IT and Information Security after Sarbanes-Oxley

  An open letter to IT and Information Security professionals
It is good to remember that nobody has promised that our financial
statements are accurate…

… we have promised adequate controls that provide reasonable
assurance that we do not have material misstatements, and can prevent
(not will prevent) or detect material misstatements on a timely basis.


Dear IT and Information Security professional,

Have you ever visited EDGAR?

No, not Mr. J. Edgar Hoover, the former director of the FBI. EDGAR
stands for Electronic Data Gathering, Analysis, and Retrieval. It is the
database of the Securities and Exchange Commission (SEC), the system
through which the SEC accepts electronic transmission of submissions
from filers (www.sec.gov/edgar/searchedgar/webusers.htm).

This is the first step, a great opportunity to learn what is happening in
your company. No kidding! All companies disclose to the public much
more information than they disclose to their employees. You will be able
to research your company’s financial information and operations and to
review registration statements, prospectuses and periodic reports filed
on Forms 10-K and 10-Q. Sometimes you can find important information
about recent corporate events reported on Form 8-K.

And what is the second step? To understand your company’s
disclosures. You will read exactly what you have promised to the public,
because this is what you are supposed to do. No, you will not read words
like information security, security breach, hacker, cyber attack, virus,
worm, computer attack, computer security, network intrusion, data theft,
cyber fraud. You may find the words interruption, disruption, failure. For
example, you may read that “system interruption and the lack of
redundancy in our systems may affect our sales”. You will also
understand why information security is no longer so important for
your organization. Of course, companies avoid explaining something
like that; it is simply out of the scope of the projects, there are no
auditors that ask questions, there are no deadlines, so we just do very
few things.

You don’t believe me? Please continue to read…



What your CEO and CFO have signed - 302 Certification
CERTIFICATION OF CHIEF EXECUTIVE OFFICER PURSUANT
TO SECTION 302
I, (name of the CEO), certify that:

1. I have reviewed this annual report on Form 10-K;

2. Based on my knowledge (A), this report does not contain any untrue
statement of a material fact (B) or omit to state a material fact (B)
necessary to make the statements made, in light of the circumstances
under which such statements were made, not misleading with respect to
the period covered by this report;

3. Based on my knowledge (A), the financial statements, and other
financial information included in this report, fairly present in all material
respects (B) the financial condition, results of operations and cash flows
of the registrant as of, and for, the periods presented in this report;

4. The registrant’s other certifying officer and I are responsible for
establishing and maintaining disclosure controls and procedures (as
defined in Exchange Act Rules 13a-15(e) and 15d-15(e)) and internal
control over financial reporting (as defined in Exchange Act Rules 13a-
15(f) and 15d-15(f)) for the registrant and have:

a) Designed such disclosure controls and procedures, or caused such
disclosure controls and procedures to be designed under our
supervision, to ensure that material information (B) relating to the
registrant, including its consolidated subsidiaries, is made known to us
by others within those entities, particularly during the period in which
this report is being prepared;

b) Designed such internal control over financial reporting, or caused
such internal control over financial reporting to be designed under our
supervision, to provide reasonable assurance (C) regarding the reliability
of financial reporting and the preparation of financial statements for
external purposes in accordance with generally accepted accounting
principles;

c) Evaluated the effectiveness of the registrant’s disclosure controls and
procedures and presented in this report our conclusions about the
effectiveness of the disclosure controls and procedures, as of the end of
the period covered by this report based on such evaluation; and

d) Disclosed in this report any change (D) in the registrant’s internal
control over financial reporting that occurred during the registrant’s
most recent fiscal quarter (the registrant’s fourth fiscal quarter in the
case of an annual report) that has materially affected (B), or is
reasonably likely to materially affect (B), the registrant’s internal control
over financial reporting; and

5. The registrant’s other certifying officer and I have disclosed, based on
our most recent evaluation (A) of internal control over financial
reporting, to the registrant’s auditors and the audit committee of
registrant’s Board of Directors (or persons performing the equivalent
functions):

a) All significant deficiencies and material weaknesses (E) in the design
or operation of internal control over financial reporting which are
reasonably likely to adversely affect the registrant’s ability to record,
process, summarize and report financial information; and

b) Any fraud, whether or not material, that involves management or
other employees who have a significant role in the registrant’s internal
control over financial reporting.

