Forces for regulatory change – examining the rise of the compliance colossus
Anthony Wong, ICT Counsel, Aequitas Attorneys
LLB, LLM (Technology), BSc (Computer Science), MACS
email: [email_address]
This presentation is intended to provide a summary of the subject matter covered. It does not purport to render legal advice. Professional advice should be sought before applying the information to specific circumstances.
Opening Presentation, IntegrIT 2005, 26 May 2005
Introduction
- Origins of the corporate form
- Incorporation creates a legal persona
- Unlike a natural person, a company relies on corporate actors to carry out and manage the operations of the company
- Regulators are going behind the “Corporate Veil” to protect investors and employees from unscrupulous management

Regulation is Industry & Jurisdiction specific
- No simple universal formula for governance rules, regulation and practices
- Differs between countries
- Sources include statute law and case law
- Includes duties of directors
- Australian companies need to adhere to a complex network of compliance rules and regulations, which are designed to fulfil specific roles in a given industry and sector

Regulation is Industry & Jurisdiction specific
- The US approach tends to be prescriptive and rules-based
- Australia has relied on a principles approach using a mixture of hard law-regulation, self regulation and soft laws
- Numerous soft laws – standards, guidelines and collections of best practices – are available to assist the IT Compliance of organisations

Scope: Standards & Principles
- Australian Government Use of Information and Communications Technology: A New Governance and Investment Framework report – a set of Governance Principles for federal government agencies created by the Information Management Strategy Committee (IMSC) supported by the CIO Committee (CIOC)
- OECD Corporate Governance Principles 2004 – implemented by Australia as a member of the OECD
- AS 3806 – Compliance Programs
- AS 8015 – Corporate Governance of ICT
- AS 8000 – Corporate Governance Standards Set

Regulation is Industry & Jurisdiction specific
- The two common themes that run through these regulations are:
  - Accuracy, Transparency and Reliability of information or data
  - Processes
- This presentation is not intended to raise every statutory and common law provision that could apply in a given situation
- The focus here is only on the regulatory sections which are of particular relevance to IT Compliance
Corporate Governance
- Self regulation has been undermined by recent collapses in the US (Enron and WorldCom) and in Europe (Parmalat)
- To restore shareholder and investor confidence, regulators worldwide have reacted by introducing a profusion of legislation and regulation
- The US Sarbanes-Oxley Act 2002 has implications in other economies and nations, with impacts on related groups of companies in different countries
- Australia is not immune, with corporate collapses including One.Tel, Ansett and HIH

Corporate Governance
- Technology is now so pervasive and critical to the execution and delivery of many organisations’ products and services
- Organisations are becoming more reliant on IT even for the most basic business functions
- Few businesses can exist effectively and competitively today without an effectively managed IT environment

Corporate Governance > IT Governance
- The definition of IT Governance is more than:
  - ensuring a return on IT investments
  - the strategic alignment of IT with business
  - performance of IT projects
  - identification and management of IT risks
  - IT resource management

Corporate Governance > IT Governance > IT Compliance
- The definition of IT Governance includes compliance with the increasing varieties of IT related legislation and regulations, which is paramount to achieving IT Governance

IT Compliance is an aspect of IT Governance; IT Governance is an integral and essential part of Corporate Governance
Some Key Observations
- The challenge for CIOs is no longer just to keep the IT systems running but to ensure that every piece of business information is maintained with integrity and transparency
- Executives who initially view compliance as a business/finance issue are recognising that it is also an IT systems issue
- It is not “just an auditor’s problem” but impacts the whole of the organisation, as IT is now so pervasive and critical to competitive success and survival in the business environment
- C-suite executives (CEOs, CFOs, COOs, CIOs), board members, directors, officers, staff, accountants and auditors all have roles to play

Some Key Observations
- In many instances, using IT solutions may be the only way an organisation can meet regulatory and legal compliance, cutting the risk of error rather than relying on manual processes
- IT professionals will need to develop:
  - a solid understanding of proper control theory and structure
  - an ongoing risk assessment process in IT management
  - and bring business and IT practices and processes into a cohesive whole!
- It is a myth that there is an out-of-the-box IT “solution” to compliance

IT plays a major role in:
- Internal Controls on Financial Reporting & Disclosure for companies
- Operational Risks in the Banking Sector
- Protection of Electronic Information
  - Security Management
  - Privacy
  - Cybercrime and Spam
- Records Retention & Management
- Other IT related Compliance legislation
Internal Controls on Financial Reporting & Disclosure
- US Sarbanes-Oxley Act 2002
- Corporations Act 2001 (CLERP 9)
- Australian Stock Exchange (ASX) Listing Rules & ASX Corporate Governance Principles
- Statements of Accounting Practice
- Financial Services Reform Act (FSRA) – e-Compliance hub
- Investment and Financial Services Association (IFSA) Guidelines on Corporate Governance

US Sarbanes-Oxley Act 2002 (SOX)
- The Act was passed by the US Congress in July 2002 to restore investor confidence in companies registered with the US Securities and Exchange Commission (SEC) after a series of business scandals and lapses in corporate governance
- Applies to US subsidiaries operating in Australia and also to Australian companies listed in the US
- The penalty for non-compliance is not just significant fines – it is jail time!

