Sarbanes Oxley and Basel II Compliance Training: Impact on IT and Information Security

5 days


The seminar has been designed to provide participants with the knowledge and skills needed to understand and support Sarbanes Oxley and Basel II compliance.

Target Audience:

This course is recommended for all managers and professionals who need to understand and speak the specialized languages of Sarbanes Oxley and Basel compliance, which must become the common language throughout their organization.
This course is highly recommended for:
Directors, Managers and Professionals
Risk and Compliance Officers
Process Owners
Network, System and Security Administrators
IT Auditors
IT, Security and Management Consultants


5 Days, 09:00 to 17:00.

Course Synopsis:

The Sarbanes Oxley Act

The Need
US federal legislation: Financial reporting or corporate governance?
The Sarbanes-Oxley Act of 2002: Key Sections SEC, EDGAR, PCAOB, SAG
The Act and its interpretation by SEC and PCAOB
PCAOB Auditing Standards: What we need to know
Management's Testing
Management's Documentation
Reports used to Validate SOX Compliant IT Infrastructure
Documentation Issues
Sections 302, 404, 906 and the three certifications
Sections 302, 404, 906: Examples and case studies
Management's Responsibilities
Committees and Teams
Project Team – Section 404: Reports to Steering Committee
Steering Committee – Section 404: Reports to Certifying Officers and cooperates with Disclosure Committee
Disclosure Committee: Reports to Certifying Officers and cooperates with Audit Committee
Certifying Officers and Audit Committee: Report to the Board of
Control Deficiency
Deficiency in Design
Deficiency in Operation
Significant Deficiency
Material Weakness
Is it a Deficiency, or a Material Weakness?
Reporting Weaknesses and Deficiencies
Case Studies
Public Disclosure Requirements
Real Time Disclosures on a rapid and current basis?
Whistleblower protection
Rulemaking process
Companies Affected
International companies
Foreign Private Issuers (FPIs)
American Depository Receipts (ADRs)
Types of ADR programs
Employees Affected
Effective Dates

The Bank for International Settlements (BIS)

The Basel Committee on Banking Supervision
From the Young Plan (1930) to Basel II
Regulatory supervision of internationally active banks
The failure of the Bankhaus Herstatt and the crisis of confidence

First Basel Capital Accord

Formulating broad supervisory standards and guidelines
Regulatory and economic capital
Important objectives
1980s: The capital ratios of the main international banks are deteriorating
Credit Risk
Assets are weighted by factors
On-balance sheet engagements
Off-balance sheet engagements
Examples of capital requirements
December 1987: The Basel Capital Accord approved by the G10
Basel I amendments

The New Basel Capital Accord (Basel II)

Realigning the regulation with the economic realities of the global banking markets
New capital adequacy framework replaces the 1988 Accord
Improving risk and asset management to avoid financial disasters
"Sufficient assets" to offset risks
The technical challenges for both banks and supervisors
How much capital is necessary to serve as a sufficient buffer?
The three-pillar regulatory structure
Purposes of Basel II
Scope of the application
Pillar 1: Minimum capital requirements
Credit Risk – 3 approaches
The standardized approach to credit risk
Claims on sovereigns
Claims on banks
Claims on corporates
The two internal ratings-based (IRB) approaches to credit risk
Some definitions: PD - The probability of default, LGD - The loss given default, EAD - Exposure at default, M – Maturity
5 classes of assets
Pillar 2: Supervisory review
Key principles
Aspects and issues of the supervisory review process
Pillar 3: Market discipline

Disclosure requirements
Qualitative and Quantitative disclosures
Guiding principles
Employees Affected
Effective Dates

Framework for internal control systems in banking organizations - Basel Committee on Banking Supervision

The 13 Principles for the Assessment of Internal Control Systems
The 13 Principles and COSO
The control environment
Risk assessment
Control activities
Information and communication
Types of control breakdowns typically seen in problem bank cases
The objectives and role of the internal controls framework
The major elements of an internal control process
Evaluation of internal control systems by supervisory authorities
Role and responsibilities of external auditors
Supervisory lessons learned from internal control failures

Internal Controls - COSO

The Internal Control — Integrated Framework by the COSO committee
Using the COSO framework effectively
The Control Environment
Risk Assessment
Control Activities
Information and Communication
Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Compliance with applicable laws and regulations
IT Controls
Program Development and Program Change
Deterrent, Preventive, Detective, Corrective, Recovery, Compensating, Monitoring and Disclosure Controls
Layers of overlapping controls

Operational Risk

What is operational risk
Legal risk
Information Technology operational risk
Operational, operations and operating risk
The evolving importance of operational risk
Quantification of operational risk
Loss categories and business lines
Operational risk measurement methodologies
Identification of operational risk
The Delphi method