Date

Let’s understand better what we have just read:

(A) Based on my knowledge or based on our most recent (?) evaluation:
We do not promise that the financial information we disclose is accurate;
we just state that we do not know that it is not accurate. In other
words, we will kill the messenger of the bad news.

Try to stand in the shoes of your CEO. His fate depends heavily on the
company’s stock performance, and stock performance depends on
shareholders’ perception and the external auditors’ opinion, not
information security or better IT governance.

Every three months, the CEO has to disclose to the company’s
shareholders that, based on his knowledge, the financial statements and
other financial information fairly present in all material respects the
financial condition, results of operations and cash flows of the company.
Does he have any reason to pay six-figure fees to penetration testers and
ethical hackers, in order to receive a very scary report that describes
every conceivable hole in the company’s systems? After reading this
report, based on his knowledge, there are massive problems with the
internal controls that protect the financial information from unauthorized
modification, and to make things worse, the company’s staff cannot
handle them. He has the obligation to disclose the problems to the
public, and this disclosure will definitely not increase shareholder value
or his compensation. In fact, he will lose money, as he has stock options
that give him the right to buy stock from the company at a certain price
at a future date. And, according to Senator Carl Levin (D-Mich.):
“Virtually every corporate disaster that has struck in recent years has had
a stock option component.”

(B) The information disclosed presents in all “material” respects the
financial conditions of the company: We can read the word “material”
four times in the above 302 certification. Yes, we cannot provide
absolute assurance to the shareholders. But disclosing material
information only, whatever it means to anybody, gives opportunities to
mislead the public. “Material information” is any information that must
be given to shareholders in order to make informed decisions.

Dear IT and Information Security professional, do you have to disclose
all hacking attacks and information security risks? Definitely not, as
this is not “material” information for the financial condition of the
company. What about software bugs, zero day attacks, buffer overflows,
cross-site scripting? No. Avoid speaking about all these risks to the
auditors. It is “out of the scope” of Sarbanes-Oxley.

(C) The CEO has designed controls that provide “reasonable” assurance
regarding the reliability of financial reporting: If you promise to your life
partner (or your significant other) that you will disclose all your
“material” affairs with other persons, he/she will not feel that you have
provided “reasonable assurance” that you are honest with him/her, as
there is no excuse for any infidelity. (I do not believe that you can
persuade your significant other that it is adequate to comply with
Sarbanes-Oxley principles for your personal life too.)

(D) The CEO has disclosed “any change” in the internal control over
financial reporting that has materially affected or is reasonably likely to
materially affect the registrant’s internal control: What is the ugliest
word after Sarbanes-Oxley? The word change. IT professionals hate this
word and all change management procedures, as they believe that
documentation is not “the real job”.

So, we have to disclose all changes that may affect our ability to have
tested, documented and effective internal controls.

(E) The CEO has disclosed all “significant deficiencies” and “material
weaknesses” and “any fraud”. So, although there is a zero tolerance
approach for fraud, there is some tolerance for other deficiencies and
weaknesses. But, what is a significant deficiency or a material weakness?

According to the Auditing Standard No. 5 a “significant deficiency is a
deficiency, or a combination of deficiencies, in internal control over
financial reporting that is less severe than a material weakness, yet
important enough to merit attention by those responsible for oversight of
the company's financial reporting.”

According to the same Auditing Standard a “material weakness is a
deficiency, or a combination of deficiencies, in internal control over
financial reporting, such that there is a reasonable possibility that a
material misstatement of the company's annual or interim financial
statements will not be prevented or detected on a timely basis”

What is “reasonable possibility”? The Financial Accounting Standards
Board Statement No. 5, Accounting for Contingencies (FAS 5) describes
the likelihood of a future event occurring as “probable,” “reasonably
possible,” or “remote.” According to the Auditing Standard No. 2, every
time there is a “more than remote” likelihood of a misstatement, the
misstatement is reasonably possible. There is some fun there, as we try
to calculate the probability of each event, something that is very
subjective and very difficult. I still remember one of the slides during a
Sarbanes-Oxley training session for process owners: “We can define a
sub-set of n favorable elements, where n is less than or equal to N.
Probability is defined as the ratio of the favorable cases over total
cases, or calculated as: p=n/N”

Welcome to the new world, where mathematicians have become risk
managers.