1st CEO and CIO charged under SOX
- CEO Richard Scrushy, HealthSouth Corporation, was indicted on more than 85 counts that include fraud and signing off on false corporate statements that overstated earnings by at least US$1.4 billion
- CIO Kenneth Livesay has pleaded guilty

US Sarbanes-Oxley Act 2002 (SOX)
- Section 404: Evaluation (governance, measurement and recordkeeping) – deals with management’s assertion regarding the operating effectiveness of its internal control over financial reporting
- Section 302: Control (internal controls) – requires the CEO/CFO to do more than simply pledge that the company’s finances are correct; they have to vouch for the processes used to add up the numbers and personally sign off on the financial statements
- Section 409: Disclosure (reporting and certification) – requires “rapid and current” disclosure of material changes to the internal control structure or financial condition

The importance of IT in the Design, Implementation and Sustainability of internal control over financial reporting and disclosure
- The impact on the IT department is immense, as any material change in the operational state of the organisation has to be reported in a timely manner
- IT is inherently tied to the manner in which accounting transactions are initiated, recorded, processed and reported
- IT is crucial to establish, evaluate and monitor the effectiveness of internal control over financial reporting
- The Act demands greater transparency not only in reporting financial figures but also in showing how these figures were arrived at – the audit trail
- It demands an ongoing risk measurement process within IT management activities

What are some of the IT controls required?
- Mapping the IT systems that support internal control and the financial reporting process to the financial statements
- Ensuring that IT controls are updated and changed to correspond with changes in the internal control of financial reporting processes
- A key control objective is the authorisation and safeguarding of assets and of access to IT systems, to ensure security, confidentiality and privacy
- Possible IT control methodologies and frameworks:
  - Control Objectives for Information and related Technology (COBIT®)
  - Information Technology Infrastructure Library (ITIL)
Corporate Law Economic Reform Program (CLERP 9)
- The Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 (CLERP 9) became law on 1 July 2004
- CLERP 9 amends a number of Acts, including the Corporations Act 2001
- Introduces significant changes to the regulation of corporate governance in Australia to give effect to reforms aimed at restoring public confidence in corporate Australia
- Australia had already been moving in that direction – not just because of the US Sarbanes-Oxley Act

Corporate Law Economic Reform Program (CLERP 9)
- Section 295A requires CEO/CFO sign-off that the financial records of the listed entity:
  - give a “true and fair view”
  - have been properly maintained in accordance with applicable laws; and
  - comply with Accounting Standards
- The CIO parallels the CFO in ensuring that the technology is in place to support financial reporting and enable the CEO/CFO to provide these declarations

ASX – Principles of Good Corporate Governance
- Contain 10 core principles and practice recommendations
- Principle 4: Safeguard integrity in financial reporting – have a structure to independently verify and safeguard the integrity of the company’s financial reporting
- Principle 7: Recognise and manage risk – establish a sound system of risk oversight and management and internal control
- Recommendation 7.2: the CEO/CFO to provide written assurance to the board that risk management and internal compliance systems were operating effectively
Operational Risks in the Banking Sector
- Basel II, or the “New Basel Capital Accord”, covers three types of risk – credit, market and operational – to ensure a more stable global financial system and greater protection for depositors
- The Australian Prudential Regulation Authority (APRA) is the regulator of the Australian financial services industry
- In Australia, all authorised deposit-taking institutions (ADIs) will be required to implement the Basel II Framework
- Proposed implementation starting point from year end 2007

Basel II – APRA Implementation
- “Operational risk” is broadly defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”
- Operational risk centres around breakdowns in internal controls and corporate governance
- Such breakdowns can lead to financial loss through error (manual or IT) and fraud, or cause the interests of the bank to be compromised through staff exceeding their authority
- Some of the other events that could lead to operational risk include:
  - Damage to physical assets
  - Business disruption
  - Legal risks
  - Events and security
  - Transaction risk

Basel II – APRA Implementation
- National Australia Bank has survived significant operational risk events recently, with foreign currency losses of $360 million, but the events have been quite damaging to the bank as well as resulting in significant loss to shareholders
- Others like Barings have not been so lucky
- Improvements in technology have allowed banks to better identify, measure and manage operational risks

Basel II – APRA Implementation
- One of the key IT implications is the collection and management of the historical data required to implement Basel II
- Historical data will have to be pooled from disparate systems, cleaned and stored in a central repository to be used by a system with the updated risk model

Basel II – APRA Implementation
- Improving IT Risk Management: taking risk out of the IT component, as problems in one institution can be quickly transmitted to others due to the inter-networking of global financial systems
- Business Continuity Planning: to ensure that the institution can continue to function and meet its obligations – regulatory or otherwise – in the event of a disruption
- AS/NZS 4360 – Risk Management Set
- HB 221 – Business Continuity Management
Protection of Electronic Information
- The increased efficiency and capacity of computers, and the interconnectivity of computer systems, especially with the Internet, has allowed easier access to electronic information
- Electronic information is now pervasive, if not vital, for the essential operation of a modern day organisation
- The CIO has increasing accountability for the integrity and consistency of information within the organisation
- To secure information effectively, it needs to be secured from all perceivable threats

Protection of Electronic Information
- From Unauthorised Access
- From Unauthorised Use & Disclosure
- From Interception
- From Piracy & Copying
- From Unauthorised Modification (alteration, deletion or addition)

Impact of the Misuse of Electronically Stored Information
- Has a range of consequences that depends on the sensitivity and nature of the information

