Course Synopsis:

The Sarbanes Oxley Act 

• The Need
• US federal legislation: Financial reporting or corporate governance?
• The Sarbanes-Oxley Act of 2002: Key Sections
• SEC, EDGAR, PCAOB, SAG
• The Act and its interpretation by SEC and PCAOB
• PCAOB Auditing Standards: What we need to know
• Management's Testing
• Management's Documentation
• Reports used to Validate SOX Compliant IT Infrastructure
• Documentation Issues
• Sections 302, 404, 906 and the three certifications
• Sections 302, 404, 906: Examples and case studies
• Management's Responsibilities
• Committees and Teams
• Project Team – Section 404: Reports to Steering Committee
• Steering Committee – Section 404: Reports to Certifying Officers and cooperates with Disclosure Committee
• Disclosure Committee: Reports to Certifying Officers and cooperates with Audit Committee
• Certifying Officers and Audit Committee: Report to the Board of Directors
• Control Deficiency
• Deficiency in Design
• Deficiency in Operation
• Significant Deficiency
• Material Weakness
• Is it a Deficiency, or a Material Weakness?
• Reporting Weaknesses and Deficiencies
• Examples
• Case Studies
• Public Disclosure Requirements
• Real Time Disclosures on a rapid and current basis?
• Whistleblower protection
• Rulemaking process
• Companies Affected
• International companies
• Foreign Private Issuers (FPIs)
• American Depository Receipts (ADRs)
• Types of ADR programs
• Employees Affected
• Effective Dates

The Bank for International Settlements (BIS)

• The Basel Committee on Banking Supervision
• From the Young Plan (1930) to Basel II
• Regulatory supervision of internationally active banks
• The failure of the Bankhaus Herstatt and the crisis of confidence

First Basel Capital Accord

• Formulating broad supervisory standards and guidelines
• Regulatory and economic capital
• Important objectives
• 1980s: The capital ratios of the main international banks are deteriorating
• Credit Risk
• Assets are weighted by factors
• On-balance sheet engagements
• Off-balance sheet engagements
• Examples of capital requirements
• December 1987: The Basel Capital Accord approved by the G10
• Basel I amendments

The New Basel Capital Accord (Basel II)

• Realigning the regulation with the economic realities of the global banking markets
• New capital adequacy framework replaces the 1988 Accord
• Improving risk and asset management to avoid financial disasters
• "Sufficient assets" to offset risks 
• The technical challenges for both banks and supervisors
• How much capital is necessary to serve as a sufficient buffer?
• The three-pillar regulatory structure
• Purposes of Basel II
• Scope of the application
• Pillar 1: Minimum capital requirements
• Credit Risk – 3 approaches
• The standardized approach to credit risk
• Claims on sovereigns
• Claims on banks
• Claims on corporates
• The two internal ratings-based (IRB) approaches to credit risk
• Some definitions: PD - The probability of default, LGD - The loss given default, EAD - Exposure at default, M – Maturity
• 5 classes of assets
• Pillar 2: Supervisory review
• Key principles
• Aspects and issues of the supervisory review process
• Pillar 3: Market discipline
• Disclosure requirements
• Qualitative and Quantitative disclosures
• Guiding principles
• Employees Affected
• Effective Dates

Framework for internal control systems in banking organizations - Basel Committee on Banking Supervision

• The 13 Principles for the Assessment of Internal Control Systems
• The 13 Principles and COSO
• The control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
• Types of control breakdowns typically seen in problem bank cases
• The objectives and role of the internal controls framework
• The major elements of an internal control process
• Evaluation of internal control systems by supervisory authorities
• Role and responsibilities of external auditors
• Supervisory lessons learned from internal control failures  

Internal Controls - COSO 

• The Internal Control — Integrated Framework by the COSO committee
• Using the COSO framework effectively
• The Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
• Effectiveness and Efficiency of Operations
• Reliability of Financial Reporting
• Compliance with applicable laws and regulations
• IT Controls
• Program Development and Program Change
• Deterrent, Preventive, Detective, Corrective, Recovery, Compensating, Monitoring and Disclosure Controls
• Layers of overlapping controls

Operational Risk

• What is operational risk
• Legal risk
• Information Technology operational risk
• Operational, operations and operating risk
• The evolving importance of operational risk
• Quantification of operational risk
• Loss categories and business lines
• Operational risk measurement methodologies
• Identification of operational risk
• The Delphi method

