Sarbanes-Oxley Compliance: Time to Pull Your SOX Up

I was surprised – and a bit concerned – at the results of a recent Protiviti study that looked at planned implementation of the revised COSO framework.

In our 2014 Sarbanes-Oxley Compliance Survey, we asked companies how far along they were in transitioning to the updated framework. A surprising number said they hadn’t made much progress. I’m hoping it was a timing issue. The framework was released in May 2013; we conducted the survey in early 2014, which may have been too early in the transition process to provide an accurate gauge as to where companies really are.

That said, the numbers are interesting, and we’re continuing to track this issue as 2014 progresses. I believe that companies should understand the level of effort required to implement the new control framework. Our experience is that for some companies, a significant amount of work may be required to complete the transition. For others, the effort is not as great – particularly if their existing risk and controls documentation is up to date.

The COSO Board has stated that users should transition to the updated framework as soon as it is feasible given their particular circumstances. COSO will continue to make available the original 1992 framework through December 15, 2014; after this date, it will consider the framework superseded. This suggests that calendar-year companies must transition to the updated framework no later than calendar year 2014, while companies reporting on a non-calendar-year schedule would be expected to complete their transition at their first year-end following December 15, 2014. That said, there are unmistakable signs in the marketplace that some companies are not planning to meet this timetable for purposes of complying with Sarbanes-Oxley Section 404.

This is not a surprise. COSO is not a regulator, and therefore it cannot mandate actions by issuers. However, as time goes on, it will be difficult for an issuer to take the position that the superseded 1992 version of the COSO framework qualifies under the SEC’s criteria as a “suitable framework” for purposes of complying with Section 404 of Sarbanes-Oxley. The SEC has elected not to rule on this matter, as it has far bigger irons in the fire, but SEC staff has said it will watch developments on this front closely and monitor the transition for issuers continuing to use the 1992 framework, to evaluate whether any further action is appropriate at some point in the future.

We encourage companies to complete the transition in accordance with COSO’s guidance. For those companies choosing to defer the transition, we encourage them to consult with legal counsel and with their accounting firm, and to review their decision and supporting rationale with the audit committee. In addition, we recommend that they be prepared for a comment letter from the SEC. While we don’t think the SEC staff will issue a comment letter for 2014 calendar-year companies (but who really knows?), the risk clearly increases with the passage of time. If the company receives advice from the external auditor that it can delay the transition until next year, management should ask the auditor whether the audit staff will use the principles and points of focus provided by the new 2013 framework in auditing the effectiveness of ICFR for audit clients electing to continue using the 1992 framework.

With respect to the level of effort, the most significant change in the new framework is the explicit articulation of 17 principles representing the fundamental concepts associated with each of the five components of internal control. Given the stakes, I’d expect most organizations to have already responded with a project-management-type approach to the transition, designating roles, responsibilities and authorities to proceed with the transition plan to the new structure provided by the updated framework.

My colleague Brian Christensen, the global leader in Protiviti’s Internal Audit and Financial Advisory practice, recently said that “a surprising number of companies underestimate how much time and effort goes into the implementation process to apply the new COSO framework to internal controls. The survey findings suggest a large number of companies are not being attentive enough to these changes and may be behind where they should be in the process.”

I hope your organization isn’t one of them. If it is, there’s guidance available. Protiviti has published extensive guidance on the new framework, what it means and how to start implementing it. Especially valuable is the Third Edition of Protiviti’s “Frequently Asked Questions” document. We also have hosted a series of webinars on the new framework, recordings of which are available here.

Implementing the new COSO framework could represent a major undertaking for the issuer community accessing the U.S. capital markets; I hope your enterprise is well on its way as the end of 2014 is on the horizon. And whether you are or not, let us know how you are handling or planning the transition.


Six Reasons Why Directors Should Care about COSO 2013

December 15 will be here before we know it. The updated COSO Internal Control – Integrated Framework has already been out for more than a year. For those companies with fiscal year-end dates on or after December 15, 2014, COSO recommends transitioning to the updated 2013 framework. Thus, calendar-year reporting companies should transition in 2014. While some companies are deferring the transition to the following year, most companies are proceeding with their transition process. Those companies that decide to defer must consider how they will disclose their use of the 1992 framework; these companies run the risk of receiving a comment letter from the SEC staff.

A recent issue of Board Perspectives: Risk Oversight gives six good reasons why directors should care about COSO’s updated framework.

Internal controls have always been important to the success of any company, as they provide reasonable assurance that risks to the achievement of objectives are reduced to an acceptable level. That is why they are important to the governance process.

You’ll find the newsletter and Protiviti’s The Updated COSO Internal Control Framework: Frequently Asked Questions on our website. I encourage you to subscribe to Board Perspectives: Risk Oversight, register for upcoming webinars of interest and share your thoughts in this forum.

Note that the Board Perspectives: Risk Oversight article is also available on my blog for the National Association of Corporate Directors:

Developing an Effective, Scalable Third-Party Anti-Corruption Program

by Scott Moritz and Scott Wisniewski

Scott Moritz and Scott Wisniewski are Managing Directors with Protiviti. Moritz leads the firm’s Investigations and Fraud Risk Management practice, while Wisniewski is the head of Protiviti’s Risk Technologies group.