Protection of Electronic Information
- Using Privacy Laws
- Using Technical & Physical Means
- Using Common Law
- Using Copyright & Other IP Legislation
- Using Spam & Cybercrime Laws

Protection of Electronic Information – Using Technical & Physical Means
- IT Governance, Compliance & Risk Management

Scope: Security Management Standards (not exhaustive)
- Australian Communications-Electronic Security Instruction 33 (ACSI 33), issued by the Defence Signals Directorate – guidance to Australian Government agencies on protecting their information systems
- Protective Security Manual, issued by the Attorney-General's Department – Commonwealth protective security policies, principles, standards and procedures
- AS 7799 – Information Security Management
- HB 231 – Information security risk management guidelines
- AS ISO/IEC 13335 – Guidelines for the management of IT Security
- AS/NZS ISO/IEC 17799 – Code of practice for information security management

Protection of Electronic Information – Using Privacy Laws
- IT Governance, Compliance & Risk Management
JetBlue Airways Corporation and Acxiom Corporation
- JetBlue and Acxiom disclosed 5 million passenger records to a military contractor at the request of the US Department of Defense, without the knowledge or consent of the affected passengers
- The military contractor specializes in information mining and developed pattern recognition technology
- Prior to September 2002, the military contractor was hired to determine how information might be analyzed for an antiterrorism study to track high-risk passengers or suspected terrorists
- JetBlue faces class-action lawsuits filed by outraged customers
- The CIO had unwittingly assumed the role of privacy compliance
- One of the lessons learned: CIOs would be wise to play a central role in the proactive shaping and enforcing of data privacy policies, as guardians of data

Privacy Compliance
- The Privacy Act 1988 (Cth) sets out 11 Information Privacy Principles (IPPs) and protects the privacy of persons dealing with the Federal Government
- It has also been extended to regulate the way private sector organisations can collect, use, keep secure and disclose personal information, whether stored electronically or not
- It only protects “Personal Information” and NOT Commercial Information

Privacy Compliance
- There are 10 National Privacy Principles (NPPs) applying in the private sector. The following are more pertinent to the “Protection of Electronic Information”:
  - NPP 2 – the use and disclosure of personal information
  - NPP 4 – data security: reasonable steps to protect personal information from misuse and loss, and from unauthorised access, modification or disclosure
  - NPP 7 – prohibits the use of Federal government identifiers in the private sector, e.g. the Tax File Number
  - NPP 9 – the transfer of data to another country
  - NPP 10 – the use and disclosure of sensitive information (about an individual’s racial origin, political or religious beliefs, health, memberships etc.)
Other Privacy laws including:
- Privacy and Personal Information Act 1998 (NSW) – applies personal privacy to the public sector in NSW
- Telecommunications Act 1991 (Fed) – Part 13 – telecommunications service providers are required to maintain confidentiality (e.g. ISPs in relation to internet logs of access to websites and time of access, and copies of web contents accessed); disclosure may be permitted with a subpoena
- Telecommunications (Interception) Act 1979 (Fed) – protects privacy by prohibiting interception of communications passing over telecommunications systems; interception may be permitted under a warrant issued to, e.g., the Police and ASIO

Other Privacy laws including:
- Data-Matching Program (Assistance and Tax) Act 1990 (Fed) – regulates data matching between particular Federal departments, e.g. the Tax Office and Social Security
- Health Records and Information Privacy Act 2002 (NSW) – governs the handling of health information in both the public and private sectors in NSW, including hospitals, doctors and other health care organisations
- National Health Act 1953 (Fed) – covers the privacy of personal information collected from Medicare claims and Pharmaceutical Benefits

Industry Privacy Codes:
- The NPPs set the baseline standards for privacy protection
- Organisations can create their own codes
- Codes of Conduct and their provisions:
  - Protection of Personal Information of Customers of Telecommunications Providers Code of Practice (PPIC) – for participants in the Communications Industry
  - Internet Industry Association (IIA) – for the Internet Industry

Industry Privacy Codes:
- Codes of Conduct and their provisions:
  - Code of Banking Practice – protects customer privacy by contract, as an adjunct to the banker-customer relationship
  - Asia Pacific Smart Card Industry – applicable to privacy, security, loss and misuse of smart cards
  - Electronic Funds Transfer – ATM, EFTPOS, telephone or internet banking, credit cards and stored value smart cards
  - Australian Direct Marketing Association – for participants in Direct Marketing
Cybercrime
- There are at least 13 Federal Acts which have some relevance to cybercrime
- States and territories have their own legislation, which is not uniform either in offence provisions or in penalties
- The State and Territory offences apply within each jurisdiction; Commonwealth offences target unlawful access to Commonwealth computers and data, and offences committed using a telecommunications service or carrier
- The main legislation includes the Cybercrime Act 2001 (Federal) and the Crimes Amendment (Computer Offences) Act 2001 (NSW)

Cybercrime
- Generally, the Australian provisions make it an offence for a person to do or attempt to do the following:
  - unauthorised access to a computer system
  - unauthorised access to or modification of data
  - impairment of electronic data and communication
  - impeding access to computers; and
  - possession of data with intent to commit a serious offence

Spam Act 2003
- The Australian Spam Act 2003 came into effect on 11 April
- An article covering “The impact of Australia's anti-spam legislation” is available from the ZDNet website at http://www.zdnet.com.au/insight/business/0,39023749,39116020,00.htm

