Outsourcing & Regulatory Compliance Risks
By Matthew Sullivan

Today's marketplace dictates that Financial Services Institutions (FSIs) consider using offshore IT services to remain competitive. However, in light of the continuing focus on regulatory compliance, some FSIs have begun to worry about the risk of outsourcer regulatory compliance failures. This article, focusing on Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA) (1), explores strategies to decrease compliance risk when using offshore IT vendors.

Typically, regulatory compliance risks are adequately addressed if a vendor follows the directions of its FSI client and the FSI's directions comply with the relevant regulations. Indeed, the Federal banking agencies have implicitly acknowledged the benefits of outsourcing by providing guidance for outsourcing the internal audit function and for managing third-party relationships (2). However, that same guidance also states that FSIs cannot delegate their compliance obligations under SOX and the GLBA to their outsourced software vendors. Ultimately, an FSI increases its risk of regulatory compliance violations only if its vendors take less care to prevent violations than the FSI itself does, so each FSI must monitor and manage the compliance risk of its vendors.

Outsourcing

Reduced costs and increased productivity have driven the growth in software services outsourcing, and FSIs have been among its largest buyers. As outsourcing has grown, FSIs and outsourcers alike have been forced to define processes and services clearly so that each party understands its obligations under their agreements and can measure its benefits from the arrangement. The result has been improved process workflows, definitions and measurements that let companies and their vendors define and transact a standard measure of service output.

Increasingly, the standard measure of service output, such as an hour of programmer time, includes terms of delivery that require vendors to meet a set of standards. These standards are subject to audits and governed by a relationship between the parties. Increasingly, FSIs are requiring their vendors to deliver services in a manner that meets the appropriate regulatory compliance standards for their industry.

The Regulations

Concurrent with the growth in outsourcing, FSIs have become subject to increasing regulation from legislation such as Sarbanes-Oxley and the GLBA.

Sarbanes-Oxley contains numerous provisions, including sections 302 and 404. Section 302 requires public company CEOs and CFOs to certify the adequacy of internal controls and that the company's SEC reports fairly represent its financial position and results. Section 404 requires that annual SEC reports contain an internal control report assessing the effectiveness of the company's internal controls over financial reporting.

Similarly, the GLBA contains privacy provisions that include the Financial Privacy Rule, the Safeguards Rule and the Pretexting Provisions. The Financial Privacy Rule requires financial institutions to give their customers privacy notices that explain the FSI's information collection and sharing practices, to give customers the right to limit some sharing of their information, and to limit some FSI uses of consumer information received from other FSIs. The Safeguards Rule requires financial institutions to have a written security program to protect the confidentiality and integrity of personal consumer information. The Pretexting Provisions prohibit the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers' personal financial information, such as bank balances.

The Risks

As indicated previously, FSIs cannot delegate their compliance obligations under SOX and the GLBA to their outsourced software vendors (3). Therefore, financial firms face outsourcer-related compliance violations if the manner in which their vendors deliver services does not meet applicable laws or regulations.

The compliance risk of a given vendor is therefore related to the regulatory sensitivity of the services it provides. For example, outsourcers could expose FSIs to SOX 302 and 404-related compliance risk if they provide services that are critical to, or may become critical to, the FSI's control over its financial reporting. Similarly, outsourcers could expose FSIs to GLBA-related compliance risk when they provide services that give them access to systems holding personal consumer information, so that a vendor failure could compromise the confidentiality or integrity of that information. In both cases, the regulations are designed to protect against the threats of disclosure and/or alteration of information. Because FSIs are responsible for outsourcer violations, FSIs must manage the regulatory compliance risk from outsourcers by applying the tools used for the other aspects of the outsourcing relationship: standards, audits and relationship governance.

Notes
(1) The U.S. Public Company Accounting Reform and Investor Protection Act of 2002 is commonly known as Sarbanes-Oxley; the Financial Services Modernization Act of 1999 is commonly known as the Gramm-Leach-Bliley Act.
(2) Interagency Policy Statement on the Internal Audit Function and Its Outsourcing, March 17, 2003, and Office of the Comptroller of the Currency, Administrator of National Banks, OCC Bulletin on Third-Party Relationships, November 21.
(3) See Footnote.

