<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>IT Governance, Risk, and Compliance &#187; Foreign Corrupt Practices Act</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/it-governance/tag/foreign-corrupt-practices-act/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/it-governance</link>
	<description></description>
	<lastBuildDate>Mon, 20 May 2013 00:56:50 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Application Protection &#8211; Part IV</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-iv/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-iv/#comments</comments>
		<pubDate>Mon, 22 Jun 2009 20:41:36 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accounting]]></category>
		<category><![CDATA[Applications]]></category>
		<category><![CDATA[COE]]></category>
		<category><![CDATA[Council of Europe]]></category>
		<category><![CDATA[FCPA]]></category>
		<category><![CDATA[Financial]]></category>
		<category><![CDATA[Foreign Corrupt Practices Act]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Laws and Regulations]]></category>
		<category><![CDATA[OAS]]></category>
		<category><![CDATA[OECD]]></category>
		<category><![CDATA[Organisation for Economic Co-operation and Development]]></category>
		<category><![CDATA[Organization of American States]]></category>
		<category><![CDATA[Sarbanes Oxley Act]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=179</guid>
		<description><![CDATA[...the FCPA can affect an organization's internal control environment by indirectly imposing management's assurance of an adequate IT control environment with adequate information protection.]]></description>
				<content:encoded><![CDATA[<p>The FCPA impacts IT control requirements of U.S. publicly held enterprises. Section 78m (b), in particular, documents the legislative rules and compliance requirements of internal control evaluation reporting with regard to management&#8217;s assessment of internal controls. Section 78m (b) (2) through (5) applies to Securities Exchange Act of 1934 filers. Therefore, the FCPA can affect an organization&#8217;s internal control environment by indirectly imposing management&#8217;s <a href="http://diy.craigspress.com/BookStore/BookStoreBookDetails.aspx?bookid=48453">assurance</a> of an adequate IT control environment with adequate information protection. Based on the Public Company Accounting Oversight Board&#8217;s interpretation, the SOX IT control parameter, in effect, is the same as that of the FCPA. Therefore, U.S. Securities Exchange Act of 1934 filers may not be aware of FCPA legal requirements &#8212; yet, they should have been performing the necessary FCPA control self-assessments and remedial actions since 1977. Similarly, European Union, OAS, and OECD member countries should be engaging in control self-assessments and remediation of internal accounting controls as they relate to safeguarding information assets to ensure compliance with legal mandates.</p>
<p>&#8220;View Part I of the Application Protection series <a href="http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-i/">here</a>&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-iv/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Application Protection &#8211; Part III</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-iii/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-iii/#comments</comments>
		<pubDate>Fri, 19 Jun 2009 13:09:53 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accounting]]></category>
		<category><![CDATA[Applications]]></category>
		<category><![CDATA[COE]]></category>
		<category><![CDATA[Council of Europe]]></category>
		<category><![CDATA[FCPA]]></category>
		<category><![CDATA[Financial]]></category>
		<category><![CDATA[Foreign Corrupt Practices Act]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Laws and Regulations]]></category>
		<category><![CDATA[OAS]]></category>
		<category><![CDATA[OECD]]></category>
		<category><![CDATA[Organisation for Economic Co-operation and Development]]></category>
		<category><![CDATA[Organization of American States]]></category>
		<category><![CDATA[Sarbanes Oxley Act]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=172</guid>
		<description><![CDATA[Technically, application safeguarding controls should be present during input, processing, and output.]]></description>
				<content:encoded><![CDATA[<p>FCPA control measures for an adequate system of internal accounting controls include maintaining appropriate segregation of duties, allowing only authorized transaction execution, controlling access to assets, and reconciling documented assets to actual assets regularly. Completeness, accuracy, authorization, and accessibility are considered key internal accounting information protection controls that fulfill FCPA legal requirements. These control measures most often interact with &#8212; or are deployed through &#8212; IT financial applications, thus justifying information security management&#8217;s involvement in assessing compliance with the FCPA. </p>
