal controls. Agencies' controls will have to be documented and tested.
Control Activities
One of five components of internal control according to the COSO Internal Control Framework. Also known as Control procedures.
Control policies and procedures to ensure actions identified as necessary for risk assessment are carried out. They have to be both established and executed for their effectiveness to be established. Control activities are made up of two elements, policies and procedures.
Control Environment
One of five components of internal control according to the COSO Internal Control Framework
Senior management has to set a tone at the top that positively influences the control consciousness of entity personnel. The control environment generates discipline and structure and is the central building block for the other components of internal control.
COSO
Committee Of Sponsoring Organizations of the Treadway Commission
COSO Framework
Most widely used framework to assess the effectiveness of internal control.
Cox, Christopher
Chairman of the Securities and Exchange Commission. Confirmed in 2005.
CPCAF
The Center for Public Company Audit Firms
Data Confidentiality
Access to data is limited to those with a need to know. All others are denied access.
Data Field Access
Access to one or more selected fields in a database.
Data Integrity
Maintenance of the accuracy and reliability of published and non-published information.
Database Access
Access to one or more data entries in a database.
Deferred Prosecution
U.S. legal deal in which, in return for public acknowledgement and/or payment of a fine/restitution and/or co-operation in ongoing investigations, corporations can escape prosecution. Should the corporation comply with the conditions in the agreement for a specified period, the indictment is dismissed.
Directory-enabled access controls
Controls over access to digital resources, governed by entries in a service directory.
Disclaimed Opinion
Report by an auditor that it is unable to express an opinion regarding a company's internal control over financial reporting.
An example is from Deloitte and Touche at Cray: "Because of the limitation on the scope of our audit described in the second paragraph of this report, the scope of our work was not sufficient to enable us to express, and we do not express an opinion on management's assessment referred to above."
Distributed Enrollment
Process of enrollment conducted by persons at one or more remote locations acting as agents for enrolling end users.
Donaldson, William
Former chairman of the Securities and Exchange Commission
ECMA
Enterprise Content Management Association
Entity Level
One of two levels at which internal controls can operate. Controls are implemented at the entity level if they have a pervasive effect on the control environment. An example is the recruitment and training policies of the company.
EPA
Environmental Protection Agency
EPS
Earnings Per Share
EFRAG
European Financial Reporting Advisory Group
ERM
Enterprise Risk Management
Extranet Access
Access for employees and business partners to internal Web-enabled applications.
FASAC
Financial Accounting Standards Advisory Council
FASB
Financial Accounting Standards Board
Fed R Civ P
Federal Rules for Civil Procedure
File Access
Access to the contents of a digital file.
Financial Accounting Standards Advisory Council
Overseer of the Financial Accounting Standards Board.
Financial Reporting
Defined by the COSO Framework as: the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly.
Finite Access Control
Control of end-user access for one username to specific resources.
Firm Infrastructure
Support activity in the value chain analysis. General management, planning, finance, accounting, legal, government affairs and quality management are all activities.
GAAP
Generally Accepted Accounting Principles.
GAO
Government Accountability Office
GCRM
Governance, compliance and risk management.
General Controls
A type of control activity. Typically involve controls over data center operations, system software acquisition, system maintenance and access security.
Group-membership Access
Assignment to a group sharing similar access rights.
IAPP
International Association of Privacy Professionals
IFRS
International Financial Reporting Standards
IFRS 3
Accounting standard for "business combinations" or Merger and Acquisitions transactions. First standard written jointly by International Accounting Standards Board and the U.S. Financial Accounting Standards Board.
IISP
Institute of Information Security Professionals
Inbound Logistics
Element in primary activities dealing with receiving, storing and disseminating inputs to the product. Materials handling, warehousing, inventory control and supplier returns. First stage in the value chain analysis.
Information and Communication
One of five components of internal control according to the COSO Internal Control Framework
Systems surrounding the control activities. The accounting system counts as information and communication. Information needed to manage, control and conduct operations is captured by the entity.
Information Processing
In the context of Control Activities and Sec 404, performed to check accuracy, completeness and authorization of transactions. Broadly break down into two groups:- Application controls and general controls.
Information Systems Audit and Control Association
Publisher with Information Technology Governance Institute of the IT Control Objectives for Sarbanes-Oxley.
Information Technology Governance Institute
Publisher with Information Systems Audit and Control Association of the IT Control Objectives for Sarbanes-Oxley.
Integrity and Ethics
Reside under the Control Environment. Senior management needs to set the tone for the company. Whilst they might be considered "soft" and "intangible" concepts, they affect the design, administration and monitoring of other internal controls. According to COSO, the actions of management are more important than having them written down.
Negative examples of integrity and ethics are the infamous Enron and WorldCom scandals.
A positive example is BP which sets a high bar for ethical behaviour by employees. To back this policy up they make mention of it and its effectiveness in financial reports.
Internal Control - Integrated Framework
Formal name of the COSO Framework
Internal Control Deficiency
Occurs when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
ISACA
Information Systems Audit and Control Association
ITGI
Information Technology Governance Institute
Livedoor
Japanese company at the centre of a corporate governance scandal. Can be seen as the equivalent of WorldCom or Enron as it is used as evidence of the need for a Japanese Sarbanes-Oxley type legislation on internal controls over financial reporting.
Marketing and Sales
Element in primary activities dealing with providing a mechanism for attracting buyers and enabling them to purchase the products or service. Included are advertising, promotion, sales force, quoting and pricing. Fourth in the value chain of primary activities for business process activities, lying between outbound logistics and service.
Material Weakness
A significant deficiency that, by itself, or in combination with other significant deficiencies, results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.
MD&A
Management's Disclosure and Analysis
Monitoring
One of five components of internal control according to the COSO Internal Control Framework
