Sarbanes Oxley and Basel II Training (Version 9, Dec. 2005)

[lekatis]

Sarbanes Oxley and Basel II ...
...engaged in both projects?

Course Title
Sarbanes Oxley and Basel II Compliance Training:
Impact on IT and Information Security
5 days

Objectives:
The seminar has been designed to with the knowledge and skills needed to understand and support Sarbanes Oxley and Basel II compliance.

Target Audience:
This course is recommended for all managers and professionals who need to understand and speak the specialized languages of Sarbanes Oxley and Basel compliance, which must become the common language throughout their organization.

This course is highly recommended for:
• C – Level Executives
• IT and Information Security Directors, Managers and Professionals
• Risk and Compliance Officers
• IT and Security Process Owners
• Network, System and Security Administrators
• IT Auditors
• IT, Security and Management Consultants

Duration:
5 Days, 09:00 to 17:00. The last day from 17:15 to 19:00hrs we will discuss your issues and questions.

Course Synopsis:

• The Sarbanes Oxley Act
• The Need
• US federal legislation: Financial reporting or corporate governance?
• The Sarbanes-Oxley Act of 2002: Key Sections
• SEC, EDGAR, PCAOB, SAG
• The Act and its interpretation by SEC and PCAOB
• PCAOB Auditing Standards: What we need to know
• Management's Testing
• Management's Documentation
• Reports used to Validate SOX Compliant IT Infrastructure
• Documentation Issues
• Sections 302, 404, 906 and the three certifications
• Sections 302, 404, 906: Examples and case studies
• Management's Responsibilities
• Committees and Teams
• Project Team – Section 404: Reports to Steering Committee
• Steering Committee – Section 404: Reports to Certifying Officers and cooperates with Disclosure Committee
• Disclosure Committee: Reports to Certifying Officers and cooperates with Audit Committee
• Certifying Officers and Audit Committee: Report to the Board of Directors
• Control Deficiency
• Deficiency in Design
• Deficiency in Operation
• Significant Deficiency
• Material Weakness
• Is it a Deficiency, or a Material Weakness?
• Reporting Weaknesses and Deficiencies
• Examples
• Case Studies
• Public Disclosure Requirements
• Real Time Disclosures on a rapid and current basis?
• Whistleblower protection
• Rulemaking process
• Companies Affected
• International companies
• Foreign Private Issuers (FPIs)
• American Depository Receipts (ADRs)
• Types of ADR programs
• Employees Affected
• Effective Dates

• The Bank for International Settlements (BIS)
• The Basel Committee on Banking Supervision
• From the Young Plan (1930) to Basel II
• Regulatory supervision of internationally active banks
• The failure of the Bankhaus Herstatt and the crisis of confidence

• First Basel Capital Accord
• Formulating broad supervisory standards and guidelines
• Regulatory and economic capital
• Important objectives
• 1980s: The capital ratios of the main international banks are deteriorating
• Credit Risk
• Assets are weighted by factors
• On-balance sheet engagements
• Off-balance sheet engagements
• Examples of capital requirements
• December 1987: The Basel Capital Accord approved by the G10
• Basel I amendments

• The New Basel Capital Accord (Basel II)
• Realigning the regulation with the economic realities of the global banking markets
• New capital adequacy framework replaces the 1988 Accord
• Improving risk and asset management to avoid financial disasters
• "Sufficient assets" to offset risks
• The technical challenges for both banks and supervisors
• How much capital is necessary to serve as a sufficient buffer?
• The three-pillar regulatory structure
• Purposes of Basel II
• Scope of the application
• Pillar 1: Minimum capital requirements
• Credit Risk – 3 approaches
• The standardized approach to credit risk
• Claims on sovereigns
• Claims on banks
• Claims on corporates
• The two internal ratings-based (IRB) approaches to credit risk
• Some definitions: PD - The probability of default, LGD - The loss given default, EAD - Exposure at default, M – Maturity
• 5 classes of assets
• Pillar 2: Supervisory review
• Key principles
• Aspects and issues of the supervisory review process
• Pillar 3: Market discipline
• Disclosure requirements
• Qualitative and Quantitative disclosures
• Guiding principles
• Employees Affected
• Effective Dates

• Framework for internal control systems in banking organizations - Basel Committee on Banking Supervision
• The 13 Principles for the Assessment of Internal Control Systems
• The 13 Principles and COSO
• The control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
• Types of control breakdowns typically seen in problem bank cases
• The objectives and role of the internal controls framework
• The major elements of an internal control process
• Evaluation of internal control systems by supervisory authorities
• Role and responsibilities of external auditors
• Supervisory lessons learned from internal control failures

• Internal Controls - COSO
• The Internal Control — Integrated Framework by the COSO committee
• Using the COSO framework effectively
• The Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
• Effectiveness and Efficiency of Operations
• Reliability of Financial Reporting
• Compliance with applicable laws and regulations
• IT Controls
• Program Development and Program Change
• Deterrent, Preventive, Detective, Corrective, Recovery, Compensating, Monitoring and Disclosure Controls
• Layers of overlapping controls

• Operational Risk
• What is operational risk
• Legal risk
• Information Technology operational risk
• Operational, operations and operating risk
• The evolving importance of operational risk
• Quantification of operational risk
• Loss categories and business lines
• Operational risk measurement methodologies
• Identification of operational risk
• The Delphi method

