Could it be construed, then, that worrying about compliance isn't something one should be doing? That would be complacency. How can any organization be sure that it won't experience some type of fraudulent action that requires an investigation? To put it simply, it can't.
"The key is to be able to uncover wrong-doing inside of the company and cooperate with law enforcement and regulatory authorities to limit corporate liability. You don't often know whether someone's committing fraud, misappropriating company assets, or stealing your intellectual property until it's happened. You have choices, though: you can find out it's happened after you've suffered a huge loss, or you can intercept it when it's happening. You don't want to find out 2 years from now that someone in finance has been placing millions of dollars in offshore bank accounts," says Victor.
It was my understanding that the executives of these corporations are culpable for what occurs under their watch. It is actually more nuanced than that, and it is these nuances that underscore the importance of having a cohesive response plan in place.
As Victor illustrates, "First of all, the things that you have been seeing since 1999 (Enron, Tyco, etc.), involved executives who were actively taking part in the fraud of their companies, and were therefore held responsible. However, under Sarbox executives are culpable in that the CEOs and CFOs are signing off on the financial statements, essentially saying that they have evaluated the company's internal controls and they are effective. If it turns out that they didn't have good internal controls, they are going to be held accountable for having misstated the truth. I don't want to tie it only to executives though. The Board of Directors and the audit committee, specifically, are tasked with being able to investigate complaints about corporate fraud and accounting problems. Certainly the Board has a responsibility as well. To the extent that complaints are coming in, and the company is unable to investigate them effectively, unable to uncover what's going on, and at the same time the CEOs and CFOs are signing off that they have an adequate control structure, I think those executives are at great risk."
What about the companies that aren't necessarily large enough to report their finances to the SEC? Isn't it important for them to implement an incident response process and be in compliance with these regulations?