Wednesday, August 22, 2007

Compliance in Product Design.

For companies looking to strengthen internal controls or stay compliant with applicable statutes, the best approach is to ensure that any new software purchased by your company's IT department is already 'statute (SOX, HIPAA, etc.) compliant'. Products do not have to come with a certificate that says 'Our product is SOX compliant'. Even if none of these laws apply to you (lucky you!), it is in your best interest to ensure that the basic principles of Confidentiality, Integrity and Availability are the cornerstones of every product you install in your IT or business environment.

Any product that
• truly enforces segregation of duties, so that no single user holds conflicting responsibilities,
• has proper authorization and workflow management in place,
• has adequate management reporting capabilities, and
• has audit logging capabilities
can reasonably be considered a compliant product.
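As an added illustration (not code from the original post, nor from any particular product), the following Python sketch shows what "truly enforcing" the first, second and fourth of these features looks like in application logic: a maker/checker payment approval in which the approver can never be the requester, role checks that also cover a user who legitimately holds both roles, a pending-approvals report for management, and an append-only audit log whose entries are hash-chained so that later editing or deletion of a record is detectable. The user names, roles and payment records are constructed sample data.

```python
"""Maker/checker payment approval with enforced segregation of duties and a
hash-chained audit log. Added illustration; not code from the original post."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample role assignments (hypothetical users).
ROLES = {
    "alice": {"maker"},
    "bob": {"checker"},
    "carol": {"maker", "checker"},  # holds both roles, yet may never approve her own request
}

class ControlViolation(Exception):
    """Raised whenever an action would breach an internal control."""

@dataclass
class AuditEntry:
    seq: int
    actor: str
    action: str
    payment_id: str
    prev_hash: str
    digest: str

class AuditLog:
    """Append-only log: each digest covers the entry's fields plus the previous
    digest, so editing or deleting any entry makes verify() fail."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[AuditEntry] = []

    @staticmethod
    def _digest(seq: int, actor: str, action: str, payment_id: str, prev: str) -> str:
        return hashlib.sha256(json.dumps([seq, actor, action, payment_id, prev]).encode()).hexdigest()

    def append(self, actor: str, action: str, payment_id: str) -> None:
        seq = len(self.entries)
        prev = self.entries[-1].digest if self.entries else self.GENESIS
        self.entries.append(AuditEntry(seq, actor, action, payment_id, prev,
                                       self._digest(seq, actor, action, payment_id, prev)))

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if self._digest(e.seq, e.actor, e.action, e.payment_id, prev) != e.digest:
                return False
            prev = e.digest
        return True

@dataclass
class Payment:
    payment_id: str
    amount: int
    requested_by: str
    approved_by: Optional[str] = None

class PaymentWorkflow:
    def __init__(self, roles: dict, log: AuditLog) -> None:
        self.roles, self.log = roles, log
        self.payments: dict[str, Payment] = {}

    def _require_role(self, user: str, role: str, payment_id: str) -> None:
        # Authorization check; denials are logged as well as successes.
        if role not in self.roles.get(user, set()):
            self.log.append(user, f"DENIED:{role}", payment_id)
            raise ControlViolation(f"{user} lacks role {role!r}")

    def request(self, user: str, payment_id: str, amount: int) -> Payment:
        self._require_role(user, "maker", payment_id)
        self.payments[payment_id] = Payment(payment_id, amount, user)
        self.log.append(user, "REQUEST", payment_id)
        return self.payments[payment_id]

    def approve(self, user: str, payment_id: str) -> Payment:
        self._require_role(user, "checker", payment_id)
        payment = self.payments[payment_id]
        # Segregation of duties: the identity that raised a request can never be
        # the identity that approves it, regardless of the roles it holds.
        if payment.requested_by == user:
            self.log.append(user, "DENIED:self-approval", payment_id)
            raise ControlViolation("requester may not approve their own payment")
        if payment.approved_by is not None:
            raise ControlViolation("payment already approved")
        payment.approved_by = user
        self.log.append(user, "APPROVE", payment_id)
        return payment

    def pending_report(self) -> list[tuple[str, str, int]]:
        """Management reporting: requests still awaiting a second pair of eyes."""
        return [(p.payment_id, p.requested_by, p.amount)
                for p in self.payments.values() if p.approved_by is None]
```

Two design points matter when evaluating a product against the list above. First, the segregation-of-duties check compares identities, not roles: carol may hold both the maker and checker roles, but she still cannot approve a payment she raised. Second, the audit log records denied actions alongside successful ones and chains each entry to its predecessor; a product whose "audit log" is an ordinary editable table gives an auditor no assurance that the record they are reading is the record that was written.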

Obviously, there are other internal control considerations. The many principles set down in COBIT or any other industry standard can also be studied and applied to these products in greater detail. Beyond that, the company's control environment and risk appetite will determine how many compliance features a product should ideally be 'loaded' with.

Look for my next post on compliance and “must-have” internal control features for product companies.

Monday, July 23, 2007

Mobile entertainment goes another step forward in India.

Stuck in the traffic? Facing a longish train journey? Bored of hearing the same old songs? Wouldn’t it be nice to be able to see a short movie on your ride home?
This is exactly the kind of service that will soon be available to mobile phone users in India. A tie-up between BPL (a leading Indian mobile phone service provider) and Shemaroo (an online store of Bollywood movies) was recently announced to provide streaming 15-minute movies on your mobile phone. Key scenes of a movie will be picked and condensed into an abridged 15-minute version. The real challenge, of course, will be to ensure that the essence of the movie is not lost in the abridged version.
The cost to the viewer is Rs 5 per minute, taking the total cost of watching the 15-minute movie to Rs 75 (around $2). The movie can be stopped at any time and the viewer is charged only for the portion watched.

Thursday, June 14, 2007

New Self Regulatory Body for IT Companies in India.

NASSCOM, India's trade body and chamber of commerce for the IT industry, has announced plans to form an independent self-regulatory body to monitor information security among its member IT companies. Called the Data Security Council of India (DSCI), it is being formed especially to combat security lapses within companies offering outsourcing services. The body aims to publish security policies, bring greater governance to the hiring process and offer accreditation/certification services.

According to Shyamal Ghosh, chairman of DSCI, 'it will be an independent organization, at arm's length from NASSCOM.'

To combat inadequate controls surrounding information security, there must be a body of information security standards that companies are expected to follow. This enables process standardization and industry comparisons, and makes accreditation/certification possible. These standards would encompass

  1. encryption standards,
  2. physical controls,
  3. logical controls (especially user access controls, interface controls, restriction over the use of Instant Messaging etc.)
  4. other infrastructure related standards.

Best practice dictates establishing an information security policy and a data classification policy. Once data has been classified as critical, sensitive or public, it is far easier to see which data should be given priority for protection.

Although there have been incidents of internal control violations (data theft, cheating, passing on of confidential information) in recent years, the core of the outsourcing business in India remains strong. Today's Wall Street Journal reports another U.S. investment bank outsourcing work to an Indian research firm.

Maybe, an initiative like DSCI will be the first successful step towards achieving formal governance in corporate India.

Monday, June 4, 2007

New PCAOB standard aimed at increasing efficiency in internal control audits.

The Board adopted Auditing Standard No. 5 (AS 5) to supersede Auditing Standard No. 2 (AS 2). It applies to all companies that the SEC requires to have an audit of internal control over financial reporting.

Key reasons for the change:

1. The Board's inspections of internal control audits, together with public roundtable discussions, revealed that the audits were taking more effort than necessary.
2. The Board also felt that adopting AS 5 would make it easier for smaller companies to comply with the Sarbanes-Oxley Act's internal control requirements.

Key Features of the new Standard:

1. Emphasizes fraud risk and fraud-related controls in the risk assessment process.
2. Effective entity-level controls may reduce the amount of testing required on the underlying process controls.
3. Auditors may reduce their own testing by relying on control testing performed by others, such as the company's internal audit function.
4. The audit committee must pre-approve any internal control related non-audit services provided by the company's auditor. Rule 3525 requires a registered public accounting firm that seeks to provide such a service to describe its scope, discuss the potential effects of the proposed service on the firm's independence, and document the discussion held with the audit committee.

This may reduce some of the economic and operational burden currently experienced by many companies, because increased auditor reliance on the work of others and stronger entity-level controls should translate into less auditor testing time and effort.

Saturday, June 2, 2007

PCAOB Approves New Audit Standard for Internal Control over Financial Reporting.

On May 24th, the Public Company Accounting Oversight Board approved a new audit standard for Internal Control over Financial Reporting.

Details: As per the PCAOB, 'the auditing standard adopted by the Board today is principles-based. It is designed to increase the likelihood that material weaknesses in internal control will be found before they result in material misstatement of a company's financial statements, and, at the same time, eliminate procedures that are unnecessary.' The final standard also focuses on the procedures necessary to perform a high quality audit that is tailored to the company's facts and circumstances. The Board worked closely with the Securities and Exchange Commission to coordinate Auditing Standard No. 5.

Applicability: 'The final standard may be used by auditors immediately following SEC approval, and it, along with Rule 3525, and the conforming amendments, would be required for all audits of internal control for fiscal years ending on or after November 15, 2007.'

Coming soon~ Auditopia's analysis on the new audit standard.

Friday, April 20, 2007

Increased reliance on Internal Audit: the means to increased compliance and a reduced cost burden.

In an interview, retired Congressman Michael Oxley is reported to have said that he is unhappy with the implementation of the Sarbanes-Oxley Act, especially Section 404, by the PCAOB through Auditing Standard No. 2 (An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements). He felt it was far too prescriptive and much more expensive than anyone had anticipated.

With Congressman Oxley now the non-executive vice chairman of NASDAQ, one can only hope that this will translate into substantial changes that reduce the financial burden while maintaining the level of compliance the Act requires.

This is achievable through increased reliance on the work performed by internal audit groups for the purposes of complying with the Sarbanes-Oxley Act, particularly Section 404. Internal audit departments, whether in-house or outsourced, are staffed by competent and experienced professionals with as much subject matter expertise as an external auditor. They also possess a degree of independence through a direct reporting line to the corporate audit committee.

Wednesday, April 11, 2007

Sarbanes-Oxley ripples felt on the Indian subcontinent.

Good news for those with business ties on the Indian subcontinent. Last week, the DNA reported details of the Ernst & Young India CFO survey.

Of the 125 CFOs interviewed, 43% wanted the country to follow a SOX-like model for internal controls, and 56% felt that the benefit of corporate governance requirements outweighs the cost of compliance.

Note that 78% of these 125 CFOs represented listed companies.

There was also overwhelming support (81%) for the existing regime of corporate governance certification by the CFO/CEO, despite its perceived high level of risk. About 60% of the CFOs believed that regulatory compliance is not a burden.

There may be growing opposition to the rigorous demands of Sarbanes-Oxley in the U.S., but it is surely gaining positive momentum elsewhere. With a large number of financial and other operations being offshored to India, increased corporate governance on the subcontinent is a welcome development.