US Company with Foreign Locations

  • I have a client that is headquartered in the US, but has operations in various foreign locations. Some locations are connected to the financial application at the headquarters. Others are not. To what extent do I need to test controls in the foreign locations? To what level will the foreign sites be scrutinized from a SOX perspective?

  • Depending on the level of technology used as it relates to financial data and the tools necessary to safeguard that data, you may have to plan on looking at those locations with regards to SOX. What has your external auditor stated about this?

  • My company is headquartered in Germany with presence in 194 countries and we are listed at NYSE, therefore we are obliged to achieve SOX compliance at all our entities.

  • I am currently working on a SOX project in Belgium (a Sub of a US Parent). If anyone needs SOX consulting in Europe or other international sites write me at I have been doing process and internal control work (now SOX) for 7 years. I also teach a seminar in Corporate Governance. This seminar can be taught in-house.

  • My company is headquartered in Germany with presence in 194 countries and we are listed at NYSE, therefore we are obliged to achieve SOX compliance at all our entities.
    Only the parent entity needs to achieve compliance - although you will need to assess controls in subsidiaries to achieve that. Some entities may be excluded on grounds of materiality.

  • I am working on a global company, listed at NYSE, in Japan. We’d like to know best practices of employee training of global companies about SOX.
    About important subsidiaries in China, Europe and others,

    • What kind of training for employees is applied?
    • What language is needed? Is only English enough?
    • Do we need to track the status and the result of training?
      😄 :oops:

  • Compliance Week (June 15, 2004)
    Article: 39 Questions To Expect From Your Audit Committee

    Question 2: Is there a formal training program in place to educate managers on their responsibilities?
    Question 3: Have managers and employees been trained on Committee of Sponsoring Organizations of the Treadway Commission (COSO) concepts and methodologies?
    It is important to provide the knowledge and skills needed to understand and support Sarbanes-Oxley compliance. You need to include in the training The Sarbanes Oxley Act, the PCAOB standards, the COSO and COBIT frameworks, the controls and the obligations.
    If you are a large multinational company and choose to develop your own material to cover your specific needs:
    Sarbanes-Oxley Needs Assessment
    A very important first step in order to determine the needs of a training program is a needs assessment. It is a systematic exploration of the way things are and the way they should be. The key is to seek the gap between the current situation and the desired situation.
    GAP Analysis
    Check the actual performance of people against standards. This includes the current state of skills, knowledge, and abilities of the current and/or future employees. Next, define the desired / necessary situation.
    Special consideration is needed in order to understand the actual needs that are not always the same as perceived needs, or ‘wants’. Many training programs have failed in the past and will continue to fail because the instructional designer did not understand the needs or wants of the company.
    There are two parts:
    A. Current situation
    Determine the current state of skills, knowledge, and abilities of employees. This analysis will also examine the organizational goals, climate, and internal and external constraints.
    Necessary actions include:
    • Review and assessment of available resource material, such as current awareness and training material.
    • Analysis of metrics related to training
    • Review of security plans for general support systems and major applications to identify system and application owners and appointed security representatives
    • Review of any findings and/or recommendations from oversight bodies
    • Meetings with owners of general support systems and major applications, and other organization staff whose business functions rely on IT
    B. Desired or necessary situation
    Identify the desired or necessary conditions for compliance. This analysis focuses on the necessary job tasks/standards, as well as the skills, knowledge, and abilities needed to accomplish these successfully. Distinguish actual needs from perceived needs.
    Measurements of the compliance training effectiveness
    The requirement to measure compliance performance is driven not only by organizational, but also by the Sarbanes-Oxley documentation and testing needs as well.
    Training metrics must be based on performance objectives (remember the COSO framework). Monitor the accomplishment of the goals and objectives by quantifying the level of implementation of the security controls and the effectiveness and efficiency of the controls, analyzing the adequacy of security activities and identifying possible improvement actions.
    The following matters must be considered during development and implementation of a compliance training program:
    • Metrics must yield quantifiable information (percentages, averages, and numbers)
    • Data supporting metrics needs to be readily obtainable
    • Only repeatable processes should be considered for measurement
    • Metrics must be useful for tracking performance and directing resources.
    Metrics Development and Implementation
    Two processes guide the establishment and operation of a security metrics program: metrics development and metrics implementation.
    The metrics development process establishes the initial set of metrics and selection of the metrics subset appropriate for the organization.
    The metrics implementation process operates a metrics program that is iterative by nature and ensures that appropriate aspects of Sarbanes Oxley compliance issues are measured for a specific time period.
