Communications-SOX in General _and_amp; Whistleblower 954

  • We’re wanting to communicate SOX (an overview) to all employees. We’ve got a good start on what to communicate, but does anyone have any past experiences (good/bad) with this and any specific points to be sure to address?
    Also, we need to communicate our whistleblower policy and procedures to all staff. How have you handleds this? We have a large workforce made up of union and non-union. We’re getting some pushback from HR stating that we don’t have to communicate this to the hourly staff (which are union). I disagree with HR, but what are everyone elses thoughts?

  • You need compliance awareness and training curriculum providing learning paths individually suited to the needs of each sector of organizations (executive management, IT, security, sales and marketing, administration, users etc.)
    If someone is not aware of the risks and exposures, appropriate controls and protection are hardly likely to be employed.

    People must be motivated to take security more seriously.
    It is not bad to have really large classes - teams from 2 to 300.
    Another point of view…
    Training - a COBIT Requirement.
    I strongly believe that organizations want and try to use COBIT , where are specific, detailed control objectives associated with each IT process. For each of the 34 IT processes of the Framework, there are from three to 30 detailed control objectives, for a total of 318.
    Planning and Organisation
    Manage Human Resources
    Control over the IT process of: Managing human resources
    Business requirement: To acquire and maintain a motivated and competent workforce and maximise personnel contributions to the IT processes
    Enabled by: Sound, fair and transparent personnel management practices to recruit, line, vet, compensate, train, appraise, promote and dismiss.
    7.4 Personnel Training
    Management should ensure that employees are provided with orientation upon hiring and with on-going training to maintain their knowledge, skills, abilities and security awareness to the level required to perform effectively. Education and training programmes conducted to effectively raise the technical and management skill levels of personnel should be reviewed regularly
    This was general…
    Let’s go on
    Planning and Organisation
    Manage Projects
    Control over the IT process of: Managing projects
    Business requirement: To set priorities and to deliver on time and within budget
    Enabled by: The organisation identifying and prioritising projects in line with the operational plan and the adoption and application of sound project management techniques for each project undertaken
    10.12 Training Plan
    The organisation’s project management framework should require that a training plan be created for every development, implementation and modification project.
    My comments: Sarbanes Oxley is a huge project, training is absolutely important if you want to follow COBIT.
    Delivery and Support
    Educate and Train Users
    Control over the IT process of: Educating and training users
    Business requirement: To ensure that users are making effective use of technology and are aware of the risks and responsibilities involved
    Enabled by: a comprehensive training and development plan
    7.1 Identification of Training Needs
    In line with the long-range plan, management should establish and maintain procedures for identifying and documenting the training needs
    of all personnel using information services. A training curriculum for each group of employees should be established.
    7.2 Training Organisation
    Based on the identified needs, management should define the target groups, identify and appoint trainers, and organise timely training
    sessions. Training alternatives should also be investigated (internal or external location, in-house trainers or third-party trainers, etc.).
    Compliance Week (June 15, 2004)
    Article: 39 Questions To Expect From Your Audit Committee

    Question 2: Is there a formal training program in place to educate managers on their responsibilities?
    Question 3: Have managers and employees been trained on Committee of Sponsoring Organizations of the Treadway Commission (COSO) concepts and methodologies?

  • Also, we need to communicate our whistleblower policy and procedures to all staff. How have you handleds this? We have a large workforce made up of union and non-union. We’re getting some pushback from HR stating that we don’t have to communicate this to the hourly staff (which are union). I disagree with HR, but what are everyone elses thoughts?
    My understanding is that a whistleblower policy should be communicated to ALL staff.
    However, I also find the position of your HR to be rather distasteful. If you treat your hourly paid workers as second rate corporate citizens then you’ll get second rate work from them.

  • I absolutely agree with you Denis.
    SOA, if you want to persuade your company:
    Sarbanes-Oxley Act, Section 301.4
    (4) COMPLAINTS.Each audit committee shall establish procedures for
    (A) the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and
    (B) the confidential, anonymous submission by employees (my comment: all employees, not certain employees.) of the issuer of concerns regarding questionable accounting or auditing matters.’
    Whistleblower Policy and Procedures
    The policy applies to all domestic and international offices and subsidiaries of the Company.

    Be careful:

    1. Listen to employees when they express their complaints and concerns
    2. Communicate the program often within the organization.
      Ensure all employees understand HOW TO report complaints as well as confidential and anonymous submissions.
      The Section 301 requirements are important: The SEC’s rules direct the securities associations to prohibit the listing of any security of a company that is not compliant with them…

  • Quick question regarding whistleblower policy, this is the best thread to ask it. What is the deadline for implementing Section 301, specifically the whistleblower program, and what document prescribes that deadline?
    The SOX act itself says ‘270 days after enactment of this subsection’. Then, I see a PwC whitepaper that says ‘the earlier of (1) their first annual meeting after January 15, 2004 or (2) October 31, 2004’. I assume that the PwC paper is correctly informed, or was at the time it was written, but I don’t know what resource they are referencing to get those timeframes. Has the timeline been moved back a year?
    I’m new to SOX, and am still getting my mind around all of the documents that provide structure and guidance to the new laws. Please tell me what specific document I can reference to understand this deadline.

Log in to reply