The means through which the control process is monitored and improved via modification.
NASPP
National Association of Stock Plan Professionals
Network Access
Access to network connected resources.
Nonrepudiation
Reducing an end-user's ability to deny he was the one who authorized an action or sent a message.
Operations
Element in primary activities dealing with transforming inputs into the final product. Matching, assembly, packaging, testing and facility activities are all covered. Second stage in the value chain of primary activities. Lies between inbound logistics and outbound logistics.
Outbound Logistics
Element in primary activities dealing with collecting, storing and physically distributing the product to buyers. Including finished goods, warehousing, materials handling, delivery, order processing and scheduling. Third stage in the Value Chain of primary activities between operations and Marketing and sales.
Password Reset
Replacing an existing password with a new one. The old password is cancelled. Task performed by the end user, help desk or an administrator
Password Synchronisation
Moving passwords and sometimes usernames from one repository to another using automated processes.
PCAOB
Public Company Accounting Oversight Board
Physical Controls
A type of control activity. They involve the physical security of assets. They ensure adequate safeguards over access to assets and records.
Policy
1) Establishes what should be done. Part of the Control activities.
Primary Activities
Business process activities in physical creation of a company's product, sale, transfer and after-sales service to the customer. Part of the value-chain analysis. Important in the analysis of activity level controls.
Privacy Protection
Creating and maintaining digital and/or physical barriers around an individual's personal information to prevent unauthorized access.
Procedure
1) Actions of people to implement the stated policies.
Procurement
Support activity in value chain analysis. Mainly the purchase of inputs throughout the value chain. Encompasses elements throughout the primary and support activities.
PSLRA
Private Securities Litigation Reform Act of 1996
Public Company Accounting Oversight Board
Organization set up under Sarbanes-Oxley Act 2002 to regulate auditing of public companies and auditors.
RCM
Records Compliance Management
Reduced sign-on
Using the same username/password combination to access every resource over multiple logon events.
Regulation FD
Regulation Fair Disclosure
Rule enforced by the SEC requiring U.S. companies to make available to the public the disclosures that they make to securities analysts. If the disclosure is intentional the release has to be simultaneous. Unintentional disclosure has to be made available to the public within 24 hours.
RFID
Radio Frequency Identification
Risk Assessment
One of five components of internal control according to the COSO Internal Control Framework
Risks faced by the company have to be recognized. Objectives have to be set and integrated into the value-chain. To achieve the objectives, risks have to be identified and analyzed, and methods developed to manage them.
Role Definition
Access authorization based on the job or work performed. Typically applied to a single person or a group sharing the same work.
Role-based access control
Controlling access based only on the role definitions.
Rule 13a-15 (e)
SEC rule which defines Disclosure Controls and Procedures.
Rule 13a-15 (f)
SEC rule which defines Internal Control over Financial Reporting
SCCE
Society of Corporate Compliance and Ethics
SEC
Securities and Exchange Commission.
Section 104
Section of the Sarbanes-Oxley Act requiring the PCAOB to inspect registered public accounting firms on a regular basis
Section 404
Section of the Sarbanes-Oxley Act of 2002 mandating CEOs and CFOs of public companies to evaluate and report on the effectiveness of an entity's internal control over financial reporting.
Segregation of Duties
A type of control activity. Different people are assigned responsibilities for authorizing transactions, recording transactions and maintaining custody of assets. The purpose is to inhibit the perpetration and concealment of errors or irregularities, by reducing the opportunity to do so in the course of people's everyday work.
Seibu Railway Co.
Japanese company at the centre of a corporate governance scandal. Can be seen as the equivalent of WorldCom or Enron as it is used as evidence of the need for a Japanese Sarbanes-Oxley type legislation on internal controls over financial reporting.
Self-Enrollment
End-user is permitted to enter his own identity information using an online process
Service
Business process activities dealing with providing service to enhance or maintain the value of the product, once obtained by the buyer. Installation, repair and supplying parts are all covered. Considered to be a primary activity in the value chain analysis. Lies last, after marketing and sales.
Service Directories
Directories used to provide identity information and authorization data to a gatekeeper device or application.
SFAS 123R
FASB Statement of Financial Accounting Standards No. 123, Share-Based Payment. Requires companies to recognize compensation paid in the form of employee stock options as a cost in their financial statements.
Significant Deficiency
An internal control deficiency that adversely affects the entity's ability to initiate, record, process, or report external financial data reliably in accordance with generally accepted accounting principles (GAAP). A significant deficiency could be a single deficiency or a combination of deficiencies, that results in more than a remote likelihood that a misstatement of the annual or interim financial statements that is more than inconsequential in amount will not be prevented or detected.
Single sign-on
Using the same username/password combination to access every resource from a single logon event.
SMTP
Simple Mail Transfer Protocol
SOX
Shorthand for Sarbanes-Oxley.
SOX Express
Sarbanes-Oxley compliance suite from OpenPages
Statement No. 123R
FASB Statement of Financial Accounting Standards No. 123, Share-Based Payment. Requires companies to recognize compensation paid in the form of employee stock options as a cost in their financial statements.
Support Activities
Part of business process activities that support the primary activities in the value chain. Providing purchased inputs, human resources, technology and entity wide functions. Under value chain analysis support activities include firm infrastructure, human resource management, technology development and procurement.
Synthetic Collateralised Debt Obligations
Repackaged portfolios of credit derivatives.
Information, data or a device to which an end-user or other device requires access
Technology Development
Support activity in value chain analysis. Included are basic research, product design and servicing procedures. The aim is to improve products, services and processes.
Top-Level Review
Type of Control Activity. Including actual performance against budget, forecasts and prior-period performance. Preparation of the review or report is not a control activity. Follow up by management is.
Web Access Control
Internal controls limiting Web server and Web application access.
Well-known Seasoned Issuers
Class of issuers presumed to be widely followed in the marketplace.
WKSI
Well-Known Seasoned Issuers