© 2005 Kanbay Incorporated. All rights reserved. Kanbay and the Kanbay logo are registered trademarks of Kanbay Incorporated. Other trademarks are the property of their respective owners.
A first step in managing vendor regulatory compliance risk is to determine which outsourcers pose such risk. Compliance Critical Outsourcing Vendors (CCOVs) are those that provide services that pose regulatory compliance-related risks for FSIs.
» Sarbanes-Oxley CCOVs are those that provide software or services that are critical to financial reporting, or software that, when implemented, will be critical to financial reporting. For example, your vendor may be a CCOV if it provides production support for an enterprise data warehouse that is used for monthly financial reporting.
» GLBA CCOVs are those that provide software or services that give the vendor access to personal consumer information. For example, your vendor may be a CCOV if it is building your new customer billing system.

The potential for serious or frequent compliance violations exists when an FSI's vendor management processes do not include appropriate standards, audit features or governance controls. To help confirm that outsourcers are capable of meeting the appropriate compliance standards, FSIs should involve their compliance management function in selection and due diligence whenever the services to be outsourced present a potentially significant risk to regulatory compliance (4).

Managing Outsourcers

The process of evaluating potential service outsourcers begins with a Needs Assessment. Armed with an assessment, an FSI can determine whether outsourcing is appropriate and, if so, plan processes for outsourcer selection and due diligence, contracting, and outsourcing governance. During each of these processes, FSIs can take specific steps to incorporate regulatory compliance provisions into
» the standards outsourcers will be required to meet,
» the processes to be audited, and
» the governance relationship between the parties.

VENDOR SELECTION & DUE DILIGENCE

In addition to the typical vendor considerations concerning the mix of quality, service and price, clients often require vendors to meet minimum thresholds for financial stability, size and service infrastructure. For CCOVs, the ability to meet regulatory compliance requirements may be an appropriate additional minimum threshold.

During due diligence, one standard many clients apply is whether outsourced vendors have conducted proper risk assessments of their own processes, systems and people. Outsourcers that have implemented standards such as CMM Level 5, ISO 9001 and Six Sigma process improvement have demonstrated a commitment to customer quality and service; note that these are quality and process standards, not information security standards. Those that have implemented ISO 17799 have demonstrated an interest in mitigating the risk in their processes, systems and people. ISO 17799:2005 establishes guidelines and general principles for control objectives and controls to improve information security management (it has since been renumbered as ISO/IEC 27002).

(4) See Footnote.
Generally, outsourcers that have implemented ISO 17799 will have considered the initiatives required to safeguard their processes and systems in a way consistent with SOX and GLBA requirements.

Another important consideration is the type of relationship the FSI seeks with its outsourcer. Increasingly, FSIs are choosing strategic partnerships with outsourcing firms instead of standard company-vendor relationships. Strategic partnerships align the culture and governance of the FSI and the outsourcer, which reduces the risk of regulatory compliance violations because the partners share both investments and risks.

CONTRACTING

A contract legally embodies the agreement between the parties and its accompanying terms and conditions. In addition to standard contract terms, CCOV contracts should include specific requirements for the vendor, based on the FSI's consultation with its legal team, to help confirm that those requirements are consistent with applicable regulations (5). In addition, contracts should
» define standards (e.g. quality and service levels),
» allow the FSI to audit the outsourcer, and
» define a governance model between the FSI and the outsourcer.
Because a contract sets out the duties, obligations and responsibilities of the parties, it should be reviewed by legal counsel.

FSIs can audit outsourcers using either their internal or their external auditors. Alternatively, an FSI can obtain an audit report from the outsourcer's own external auditor. For large agreements, where the risk is greater, FSIs have traditionally audited outsourced vendors and required periodic controls reports. Among FSIs, the trend is to require outsourcers to provide SAS70 examinations from the outsourcer's auditors. SAS70 (6) is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A SAS70 examination signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. Two checks matter when relying on such a report. First, the control objectives in a SAS70 report are chosen by the service organization and are scoped to controls relevant to its clients' financial reporting, so an FSI should verify that they actually cover the safeguarding of consumer information before treating the report as evidence for GLBA purposes. Second, a Type II report, which tests the operating effectiveness of the controls over a period, is stronger evidence than a Type I report, which only describes the controls as of a point in time. (SAS70 has since been superseded by SSAE 16 and the SOC 1 report; SOC 2 reports cover security, availability, processing integrity, confidentiality and privacy.)

A contract is a useful statement of the parties' responsibilities, but it should not substitute for a strong governance model to monitor the vendor, communicate with it and resolve disputes. FSI/vendor relationships are more often mutually beneficial when contract terms are clear and the parties have provided a robust mechanism to manage day-to-day activities and a procedure for dispute resolution.