Records Retention & Management
- State and Commonwealth Archives Acts
- AS ISO 15489 – Records Management Standard
- State and Commonwealth Evidence Acts
- Freedom of Information legislation
- Tax obligations
- Other record retention obligations imposed by various legislation, depending on the environment in which the organisation operates

Other IT related Compliance Legislation
- Electronic Transactions Act 1999
- Trade Practices legislation (e.g. eCommerce & Websites)
- Occupational Health & Safety
- Workplace Surveillance Bill 2005 (NSW)
- Other State and Commonwealth laws

Thank you
Anthony Wong, ICT Counsel, Aequitas Attorneys

More Related Content

PPT
Sox Compliance Solution
PPSX
IT Control Objectives Framework, A Relationship Between COSO Cobit and ITIL
PPT
SOX compliance - Understanding Sarbanes-Oxley
PPTX
Total compliance | Statutory Compliance - Alphabricks Technologies
PPT
Sox Compliance Presentation
PDF
Ethics in accounting and the reliability of financial information
PPT
Corporate Compliance Management
PPT
Sarbanes Oxley Act
Sox Compliance Solution
IT Control Objectives Framework, A Relationship Between COSO Cobit and ITIL
SOX compliance - Understanding Sarbanes-Oxley
Total compliance | Statutory Compliance - Alphabricks Technologies
Sox Compliance Presentation
Ethics in accounting and the reliability of financial information
Corporate Compliance Management
Sarbanes Oxley Act

What's hot (20)

PDF
Report on IT Auditing and Governance_Ta_Hoang_Thang
PDF
Sox compliance services brochure 2013
PDF
Ethical practices of the professional accountant in nigeria
PDF
Sox compliance
PDF
Regulatory Reporting - Key considerations for Fund Managers and Service Provi...
PDF
NEMEA Compliance Automation
PPT
Corporate Compliance Management (CCM) : A Systematic Approach
PPT
Corporate Complience Management : A Risk Management
PDF
Sarbanes-Oxley Compliance and the RFI/RFP Process
PPTX
PracticeLeague Tax Litigation Management System
PPTX
Lecture 13 oveview of etichs, fraud, and internal control- james a. hall boo...
PDF
Broker-Dealer Outsourcing: Key Regulatory Issues and Strategies for Compliance
PDF
Enterprise Strategy Group, IBM's System Storage DR550: Enabling Compliance in...
PPT
Khazi Sox A
PDF
Compliance in Manufacturing: A Very Personal Affair (2013)
PPT
477 10 (5)
PPT
Legal Audit Power Point
PPTX
Other legal audits
PDF
Impact of Accounting Ethics on the Practice of Accounting Profession In Nigeria.
PPT
Report on IT Auditing and Governance_Ta_Hoang_Thang
Sox compliance services brochure 2013
Ethical practices of the professional accountant in nigeria
Sox compliance
Regulatory Reporting - Key considerations for Fund Managers and Service Provi...
NEMEA Compliance Automation
Corporate Compliance Management (CCM) : A Systematic Approach
Corporate Complience Management : A Risk Management
Sarbanes-Oxley Compliance and the RFI/RFP Process
PracticeLeague Tax Litigation Management System
Lecture 13 oveview of etichs, fraud, and internal control- james a. hall boo...
Broker-Dealer Outsourcing: Key Regulatory Issues and Strategies for Compliance
Enterprise Strategy Group, IBM's System Storage DR550: Enabling Compliance in...
Khazi Sox A
Compliance in Manufacturing: A Very Personal Affair (2013)
477 10 (5)
Legal Audit Power Point
Other legal audits
Impact of Accounting Ethics on the Practice of Accounting Profession In Nigeria.
Ad

Similar to Session One Forces For Regulatory Change Anthony Wong (20)

PPTX
Topic 1 - Lecture PowerPoint File 2021.pptx
DOCX
There are regulatory rules that must be met as well as organizatio.docx
PPT
S O X In Telecom Industry
PDF
Control and audit of information System (hendri eka saputra)
PPT
Sox In Telecom Industry
PPTX
ACC 497 Final Exam - Assignment
PDF
The Sarbanes-Oxley Act Summary
PDF
Cost benefits of sox compliance
PDF
Eurosec'2008 christophe feltus
PPTX
rethinking marketing
PPTX
IT Governance Vs IT Management Presentation V0.1
PPT
This one cobit_introduction cobit notes.ppt
PPT
Data Management Strategies
PDF
13 internal controls
PPTX
future technology in ai and whats are the new technogies used by the government
PDF
NIIT Technologies regulatory reporting
PDF
Technology Facilitating the Regulatory Reporting
PPTX
7.3 automation of company registry (lesotho)
PPT
IT Governance - Core Concepts for Business Managers
PPTX
1 of 2--Policies & Procedures Intro to Internal Controls Sp 2010
Topic 1 - Lecture PowerPoint File 2021.pptx
There are regulatory rules that must be met as well as organizatio.docx
S O X In Telecom Industry
Control and audit of information System (hendri eka saputra)
Sox In Telecom Industry
ACC 497 Final Exam - Assignment
The Sarbanes-Oxley Act Summary
Cost benefits of sox compliance
Eurosec'2008 christophe feltus
rethinking marketing
IT Governance Vs IT Management Presentation V0.1
This one cobit_introduction cobit notes.ppt
Data Management Strategies
13 internal controls
future technology in ai and whats are the new technogies used by the government
NIIT Technologies regulatory reporting
Technology Facilitating the Regulatory Reporting
7.3 automation of company registry (lesotho)
IT Governance - Core Concepts for Business Managers
1 of 2--Policies & Procedures Intro to Internal Controls Sp 2010
Ad

