Question 1. What Types Of Information Must Be Protected By Internal Controls According To Sarbanes-oxley?
Information should be considered nonpublic if it isn’t widely disseminated to the general public, including electronic information. Unauthorized disclosure of nonpublic data is a violation of federal securities laws. This information should be protected, but it should also be monitored to ensure it isn’t disclosed inappropriately.
Section 404 describes management’s responsibility for building internal controls around the safeguarding of assets related to the timely detection of unauthorized acquisition, use or disposition of an entity’s assets that could have a material effect on the financial statements. You need to demonstrate that you have the capabilities to monitor, detect and record electronic information disclosures.
Question 2. Since So Much Nonpublic Information Is Communicated Beyond E-mail Based On The Simple Mail Transfer Protocol, How Can We Build Internal Controls To Adequately Detect The Timely Disclosure Of Information Flowing Over Web Mail, Chat, Or Http?
In today’s networked world, it’s not just about e-mail. Management can’t ensure the truthfulness or accuracy of financial data if it doesn’t have the means to monitor the movement of sensitive information across the entire corporate network 24 hours a day, seven days a week.
Demand more from technology. New products are available that can monitor electronic disclosure of nonpublic information and aren’t limited to SMTP-based e-mail. These technologies can monitor, record and provide alerts on electronic disclosures by analyzing all information flowing over the corporate network from Web mail and chat to file transfer protocol and HTTP. This type of monitoring technology combined with a storage system that allows forensic searches into stored information can prove invaluable if an investigation is required.
Question 3. What Are The Penalties For Exposing Nonpublic Information?
The use of nonpublic information concerning a company or any of its affiliates (a.k.a. “inside information”) in securities transactions (“insider trading”), may violate federal securities laws.
Penalties can include:
- Exposure to investigations by the SEC.
- Criminal and civil prosecution.
- Relinquishing profits realized or losses avoided through use of the information.
- Penalties up to $1 million or three times the amount of any profits or losses, whichever is greater.
- Prison terms of up to 10 years.
Question 4. What Happens If I Am Investigated?
Compliance programs should be designed to detect the particular types of operational risks most likely to occur in a corporation’s lines of business.
Question 5. Will I Need To Prevent Electronic Disclosures From Occurring?
No compliance program can ever prevent 100% of misconduct by corporate employees. Nor do the regulations state that you must prevent internal disclosures –including electronic disclosures — from happening.
If investigated, you will need to show due diligence that you have the ability for an appropriate and rapid response to detect and deter misconduct that exposes your company to operational risk that may have a material effect on your business.
Question 6. What Role Should External Auditors Play In Compliance?
The Public Company Accounting Oversight Board was created through the Sarbanes-Oxley Act to oversee the auditors of public companies. The board recently approved Auditing Standard No. 2, an audit of internal control over financial reporting conducted with an audit of financial statements. The new standard highlights the benefits of strong internal controls over financial reporting and furthers the objectives of Sarbanes-Oxley.
Question 7. Are There Compliance Strategies I Can Deploy To Help Prove Due Diligence If Our Company Is Investigated?
Today, an offensive rather than a defensive compliance program is important.
Deploy strategies that provide you with the evidentiary support you need when things go wrong. New network security appliances designed to capture and record all electronic communication can provide forensic capabilities with automated reporting that corresponds to compliance needs.
These solutions must be deployed within an overarching compliance strategy that aligns with the business to continuously:
- Identify and monitor risks.
- Establish effective internal controls.
- Test the validity of the controls.
- Support CEO and CFO certifications.
- Conduct third-party audits.
- Monitor for changes in risks, controls and compliance needs.
- Adjust proactively, as needed.
Question 8. How Long Is The “reach Back” On Compliance Violations?
Section 804 of Sarbanes-Oxley extends the statute of limitations in private securities fraud actions to the earlier of two years after the discovery of the facts constituting the violation or five years from the violation.
Question 9. Who Is Personally Liable If There Is A Compliance Violation?
The CEO and the CFO must certify all financial statements filed with the SEC. The maximum penalty for Securities Exchange Act violations has increased to $5 million for individuals and $25 million for entities, as well as imprisonment of up to 20 years.
Section 802 of Sarbanes-Oxley states, “Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any records, documents, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any department or agency of the U.S. … or contemplation of any such matter or case, shall be fined … imprisoned not more than 20 years, or both.”
Question 10. What Action Should A Company Take If Nonpublic Information Is Inappropriately Exposed On Its Network?
If nonpublic information is inappropriately disclosed on your network, you must rapidly execute a response program to identify the extent of the exposure, assess the effect on the corporation and its customers, and notify all affected parties.
Section 409 of Sarbanes-Oxley mandates that companies publicly disclose additional information concerning material changes in the company’s financial condition or operations. While Sarbanes-Oxley contains many reporting requirements, real-time identification of material changes and disclosures (the consensus being 48 hours) is the most significant challenge.
General Law Interview Questions
Patent law Tutorial
Contract Law Interview Questions
Information Security Cyber Law Tutorial
Bankruptcy Law Interview Questions
Auditing Interview Questions