Operational Risk Approaches

• Basic Indicator Approach (BIA)
• Standardized Approach (SA)
• Alternative Standardized Approach (ASA)
• Advanced Measurement Approaches (AMA)
• Internal Measurement Approach (IMA)
• Loss Distribution (LD)
• Standard Normal Distribution
• "Fat Tails" in the normal distribution
• Expected loss (EL), Unexpected Loss (UL)
• Value-at Risk (VaR)
• Value-at Risk and Basel I amendment, 1996
• Value-at Risk and Basel II
• Calculating Value-at Risk
• Monte Carlo simulations
• Monte Carlo limitations
• Extreme Value theory
• Scoreboards
• Stress Testing
• Stress testing and Basel
• (AMA) Advantages / Disadvantages
• Recognition of the firms’ own modelling of operational risk losses
• "Weak banks", internal and external audit and sound practices for operational risk
• Self assessment
• Key Risk Indicators
• Operational Risk Measurement Issues
• The game theory
• The prisoner’s dilemma – and the connection with operational risk measurement and management
• Operational risk management
• Operational Risk Management Office
• Key functions of Operational Risk Management Office
• Key functions of Operational Risk Managers
• Key functions of Department Heads
• Internal and external audit
• Operational risk sound practices
• Operational risk mitigation
• Insurance to mitigate operational risk

Scope of Sarbanes Oxley and Basel II Projects 

• The most important challenge: The scope
• Discussing the scope with the external auditors
• Assumptions
• In or out of scope?
• Is it relevant?
• Using compliance as an excuse
• Computer Forensics Investigation?
• Business Intelligence?
• Business Continuity and Disaster Recovery?

Meeting the Information Security Requirements of Sarbanes Oxley and Basel II 

COBIT - the framework that focuses on IT Is COBIT needed for compliance?

• COSO or COBIT?
• Corporate governance or financial reporting?
• Executive Summary
• Management Guidelines
• The Framework
• The 34 high-level control objectives
• What to do with the 318 specific control objectives
• COBIT Cube
• Maturity Models
• Critical Success Factors (CSFs)
• Key Goal Indicators (KGIs)
• Key Performance Indicators (KPIs)
• How to use COBIT for Sarbanes Oxley and Basel II compliance

Software and Spreadsheets

• Is software necessary?
• Is software needed?
• When and why
• How large is your organization?
• Is it geographically dispersed?
• How many processes will you document?
• Are there enough persons for that?
• Selection process
• Spreadsheets
• It is just a spreadsheet…
• Certain spreadsheets must be considered applications
• Development Lifecycle Controls
• Access Control (Create, Read, Update, Delete)
• Integrity Controls
• Change Control
• Version Control
• Documentation Controls
• Continuity Controls
• Segregation of Duties Controls
• Spreadsheets – Errors
• Spreadsheets and material weaknesses

Third-party service providers and vendors

• Redefining outsourcing
• Outsourcing services and compliance
• The new definition of outsourcing
• Outsourcing after Sarbanes Oxley and Basel II
• Offshore outsourcing is also redefined
• Key risks of outsourcing
• What is needed from vendors and service providers
• SAS 70
• Type I, II reports
• Advantages of SAS 70 Type II
• Disadvantages of SAS 70 Type II
• Working with vendors and service providers

Aligning Basel II and Sarbanes-Oxley projects

• The general expectations around Sarbanes Oxley and Basel
• From ensuring the overall safety and soundness of banks (Basel) to restoring investor confidence (Sarbanes Oxley)
• From the "under construction since the 1998" approach (Basel II) to the Sarbanes Oxley deadlines
• From the choice of risk management sophistication (Basel) to the specific SEC and PCAOB rules (Sarbanes Oxley)
• There is only one Sarbanes Oxley act but there are many different Basel II frameworks – the issue of discretion to individual jurisdictions for Basel II implementation
• Multinational companies and compliance issues
• US federal legislation and state law. The US constitutional challenges
• From the 1929 Companies Act (UK) to the 1933 Securities Act (USA) to Sarbanes Oxley: The need to avoid a federal intrusion into state reserved matters
• Auditing in the USA and auditing in UK: Very important differences
• Capital Requirements Directive (CRD)
• Markets in Financial Instruments Directive (MiFID)
• What will be the impact of MiFID to EU and non non EU banks?
• MiFID (Markets in Financial Instruments Directive) and Sarbanes Oxley and Basel
• Board review and approval
• Management responsibility
• Control objectives
• Risk identification and assessment
• Risk monitoring
• Risk mitigation
• Risk reporting
• Continuity plans
• Sufficient public disclosure
• Documentation challenges
• Effectiveness – design and operation
• Connecting the dots
• Common elements and differences of compliance projects
• New standards