More from anthonywong (7)

PPT
4th World Chinese Economic Forum Melb Anthony Wong Nov 2012
PPT
Security Regulatory Framework
PPT
Legal Perspective on Information Management “New Social Media – The New Recor...
PPT
Legal Framework for Cloud Computing Cebit May 31 2011 Sydney
PPT
Social Media and Legal Ethics
PPT
E Discovery Presentation Nov 19 2008
PPT
Money Laundering Risk Technological Perspective Fina Lv1
4th World Chinese Economic Forum Melb Anthony Wong Nov 2012
Security Regulatory Framework
Legal Perspective on Information Management “New Social Media – The New Recor...
Legal Framework for Cloud Computing Cebit May 31 2011 Sydney
Social Media and Legal Ethics
E Discovery Presentation Nov 19 2008
Money Laundering Risk Technological Perspective Fina Lv1

Recently uploaded (20)

PPTX
Slide gioi thieu VietinBank Quy 2 - 2025
PDF
NISM Series V-A MFD Workbook v December 2024.khhhjtgvwevoypdnew one must use ...
PDF
Charisse Litchman: A Maverick Making Neurological Care More Accessible
PDF
Solaris Resources Presentation - Corporate August 2025.pdf
PDF
NEW - FEES STRUCTURES (01-july-2024).pdf
PPTX
Astra-Investor- business Presentation (1).pptx
PDF
Susan Semmelmann: Enriching the Lives of others through her Talents and Bless...
PPTX
CTG - Business Update 2Q2025 & 6M2025.pptx
PDF
Technical Architecture - Chainsys dataZap
PDF
Daniels 2024 Inclusive, Sustainable Development
PDF
Tata consultancy services case study shri Sharda college, basrur
PPTX
Project Management_ SMART Projects Class.pptx
PDF
Nante Industrial Plug Factory: Engineering Quality for Modern Power Applications
PPTX
Sales & Distribution Management , LOGISTICS, Distribution, Sales Managers
PPTX
2025 Product Deck V1.0.pptxCATALOGTCLCIA
PDF
Satish NS: Fostering Innovation and Sustainability: Haier India’s Customer-Ce...
PPTX
operations management : demand supply ch
PDF
Module 2 - Modern Supervison Challenges - Student Resource.pdf
PDF
Module 3 - Functions of the Supervisor - Part 1 - Student Resource (1).pdf
PPTX
Board-Reporting-Package-by-Umbrex-5-23-23.pptx
Slide gioi thieu VietinBank Quy 2 - 2025
NISM Series V-A MFD Workbook v December 2024.khhhjtgvwevoypdnew one must use ...
Charisse Litchman: A Maverick Making Neurological Care More Accessible
Solaris Resources Presentation - Corporate August 2025.pdf
NEW - FEES STRUCTURES (01-july-2024).pdf
Astra-Investor- business Presentation (1).pptx
Susan Semmelmann: Enriching the Lives of others through her Talents and Bless...
CTG - Business Update 2Q2025 & 6M2025.pptx
Technical Architecture - Chainsys dataZap
Daniels 2024 Inclusive, Sustainable Development
Tata consultancy services case study shri Sharda college, basrur
Project Management_ SMART Projects Class.pptx
Nante Industrial Plug Factory: Engineering Quality for Modern Power Applications
Sales & Distribution Management , LOGISTICS, Distribution, Sales Managers
2025 Product Deck V1.0.pptxCATALOGTCLCIA
Satish NS: Fostering Innovation and Sustainability: Haier India’s Customer-Ce...
operations management : demand supply ch
Module 2 - Modern Supervison Challenges - Student Resource.pdf
Module 3 - Functions of the Supervisor - Part 1 - Student Resource (1).pdf
Board-Reporting-Package-by-Umbrex-5-23-23.pptx