<p>To dispatch FCPA information reliability requirements, an information security manager should identify, understand, test, and document internal accounting security controls for information assets. Essentially, an information security manager should assume responsibility for assessing financial applications for FCPA safeguarding compliance. Technically, application safeguarding controls should be present during input, processing, and output. IT procedures are expected to provide information protection throughout the life cycle of earmarked FCPA financial application systems. Key internal accounting controls can be mapped to information security confidentiality, integrity, and availability control measures. For instance, information security application accuracy controls include input edit and validation routines that ensure information integrity.</p>
<p>&#8220;View Part I of the Application Protection series <a href="http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-i/">here</a>&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-iii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Application Protection &#8211; Part II</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-ii/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-ii/#comments</comments>
		<pubDate>Tue, 16 Jun 2009 19:06:50 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accounting]]></category>
		<category><![CDATA[Applications]]></category>
		<category><![CDATA[COE]]></category>
		<category><![CDATA[Council of Europe]]></category>
		<category><![CDATA[FCPA]]></category>
		<category><![CDATA[Financial]]></category>
		<category><![CDATA[Foreign Corrupt Practices Act]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Laws and Regulations]]></category>
		<category><![CDATA[OAS]]></category>
		<category><![CDATA[OECD]]></category>
		<category><![CDATA[Organisation for Economic Co-operation and Development]]></category>
		<category><![CDATA[Organization of American States]]></category>
		<category><![CDATA[Sarbanes Oxley Act]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=169</guid>
		<description><![CDATA[The FCPA codifies bribery of foreign officials as a criminal offense for U.S. publicly held companies...]]></description>
				<content:encoded><![CDATA[<p>The FCPA codifies bribery of foreign officials as a <a href="http://diy.craigspress.com/BookStore/BookStoreBookDetails.aspx?bookid=48453">criminal offense</a> for U.S. publicly held companies, requires accurate financial-transactions accounting, and amends the Securities Exchange Act of 1934. With regard to accounting, FCPA Section 78m (b) (2) documents managerial responsibility for generating and retaining financial information while presenting transactions accurately and fairly, as well as deploying a &#8220;system of internal accounting controls.&#8221; Furthermore, FCPA Section 78m (b) (5) has been interpreted as requiring U.S. businesses to create and sustain adequate internal accounting controls regardless of an organization&#8217;s cost-benefit analysis ratio. This section of the FCPA therefore decrees <a href="http://www.amazon.com/dp/0974302996?tag=authorsdencom&amp;camp=14573&amp;creative=327641&amp;linkCode=as1&amp;creativeASIN=0974302996&amp;adid=1S1Y52FHECCW6986Z57R&amp;">preventive and detective controls</a> to avoid financial statement fraud or misrepresentation.</p>
<p>&#8220;View Part I of the Application Protection series <a href="http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-i/">here</a>&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-ii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Application Protection &#8211; Part I</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-i/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-i/#comments</comments>
		<pubDate>Fri, 12 Jun 2009 18:36:47 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[Accounting]]></category>
		<category><![CDATA[Applications]]></category>
		<category><![CDATA[COE]]></category>
		<category><![CDATA[Council of Europe]]></category>
		<category><![CDATA[FCPA]]></category>
		<category><![CDATA[Financial]]></category>
		<category><![CDATA[Foreign Corrupt Practices Act]]></category>
		<category><![CDATA[Information Technology]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[Laws and Regulations]]></category>
		<category><![CDATA[OAS]]></category>
		<category><![CDATA[OECD]]></category>
		<category><![CDATA[Organisation for Economic Co-operation and Development]]></category>
		<category><![CDATA[Organization of American States]]></category>
		<category><![CDATA[Sarbanes Oxley Act]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=166</guid>
		<description><![CDATA[Legacy law or regulation replacement is a common occurrence within most governments when circumstances appear to discredit legal mandate enforcement.]]></description>
				<content:encoded><![CDATA[<p>Legacy law or regulation replacement is a common occurrence within most governments when circumstances appear to discredit legal mandate enforcement. However, the <a href="http://fl1.findlaw.com/news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf">U.S. Sarbanes-Oxley Act (SOX) of 2002</a> does not supersede the <a href="http://www.usdoj.gov/criminal/fraud/docs/statute.html">U.S. Foreign Corrupt Practices Act (FCPA) of 1977</a>. In fact, though tagged legacy enterprise governance legislation by some officials, the FCPA has thrived as the basis for enactment of various internationally recognized legal edicts addressing internal accounting controls that indirectly impact information security management requirements. </p>