What your CEO and CFO have signed - 404 Certification
The Sarbanes-Oxley 404 certification and the 404 http error messages are
very similar in one respect: Both do not explain what we should do.

The 404 http standard response code indicates that the client was able to
communicate with the server but either the server cannot find what was
requested, or it is configured not to fulfill the request and not reveal the
reason why.

After reading section 404 of the Sarbanes-Oxley Act, we feel that either
we do not find what was requested, or it is configured to give us
opportunities not to fulfill the request and not to reveal the reason why.

Section 404 is small, just 173 words. The CEOs spent $6.1 billion on
complying with it during 2005, just to explain to the shareholders that
they take the Sarbanes-Oxley Act seriously. These 173 words put U.S.
capital markets at a competitive disadvantage, driving initial public
offerings away from the New York Stock Exchange to the London
exchange that is advertising that it is “SOX free”.

Let’s read a 404 certification:

CERTIFICATION OF CHIEF EXECUTIVE OFFICER PURSUANT
TO SECTION 404

MANAGEMENT’S ANNUAL REPORT ON INTERNAL CONTROLS OVER
FINANCIAL REPORTING

The management of (company’s name) is responsible for establishing
and maintaining adequate internal control over financial reporting (as
defined in Rules 13a-15(f) and 15d-15(f) under the Securities Exchange
Act of 1934) for the company. The company’s internal controls over
financial reporting is designed to provide reasonable assurance
regarding the reliability of financial reporting and the preparation of
financial statements for external purposes in accordance with generally
accepted accounting principles.

Because of its inherent limitations, internal control over financial
reporting may not prevent or detect misstatements (A). Also, projections
of any evaluation of effectiveness to future periods are subject to the risk
that controls may become inadequate (B) because of changes in
condition or the deterioration of compliance with procedures or policies.

The management of (our company’s name) performed an evaluation as
of December 31, 2007 of the effectiveness of the company’s internal
control over financial reporting based on the Committee of Sponsoring
Organizations of the Treadway Commission’s (COSO’s) Internal Control
– Integrated Framework (C). Based on the review performed,
management believes that as of December 31, 2007 (our company’s
name) internal control over financial reporting was effective.

The independent registered public accounting firm (one of the big four)
as auditors of the consolidated financial statements of (our company’s
name) has issued an attestation report on management’s assessment of
(our company’s name) internal control over financial reporting.

Ohh!

(A) Because of its inherent limitations, internal control over financial
reporting may not prevent or detect misstatements: It is quite funny; we
promise very few things.

On one hand, the CEO accepts responsibility for establishing and
maintaining adequate internal control over financial reporting.

On the other hand, the CEO explains that these internal controls have
inherent limitations, so they may not prevent or detect misstatements. It
means that the financial statements may be accurate, but perhaps not.

How can he do something like that? After March 2004, we can read in
the Auditing Standard No. 2: “Internal control over financial reporting
cannot provide absolute assurance of achieving financial reporting
objectives because of its inherent limitations. Internal control over
financial reporting is a process that involves human diligence and
compliance and is subject to lapses in judgment and breakdowns
resulting from human failures. Internal control over financial reporting
also can be circumvented by collusion or improper management
override. Because of such limitations, there is a risk that material
misstatements may not be prevented or detected on a timely basis by
internal control over financial reporting.”

We can find exactly the same paragraph in the Auditing Standard No. 5.
This standard also agrees with the previous ones about the ability of the
auditors to find what is wrong: “Just as there are inherent limitations on
the assurance that effective internal control over financial reporting can
provide, there are limitations on the amount of assurance the auditor can
obtain as a result of performing his or her audit of internal control over
financial reporting. Limitations arise because an audit is conducted on a
test basis and requires the exercise of professional judgment.”