Session One Forces For Regulatory Change Anthony Wong

  • 1. Forces for regulatory change –examining the rise of the compliance colossus Anthony Wong ICT Counsel, Aequitas Attorneys LLB, LLM (Technology), BSc (Computer Science), MACS email: [email_address] This presentation is intended to provide a summary of the subject matter covered. It does not purport to render legal advice. Professional advice should be sought before applying the information to specific circumstances. Opening Presentation IntegrIT 2005 26 May 2005
  • 2. Introduction Origins of the corporate form Incorporation creates a legal persona Unlike a natural person, a company relies on corporate actors to carry out and manage the operations of the company Regulators going behind the “Corporate Veil” to protect investors and employees from unscrupulous management
  • 3. Regulation is Industry & Jurisdiction specific No simple universal formula for governance rules, regulation and practices Differs between countries Sources include statute law and case law Includes duties of directors Australian companies need to adhere to a complex network of compliance rules and regulations Which are designed to fulfil specific roles in a given industry and sector
  • 4. Regulation is Industry & Jurisdiction specific US approach tends to be prescriptive and rules-based Australia has relied on a principles approach using a mixture of hard law-regulation, self regulation and soft laws Numerous soft laws – standards, guidelines and collections of best practices are available to best assist IT Compliance of organizations
  • 5. Set of Governance Principles for federal government agencies created by the Information Management Strategy Committee (IMSC) supported by the CIO Committee (CIOC) Australian Government Use of Information and Communications Technology: A New Governance and Investment Framework report Implemented by Australia as a member of OECD OECD Corporate Governance Principles 2004 Compliance Programs AS 3806 Corporate Governance of ICT AS 8015 Corporate Governance Standards Set AS 8000 Scope Standards & Principles
  • 6. Regulation is Industry & Jurisdiction specific The two common themes that run through these regulations are: Accuracy, Transparency and Reliability of information or data Processes Presentation is not intended to raise every statutory and common law provision that could apply in a given situation Focus here is only on the regulatory sections which are of particular relevance to IT Compliance
  • 7. Corporate Governance Self regulation has been undermined by recent collapses in US: Enron and WorldCom and in Europe Parmalat To restore shareholder and investor confidence, regulators worldwide have reacted by introducing a profusion of legislation and regulation US Sarbanes Oxley Act 2002 have implications in other economies and nations With impacts on related groups of companies in different countries Australia is not immune with corporate collapses including One.Tel, Ansett and HIH
  • 8. Corporate Governance Technology is now so pervasive and critical to the execution and delivery of many organisations’ product and services Organisations are becoming more reliant on IT even for the most basic business functions Few businesses can exist effectively and competitively today without an effectively managed IT environment
  • 9. Corporate Governance > IT Governance Definition of IT Governance is more than: ensuring a return on IT investments the strategic alignment of IT with business performance of IT projects identification and management of IT risks IT resource management
  • 10. Corporate Governance > IT Governance > IT Compliance Definition of IT Governance includes: Compliance of the increasing varieties of IT related legislation and regulations which are paramount to achieve IT Governance
  • 11. IT Governance an integral and essential part of Corporate Governance IT Compliance an aspect of
  • 12. Some Key Observations The challenge for CIOs is no longer just to keep the IT systems running but to ensure that every piece of business information is maintain with integrity and transparency Executives who initially view compliance as a business/ finance issue are recognising that it is also an IT systems issue It is not “just an auditor’s problem” but impacts the whole of the organisation as IT is now so pervasive and critical to the competitive success and survival in the business environment C-suite executives - CEOs, CFOs, COOs, CIOs, board members, directors, officers, staff, accountants, auditors all have roles to play
• 13. Some Key Observations
  - In many instances, using IT solutions may be the only way an organisation can meet regulatory and legal compliance, cutting the risk of error rather than relying on manual processes
  - IT professionals will need to develop:
    - a solid understanding of proper control theory and structure
    - an ongoing risk assessment process in IT management
    - and bring business and IT practices and processes into a cohesive whole!
  - It is a myth that there is an out-of-the-box IT “solution” to compliance
• 14. IT plays a major role in:
  - Internal Controls on Financial Reporting & Disclosure for companies
  - Operational Risks in the Banking Sector
  - Protection of Electronic Information
    - Security Management
    - Privacy
    - Cybercrime and Spam
  - Records Retention & Management
  - Other IT related Compliance legislation
• 15. Internal Controls on Financial Reporting & Disclosure
  - US Sarbanes-Oxley Act 2002
  - Corporations Act 2001 (CLERP 9)
  - Australian Stock Exchange (ASX) Listing Rules & ASX Corporate Governance Principles
  - Statements of Accounting Practice
  - Financial Services Reform Act (FSRA) e-Compliance hub
  - Investment and Financial Services Association (IFSA) Guidelines on Corporate Governance
• 16. US Sarbanes-Oxley Act 2002 (SOX)
  - The Act was passed by the US Congress in July 2002 to restore investor confidence in companies registered with the US Securities and Exchange Commission (SEC) after a series of business scandals and lapses in corporate governance
  - Applies to US subsidiaries operating in Australia and also to Australian companies listed in the US
  - The penalty for non-compliance is not just significant fines – it is jail time!
• 17. 1st CEO and CIO charged under SOX
  - CEO Richard Scrushy of HealthSouth Corporation was indicted on more than 85 counts, including fraud and signing off on false corporate statements that overstated earnings by at least US$1.4 billion
  - CIO Kenneth Livesay has pleaded guilty
• 18. US Sarbanes-Oxley Act 2002 (SOX)
  - Section 404: Evaluation (governance, measurement and recordkeeping) – deals with management’s assertion regarding the operating effectiveness of its internal control over financial reporting
