Compliance

Presentation Transcript

The Sustainability Series Compliance:

The Sustainability Series Compliance The Advocacy Foundation, Inc. Atlanta Philadelphia (878) 222-0100 Voice | Data | SMS www.TheAdvocacy.Foundation © The Advocacy Foundation, Inc. 2016 (All Rights Reserved)

Biblical Authority:

Romans 13; Zephaniah 2:3; Philemon 1:21; James 3:17

Introduction:

In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations. Due to the increasing number of regulations and the need for operational transparency, organizations are increasingly adopting consolidated and harmonized sets of compliance controls.

Standards and Regulations:

The International Organization for Standardization (ISO) produces international standards such as ISO/IEC 27002. The International Electrotechnical Commission (IEC) produces international standards in the electrotechnology area. The ISO 19600:2014 standard provides a reminder of how compliance and risk should operate together, as “colleagues” sharing a common framework with some nuances to account for their differences. Some local or international specialized organizations, such as the American Society of Mechanical Engineers (ASME), also develop standards and regulation codes. They thereby provide a wide range of rules and directives to ensure that products comply with safety, security or design standards. There are a number of other regulations which apply in different fields, such as PCI-DSS, GLBA, FISMA, the Joint Commission and HIPAA. In some cases other compliance frameworks (such as COBIT) or standards (NIST) inform how to comply with the regulations.

Introduction:

Corporate scandals and breakdowns such as the Enron case of reputational risk in 2001 have highlighted the need for stronger compliance and regulations for publicly listed companies. The most significant regulation in this context is the Sarbanes–Oxley Act, developed by two U.S. congressmen, Senator Paul Sarbanes and Representative Michael Oxley, in 2002, which defined significantly tighter personal responsibility of corporate top management for the accuracy of reported financial statements.

Introduction:

Compliance in the USA generally means compliance with laws and regulations. These laws can carry criminal or civil penalties, or they can take the form of regulations. The definition of what constitutes an effective compliance plan has been elusive. Most authors, however, continue to cite the guidance provided by the United States Sentencing Commission in Chapter 8 of the Federal Sentencing Guidelines.

Introduction:

On October 12, 2006, the U.S. Small Business Administration re-launched Business.gov (now Business.USA.gov), which provides a single point of access to government services and information that help businesses comply with government regulations.

Challenges:

Data retention is a part of regulatory compliance that is proving to be a challenge in many instances. The security that comes from compliance with industry regulations can seem contrary to maintaining user privacy. Data retention laws and regulations ask data owners and other service providers to retain extensive records of user activity beyond the time necessary for normal business operations. These requirements have been called into question by privacy rights advocates. Compliance in this area is becoming very difficult. Laws like the CAN-SPAM Act and the Fair Credit Reporting Act in the U.S. require that businesses give people the “right to be forgotten.” In other words, they must remove individuals from marketing lists if requested, tell them when and why they might share personal information with a third party, or at least ask permission before sharing that data.

Governance, Risk Management & Compliance:

Governance, Risk Management, and Compliance (GRC) are three pillars that work together for the purpose of assuring that an organization meets its objectives. Governance is the combination of processes established and executed by the board of directors that are reflected in the organization's structure and in how it is managed and led toward achieving its goals. Risk management is predicting and managing risks that could hinder the organization from achieving its objectives. Compliance with the company's policies and procedures, and with laws and regulations, together with strong and efficient governance, is considered key to an organization's success.

Governance, Risk Management & Compliance:

GRC is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to operate more efficiently, enable effective information sharing, report activities more effectively and avoid wasteful overlaps. Although interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.

Governance, Risk Management & Compliance:

Organizations reach a size where coordinated control over GRC activities is required to operate effectively. Each of these three disciplines creates information of value to the other two, and all three impact the same technologies, people, processes and information.

Governance, Risk Management & Compliance:

Substantial duplication of tasks evolves when governance, risk management and compliance are managed independently. Overlapping and duplicated GRC activities negatively impact both operational costs and GRC metrics. For example, each internal service might be audited and assessed by multiple groups on an annual basis, creating enormous cost and disconnected results. A disconnected GRC approach will also prevent an organization from providing real-time GRC executive reports.