• Operational Risk Approaches
• Basic Indicator Approach (BIA)
• Standardized Approach (SA)
• Alternative Standardized Approach (ASA)
• Advanced Measurement Approaches (AMA)
• Internal Measurement Approach (IMA)
• Loss Distribution (LD)
• Standard Normal Distribution
• “Fat Tails” in the normal distribution
• Expected loss (EL), Unexpected Loss (UL)
• Value-at Risk (VaR)
• Value-at Risk and Basel I amendment, 1996
• Value-at Risk and Basel II
• Calculating Value-at Risk
• Monte Carlo simulations
• Monte Carlo limitations
• Extreme Value theory
• Scoreboards
• Stress Testing
• Stress testing and Basel
• (AMA) Advantages / Disadvantages
• Recognition of the firms’ own modelling of operational risk losses
• “Weak banks”, internal and external audit and sound practices for operational risk
• Self assessment
• Key Risk Indicators
• Operational Risk Measurement Issues
• The game theory
• The prisoner’s dilemma – and the connection with operational risk measurement and management
• Operational risk management
• Operational Risk Management Office
• Key functions of Operational Risk Management Office
• Key functions of Operational Risk Managers
• Key functions of Department Heads
• Internal and external audit
• Operational risk sound practices
• Operational risk mitigation
• Insurance to mitigate operational risk

• COBIT - the framework that focuses on IT
• Is COBIT needed for compliance?
• COSO or COBIT?
• Corporate governance or financial reporting?
• Executive Summary
• Management Guidelines
• The Framework
• The 34 high-level control objectives
• What to do with the 318 specific control objectives
• COBIT Cube
• Maturity Models
• Critical Success Factors (CSFs)
• Key Goal Indicators (KGIs)
• Key Performance Indicators (KPIs)
• How to use COBIT for Sarbanes Oxley and Basel II compliance

• Scope of Sarbanes Oxley and Basel II Projects
• The most important challenge: The scope
• Discussing the scope with the external auditors
• Assumptions
• In or out of scope?
• Is it relevant?
• Using compliance as an excuse
• Computer Forensics Investigation?
• Business Intelligence?
• Business Continuity and Disaster Recovery?

• Meeting the Information Security Requirements of Sarbanes Oxley and Basel II
• Information security principles and best practices
• Classification, Sarbanes Oxley and Basel II
• IT and the changes demanded by the business
• Capturing, analyzing, integrating and reducing risk
• Evaluating current systems and processes
• Change and configuration management
• Common risk indicators

• Software and Spreadsheets
• Is software necessary?
• Is software needed?
• When and why
• How large is your organization?
• Is it geographically dispersed?
• How many processes will you document?
• Are there enough persons for that?
• Selection process
• Spreadsheets
• It is just a spreadsheet…
• Certain spreadsheets must be considered applications
• Development Lifecycle Controls
• Access Control (Create, Read, Update, Delete)
• Integrity Controls
• Change Control
• Version Control
• Documentation Controls
• Continuity Controls
• Segregation of Duties Controls
• Spreadsheets – Errors
• Spreadsheets and material weaknesses

• Third-party service providers and vendors
• Redefining outsourcing
• Outsourcing services and compliance
• The new definition of outsourcing
• Outsourcing after Sarbanes Oxley and Basel II
• Offshore outsourcing is also redefined
• Key risks of outsourcing
• What is needed from vendors and service providers
• SAS 70
• Type I, II reports
• Advantages of SAS 70 Type II
• Disadvantages of SAS 70 Type II
• Working with vendors and service providers

• Aligning Basel II and Sarbanes-Oxley projects
• The general expectations around Sarbanes Oxley and Basel
• From ensuring the overall safety and soundness of banks (Basel) to restoring investor confidence (Sarbanes Oxley)
• From the “under construction since the 1998” approach (Basel II) to the Sarbanes Oxley deadlines
• From the choice of risk management sophistication (Basel) to the specific SEC and PCAOB rules (Sarbanes Oxley)
• There is only one Sarbanes Oxley act but there are many different Basel II frameworks – the issue of discretion to individual jurisdictions for Basel II implementation
• Multinational companies and compliance issues
• US federal legislation and state law. The US constitutional challenges
• From the 1929 Companies Act (UK) to the 1933 Securities Act (USA) to Sarbanes Oxley: The need to avoid a federal intrusion into state reserved matters
• Auditing in the USA and auditing in UK: Very important differences
• Capital Requirements Directive (CRD)
• Markets in Financial Instruments Directive (MiFID)
• What will be the impact of MiFID to EU and non non EU banks?
• MiFID (Markets in Financial Instruments Directive) and Sarbanes Oxley and Basel
• Board review and approval
• Management responsibility
• Control objectives
• Risk identification and assessment
• Risk monitoring
• Risk mitigation
• Risk reporting
• Continuity plans
• Sufficient public disclosure
• Documentation challenges
• Effectiveness – design and operation
• Connecting the dots
• Common elements and differences of compliance projects
• New standards


United Kingdom:
Net-Security Training, Elvin House, Stadium Way, Wembley, Middlesex, HA9 0DW, Tel: 020 8900 9015


Middle East, Canada, Germany, France, Italy:
Intelligence Secured, Mauds Court, Long Lane, Tendring, Essex CO16 OBG, UK Tel: + 44 (0) 1206 790250


Singapore, Malaysia, Australia, Honk Kong, Taiwan, Thailand, Philippines, South Korea, New Zealand, Japan:
Fusion Frontier, Enquiry hotline: +65 9383 7726


The Netherlands:
CIBIT , Prof. Bronkhorstlaan 10-XII, 3720 AA Bilthoven, The Netherlands
Tel: +31 30 230 89 00


USA
In-company Training Courses
The first choice for many companies. Fully tailored training.
Presented exclusively for your own people. Saving time and money.

George Lekatis will work on your premises or at a venue of your choice,
on a fixed fee per day, for teams from 2 to 30
_________________
George Lekatis
President of the Sarbanes Oxley Compliance Professionals Association (SOXCPA)
www.sarbanes-oxley-association.com