  - Section 302: Control (internal controls) – requires the CEO/CFO to do more than simply pledge that the company’s finances are correct; they have to vouch for the processes used to add up the numbers and personally sign off on the financial statements
  - Section 409: Disclosure (reporting and certification) – requires “rapid and current” disclosure of material changes to the internal control structure or financial condition
• 19. The importance of IT in the Design, Implementation and Sustainability of internal control over financial reporting and disclosure
  - The impact on the IT department is immense, as material changes in the operational state of the organisation have to be reported in a timely manner
  - IT is inherently tied to the manner in which accounting transactions are initiated, recorded, processed and reported
  - IT is crucial to establish, evaluate and monitor the effectiveness of internal control over financial reporting
  - The Act demands greater transparency, not only in reporting financial figures but also in showing how these figures were arrived at – the audit trail
  - It demands an ongoing risk measurement process within IT management activities
• 20. What are some of the IT controls required?
  - Mapping the IT systems that support internal control and the financial reporting process to the financial statements
  - Ensuring that IT controls are updated and changed to correspond with changes in the internal control of financial reporting processes
  - A key control objective is the authorisation and safeguarding of assets and of access to IT systems, to ensure security, confidentiality and privacy
  - Possible IT control methodologies and frameworks:
    - Control Objectives for Information and related Technology (COBIT®)
    - Information Technology Infrastructure Library (ITIL)
• 21. Corporate Law Economic Reform Program (CLERP 9)
  - The Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 (CLERP 9) became law on 1 July 2004
  - CLERP 9 amends a number of Acts, including the Corporations Act 2001
  - Introduces significant changes to the regulation of corporate governance in Australia to give effect to reforms aimed at restoring public confidence in corporate Australia
  - Australia had already been moving in that direction – not just because of the US Sarbanes-Oxley Act
• 22. Corporate Law Economic Reform Program (CLERP 9)
  - Section 295A requires CEO/CFO sign-off that the financial records of the listed entity:
    - give a “true and fair view”
    - have been properly maintained in accordance with applicable laws; and
    - comply with Accounting Standards
  - The CIO parallels the CFO in ensuring that technology is in place to support the financial reporting and enable the CEO/CFO to provide these declarations
• 23. ASX – Principles of Good Corporate Governance
  - Contain 10 core principles and practice recommendations
  - Principle 4: Safeguard integrity in financial reporting – have a structure to independently verify and safeguard the integrity of the company’s financial reporting
  - Principle 7: Recognise and manage risk – establish a sound system of risk oversight and management and internal control
  - Recommendation 7.2: the CEO/CFO to provide written assurance to the board that risk management and internal compliance systems were operating effectively
• 24. Operational Risks in the Banking Sector
  - Basel II, or the “New Basel Capital Accord”, covers three types of risk – credit, market and operational – to ensure a more stable global financial system and greater protection for depositors
  - The Australian Prudential Regulatory Authority (APRA) is the regulator of the Australian financial services industry
  - In Australia, all authorised deposit-taking institutions (ADIs) will be required to implement the Basel II Framework
  - Proposed implementation starting point: from year end 2007
• 25. Basel II – APRA Implementation
  - “Operational risk” is broadly defined as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”
  - Operational risk centres around breakdowns in internal controls and corporate governance
  - Such breakdowns can lead to financial loss through error (manual or IT) and fraud, or cause the interests of the bank to be compromised through staff exceeding their authority
  - Some of the other events that could lead to operational risk include:
    - Damage to physical assets
    - Business disruption
    - Legal risks
    - Events and security
    - Transaction risk
• 26. Basel II – APRA Implementation
  - National Australia Bank has survived significant operational risk events recently, with foreign currency losses of $360 million, but the events have been quite damaging to the bank as well as resulting in significant loss to shareholders
  - Others, like Barings, have not been so lucky
  - Improvements in technology have allowed banks to better identify, measure and manage operational risks
• 27. Basel II – APRA Implementation
  - One of the key IT implications is the collection and management of the historical data required to implement Basel II
  - Historical data will have to be pooled from disparate systems, cleaned and stored in a central repository to be used by a system with the updated risk model
• 28. Basel II – APRA Implementation
  - Improving IT Risk Management: taking risk out of the IT component, as problems in one institution can be quickly transmitted to others due to the inter-networking of global financial systems
  - Business Continuity Planning: to ensure that the institution can continue to function and meet its obligations – regulatory or otherwise – in the event of a disruption
  - Standards: AS/NZS 4360 Risk Management Set; HB 221 Business Continuity Management
• 29. Protection of Electronic Information
  - The increased efficiency and capacity of computers and the interconnectivity of computer systems, especially via the Internet, have allowed easier access to electronic information
  - Electronic information is now pervasive, if not vital, for the essential operation of a modern day organisation
  - The CIO has increasing accountability for the integrity and consistency of information within the organisation
  - To secure information effectively, it needs to be secured from all perceivable threats
• 30. Protection of Electronic Information
  - From Unauthorised Access
  - From Unauthorised Use & Disclosure
  - From Interception
  - From Piracy & Copying
  - From Unauthorised Modification (alteration, deletion or addition)
• 31. Impact of the Misuse of Electronically Stored Information
  - Has a range of consequences that depend on the sensitivity and nature of the information
• 32. Protection of Electronic Information
  - Using Privacy Laws
  - Using Technical & Physical Means
  - Using Common Law
  - Using Copyright & Other IP Legislation
  - Using Spam & Cybercrime Laws