Friday, 20 April 2007

Voting and Corporate Governance

Speech by SEC Staff:
"Shareholder Voting and Corporate Governance: Economic Perspectives":
Rutgers University Conference on "Improving Corporate Governance: Markets vs. Regulation"


by

Chester S. Spatt

Chief Economist and Director, Office of Economic Analysis
U.S. Securities and Exchange Commission

New York, New York
April 20, 2007

The corporate voting mechanism is one of the ways in which shareholders can attempt to influence corporate governance and decision-making. However, the incentive of investors to invest in assessing the appropriate vote is much less than their incentive to form an improved portfolio. In particular, the investors receive all of the benefits of forming a better portfolio, while to the extent that their votes improve the choices made by the companies in which they invest, the investors receive only the portion of the resulting benefit associated with their proportional holdings. Consequently, investors may under-invest in producing information that can help them improve their voting decisions and the production of such information can be viewed as being subject to a "free-rider" problem. This observation is related to the "paradox of voting" in which if the individual's probability of affecting the outcome is sufficiently small, then the individual will not vote given the cost of voting. The underinvestment in producing information also ties to some asset managers routinely handling the voting decisions along with its clearance and settlement process, rather than through its portfolio management process.

Several years ago the SEC implemented a requirement that mutual funds disclose their votes on corporate proxy issues, potentially increasing the incentives of funds to invest in decision-relevant information. However, the disclosure of votes to investors in the fund is accompanied by disclosure of votes to the remainder of the public. In particular, because the management and interested third parties, such as special interest groups, can observe the fund's vote and potentially punish voting behavior with which it does not approve, there can be effects from the disclosure of the voting decisions by mutual funds that could either improve or diminish the quality of their choices.