Governance, Risk Management & Compliance:

The three most common individual headings are considered to be Financial GRC, IT GRC, and Legal GRC. Financial GRC relates to the activities that are intended to ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates. IT GRC relates to the activities intended to ensure that the IT (Information Technology) organization supports the current and future needs of the business, and complies with all IT-related mandates. Legal GRC focuses on tying together all three components via an organization's legal department and chief compliance officer.

Compliance and Ethics:

Since about 1970, several major business and government excesses in the United States have generated legal, public and political reactions. The Foreign Corrupt Practices Act is perhaps the legislation with the most significant impact and influence on the development of ethics and compliance programs; similar ideas are encoded in the guidance of the Committee of Sponsoring Organizations and in the Federal Sentencing Guidelines.

Compliance and Ethics:

The Foreign Corrupt Practices Act (FCPA) marked the early beginnings of compliance programs in the United States. In the mid-1970s, United States Securities and Exchange Commission (SEC) investigations discovered that a significant number of American companies participated in bribery overseas. “Over 400 U.S. Companies admitted to making questionable or illegal payments to foreign government officials, politicians and political parties.” (United States Department of Justice 2006)

Compliance and Ethics:

In an effort to restore faith in American business, in December 1977 the Foreign Corrupt Practices Act was signed into law. Its anti-bribery provision makes it “unlawful for a U.S. person, and certain foreign issuers of securities, to make a corrupt payment to a foreign official for the purpose of obtaining or retaining business for or with, or directing business to, any person.” (United States Department of Justice 2006) The law also requires publicly traded companies “to maintain records that accurately and fairly represent the company’s transactions. Additionally, it requires these companies to have an adequate system of internal accounting controls.” (United States Department of Justice 2006)

Compliance and Ethics:

Following the passage of the FCPA, in 1988 Congress became concerned that American companies were operating at a disadvantage because their foreign counterparts were, as a matter of practice, paying bribes to foreign officials and deducting those bribes as business expenses on their taxes. (United States Department of Justice 2006) Subsequently, the Executive Branch began negotiations with the Organisation for Economic Co-operation and Development (OECD), a 34-member coalition consisting of the United States and 33 other countries, to enact legislation similar to the FCPA. In 1997, the OECD signed the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions.

Compliance and Ethics:

In response to the FCPA and its requirement to implement internal control programs, in 1985 a private-sector initiative was formed called the National Committee on Fraudulent Financial Reporting (commonly known as the Treadway Commission). This Commission recommended that its organizational sponsors work together to develop guidance on internal controls. Subsequently, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed, and in conjunction with the CPA firm Coopers & Lybrand, COSO authored and published in 1992 the “Internal Control – Integrated Framework”.

The Audit:

Auditing refers to a systematic and independent examination of the books, accounts, documents and vouchers of an organization to ascertain how far the financial statements present a true and fair view of the concern. It also attempts to ensure that the books of accounts are properly maintained by the concern as required by law.

The Audit:

Any subject matter may be audited. Audits provide third-party assurance to various stakeholders that the subject matter is free from material misstatement. The term is most frequently applied to audits of the financial information relating to a legal person. Other areas which are commonly audited include internal controls, quality management, project management, water management, and energy conservation. As a result of an audit, stakeholders may effectively evaluate and improve the effectiveness of risk management, control, and the governance process over the subject matter.

The Audit:

Financial audits are performed to ascertain the validity and reliability of information, as well as to provide an assessment of a system's internal control. As a result of this, a third party can express an opinion of the person, organization or system in question. The opinion given on financial statements will depend on the audit evidence obtained. Due to constraints, an audit seeks to provide only reasonable assurance that the statements are free from material error.

