Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Manager's Guide to Compliance", Anthony Tarantino

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    BKMAGUCO.RVW 20070213 Manager s Guide to Compliance , Anthony Tarantino, 2006, 0-471-79257-8, U$50.00/C$64.99 %A Anthony Tarantino %C 5353 Dundas Street
    Message 1 of 1 , Mar 20 1:00 PM
    • 0 Attachment
      BKMAGUCO.RVW 20070213

      "Manager's Guide to Compliance", Anthony Tarantino, 2006,
      0-471-79257-8, U$50.00/C$64.99
      %A Anthony Tarantino
      %C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
      %D 2006
      %G 0-471-79257-8
      %I John Wiley & Sons, Inc.
      %O U$50.00/C$64.99 416-236-4433 fax: 416-236-4448
      %O http://www.amazon.com/exec/obidos/ASIN/0471792578/robsladesinterne
      http://www.amazon.co.uk/exec/obidos/ASIN/0471792578/robsladesinte-21
      %O http://www.amazon.ca/exec/obidos/ASIN/0471792578/robsladesin03-20
      %O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
      %P 315 p.
      %T "Manager's Guide to Compliance"

      In the preface, the author states that compliance (presumably with
      national laws such as Sarbanes-Oxley, or SOX, from the United States)
      is important even in an international market (where foreign
      regulations may not apply), primarily in terms of interest and
      insurance rates. He also compares government regulations, such as
      SOX, with "principles-based" standards such as ISO 27000, seeming to
      imply that the latter are not quite as significant.

      (Compliance has recently become a commodity rather than a condition.
      One of the indications of this change is that nobody seems to need to
      define what they mean by compliance any more. In this case, Tarantino
      is apparently talking about the various regulations, standards, and
      directives dealing with financial reporting.)

      The first six chapters of the book deal with various sections of SOX
      and implications they have for companies. Chapter one examines off-
      balance sheet items, such as contracts and agreements, and notes that
      the guidance from the Security and Exchange Commission has been
      confusing. Section 404, discussed in chapter two, is the directive on
      internal controls that is of such moment in information security. The
      author notes that a great many planning tools (generally spreadsheets)
      are used within companies in a completely uncontrolled manner, and
      frequently erroneously. Chapter three looks at section 406 and codes
      of ethics, while four notes section 409's requirements on material
      changes to company status. The implications of SOX for private
      companies are purportedly reviewed in chapter five, which basically
      promotes the pursuit of "good practices" and marginally mentions the
      provisions for non-reporting companies doing business with companies
      that must report. The excessive cost to small business is noted in
      chapter six. Chapter seven remarks that many foreign companies are
      delisting from American stock exchanges in order to avoid reporting
      provisions, but does not deal with the provisions for foreign
      companies that do substantial business with United States' firms that
      are covered by the Act. The United States' Office of Management and
      Budget (OMB) circular A-123 on the requirements for federal agencies
      to report on internal controls is outlined in chapter eight.

      Chapter nine looks at the Health Insurance Portability and
      Accountability Act (HIPAA). The banking industry's Basel II
      requirements for bank solvency is noted in chapter ten, along with the
      American Gramm-Leach-Bliley Act (GLBA) on privacy in banking
      operations. Australian, Canadian (actually only the Ontario
      Securities Commission standards 52-109 and 52-111, with no mention of
      the Criteria Control Committee [CoCo] of the Canadian Insitute of
      Chartered Accountants and other guidance), and the United Kingdom
      (Turnbull Guidance) standards on internal controls are examined in
      chapter eleven, with the 1999 Organization for Economic Cooperation
      and Development (OECD) Principles (particularly section 8) and the
      Corporate Governance Scoring (CGS) benchmarks briefly touched on in
      chapter twelve. Chapter thirteen outlines the International Financial
      Reporting Standards (IFRS), but not in detail.

      The chapters that follow rather tersely address issues that may have
      implications for or from the various standards: outsourcing is in
      chapter fourteen, legal penalties in fifteen, business penalties in
      sixteen, differences in revenue recognition in seventeen, and data
      retention standards in eighteen.

      Chapter nineteen notes a few software tools for assessing compliance.
      A sample checklist and flowchart (and some case studies) for auditing
      internal controls are in chapter twenty. The COSO (Committee of
      Sponsoring Organizations of the Treadway Commission) three-dimensional
      structure for assessing enterprise risk management and internal
      controls is given in chapter twenty-one. Chapter twenty-two reviews
      the United States' National Institute for Standards and Technology
      (NIST) document 800-30 on risk management and systems development life
      cycles. A rough mapping of the COBIT (Control OBjectives for
      Information Technology) items to the areas of the COSO structure and
      the Public Company Accounting Oversight Board (PCAOB, a provision of
      SOX) components is in twenty-three. Chapter twenty-four has a few
      further objectives from the COBIT lists. Australian Stock Exchange
      (ASX) principles are given a detailed treatment in chapter twenty-
      five, which is rather odd in view of the paucity of information in
      other sections.

      Another roundup of miscellaneous topics finishes off the book with
      chapters on segregation of duties (twenty-six), some "case studies"
      (twenty-seven), compliance project management (twenty-eight),
      governance and ethics (twenty-nine), and cost/benefit analysis
      (thirty, which gives hard data on costs: the benefits are mostly just
      suggested).

      While the collection of various frameworks could be helpful for those
      confused by the alphabet soup of assorted standards, the lack of
      detail in most areas is not. There is very little in the way of
      guidance in regard to actual compliance with the standards or
      directives: basically, even with this book, you are going to have to
      get diverse documents and work out the requirements for yourself.

      copyright Robert M. Slade, 2007 BKMAGUCO.RVW 20070213


      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      The simple fact that nobody understands you is not to be taken as
      proof that you are an artist
      Dictionary of Information Security www.syngress.com/catalog/?pid=4150
      http://victoria.tc.ca/techrev/rms.htm
    Your message has been successfully submitted and would be delivered to recipients shortly.