(B) Projections of any evaluation of effectiveness to future periods are
subject to the risk that controls may become inadequate: The CEO signs
that the controls are adequate today. Tomorrow is another day; he
cannot promise that the controls will continue to be effective. So, if there
is a material misstatement, perhaps it happened after the day he signed
that the controls were adequate.

Do you know that future plans are not controls, so plans are out of the
scope of Sarbanes-Oxley?

According to the Auditing Standard No 2: “Management's plans that
could potentially affect financial reporting in future periods are not
controls. For example, a company's business continuity or contingency
planning has no effect on the company's current abilities to initiate,
authorize, record, process, or report financial data. Therefore, a
company's business continuity or contingency planning is not part of
internal control over financial reporting.”

Be careful: Future plans, business continuity plans and disaster recovery
plans are out of the scope of Sarbanes-Oxley, but other elements of
business continuity are in the scope. Backups and off-site storage of
tapes are very important internal controls that must be tested and
documented.

(C) The management performed an evaluation of the effectiveness of the
company’s internal control over financial reporting based on the
Committee of Sponsoring Organizations of the Treadway Commission’s
(COSO’s) Internal Control – Integrated Framework: COSO stands for
the "Committee Of Sponsoring Organizations" (the American
Accounting Association, the American Institute of Certified Public
Accountants, Financial Executives International, the Institute of
Internal Auditors, and the National Association of Accountants, now the
Institute of Management Accountants). In 1992 they developed the
leading framework for evaluating the effectiveness of internal controls.

From the technical risk assessment to the COSO business risk assessment
Do you know what is the first word that pops into your mind after the
words “Sarbanes-Oxley”? The word “control”. The COSO paper repeats
this word 1368 times (in 163 pages!). We have been brainwashed.

Frequency analysis is a great tool in cryptanalysis (code breaking), but it
is also useful to “feel” a document. (Sorry! I started my career as a
mathematician and I cannot resist the temptation to use frequency
analysis.)

The word “internal” appears 846 times, about eight times the frequency
of the word “external” (123 times). It is obvious that COSO has shifted
the focus from network security and external threats to internal threats
and internal fraud.

The word “objective” appears in the COSO document 452 times. The
word “business” 124 times. The words “attack” or “defense” 0 times. It
is not encouraging that you will find the word “hacker” twice. Let’s read
COSO:

“Effective access security controls can protect the system, preventing
inappropriate access and unauthorized use of the system. If well
designed, they can intercept hackers and other trespassers” and

“Former or disgruntled employees can be more of a threat to a system
than hackers; terminated employee passwords and user IDs should be
revoked immediately. By preventing unauthorized use of and changes to
the system, data and program integrity are protected”

If only it were that simple!



Why are hackers no longer that important?
After Sarbanes-Oxley, every time I try to explain that external fraud and
hackers are not that important for shareholders and the public, there are
persons that protest:

“How could it be possible?”

“Can they understand the potential for fraud and criminal activities?”

Well, no, they can not understand and they don’t even try. To be honest,
we do not help them understand. In order to comply with Sarbanes-
Oxley we have to disclose to the public what has happened, not what
could happen. So, they never learn the potential for fraud, loss and
problems.

It is interesting to compare some incidents:

1. Vladimir Levin was a hacker from St. Petersburg, Russia. He hacked
into Citibank and stole more than $10 million. In March 1995 he was
arrested at London's Stansted Airport by Scotland Yard officers. Levin
was tried in New York. He was convicted and sentenced to three years in
jail. Citibank said that all but US$400,000 of the stolen money had been
recovered. Shareholders did not bother to learn more about the incident.

2. Senior executives of Mercury Finance Company, a subprime lending
company, tried to do exactly what Vladimir Levin did: To make some
money using their knowledge and experience. But, there is a difference.
Vladimir Levin’s fraud was external, he was not a corporate officer.
When senior executives commit fraud, shareholders take it very
seriously. The market capitalization of this company decreased by nearly
$2 billion in one day after the fraud was made public. The former CEO,
treasurer and accounting manager each pleaded guilty and were
sentenced to 10 years, 20 months, and 12 months, respectively. The
former CFO admitted his role and cooperated, but died before being
charged.