<p>Contextually, the FCPA applies to U.S. publicly held companies and was adopted in the 1990s by the Organization of American States (OAS), the Organisation for Economic Co-operation and Development (OECD), and the Council of Europe (COE). Concerning international relevance, the FCPA is a frame of reference for most current IT financial application security best practices. Specifically, details demonstrating this law&#8217;s influence are well documented in <a href="http://www.amazon.com/exec/obidos/ASIN/0974302996/authorsdencom">IT financial application assurance</a> and internal accounting control literature. </p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/application-protection-part-i/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Legal Compliance Alignment &#8211; Part IV</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/legal-compliance-alignment-part-iv/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/legal-compliance-alignment-part-iv/#comments</comments>
		<pubDate>Mon, 23 Feb 2009 21:26:02 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[FCPA]]></category>
		<category><![CDATA[Foreign Corrupt Practices Act]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[Gramm-Leach-Bliley Act]]></category>
		<category><![CDATA[Health Insurance Portability and Accountability Act]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IAP]]></category>
		<category><![CDATA[Information Asset Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[ISM]]></category>
		<category><![CDATA[Sarbanes Oxley Act]]></category>
		<category><![CDATA[SOA]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=78</guid>
		<description><![CDATA[When exploring links between national and international arenas, the information security manager will discover international developments decisively impact national laws.]]></description>
				<content:encoded><![CDATA[<p>When exploring links between national and international arenas, the information security manager will discover international developments decisively impact national laws. Specifically, regional coalitions have enacted IAP-related edicts that subsequently were codified in national laws and regulations. Procedurally, most regional coalition IAP decrees are presented as directives to member nations for federal ratification. For this reason, with the assistance of legal counsel, it is strongly recommended that information security managers evaluate all relevant statutory and regulatory mandates in whatever judicial divisions the entity operates. Beneficially, multiple legal compliance requirements assessments enable entity-centric standard practices for satisfying other expected behavior. Exercises in legal due care can also equip an entity to build a compliance culture where standardization is the norm, and conditionally produce an environment conducive to training employees in IAP. </p>
<p>Predictably, laws will continue to be enacted and the regulatory environment will become more complex due to unacceptable conduct remediation. Consequently, entities will continue to be compelled to demonstrate compliance with legal mandates &#8211; especially laws governing data retention and privacy &#8211; that can differ by hemisphere, country, province, county, city, as well as industry. In this increasingly complex regulatory environment, most entities should balance their focus on compliance imperatives without diminishing anticipated response quality to governmental edicts.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/legal-compliance-alignment-part-iv/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Legal Compliance Alignment &#8211; Part III</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/legal-compliance-alignment-part-iii/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/legal-compliance-alignment-part-iii/#comments</comments>
		<pubDate>Thu, 19 Feb 2009 20:47:57 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[FCPA]]></category>
		<category><![CDATA[Foreign Corrupt Practices Act]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[Gramm-Leach-Bliley Act]]></category>
		<category><![CDATA[Health Insurance Portability and Accountability Act]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IAP]]></category>
		<category><![CDATA[Information Asset Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[ISM]]></category>
		<category><![CDATA[Sarbanes Oxley Act]]></category>
		<category><![CDATA[SOA]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=71</guid>
		<description><![CDATA[There are numerous global, regional as well as national laws and regulations focusing on information assets protection (IAP) requiring professional consideration.]]></description>