OUTSOURCING GOVERNANCE

After an outsourcer is selected and a contract executed, the parties usually want to enjoy a long, mutually beneficial relationship. To navigate such a relationship successfully, the parties should generally have an Outsourcing Governance Framework (7). By implementing and monitoring a governance model, an FSI can oversee the vendor and the activities that may have a material effect on the FSI's regulatory compliance (8).

Kanbay's governance framework, called Spectrum6, helps build partnerships as opposed to standard vendor-client relationships. The key governance practices in Kanbay's Spectrum6 Governance Framework are
» managing relationships to bridge cultural gaps,
» collaboratively identifying and assessing outsourcing risks,
» creating teams and communication channels to build structural alignment,
» creating effective contracts that allow for flexibility,
» managing service levels to help confirm ongoing service measurement, and
» implementing change management practices to facilitate cultural alignment and participation.

These practices are implemented after first ensuring that both the FSI and the vendor have a common understanding of the objectives for an engagement. This understanding is used to help confirm that expectations, goals and deliverables are managed effectively. Kanbay's Spectrum6 governance framework also encourages the development of peer relationships among the various stakeholders in order to foster a collaborative engagement approach.

Among these governance practices, some of the keys to regulatory compliance are
» collaboratively identifying and assessing outsourcing risks,
» creating teams and communication channels to build structural alignment, and
» managing service levels to ease ongoing service measurement.

The practice of identifying and assessing outsourcing risk is important to defining the standards by which an outsourcing relationship is governed. By collaboratively identifying the risks associated with an engagement, the parties can monitor and control those risks by incorporating them into the service level agreements. The practice of creating teams and communication channels to build structural alignment facilitates coordinated activity and compliance with common objectives.

The practice of managing service levels to ease ongoing service measurement is effectively a microcosm of the overall governance process. Service level monitoring begins with the identification of the metrics to be monitored. It also includes the creation of a framework to define, measure and monitor those metrics. When service level metrics include regulatory-compliance-related measures, the communication channels set up during the engagement serve as a monitoring system for compliance-related issues. They can also be used to benchmark vendors, make periodic process improvements, and build periodic reports that can be tied to vendor compensation. Overall, outsourcing governance is a critical mechanism to help confirm that outsourcing vendors meet their commitments, including those related to regulatory compliance.

(5) This article is not legal advice. The reader is solely responsible for obtaining his/her own legal advice.
(6) Statement on Auditing Standards (SAS) No. 70, Service Organizations.
(7) See Governance: Building Successful Outsourcing Engagements, by Aparna Umakant Katre, July.
(8) See Footnote.
Summary

An FSI's level of regulatory compliance risk is not necessarily increased by outsourcing. The level of risk varies with an outsourcing vendor's ability to prevent compliance violations, and it can be mitigated by FSIs working with their legal counsel to determine their regulatory requirements and documenting those requirements in the vendor contract. Thus FSIs increase their risk of regulatory compliance violations only if they do not properly identify and document their regulatory requirements, or if they outsource to vendors who fail to fulfill their contractual obligations. An FSI that enters into a software services agreement with an offshore outsourcer does not generally incur increased risk of regulatory compliance violations simply because it is working with an offshore outsourcer. Outsourcers, particularly those that serve FSIs, generally have the same ability and incentive as any FSI to promote secure systems, controlled processes and employee honesty. The key is to use business incentives for both FSIs and vendors, onshore and offshore, to set, monitor and enforce proper standards. Standards, audits and a robust governance model provide the tools for FSIs and outsourcers around the globe to collaboratively nurture lasting business relationships. A governance model such as Kanbay's Spectrum6 framework helps vendor-client relationships mature into global sourcing partnerships.

ABOUT THE AUTHOR

Matthew Sullivan leads Kanbay's Risk Management and Regulatory Compliance Practice. He has more than 17 years' experience working with financial institutions in the capacities of attorney, management consultant and software product manager. Mr. Sullivan holds degrees in computer science, management and law.