3. The Chaos Computer Club (CCC), based in Germany, is one big
“hacker organization”. They support the hacker ethics (!!!) and fight for
free access to computers and the technological infrastructure. Investors
don’t know them.

The hacker’s Achilles heel is the love for publicity. The members and the
friends of the Chaos Computer Club were no different, so they became
famous when they hacked a bank in Hamburg, Germany, and took DM
134,000. The money was returned the next day in front of the press. Very
few investors had learned about them.

In 1989, Karl Koch, who was affiliated with the Chaos Computer Club,
and some other hackers, crossed the line from looking for money to
sharing secrets with the Soviets. They were hired by the Soviet KGB to
break into US and western government and corporate computers and sell
secrets including operating system source code to the KGB. The German
Intelligence authorities announced that “this is a new quality of
espionage” and that they had awaited something similar but are
nevertheless surprised that it happened so soon and with such broad
effects.

Espionage and business intelligence incidents are very serious, and have
far-reaching consequences to shareholders’ value. Companies lose
billions of dollars each year through information leaks. Investors didn’t
understand and were not scared.

4. Charles Prince III was the Chairman and Chief Executive Officer of
Citigroup Inc. (NYSE:C). He was a very good and experienced leader.
In the first days of November, 2007, he elected to retire from Citi, after the
unexpected write-down of up to $11 billion in assets. Mr. Prince
commented that “Given the size of the recent losses in our mortgage-
backed securities business, the only honorable course for me to take as
Chief Executive Officer is to step down”.

The same month, a lawsuit was filed on behalf of Stephen Gray, a
participant in Citigroup's 401(k) Plan. According to the lawsuit,
Citigroup failed to prudently manage the Plan's assets, failed to provide
Plan participants with important information regarding Citigroup's
financial condition and failed to appoint and monitor the performance of
other fiduciaries. Some of the information that was not disclosed was
important to give shareholders the opportunity to make informed
decisions, like information about the degree of losses that Citigroup
faced.

The suit seeks class action status for participants in Citigroup's
retirement plans from January 1, 2007 to the present. Citigroup also faces
lawsuits from shareholders who accuse the group of having recklessly
spent money purchasing sub-prime loans. Citigroup has lost billions of
dollars doing so, but most other major banks had exactly the same
problems. Citigroup's share price dropped from $54.26 in June 2007
to $37.73 in November 2007.

If you compare the money public companies and shareholders lose
because of external fraud and hacking (some millions of dollars) with the
money they lose from internal fraud and wrong decisions (some billions
of dollars) it is easy to understand why shareholders do not really care
about good information security and IT governance.

Although we continue to insist that computers and systems are
increasingly vulnerable to hackers attempting to infiltrate networks, and
that most incidents can be prevented if the company has adequate
knowledge that the vulnerability exists, all these incidents do not seem
so important to shareholders. For them, information security protects the
company from cyber-vandalism and the defacement of the corporate web
sites, not from white collar crime and money sent offshore to SPVs
(Special Purpose Vehicles). What about cyber-war and massive attacks
on critical infrastructure? They just ignore this risk.

5. Sarbanes-Oxley was not the only effort to prevent corporate fraud. The
President’s Corporate Fraud Task Force has been trying to restore public
and investor confidence in America’s corporations following the wave of
major corporate scandals since July, 2002. The Task Force includes
senior Department of Justice officials, seven U.S. Attorneys and the head
of the Securities and Exchange Commission. In five years they have
yielded amazing results with 1,236 total corporate fraud convictions,
including 214 chief executive officers and presidents, 53 chief financial
officers, 23 corporate counsels or attorneys and 129 vice presidents. The
Task Force has brought charges for accounting fraud, securities fraud,
insider trading, market manipulation, wire fraud, obstruction of justice,
false statements, money laundering, Foreign Corrupt Practices Act
violations, stock option backdating and conspiracy, among others.

Hackers, you have lost the battle of publicity. Sophisticated internal
fraud artists are much better than you. They not only hack the company;
they are paid by the same company to do it as well!



Epilogue
With how many Sarbanes-Oxley-like Acts do you have to comply today?

No kidding! If you are listed in 4 different countries, perhaps you have to
comply with 4 similar but different SOX flavors and interpretations.