Honesty and trust aren’t what we want to be thinking about when it comes to the global partner ecosystems we are building out today. We’d rather be thinking about economies of scale, increased efficiency and agility, and a time to value that blows away the competition. Unfortunately, third parties represent a major and constant risk, and are the source of the majority of violations of the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act and other international anti-corruption laws. Because of this, an effective third-party anti-corruption program is now an essential component of the overall anti-corruption program at many companies. An effective third-party anti-corruption program helps you to understand the risk that each third party represents, identify potential bad actors, and apply a heightened standard of care to these organizations, or even terminate the business relationship.

A successful program is all about designing sustainable, consistent global processes based on an understanding of which parties should be included in the program; applying a risk-scoring methodology to group the parties into high-, medium- and low-risk categories; and applying standard due diligence processes to all parties and enhanced due diligence processes to those that fall into the high-risk group.

Implementing a successful program also requires a global technology platform that centralizes – and can scale – all third-party anti-corruption activities across the global ecosystem. This is why Protiviti has just released the Governance Portal for Third-Party Anti-Corruption v4.1, a new Protiviti Governance Portal solution that makes it simpler, faster and easier to reduce risk and ensure compliance on a global scale. From creating a centralized repository for all program data and activity, to creating the required scorecards for vendors and partners, to managing workflow and maintaining an audit trail of activities, the Governance Portal for Third-Party Anti-Corruption enables key stakeholders to identify third parties with heightened risk and track investigations and resolutions – regardless of where the stakeholders or third parties are located.

By centralizing the third-party anti-corruption program and managing the processes more effectively, companies can more confidently focus on the business benefits of their ecosystems. For more information about third-party anti-corruption programs, check out “Are Third Party Vendors Putting Your Company at Risk?”, a July 15, 2014, webinar featuring Chris McClean, principal analyst and research director with Forrester Research, Inc. The webinar provides a detailed account of how to effectively apply best practices to identify potentially problematic commercial partners and the importance of an enabling technology platform.

Into the Breach: Is Your Retail Data Vulnerable?

by Ryan Rubin
Managing Director – Leader, Identity & Access Management Services

The fallout from recent headline-grabbing data breaches has entered a critical phase. Retailers face hundreds of lawsuits, according to stories appearing in the Los Angeles Times and Lawyers and Settlements. Executives at some retailers hit by cybercrime have been called before U.S. congressional committees to discuss the breaches.

Protiviti has made the issue of retail data security a high priority, not only in the United States but also in the United Kingdom (where I reside) and worldwide. Our security experts in the field continue to see malware targeted at the retail sector, and point-of-sale systems in particular.

You’ll find a wealth of information on the topic of retail data security on our website. For discussion purposes, let’s start with the four basic questions every director of a retail organization should ask:

  • Have we already been breached?
  • Would the information technology department know?
  • If we have not been breached, do we know that our systems can stand up to a targeted cyberattack?
  • Are we ready to respond?

The answers to these questions, and others, are the subject of our recent Protiviti point-of-view paper entitled “High-Value Targets – Retailers Under Fire,” in which we lay out a macro approach for reducing the risk of cyberattack and recommend asking these additional questions:

  • Do our contracts with strategic partners include the right to a forensic review of their systems and system logs?
  • Do we segment partner systems that don’t require access to cardholder data from the cardholder data environment?
  • Do our security professionals focus on the highest-impact controls?
  • Do we acknowledge that a breach is inevitable and ask if the cost of detailed logging outweighs that of a long investigation?

I know I’m posing a lot of questions here, but as directors and managers, you are in the question-asking business. To that end, I’ll leave you with one final list of questions, composed by my colleagues Jeffrey Sanchez and Scott Laliberte, both managing directors here at Protiviti. Answering these questions will help you devise a ground-level approach to cyber risk management as introduced in their recent webinar, “Prevention of Data Breach in the Retail Industry.”

  • Do we have controls at each phase of the “breach kill chain,” that is, when the malware is trying to get into our system, for example, or trying to sneak our data out?
  • Have we installed password management software?
  • Do we have secure remote access and administration of our systems?
  • Do we run updated point-of-sale software apps—even though it’s a challenge to push new technology out to thousands of stores?
  • Do we use hardware-based, point-to-point encryption?
  • Are our payment applications PA-DSS-compliant and installed properly?
  • Do we use the latest version of our operating system?
  • Do we use application whitelisting to prevent unknown executables (the “.exe” files that are commonly used to download and install software and patches) from executing, and have we worked around the administrative issues that whitelisting can cause?
  • Have we ensured that only preauthorized ports, services and IP addresses are communicating with our network?
  • Do we know who has privileged access to our environment and are we in control of monitoring such users?
  • Have we created strict access control lists that segment public-facing systems and back-end database systems that house payment card data?
  • Have we implemented tools to detect anomalous network traffic and anomalous behavior by legitimate users?

The market is learning that the cost of the exposure of private customer or consumer information can be crippling; for a large organization, it can reach hundreds of millions of dollars.

Is your organization doing everything it can to prevent data breaches? Do you have any best practices you’d like to share in the comment section below?

On a final note, Protiviti is exhibiting at the Black Hat Conference in Las Vegas, August 2-7, where I’m looking forward to meeting colleagues and organizations engaged in improving security and privacy measures. We’re in Booth 1064. If you plan to be at the event, please stop by!