The Audit:

In most nations, an audit must adhere to generally accepted standards established by governing bodies. These standards assure third parties or external users that they can rely upon the auditor's opinion on the fairness of financial statements, or on other subjects on which the auditor expresses an opinion. The most commonly used external audit standards are the US Generally Accepted Auditing Standards (GAAS) of the American Institute of Certified Public Accountants, and the International Standards on Auditing (ISA) developed by the International Auditing and Assurance Standards Board of the International Federation of Accountants.

The Audit:

Projects can undergo two types of project audits. Regular Health Check Audits: the aim of a regular health check audit is to understand the current state of a project in order to increase project success. Regulatory Audits: the aim of a regulatory audit is to verify that a project is compliant with regulations and standards. The best practices of the NEMEA Compliance Center state that a regulatory audit must be accurate, objective, and independent while providing oversight and assurance to the organization.

Evaluation:

Evaluation is a systematic determination of a subject's merit, worth and significance, using criteria governed by a set of standards. It can assist an organization, program, project or any other intervention or initiative to assess any aim, realizable concept or proposal, or any alternative, to help in decision-making; or to ascertain the degree of achievement or value in regard to the aim, objectives and results of any such action that has been completed. The primary purpose of evaluation, in addition to gaining insight into prior or existing initiatives, is to enable reflection and assist in the identification of future change.

Evaluation:

Evaluation is often used to characterize and appraise subjects of interest in a wide range of human enterprises, including the arts, criminal justice, foundations, non-profit organizations, government, health care, and other human services. Evaluation is the structured interpretation and giving of meaning to predicted or actual impacts of proposals or results. It looks at original objectives, and at what is either predicted or what was accomplished and how it was accomplished.

Evaluation:

Evaluation can be Formative, that is, taking place during the development of a concept or proposal, project or organization, with the intention of improving the value or effectiveness of the proposal, project, or organization. It can also be Summative, drawing lessons from a completed action or project or an organization at a later point in time or circumstance.

Evaluation:

Evaluation has been defined as: A systematic, rigorous, and meticulous application of scientific methods to assess the design, implementation, improvement, or outcomes of a program. It is a resource-intensive process, frequently requiring resources such as evaluator expertise, labor, time, and a sizable budget. "The critical assessment, in as objective a manner as possible, of the degree to which a service or its component parts fulfills stated goals" (St Leger and Wordsworth-Bell). The focus of this definition is on attaining objective knowledge, and scientifically or quantitatively measuring predetermined and external concepts. "A study designed to assist some audience to assess an object's merit and worth" (Stufflebeam). In this definition the focus is on facts as well as value-laden judgments of the program's outcomes and worth.

Evaluation:

The main purpose of a program evaluation can be to "determine the quality of a program by formulating a judgment" (Marthe Hurteau, Sylvain Houle and Stéphanie Mongiat, 2009). An alternative view is that "projects, evaluators, and other stakeholders (including funders) will all have potentially different ideas about how best to evaluate a project since each may have a different definition of 'merit'." The core of the problem is thus about defining what is of value.

The Society of Corporate Compliance & Ethics:

The Society of Corporate Compliance and Ethics (SCCE) is a nonprofit, individual membership association which provides resources for ethics and compliance professionals from various industries. It serves over 4,500 members through publications, education programs, conferences and professional networking, including an online social network called SCCEnet, which has over 13,000 registered users. SCCE also helps individuals become Certified Compliance and Ethics Professionals.

The Society of Corporate Compliance & Ethics:

The first National Symposium on Corporate Responsibility: Compliance & Ethics Programs was held on November 21-22, 2002, sponsored by the Health Care Compliance Association (HCCA) in association with Microsoft Corporation in Redmond, Washington. The conference drew 100 attendees from some of the top corporations in the nation, including DuPont, PricewaterhouseCoopers, Amazon.com, Boeing, Starbucks, the University of Texas and many more. The keynote speaker was William C. Powers Jr., who served as Chairman of the Special Investigative Committee of the Board of Directors of Enron Corporation.