Sarbanes-Oxley is here to stay. I have heard several times that the Act
will definitely be relaxed, is no longer needed, or even that it will be
rewritten to meet international standards. Well, the opposite is
happening.

Not only do thousands of foreign companies try hard to
comply with the US Sarbanes-Oxley, but many countries also develop a
local version of this Act! We will have a flat world for public companies,
and Sarbanes-Oxley will be the common framework.

Although the 8th Company Law Directive is considered the European
post Sarbanes-Oxley regulatory retaliation, it is in fact a European
version of the Sarbanes-Oxley Act.

You may wonder why we speak about retaliation.

After the passage of the US Sarbanes-Oxley Act in 2002, US and non-US
companies listed on a US stock exchange have had the difficult task of
complying with the Sarbanes-Oxley Act.

After the passage of the European Union’s 8th Company Law Directive
on Statutory Audit (Directive 2006/43/EC), European and non-
European companies listed in any country of the European Union have
to comply with the 8th Company Law Directive. Now, the American
auditors have to be registered with the European national boards, just
like the European Union’s auditors, who had to be registered with the US
Public Company Accounting Oversight Board. EU Member States must
transpose the directive into national law before 29 June 2008.

And, as in the US SOX, there are extremely important extraterritorial
consequences. All the non-EEA (European Economic Area) countries,
the USA included, must prove that they have an “equivalent level of
regulation”, to protect their auditors that audit offshore companies with
EU listings from being subject to a tough European oversight regime.
Otherwise, auditors and audit firms from ‘third countries’ have to be
registered in the EU and be subject to oversight, quality assurance
and sanctions.

Companies listed in the EU are directly affected. From the changes in the
audit committee and the role of the board of directors to the new internal
controls requirements, professionals in EU-listed companies will face the
same or similar challenges as their American colleagues that have to
comply with the US SOX.

The Financial Instruments and Exchange Law is the Japanese version
of Sarbanes-Oxley. It is unofficially called J-SOX and it is really very
similar to SOX. There are requirements similar to the Sarbanes-Oxley
Act Sections 302 and 404 (management certification and management
evaluation and report on internal controls). Companies have to comply
on or after April 1, 2008.

In Canada, Bill 198 is known as the “Canadian Sarbanes and Oxley” Act
or CSOX. The date of full application is for the financial years ending on
or after June 30, 2006.

The moral of the story: You will not get rid of it! Learn how to provide
reasonable assurance to shareholders, and forget hackers, at least until
the next major corporate scandal that involves external fraud.

Sincerely,

George Lekatis
General Manager and Chief Compliance Consultant
Compliance LLC




Our web sites

A. Basel ii



Basel ii Training
Courses designed to provide the knowledge and skills needed to
understand and support Basel ii compliance.
www.basel-ii-training.com


Basel ii Training for the Board of Directors
The members of the Board of Directors not only need to exercise
oversight, but also to direct the organization to use Basel ii compliance
as a competitive advantage.
www.basel-ii-board-directors.com


Capital Requirements Directive Training
Courses designed to provide the knowledge and skills for the
implementation of Basel ii in the European Union.
www.capital-requirements-directive-training.com


Basel ii Accord
(Information and documents used in our compliance training classes)
Basel ii: The sections of the accord in an easy to read format.
www.basel-ii-accord.com


Capital Requirements Directive
(Information and documents used in our compliance training classes)
The common framework for the implementation of Basel ii in the
European Union. The directive in an easy to read format.
www.capital-requirements-directive.com




Basel iii Accord
(Information and documents used in our compliance training classes)
Basel iii: What is wrong in Basel ii – What will be included in the “even
more sensitive” accord, Basel iii.
www.basel-iii-accord.com


Basel ii, Structured Products and Securitization
(Information and documents used in our compliance training classes)
Basel II and the securitization markets. What is different. The efforts to
minimize exposure to sub-investment grade tranches, to avoid the
significant amount of regulatory capital banks have to hold.
www.basel-ii-securitization.com


B. Sarbanes Oxley



Sarbanes Oxley Training
Courses designed to provide the knowledge and skills needed to
understand and support Sarbanes-Oxley compliance.
www.sarbanes-oxley-training.com