• 33. Protection of Electronic Information Using Technical & Physical Means – IT Governance, Compliance & Risk Management
• 34. Security Management Standards (not exhaustive)
  - AS/NZS ISO/IEC 17799 – Code of practice for information security management
  - AS ISO/IEC 13335 – Guidelines for the management of IT Security
  - HB 231 – Information security risk management guidelines
  - AS 7799 – Information Security Management
  - Protective Security Manual issued by the Attorney-General's Department – Commonwealth protective security policies, principles, standards and procedures
  - Australian Communications Electronic Security Instruction 33 by the Defence Signals Directorate – Guidance to Australian Government agencies on protecting their information systems
• 35. Protection of Electronic Information Using Privacy Laws – IT Governance, Compliance & Risk Management
• 36. JetBlue Airways Corporation and Acxiom Corporation
  - JetBlue and Acxiom disclosed 5 million passenger records to a military contractor at the request of the US Department of Defense, without the knowledge or consent of the affected passengers
  - The military contractor specializes in information mining and developed pattern recognition technology
  - Prior to September 2002, the military contractor was hired to determine how information might be analyzed for an antiterrorism study to track high-risk passengers or suspected terrorists
  - JetBlue faces class-action lawsuits filed by outraged customers
  - The CIO had unwittingly assumed the role of privacy compliance
  - One of the lessons learned: CIOs would be wise to play a central role in proactively shaping and enforcing data privacy policies, as guardians of data
• 37. Privacy Compliance
  - The Privacy Act 1988 (Cth) sets out 11 Information Privacy Principles (IPPs) that protect the privacy of persons dealing with the Federal Government
  - It has also been extended to regulate the way private sector organisations can collect, use, keep secure and disclose personal information, whether stored electronically or not
  - It only protects “Personal Information” and NOT Commercial Information
• 38. Privacy Compliance
  - There are 10 National Privacy Principles (NPPs) applicable in the private sector. The following are more pertinent to the “Protection of Electronic Information”:
    - NPP 2 – the use and disclosure of personal information
    - NPP 4 – data security; reasonable steps to protect personal information from misuse and loss and from unauthorised access, modification or disclosure
    - NPP 7 – prohibits the use of Federal government identifiers in the private sector, eg. Tax File Number
    - NPP 9 – the transfer of data to another country
    - NPP 10 – the use and disclosure of sensitive information (about an individual’s racial, political or religious beliefs, health, membership etc)
• 39. Other Privacy laws include:
  - Privacy and Personal Information Act 1998 (NSW) – applies personal privacy to the public sector in NSW
  - Telecommunications Act 1991 (Fed) – Part 13 – telecommunications service providers are required to maintain confidentiality (eg. ISPs in relation to internet logs of access to websites and time of access, copies of web contents accessed); disclosure may be permitted with a subpoena
  - Telecommunications (Interception) Act 1979 (Fed) – protects privacy by prohibiting interception of communications passing over telecommunications systems; interception may be permitted under warrant issued to eg. Police and ASIO
• 40. Other Privacy laws include:
  - Data-Matching Program (Assistance and Tax) Act 1990 (Fed) – regulates data matching between particular Federal departments, eg. Tax Office and Social Security
  - Health Records and Information Privacy Act 2002 (NSW) – governs the handling of health information in both the public and private sectors in NSW, including hospitals, doctors and other health care organisations
  - National Health Act 1953 (Fed) – covers privacy of personal information collected from Medicare claims and Pharmaceutical benefits
• 41. Industry Privacy Codes:
  - The NPPs set the baseline standards for privacy protection; organisations can create their own codes
  - Protection of Personal Information of Customers of Telecommunications Providers Code of Practice (PPIC) – for participants in the Communications Industry
  - Internet Industry Association (IIA) Provisions Code of Conduct – for the Internet Industry
• 42. Industry Privacy Codes:
  - Code of Banking Practice – protects customer privacy by contract, as an adjunct to the banker-customer relationship
  - Asia Pacific Smart Card Industry – applicable to privacy, security, loss and misuse of smart cards
  - Electronic Funds Transfer – ATM, EFTPOS, telephone or internet banking, credit card, stored value smart cards
  - Australian Direct Marketing Association Provisions Code of Conduct – for participants in Direct Marketing
• 43. Cybercrime
  - There are at least 13 Federal Acts which have some relevance to cybercrime
  - States and territories have their own legislation, which is not uniform, either in offence provisions or in penalties
  - The State and Territory offences apply within each jurisdiction, and Commonwealth offences target unlawful access to Commonwealth computers and data, and offences committed using a telecommunications service or carrier
  - The main legislation includes the Cybercrime Act 2001 (Federal) and the Crimes Amendment (Computer Offences) Act 2001 (NSW)
• 44. Cybercrime
  - Generally, the Australian provisions make it an offence for a person to do or attempt to do the following:
    - unauthorised access to a computer system
    - unauthorised access to or modification of data
    - impairment of electronic data and communication
    - impeding access to computers; and
    - possession of data with intent to commit a serious offence
• 45. Spam Act 2003
  - The Australian Spam Act 2003 came into effect on 11 April
  - An article covering “The impact of Australia's anti-spam legislation” is available from the ZDNet website at http://www.zdnet.com.au/insight/business/0,39023749,39116020,00.htm
• 46. Records Retention & Management
  - State and Commonwealth Archives Acts
  - AS ISO 15489 – Records Management Standard
  - State and Commonwealth Evidence Acts
  - Freedom of Information legislation
  - Tax Obligations
  - Other record retention obligations imposed by various legislation, depending on the environment in which the organisation operates
• 47. Other IT related Compliance Legislation
  - Electronic Transactions Act 1999
  - Trade Practices legislation (eg. eCommerce & Websites)
  - Occupational Health & Safety
  - Workplace Surveillance Bill 2005 (NSW)
  - Other State and Commonwealth laws
• 48. Thank you – Anthony Wong, ICT Counsel, Aequitas Attorneys