The Society of Corporate Compliance & Ethics:

Requests for a second Symposium were answered in 2003. More than 250 attendees filled the room to hear speakers such as James Sheehan, Associate United States Attorney for Civil Programs; Ron James, CEO, Center for Ethical Business Cultures; the Honorable Michael E. Horowitz, Commissioner, United States Sentencing Commission; and Colleen Rowley, Special Agent, Federal Bureau of Investigation. Their mission was clear: there needed to be a forum for business professionals working in the compliance and ethics field. The Compliance and Ethics Institute now attracts approximately 1000 attendees annually, and the SCCE has grown to over 3,000 members.

Education, Publications and Events:

The SCCE addresses regulatory topics such as sexual harassment, antitrust/anti-competition, Foreign Corrupt Practices Act/anti-bribery, export control and more, as well as the broad challenge of managing a program designed to meet the United States Federal Sentencing Guidelines definition of an effective compliance program. SCCE’s members enjoy access to a repository of over 2,600 electronic documents, including white papers and government memoranda.

Code of Professional Ethics:

On August 29, 2007, the Society of Corporate Compliance and Ethics (SCCE) adopted a Code of Professional Ethics for Compliance and Ethics Professionals. The Code’s purpose is to provide guidance and rules to all Compliance and Ethics Professionals (CEPs) in the performance of their professional responsibilities. In creating the Code of Professional Ethics, the SCCE establishes both overarching principles to guide compliance officials and rules of conduct, which represent specific standards that prescribe the minimum level of professional conduct expected of CEPs.

The Sarbanes-Oxley Act of 2002:

The Sarbanes–Oxley Act of 2002 (Pub.L. 107–204, 116 Stat. 745, enacted July 30, 2002), also known as the "Public Company Accounting Reform and Investor Protection Act" (in the Senate) and the "Corporate and Auditing Accountability and Responsibility Act" (in the House), and more commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, for example the willful destruction of evidence to impede a Federal investigation.

The Sarbanes-Oxley Act of 2002:

The bill, which contains eleven sections, was enacted as a reaction to a number of major corporate and accounting scandals, including Enron and WorldCom. The sections of the bill cover the responsibilities of a public corporation’s board of directors, add criminal penalties for certain misconduct, and require the Securities and Exchange Commission to create regulations to define how public corporations are to comply with the law.

The Sarbanes-Oxley Act of 2002:

Sarbanes–Oxley was named after its sponsors, U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH). As a result of SOX, top management must individually certify the accuracy of financial information. In addition, penalties for fraudulent financial activity are much more severe. SOX also increased the oversight role of boards of directors and the independence of the outside auditors who review the accuracy of corporate financial statements. The bill, which contains eleven sections, was enacted as a reaction to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Adelphia, Peregrine Systems, and WorldCom. These scandals cost investors billions of dollars when the share prices of affected companies collapsed, and shook public confidence in the US securities markets.

The Sarbanes-Oxley Act of 2002:

Harvey Pitt, the 26th chairman of the SEC, led the SEC in the adoption of dozens of rules to implement the Sarbanes–Oxley Act. It created a new, quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure. The nonprofit arm of Financial Executives International (FEI), the Financial Executives Research Foundation (FERF), completed extensive research studies to help support the foundations of the act.

The Sarbanes-Oxley Act of 2002:

The act was approved by the House by a vote of 423 in favor, 3 opposed, and 8 abstaining, and by the Senate with a vote of 99 in favor and 1 abstaining. President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt. The era of low standards and false profits is over; no boardroom in America is above or beyond the law." In response to the perception that stricter financial governance laws are needed, SOX-type regulations were subsequently enacted in Canada (2002), Germany (2002), South Africa (2002), France (2003), Australia (2004), India (2005), Japan (2006), Italy (2006), Israel, and Turkey.

Major Elements of the Sarbanes-Oxley Act of 2002:

Public Company Accounting Oversight Board (PCAOB)
Auditor Independence
Corporate Responsibility
Enhanced Financial Disclosures
Analyst Conflicts of Interest
Commission Resources and Authority
Studies and Reports
Corporate and Criminal Fraud Accountability
White Collar Crime Penalty Enhancement
Corporate Tax Returns
Corporate Fraud Accountability

Questions & Answers:

Thank You!