J-SOX Training in Japan
Course: "From SOX to J-SOX: Lessons Learned from the
Implementation of Sarbanes Oxley Act in the USA and the World"
www.j-sox-training.com


Sarbanes Oxley Act
(Information and documents used in our compliance training classes)
Sarbanes-Oxley Compliance: The Act in an easy to read format, Auditing
Standards, resources.
www.sarbanes-oxley-act.biz


            C. EU - Financial Services Action Plan


MiFID Training
Training and Presentations. From the four-level approach (the
Lamfalussy process) to the MiFID implementation, the differences and
the opportunities for competitive advantage in the EU and offshore.
www.mifid-training.net


MiFID Training for the Board of Directors
The members of the Board of Directors not only need to exercise
oversight, but also to direct the organization to use the Markets in
Financial Services Directive (MiFID) compliance as a competitive
advantage.
www.mifid-board-directors.com


8th Company Law Training
The European Sarbanes Oxley: Similarities and differences between 8th
Company Law Directive of the European Union and the Sarbanes-Oxley
Act of the USA. Implementation and compliance training and
presentations.
www.8th-company-law-training.com


Risk Committee Training
Presentations and training for the Risk Committee of the Board of
Directors that increase awareness and effectiveness. Special
consideration is given to the new need to provide “evidence” and keep
records and documents for years, and to new regulatory and legal
obligations.
www.risk-committee-training.com


Solvency ii Training
Courses and presentations designed to provide the knowledge and
skills needed to understand and support compliance with the Solvency ii
and the Reinsurance directives of the European Union. The
implementation of the Solvency II regime can benefit greatly from the
experience and lessons learned during the Basel II projects in the world.
www.solvency-ii-training.com


Reinsurance Directive Training
Courses and presentations designed to provide the knowledge and
skills needed to understand and support compliance with the
Reinsurance Directive of the European Union.
www.reinsurance-directive-training.com


UCITS iii training
From the Management Directive and the Product Directive, to UCITS iii
compliant funds, sophisticated UCITS, hedge funds and alternative
investments, onshore and offshore legal structures and products
authorized under different regimes.
www.ucits-iii-training.com


European Exchange Traded Funds Training (ETFs)
UCITS iii and MiFID Training and Presentations. Providing Financial
Services to the European Clients, Training and Presentations. ETFs
based on alternative assets such as commodities with UCITS iii status.
ETFs that are UCITS iii compliant domiciled in EEA countries.
www.etf-training.com


Hedge Funds Compliance Training
Hedge Funds, Collective Investments, Structured Products, and the
directives of the European Union. UCITS iii, MiFID, 8th Company Law,
Capital Requirements Directive, legal structures, marketing of funds,
management and administration at the 30 countries of the European
Economic Area.
www.hedge-funds-compliance.com


Financial Conglomerates Directive Training and Presentations
We can help your organization understand better the Financial
Conglomerates Directive in the context of the Financial Services Action
Plan of the European Union.
Common elements with the Capital Requirements Directive (Basel ii in
the EU) and the Financial Services Action Plan.
www.financial-conglomerates-directive.com/Presentations.htm


The Financial Services Action Plan
There are 42 original measures: Some are non-legislative, a few are
regulations, and there are almost 30 directives. Over 20 of the original
measures are likely to affect the financial sector.
www.financial-services-action-plan.com


The Markets in Financial Instruments Directive (MiFID)
(Information and documents used in our compliance training classes)
MiFID is a very important part of the European Union's Financial
Services Action Plan. The directive in an easy to read format.
www.markets-in-financial-instruments-directive.com


European Savings Tax Directive (ESD)
(Information and documents used in our compliance training classes)
Tax competition and the European Union. The G-7 and the offshore
financial centers (OFCs). Basel ii and the European Savings Tax
Directive (ESD). The directive in an easy to read format.
www.savings-tax-directive.com


European Savings Tax Directive Training and Presentations
The Savings Tax Directive in the context of the Financial Services
Action Plan of the European Union.
The tax competition: Higher-tax nations and the offshore financial
centers. From the "automatic exchange of information" option to the
"withholding tax" option. Opportunities for a competitive advantage.
www.savings-tax-directive.com/Presentations.htm


