The Sarbanes Oxley Act

- The Need
- US federal legislation: Financial reporting or corporate governance?
- The Sarbanes-Oxley Act of 2002: Key Sections
- SEC, EDGAR, PCAOB, SAG
- The Act and its interpretation by SEC and PCAOB
- PCAOB Auditing Standards: What we need to know
- Management's Testing
- Management's Documentation
- Reports used to Validate SOX Compliant IT Infrastructure
- Documentation Issues
- Sections 302, 404, 906 and the three certifications
- Sections 302, 404, 906: Examples and case studies
- Management's Responsibilities
- Committees and Teams
- Project Team - Section 404: Reports to Steering Committee
- Steering Committee - Section 404: Reports to Certifying Officers and cooperates with Disclosure Committee
- Disclosure Committee: Reports to Certifying Officers and cooperates with Audit Committee
- Certifying Officers and Audit Committee: Report to the Board of Directors
- Control Deficiency
- Deficiency in Design
- Deficiency in Operation
- Significant Deficiency
- Material Weakness
- Is it a Deficiency, or a Material Weakness?
- Reporting Weaknesses and Deficiencies
- Examples
- Case Studies
- Public Disclosure Requirements
- Real Time Disclosures on a rapid and current basis?
- Whistleblower protection
- Rulemaking process
- Companies Affected
- International companies
- Foreign Private Issuers (FPIs)
- American Depository Receipts (ADRs)
- Types of ADR programs
- Employees Affected
- Effective Dates

The Bank for International Settlements (BIS)

- The Basel Committee on Banking Supervision
- From the Young Plan (1930) to Basel II
- Regulatory supervision of internationally active banks
- The failure of the Bankhaus Herstatt and the crisis of confidence

First Basel Capital Accord

- Formulating broad supervisory standards and guidelines
- Regulatory and economic capital
- Important objectives
- 1980s: The capital ratios of the main international banks are deteriorating
- Credit Risk
- Assets are weighted by factors
- On-balance sheet engagements
- Off-balance sheet engagements
- Examples of capital requirements
- December 1987: The Basel Capital Accord approved by the G10
- Basel I amendments

The New Basel Capital Accord (Basel II)

- Realigning the regulation with the economic realities of the global banking markets
- New capital adequacy framework replaces the 1988 Accord
- Improving risk and asset management to avoid financial disasters
- "Sufficient assets" to offset risks
- The technical challenges for both banks and supervisors
- How much capital is necessary to serve as a sufficient buffer?
- The three-pillar regulatory structure
- Purposes of Basel II
- Scope of the application
- Pillar 1: Minimum capital requirements
- Credit Risk - 3 approaches
- The standardized approach to credit risk
- Claims on sovereigns
- Claims on banks
- Claims on corporates
- The two internal ratings-based (IRB) approaches to credit risk
- Some definitions: PD - The probability of default, LGD - The loss given default, EAD - Exposure at default, M - Maturity
- 5 classes of assets
- Pillar 2: Supervisory review
- Key principles
- Aspects and issues of the supervisory review process
- Pillar 3: Market discipline
- Disclosure requirements
- Qualitative and Quantitative disclosures
- Guiding principles
- Employees Affected
- Effective Dates

Framework for internal control systems in banking organizations - Basel Committee on Banking Supervision

- The 13 Principles for the Assessment of Internal Control Systems
- The 13 Principles and COSO
- The control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
- Types of control breakdowns typically seen in problem bank cases
- The objectives and role of the internal controls framework
- The major elements of an internal control process
- Evaluation of internal control systems by supervisory authorities
- Role and responsibilities of external auditors
- Supervisory lessons learned from internal control failures

Internal Controls - COSO

- The Internal Control - Integrated Framework by the COSO committee
- Using the COSO framework effectively
- The Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
- Effectiveness and Efficiency of Operations
- Reliability of Financial Reporting
- Compliance with applicable laws and regulations
- IT Controls
- Program Development and Program Change
- Deterrent, Preventive, Detective, Corrective, Recovery, Compensating, Monitoring and Disclosure Controls
- Layers of overlapping controls

Operational Risk

- What is operational risk?
- Legal risk
- Information Technology operational risk
- Operational, operations and operating risk
- The evolving importance of operational risk
- Quantification of operational risk
- Loss categories and business lines
- Operational risk measurement methodologies
- Identification of operational risk
- The Delphi method