ABOUT KANBAY

Founded in 1989, Kanbay (NASDAQ: KBAY) is a global IT services firm focused on the financial services industry. With over 4,700 associates, Kanbay provides its services primarily to banking institutions, insurance companies, credit service companies and capital markets firms. The company uses a global delivery model to provide application development, maintenance and support, software package selection and integration, business process and technology advice, and specialized services. Kanbay is a CMM Level 5 assessed company headquartered in greater Chicago with offices in the U.S., Canada, U.K., Australia, Hong Kong, Japan, Singapore and India.
More informationNSW Government Digital Information Security Policy
NSW Government Digital Information Security Policy Version: 1.0 Date: November 2012 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 CORE REQUIREMENTS...
More informationCharter of the Audit Committee of the Board of Directors
Charter of the Audit Committee of the Board of Directors Dated as of April 27, 2015 1. Purpose The Audit Committee is a committee of the Board of Directors (the Board ) of Yamana Gold Inc. (the Company
More informationSERVICE ORGANIZATION CONTROL REPORTS SM. Formerly SAS 70 Reports
SERVICE ORGANIZATION CONTROL REPORTS SM Formerly SAS 70 Reports SAS No. 70, Service Organizations Standard for reporting on a service organization s controls affecting user entities financial statements
More informationHP business controls solutions. Reducing operational risks while gaining the benefits of outsourcing
HP business controls solutions Reducing operational risks while gaining the benefits of outsourcing There are signs that outsourcing and offshoring is being applied to business areas higher up the value
More informationThird Party Relationships
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 A B D INTRODUCTION AND PURPOSE Background Yes/No Comments 1. Does the credit union maintain a list of the third party
More informationData Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005
Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad Toronto, Ontario June 14, 2005 Outsourcing Update: New Contractual Options and Risks Lisa K. Abe June 14, 2005
More informationBOARD OF DIRECTORS MANDATE
BOARD OF DIRECTORS MANDATE Board approved: May 7, 2014 This mandate provides the terms of reference for the Boards of Directors (each a Board ) of each of Economical Mutual Insurance Company ( Economical
More informationBemis Company, Inc. Audit Committee Charter
Bemis Company, Inc. Audit Committee Charter BEMIS COMPANY, INC. AUDIT COMMITTEE CHARTER I. Purpose EXHIBIT 2 This charter establishes the responsibilities of the Audit Committee ( Committee ) of the Board
More informationBest Practices in Identity and Access Management (I&AM) for Regulatory Compliance. RSA Security and Accenture February 26, 2004 9:00 AM
Best Practices in Identity and Access Management (I&AM) for Regulatory Compliance RSA Security and Accenture February 26, 2004 9:00 AM Agenda Laura Robinson, Industry Analyst, RSA Security Definition of
More informationThe Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
More informationEffectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com
Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased
More informationGREAT PLAINS ENERGY INCORPORATED BOARD OF DIRECTORS CORPORATE GOVERNANCE GUIDELINES. Amended: December 9, 2014
GREAT PLAINS ENERGY INCORPORATED BOARD OF DIRECTORS CORPORATE GOVERNANCE GUIDELINES Amended: December 9, 2014 Introduction The Board of Directors (the Board ) of Great Plains Energy Incorporated (the Company
More informationGovernance, Risk, and Compliance (GRC) White Paper
Governance, Risk, and Compliance (GRC) White Paper Table of Contents: Purpose page 2 Introduction _ page 3 What is GRC _ page 3 GRC Concepts _ page 4 Integrated Approach and Methodology page 4 Diagram:
More informationM-Aud. Comptroller of the Currency Administrator of National Banks. Internal and External Audits. Comptroller s Handbook. April 2003.
M-Aud Comptroller of the Currency Administrator of National Banks Internal and External Audits Comptroller s Handbook April 2003 M Management Internal and External Audits Table of Contents Introduction...1
More informationVendor Management Compliance Top 10 Things Regulators Expect
Vendor Management Compliance Top 10 Things Regulators Expect Paul M. Phillips, CFA Attorney, Adams and Reese Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay 2014 EastPay.
More informationFramework for Enterprise Risk Management
Framework for Enterprise Risk Management 2013 Johnson & Johnson Contents Introduction.... 4 J&J Strategic Framework... 5 What is Risk?.......................................................... 7 J&J Approach
More informationApplication of King III Corporate Governance Principles
APPLICATION of KING III CORPORATE GOVERNANCE PRINCIPLES 2013 Application of Corporate Governance Principles This table is a useful reference to each of the principles and how, in broad terms, they have
More informationVendor Risk Management Financial Organizations
Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current
More informationFebruary 2015. Sample audit committee charter
February 2015 Sample audit committee charter Sample audit committee charter This sample audit committee charter is based on observations of selected companies and the requirements of the SEC, the NYSE,