The 8th Company Law Directive
(Information and documents used in our compliance training classes)
The 8th Company Law Directive is similar to the US Sarbanes Oxley Act.
This directive is called the European Sarbanes Oxley. Although there are
important similarities, there are also very important differences.
The directive in an easy to read format.
www.8th-company-law-directive.com


European Sarbanes Oxley
(Information and documents used in our compliance training classes)
After the US Sarbanes-Oxley Act, we have the Japanese Sarbanes-Oxley
Act (J-SOX) and the European Sarbanes Oxley Act (8th Directive in the
context of the European Union’s Financial Services Action Plan).
www.european-sarbanes-oxley.com


Financial Conglomerates Directive
(Information and documents used in our compliance training classes)
The Financial Conglomerates Directive tries to introduce supplementary
supervision of financial conglomerates on a group-wide basis, in
addition to both the prudential supervision of regulated entities on a
standalone basis and consolidated supervision on a sectoral basis.
The directive in an easy to read format.
www.financial-conglomerates-directive.com


The EU Reinsurance Directive
(Information and documents used in our compliance training classes)
Reinsurance allows direct insurance undertakings to have a higher
underwriting capacity and reduce their capital costs. The Directive
forms part of the European Union’s Financial Services Action Plan,
which aims to create a single market in financial services in the
European Union.
www.reinsurance-directive.com


UCITS iii
(Information and documents used in our compliance training classes)
UCITS stands for Undertakings for Collective Investments in
Transferable Securities.
The UCITS iii directive consists of two directives that regulate funds
sold across the EEA.
www.ucits-iii.com


European Exchange Traded Funds (ETFs)
(Information and documents used in our compliance training classes)
In the European Economic Area many Exchange Traded Funds are
traded as cross border UCITS iii funds. Compliance and
acknowledgement of the UCITS status is of paramount importance for
the freedom to provide services in all 30 countries of the EEA.
www.european-exchange-traded-funds.com


Risk Committee of the Board of Directors
(Information and documents used in our compliance training classes)
The Board of Directors has risk management responsibilities that are
defined not only by best practices and guidelines, but also by laws and
regulations. The Risk Committee must assist the Boards in assessing the
risks to which the organization is exposed.
www.risk-committee.com



                       D. Other Web Sites



Board of Directors Compliance Training
Risks to serving directors have risen exponentially after the new Basel
Capital Accord, the US Sarbanes Oxley Act, the European Sarbanes
Oxley (8th Company Law Directive), the Japanese Sarbanes Oxley
(Financial Instruments and Exchange Law, J-SOX), and the European
Union's Financial Services Action Plan that includes MiFID (Markets in
Financial Services Directive).
www.board-of-directors-compliance-training.com


Off Balance Sheet
(Information and documents used in our compliance training classes)
From Enron and BCCI, to the Sarbanes-Oxley Act and Basel ii.
Off Balance Sheet Entities and items. If a company has an asset or a
liability, and it's not on the balance sheet, then where is it?
www.off-balance-sheet.com


Compliance and Outsourcing Research Project
(Information and documents used in our compliance training classes)
Outsourcing was a way to reduce cost. Outsourcing becomes a way to
transfer compliance.
Outsourcing after Basel ii, Sarbanes-Oxley, and the European Union's
Financial Services Action Plan.
www.compliance-and-outsourcing.com


Compliance LLC
Compliance LLC is a leading provider of Basel ii, Sarbanes Oxley,
MiFID and the European Union's Financial Services Action Plan
training, executive coaching and consulting in more than 30 countries.
www.compliance-llc.com


Compliance LLC
HQ: 1220 N. Market Street Suite 804, Wilmington, DE 19801, USA
Mail: 1200 G Street NW Suite 800, Washington, DC 20005, USA

Tel: +1 (302) 342-8828
Web: www.compliance-llc.com


Lyn Spooner:          +1 (302) 342-8828 Ext. 1
Email :               lyn@compliance-llc.com

George Lekatis:       +1 (302) 342-8828 Ext. 5
Email:                lekatis@compliance-llc.com
