Manager's Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies

Anthony Tarantino

John Wiley & Sons, Inc.


  • Manager's Guide to Compliance

    Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies

    ANTHONY TARANTINO

    John Wiley & Sons, Inc.

    01_792578 ffirs.qxp 2/28/06 7:30 PM Page iii


  • This book is printed on acid-free paper.

    Copyright 2006 by John Wiley & Sons, Inc. All rights reserved.

    Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

    Published simultaneously in Canada.

    No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.

    Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

    For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

    Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

    For more information about Wiley products, visit our Web site at http://www.wiley.com.

    Library of Congress Cataloging-in-Publication Data
    Tarantino, Anthony, 1949-
      Manager's guide to compliance : Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB A-123, ASX 10, OECD principles, Turnbull guidance, best practices, and case studies / Anthony Tarantino.
        p. cm.
      Includes index.
      ISBN-13: 978-0-471-79257-4 (cloth)
      ISBN-10: 0-471-79257-8 (cloth)
      1. Accounting--Law and legislation--United States. 2. Auditing, Internal--Law and legislation--United States. 3. Disclosure of information--Law and legislation--United States. 4. Accounting--Standards. 5. Auditing, Internal--Standards. I. Title.
      KF1357.T37 2006
      346.73'06648--dc22    2005034272

    Printed in the United States of America

    10 9 8 7 6 5 4 3 2 1

    www.wiley.com

  • Dedicated to

    Ted and Allie

  • NOTE TO THE READER

    In providing the information contained in this book, the author and contributors are not engaged in rendering legal or other professional advice and services. As such, this text should not be used as a substitute for consultation with professional, legal, or other competent advisers. All information is provided herein as is.

  • Contents

    Preface  xi
    Acknowledgment  xvii

    Chapter 1   U.S. SOX Section 401: Off-Balance Sheet Arrangements  1
    Chapter 2   U.S. SOX Section 404: Internal Controls  21
    Chapter 3   U.S. SOX Section 406: Code of Ethics  32
    Chapter 4   U.S. SOX Section 409: Real-Time Reporting of Material Changes  35
    Chapter 5   U.S. SOX Impact on Privately Held Companies and Nonprofits  39
    Chapter 6   U.S. SOX Impact on Small U.S. Companies  44
    Chapter 7   U.S. SOX Impact on Foreign Companies  49
    Chapter 8   U.S. Government's Version of U.S. SOX: OMB Circular A-123  53
    Chapter 9   U.S. Healthcare Efforts to Improve Internal Controls: U.S. HIPAA  69
    Chapter 10  Bankers' and Insurers' Efforts to Improve Internal Controls  71
    Chapter 11  Australia, Canada, and UK Efforts to Improve Internal Controls  79
    Chapter 12  EU Efforts to Improve Internal Controls: OECD Principles  91
    Chapter 13  Global GAAP (IFRS) and Global Reporting Language (XBRL)  96
    Chapter 14  Compliance and Internal Controls Impact on Outsourcing  106
    Chapter 15  Civil and Criminal Penalties for Noncompliance  108
    Chapter 16  Business Penalties for Noncompliance: A Material Weakness  121
    Chapter 17  Revenue Recognition Requirements: U.S. SAB 101 and 104  125
    Chapter 18  Data Retention Requirements  135
    Chapter 19  Compliance and Internal Control Software  139
    Chapter 20  Auditing Internal Controls  147
    Chapter 21  Best Practices in Internal Controls: Enterprise Risk Management  178
    Chapter 22  Best Practices in Internal Controls: IT Risk Management & SDLC (NIST 800-30)  185
    Chapter 23  Best Practices in Internal Controls: Mapping COBIT to COSO I, COSO II, & PCAOB  190
    Chapter 24  Best Practices in Internal Controls: COBIT IT Control Objectives  194
    Chapter 25  Best Practices in Compliance and Internal Controls: ASX 10 Principles  200
    Chapter 26  Best Practices in Internal Controls: Segregation of Duties (SOD)  228
    Chapter 27  Best Practices in Internal Controls: Case Studies  242
    Chapter 28  Best Practices in Compliance Project Management  254
    Chapter 29  Best Practices in Governance and Ethics  261
    Chapter 30  Costs versus Benefits and the Business Reaction  266

    Appendix A  Frequently Asked P2P Questions  278
    Appendix B  Links to Referenced Organizations and Documents  290

    Glossary  292
    Index  304

  • Preface

    The massive U.S. corporate scandals of the last several years have led to a huge change in the way organizations are governed. At its heart was a failure of leadership, ethics, and morality on several levels, which led to a breakdown in investor confidence. The failures occurred among corporate executives, boards of directors, regulatory agencies, rating agencies, and the press. One could argue this was caused by a lack of virtue and a breaking of a social contract between organizations (public and private) and those who invest in and rely on them. These are age-old concepts. In his Analects, the great Chinese sage Confucius (551-479 B.C.) argued virtue was the key characteristic of superior leadership. Virtue provides a moral power that allows one to win a following without resorting to physical force and enables a leader to maintain good order. Mencius (372-289 B.C.), often referred to as the second great Chinese sage, developed the notion of a social contract in which one rules by a mandate of heaven. If a leader broke the social contract, then his followers would be absolved of all loyalty and might be required to overthrow him. Enron, WorldCom, Parmalat, Ahold, and others broke the mandate of heaven in corporate America and Europe and exposed the lack of virtue in those entrusted with good corporate governance.

    These events have spawned a move toward more robust compliance on a global level, which will require much improved internal controls and will change the nature of business in fundamental ways. The struggle for improved compliance is nothing new. Investors have always sought greater transparency as organizations have sought to limit transparency to protect competitive information. Scandals have always acted as a catalyst to force improved corporate governance and transparency. The South Sea Bubble scandal in the early 1700s fostered improved accounting standards in British companies. U.S. states began enacting blue-sky laws in the early 1900s as the result of shady stock promotions. Of course, the greatest reforms came as a result of the great stock market crash of 1929 and depression during the 1930s. This led to the passage of federal security legislation in 1933 and 1934 and the creation of the Securities and Exchange Commission (SEC).[1] Reforms have continued, but were greatly accelerated by scandals of the late 1990s. So there is little chance for a significant rollback in compliance requirements, especially when most investors do not place much faith in corporate boards to provide viable oversight. A Wall Street Journal/Harris poll found about two-thirds of investors expressing doubts in the ability of corporate boards of directors to provide effective oversight.[2]

    Many skept