View The Whole Speech

Thursday, 19 April 2007

Mobius Webcast on Enterprise Archiving and Retention Management

Mobius Management Systems, Inc. (NASDAQ:MOBI), a leading provider of integrated solutions for enterprise archiving and records management, will host a Webcast on the changing imperatives for enterprise archiving in light of regulatory and legal compliance requirements. The one-hour Webcast -- Archiving for Compliance and E-Discovery: Where Do You Keep Your "Stuff"? -- will be held Tuesday, April 24, 2007, at 2:00 p.m. ET.

Presenters are Robert Markham, senior consultant for Cohasset Associates, and Allen Kadlec, business systems analyst for State Auto Insurance; Mobius partner Sun Microsystems will be represented by Randal Wilson, chief compliance specialist. Following these introductory presentations will be an interactive panel discussion moderated by Garth Landers, Mobius director of compliance solutions.

"Mobius is very happy to bring this panel together to address this critically important issue," said Landers. "Legal discovery may affect any content whether declared as a business record or not. That means you must have fast, reliable access to all information and you must apply retention and disposition rules to everything, not just the subset of items declared as records. In this environment, the costs and inefficiencies of isolated silos of information have become painfully evident. We anticipate a lively discussion among our panel on the best way to tackle these issues."

X-Change Auditor

The X-Change Corporation (OTCBB:XCHC) today announced that its Board of Directors has engaged Dallas-based KBA Group LLP as the Company’s independent registered public accounting firm.

X-Change Corporation, through its wholly owned subsidiary, AirGATE Technologies, Inc., is a vendor of vertical market applications utilizing RFID and wireless, intelligent sensor technology. AirGATE Technologies, a full-solution company, handles business assessment, technology selection, including proprietary AirGATE technology, integration and support.

Wednesday, 18 April 2007

Cox Blames PCAOB For Section 404 Costs

Christopher Cox, Chairman of the Securities and Exchange Commission (SEC), has rounded on the PCAOB for its over-elaborate audit requirements for the Section 404 clause. The comments came in testimony before the Senate Committee on Small Business and Entrepreneurship.

He started off by defending the SEC's actions in relation to small companies. The requirement to meet Section 404, i.e. management attestation of internal controls over financial reporting, does not have to be met by over 6,000 companies with a market cap under $75m.

The justification was: "The Commission has delayed section 404 compliance for smaller companies because of the disproportionately higher costs they face compared to larger companies. Our experience of the first three years told us that the way 404 was being implemented was too expensive for everyone - and imposing that system on the smallest companies would impose unacceptably high costs from the standpoint of the companies' investors, who would have to pay the bills."

In Mr Cox's opinion, Section 404 should still be kept: "problems we've seen with 404 to date can be remedied without amending the Sarbanes-Oxley Act". He added, "believe that the Act overall - including section 404 - may be fairly credited with correcting the most serious problems that beset our securities markets just a few years ago, and with restoring investor confidence in our markets."

"So as the Commission and the PCAOB move forward with our plans to make the application of section 404 workable for smaller companies, it is important to remember that Congress's focus on internal controls was not a mistake - it was, and remains, exactly the right thing to do."

According to Mr Cox, the problems came with letting the PCAOB write the standard for companies to follow when complying with 404. However, as he pointedly says, "in 2003 the PCAOB adopted its very different Auditing Standard Number 2 under section 404. The SEC approved it for use by auditors starting with 2004 internal control attestations."

The cost of compliance with Section 404 "far outstripped all expectations - including the formal estimate made by the SEC when the reporting requirements for 404 implementation were approved." A lot of the costs can be attributed to the poor state of internal controls prior to Sarbanes-Oxley. However, he countered, "But it is also undeniable that much of the extra cost was, and continues to be, attributable to excessive, duplicative, or misdirected efforts."

The elaborate detail meant that auditors felt they had to follow AS 2 to the letter. In effect it became the "de facto guidance for management's evaluations and assessments." "The resulting lack of flexibility for companies to design the internal controls best suited to their circumstances is one of the fundamental flaws in AS 2 that we are now working to address."

The AS 2 standard is to be rewritten by the PCAOB. New SEC-authored management guidance is to be issued soon. The central point of the two documents will be to focus auditors' attention on the "effectiveness of the internal control structure and procedures"