More informationretained in a form that accurately reflects the information in the contract or other record,
AL 2004 9 O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Electronic Record Keeping TO: Chief Executive Officers of All National Banks, Federal Branches and Agencies,
More informationB o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing
B o a r d of Governors of the Federal Reserve System Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing January 23, 2013 P U R P O S E This policy statement is being issued
More informationPRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS
PRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (Issued December 2003; revised September 2004 (name change)) PN 1013 (September 04) PN 1013 (December 03) Contents Paragraphs
More informationCFPB Consumer Laws and Regulations
General Principles and Introduction Supervised entities within the scope of CFPB s supervision and enforcement authority include both depository institutions and non-depository consumer financial services
More informationCONTINUOUS CONTROLS MONITORING
Clarity. Certainty. Confidence. CONTINUOUS CONTROLS MONITORING Support Regulatory Compliance Improve Cost Management Drive Operational Performance Executives today are more challenged than ever to make
More informationXBRL & GRC Future opportunities?
XBRL & GRC Future opportunities? Suzanne Janse Deloitte NL Paul Hulst Deloitte / Said Tabet EMC Presenters Suzanne Janse Deloitte Netherlands Director ERP (SAP, Oracle) Risk Management GRC software Paul
More informationDesigning an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting
Consulting and Professional Services Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting Designing an Operational Risk Program for
More informationTHIRD PARTY. T i m L i e t z R e g i o n a l P r a c t i c e L e a d e r R i s k A d v i s o r y S e r v i c e s
MANAGING THIRD PARTY RISK T i m L i e t z R e g i o n a l P r a c t i c e L e a d e r R i s k A d v i s o r y S e r v i c e s Experis -- a different kind of talent company. Experis Tuesday, January 08,
More informationSOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS
SOC on Amazon Web Services (AWS) What You Need To Know Understanding the regulatory roadmap for SOC on AWS Jeff Cook November 2015 Summary Service Organization Control (SOC) reports (formerly SAS 70 or
More informationSOC Readiness Assessments. SOC Report - Type 1. SOC Report - Type 2. Building Trust and Confidence in Third-Party Relationships
Building Trust and Confidence in Third-Party Relationships Today s businesses rely heavily on outsourcing certain business tasks or functions to service organizations, even those that are core to their
More informationA Sarbanes-Oxley Roadmap to Business Continuity
A Sarbanes-Oxley Roadmap to Business Continuity NEDRIX Conference June 23, 2004 Dr. Eric Schmidt eschmidt@controlsolutions.com Control Solutions International TECHNOLOGY ADVISORY, ASSURANCE & RISK MANAGEMENT
More informationFFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors
Overview for Chief Executive Officers and Boards of Directors In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed
More informationWEATHERFORD INTERNATIONAL plc AUDIT COMMITTEE CHARTER Approved: September 25, 2015
WEATHERFORD INTERNATIONAL plc AUDIT COMMITTEE CHARTER Approved: September 25, 2015 Purpose The purpose of the Audit Committee (the Committee ) is to assist the Board of Directors in overseeing the: 1.
More informationWhite Paper: The Sarbanes-Oxley Act Public Company Accounting Reform and Investment Protection Act
White Paper: The Sarbanes-Oxley Act Public Company Accounting Reform and Investment Protection Act Pulling It All Together: Collaboration Required Executive Overview The Sarbanes-Oxley (SOX) Act was passed
More informationApplication of King III Corporate Governance Principles
Application of Corporate Governance Principles Application of Corporate Governance Principles This table is a useful reference to each of the principles and how, in broad terms, they have been applied
More informationSecurity Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
More informationUnderstanding Data Governance ROI: A Compliance Perspective
A DataFlux White Paper Prepared by: Gwen Thomas Understanding Data Governance ROI: A Compliance Perspective Leader in Data Quality and Data Integration www.dataflux.com 877 846 FLUX International +44 (0)
More informationEmail Archiving for the Financial Industry
jatheon technologies whitepaper hot ISSUE Email Archiving for the Financial Industry 2... I ntroduction 2... Challenges Faced b y the Financial Sector 2... Why Financial Firms Need to Comply 3... Compliance
More informationAn Oracle White Paper November 2011. Financial Crime and Compliance Management: Convergence of Compliance Risk and Financial Crime
An Oracle White Paper November 2011 Financial Crime and Compliance Management: Convergence of Compliance Risk and Financial Crime Disclaimer The following is intended to outline our general product direction.
More informationInteragency Guidelines Establishing Information Security Standards. Small-Entity Compliance Guide
Interagency Guidelines Establishing Information Security Standards Small-Entity Compliance Guide I. INTRODUCTION Purpose and Scope of the Guide This Small-Entity Compliance Guide (footnote 1) is intended
More information