Operational Risk Approaches

Basic Indicator Approach (BIA)
Standardized Approach (SA)
Alternative Standardized Approach (ASA)
Advanced Measurement Approaches (AMA)
Internal Measurement Approach (IMA)
Loss Distribution (LD)
Standard Normal Distribution
“Fat Tails” in the normal distribution
Expected loss (EL), Unexpected Loss (UL)
Value-at-Risk (VaR)
Value-at-Risk and the Basel I amendment, 1996
Value-at-Risk and Basel II
Calculating Value-at-Risk
Monte Carlo simulations
Monte Carlo limitations
Extreme Value theory
Stress Testing
Stress testing and Basel
(AMA) Advantages / Disadvantages
Recognition of the firms’ own modeling of operational risk losses
“Weak banks”, internal and external audit and sound practices for operational risk
Self assessment
Key Risk Indicators
Operational Risk Measurement Issues
Game theory
The prisoner’s dilemma – and the connection with operational risk measurement and management
Operational risk management
Operational Risk Management Office
Key functions of Operational Risk Management Office
Key functions of Operational Risk Managers
Key functions of Department Heads
Internal and external audit
Operational risk sound practices
Operational risk mitigation
Insurance to mitigate operational risk

COBIT - the framework that focuses on IT

Is COBIT needed for compliance?
Corporate governance or financial reporting?
Executive Summary
Management Guidelines
The Framework
The 34 high-level control objectives
What to do with the 318 specific control objectives
Maturity Models
Critical Success Factors (CSFs)
Key Goal Indicators (KGIs)
Key Performance Indicators (KPIs)
How to use COBIT for Sarbanes Oxley and Basel II compliance

Scope of Sarbanes Oxley and Basel II Projects

The most important challenge: The scope
Discussing the scope with the external auditors
In or out of scope?
Is it relevant?
Using compliance as an excuse
Computer Forensics Investigation?
Business Intelligence?
Business Continuity and Disaster Recovery?

Meeting the Information Security Requirements of Sarbanes Oxley and Basel II

Information security principles and best practices
Classification, Sarbanes Oxley and Basel II
IT and the changes demanded by the business
Capturing, analyzing, integrating and reducing risk
Evaluating current systems and processes
Change and configuration management
Common risk indicators

Software and Spreadsheets

Is software necessary?
Is software needed?
When and why
How large is your organization?
Is it geographically dispersed?
How many processes will you document?
Are there enough persons for that?
Selection process
It is just a spreadsheet…
Certain spreadsheets must be considered applications
Development Lifecycle Controls
Access Control (Create, Read, Update, Delete)
Integrity Controls
Change Control
Version Control
Documentation Controls
Continuity Controls
Segregation of Duties Controls
Spreadsheets – Errors
Spreadsheets and material weaknesses

Third-party service providers and vendors

Redefining outsourcing
Outsourcing services and compliance
The new definition of outsourcing
Outsourcing after Sarbanes Oxley and Basel II
Offshore outsourcing is also redefined
Key risks of outsourcing
What is needed from vendors and service providers
SAS 70
Type I, II reports
Advantages of SAS 70 Type II
Disadvantages of SAS 70 Type II
Working with vendors and service providers

Aligning Basel II and Sarbanes-Oxley projects

The general expectations around Sarbanes Oxley and Basel
From ensuring the overall safety and soundness of banks (Basel) to restoring investor confidence (Sarbanes Oxley)
From the “under construction since 1998” approach (Basel II) to the Sarbanes Oxley deadlines
From the choice of risk management sophistication (Basel) to the specific SEC and PCAOB rules (Sarbanes Oxley)
There is only one Sarbanes Oxley act but there are many different Basel II frameworks – the issue of discretion to individual jurisdictions for Basel II implementation
Multinational companies and compliance issues
US federal legislation and state law. The US constitutional challenges
From the 1929 Companies Act (UK) to the 1933 Securities Act (USA) to Sarbanes Oxley: The need to avoid a federal intrusion into state reserved matters
Auditing in the USA and auditing in UK: Very important differences
Capital Requirements Directive (CRD)
Markets in Financial Instruments Directive (MiFID)
What will be the impact of MiFID on EU and non-EU banks?
Board review and approval
Management responsibility
Control objectives
Risk identification and assessment
Risk monitoring
Risk mitigation
Risk reporting
Continuity plans
Sufficient public disclosure
Documentation challenges
Effectiveness – design and operation
Connecting the dots
Common elements and differences of compliance projects
New standards

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License