Operational Risk Approaches

- Basic Indicator Approach (BIA)
- Standardized Approach (SA)
- Alternative Standardized Approach (ASA)
- Advanced Measurement Approaches (AMA)
- Internal Measurement Approach (IMA)
- Loss Distribution (LD)
- Standard Normal Distribution
- "Fat Tails" in the normal distribution
- Expected Loss (EL), Unexpected Loss (UL)
- Value-at-Risk (VaR)
- Value-at-Risk and the Basel I amendment, 1996
- Value-at-Risk and Basel II
- Calculating Value-at-Risk
- Monte Carlo simulations
- Monte Carlo limitations
- Extreme Value Theory
- Scoreboards
- Stress Testing
- Stress testing and Basel
- AMA: Advantages / Disadvantages
- Recognition of the firms' own modelling of operational risk losses
- "Weak banks", internal and external audit and sound practices for operational risk
- Self assessment
- Key Risk Indicators
- Operational Risk Measurement Issues
- Game theory
- The prisoner's dilemma and its connection with operational risk measurement and management
- Operational risk management
- Operational Risk Management Office
- Key functions of the Operational Risk Management Office
- Key functions of Operational Risk Managers
- Key functions of Department Heads
- Internal and external audit
- Operational risk sound practices
- Operational risk mitigation
- Insurance to mitigate operational risk

COBIT - the framework that focuses on IT

- Is COBIT needed for compliance?
- COSO or COBIT?
- Corporate governance or financial reporting?
- Executive Summary
- Management Guidelines
- The Framework
- The 34 high-level control objectives
- What to do with the 318 specific control objectives
- COBIT Cube
- Maturity Models
- Critical Success Factors (CSFs)
- Key Goal Indicators (KGIs)
- Key Performance Indicators (KPIs)
- How to use COBIT for Sarbanes Oxley and Basel II compliance

Scope of Sarbanes Oxley and Basel II Projects

- The most important challenge: The scope
- Discussing the scope with the external auditors
- Assumptions
- In or out of scope?
- Is it relevant?
- Using compliance as an excuse
- Computer Forensics Investigation?
- Business Intelligence?
- Business Continuity and Disaster Recovery?

Meeting the Information Security Requirements of Sarbanes Oxley and Basel II

- Information security principles and best practices
- Classification, Sarbanes Oxley and Basel II
- IT and the changes demanded by the business
- Capturing, analyzing, integrating and reducing risk
- Evaluating current systems and processes
- Change and configuration management
- Common risk indicators

Software and Spreadsheets

- Is software necessary?
- Is software needed?
- When and why
- How large is your organization?
- Is it geographically dispersed?
- How many processes will you document?
- Are there enough persons for that?
- Selection process
- Spreadsheets
- It is just a spreadsheet
- Certain spreadsheets must be considered applications
- Development Lifecycle Controls
- Access Control (Create, Read, Update, Delete)
- Integrity Controls
- Change Control
- Version Control
- Documentation Controls
- Continuity Controls
- Segregation of Duties Controls
- Spreadsheets - Errors
- Spreadsheets and material weaknesses

Third-party service providers and vendors

- Redefining outsourcing
- Outsourcing services and compliance
- The new definition of outsourcing
- Outsourcing after Sarbanes Oxley and Basel II
- Offshore outsourcing is also redefined
- Key risks of outsourcing
- What is needed from vendors and service providers
- SAS 70
- Type I, II reports
- Advantages of SAS 70 Type II
- Disadvantages of SAS 70 Type II
- Working with vendors and service providers

Aligning Basel II and Sarbanes-Oxley projects

- The general expectations around Sarbanes Oxley and Basel
- From ensuring the overall safety and soundness of banks (Basel) to restoring investor confidence (Sarbanes Oxley)
- From the "under construction since 1998" approach (Basel II) to the Sarbanes Oxley deadlines
- From the choice of risk management sophistication (Basel) to the specific SEC and PCAOB rules (Sarbanes Oxley)
- There is only one Sarbanes Oxley act but there are many different Basel II frameworks - the issue of discretion to individual jurisdictions for Basel II implementation
- Multinational companies and compliance issues
- US federal legislation and state law: The US constitutional challenges
- From the 1929 Companies Act (UK) to the 1933 Securities Act (USA) to Sarbanes Oxley: The need to avoid a federal intrusion into state reserved matters
- Auditing in the USA and auditing in the UK: Very important differences
- Capital Requirements Directive (CRD)
- Markets in Financial Instruments Directive (MiFID)
- What will be the impact of MiFID on EU and non-EU banks?
- MiFID (Markets in Financial Instruments Directive) and Sarbanes Oxley and Basel
- Board review and approval
- Management responsibility
- Control objectives
- Risk identification and assessment
- Risk monitoring
- Risk mitigation
- Risk reporting
- Continuity plans
- Sufficient public disclosure
- Documentation challenges
- Effectiveness - design and operation
- Connecting the dots
- Common elements and differences of compliance projects
- New standards