				<content:encoded><![CDATA[<p>There are numerous global, regional as well as national laws and regulations focusing on <a href="http://www.theiia.org/bookstore/product/it-auditing-assuring-information-assets-protection-1381.cfm">information assets protection</a> (IAP) requiring professional consideration. In particular, at the global level, the World Intellectual Property Organization (WIPO) and World Trade Organization (WTO) have constructed legally binding derivative IAP agreements. Regionally, trans-border coalitions adopting or enacting IAP-related laws include the Asia-Pacific Economic Cooperation (APEC), the Council of Europe (COE), the European Union (EU), the Organization of American States (OAS), and the Organisation for Economic Co-operation and Development (OECD). Lastly, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the U.K. Data Protection Act, the U.S. Digital Millennium Copyright Act (DMCA), and the U.S. Federal Information Security Management Act (FISMA) are clear examples of IAP national legislation that may affect an entity&#8217;s control framework.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/legal-compliance-alignment-part-iii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Legal Compliance Alignment &#8211; Part II</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/legal-compliance-alignment-part-ii/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/legal-compliance-alignment-part-ii/#comments</comments>
		<pubDate>Mon, 16 Feb 2009 20:00:15 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[FCPA]]></category>
		<category><![CDATA[Foreign Corrupt Practices Act]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[Gramm-Leach-Bliley Act]]></category>
		<category><![CDATA[Health Insurance Portability and Accountability Act]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IAP]]></category>
		<category><![CDATA[Information Asset Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[ISM]]></category>
		<category><![CDATA[Sarbanes Oxley Act]]></category>
		<category><![CDATA[SOA]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=67</guid>
		<description><![CDATA[Simultaneous compliance with multiple laws and regulations can create unique challenges for most entities.]]></description>
				<content:encoded><![CDATA[<p>Simultaneous compliance with multiple laws and regulations can create unique challenges for most entities. Selectively, potential compliance hurdles include distinct internal management groups pursuing equivalent goals; diverse audit perspectives, priorities, and requirements; as well as confusion resulting from redundant controls. For instance, cross-compliance with the Foreign Corrupt Practices Act (FCPA), Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley Act (GLBA) may generate muddled responses regarding the importance of certain security controls for a U.S.-based &#8216;publicly held&#8217; corporation. To decrease potential negative effects of cross-compliance, management should seek <a href="http://www.amazon.com/Assuring-Legal-Compliance-Assurance-Services/dp/B001T0I7GO/ref=sr_1_10?ie=UTF8&amp;s=books&amp;qid=1234814708&amp;sr=1-10">assurance</a> that relevant statutory, regulatory, and contractual requirements are adequately defined and documented for each information system.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/legal-compliance-alignment-part-ii/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Legal Compliance Alignment &#8211; Part I</title>
		<link>http://itknowledgeexchange.techtarget.com/it-governance/legal-compliance-alignment-part-i/</link>
		<comments>http://itknowledgeexchange.techtarget.com/it-governance/legal-compliance-alignment-part-i/#comments</comments>
		<pubDate>Thu, 12 Feb 2009 22:22:20 +0000</pubDate>
		<dc:creator>Robert Davis</dc:creator>
				<category><![CDATA[FCPA]]></category>
		<category><![CDATA[Foreign Corrupt Practices Act]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[Gramm-Leach-Bliley Act]]></category>
		<category><![CDATA[Health Insurance Portability and Accountability Act]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[IAP]]></category>
		<category><![CDATA[Information Asset Protection]]></category>
		<category><![CDATA[Information Security Governance]]></category>
		<category><![CDATA[Information Security Management]]></category>
		<category><![CDATA[ISG]]></category>
		<category><![CDATA[ISM]]></category>
		<category><![CDATA[Sarbanes Oxley Act]]></category>
		<category><![CDATA[SOA]]></category>
		<category><![CDATA[SOX]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/it-governance/?p=63</guid>
		<description><![CDATA[Aligning information security governance with legal compliance management allows an entity to enhance cultural ethics while concurrently reducing judicial risks.]]></description>
				<content:encoded><![CDATA[<p>Institutionalized information security governance defines the information assets safeguarding perimeter inside which an entity should operate. Legal compliance management, in turn, ensures structural boundary segments are sturdy and the entity consistently fulfills its mission within externally imposed demarcation lines. Generally, determining an entity&#8217;s legal mandates exceeds the security function&#8217;s ambit. Nonetheless, overseeing the design, implementation, and monitoring of applicable legal requirements is a security function imperative. Aligning <a href="http://www.pleier.com/itasecgovweb.htm">information security governance</a> with legal compliance management allows an entity to enhance cultural ethics while concurrently reducing judicial risks.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/it-governance/legal-compliance-alignment-part-i/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
