The business world is becoming more regulated with all companies, regardless of industry, needing to respond to constantly changing laws and standards.
While recent events have showcased increased regulatory activity in two principal industries — namely financial services and healthcare — 2010 and beyond will present complex compliance challenges regardless of industry.
This year, three additional areas of compliance focus will undoubtedly command attention: 1) The American Recovery and Reinvestment Act of 2009 (ARRA); 2) the Payment Card Industry (PCI) Data Security Standard (DSS); and 3) the Foreign Corrupt Practices Act (FCPA).
ARRA is designed to spread the opportunity around.
The ARRA provides commercial opportunities for companies in a broad range of industry sectors rather than targeting any specific industry. Principal industry beneficiaries of the ARRA include energy, science and technology, healthcare, education and construction related to the modernization of roads, bridges, transit and waterways. Along with opportunity, however, the ARRA demands unprecedented accountability from recipients to ensure that the way the funds are spent is in alignment with the ARRA’s intent. The recipient reporting requirements include a host of confirmations, including:
- Recovery funds were received
- Recovery funds were expended for or obligated to projects or activities
- A detailed list of all projects or activities, including: name; description; completion status; jobs created or retained; and, for infrastructure, purpose, total cost and rationale
- Subcontracts or subgrants awarded, including that prime recipients are responsible for managing sub-contractor reporting requirements
- Contractors and subcontractors have Central Contractor Registration (CCR) information and a Dun and Bradstreet Universal Numbering System (DUNS) number
- Funds have not been commingled
- Activity reporting, excluding any additional reporting required by Federal agencies beyond the ARRA requirements
Regardless of industry, fund recipients will need to ensure their internal controls are optimized, that they’ve performed a compliance readiness assessment and that the resulting compliance processes are in place to effectively report compliance with ARRA requirements.
Pressure on the payment card industry is intense.
It’s not just ARRA requirements that will be a major compliance focus for many businesses this year. Any business in any industry that accepts, stores, manages, processes or transmits payment card information will be subject to intense scrutiny. The specific validation and assessment procedures vary from one organization to another, but there are no exceptions, even for a business that processes just one payment transaction in a year.
The PCI DSS is a multifaceted security standard intended to help organizations protect their valued customers’ account data and prevent identity theft and payment card fraud. In today’s world of ever-expanding use of electronic payments, PCI compliance is one of the most important issues facing business owners and consumers alike.
The payment card industry is under intense pressure from banks, service providers and merchants to improve their data security. And the PCI DSS was designed to facilitate the broad adoption of consistent data security measures on a global basis.
Many businesses have faced heavy fines because they did not properly protect their customers’ sensitive payment card information, leaving vulnerabilities in their computer network systems, which provided a “back door” for hackers.
Noncompliance with PCI DSS may result in:
- Loss of ability to accept payment cards
- Fines and fees
- Lawsuits
- Federal oversight
- Lost customers
- Loss of investor confidence
The core of PCI compliance consists of the following six groups with 12 accompanying requirements:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
FCPA enforcement expected to stay high in 2010.
Governments and law enforcement everywhere have stepped up efforts to combat fraud, but its pervasive nature compounds the difficulty of stopping fraud before it occurs. The U.S. Foreign Corrupt Practices Act was designed to halt bribery of foreign officials and restore public confidence in the integrity of the American business system. Enforcement of the FCPA is at an all-time high. From a compliance perspective, U.S. global businesses can expect enforcement to stay high in 2010.
Continued strong enforcement of FCPA means U.S. global corporations, regardless of industry sector, will need to comply with the following two primary sets of provisions:
- Anti-bribery – prohibits bribery of foreign government or political officials for the purpose of obtaining or retaining business or securing any improper business advantage
- Accounting standards and internal controls – requires SEC-registered or reporting issuers to make and maintain accurate books and records and to implement adequate internal accounting controls
As organizations review their approach to FCPA regulations, they should keep the following better practices in mind:
- Perform an inventory analysis of business partners, agents and other third parties: Are any of them state owned? Are any employees government officials?
- Determine potential exposure to or contacts with foreign-government officials (including employees of state-owned businesses)
- Understand the services to be provided and how the payments will be made
They should also conduct a red-flag analysis and resolve any findings as appropriate. Red flags include:
- New customers being granted unusual credits
- Inconsistent invoicing or over-invoicing
- Requests that payments be made to a third party or in a third country
- Foreign operations managers receiving unusual bonuses
- Requests for extravagant gifts
- Large commissions, retainers or fee requests
- Unusually high service-related fees
- Premiums added to contracts
- Requests for cash
The times are changing. Interest in regulatory compliance is at an all-time high. And although it’s easy for organizations to lose focus when attention seems directed toward a couple of high-profile industries, establishing an effective, comprehensive corporate compliance process is an imperative.
Compliance does matter. Complacency toward ARRA, PCI, FCPA and other compliance initiatives is not an option, especially when the potential consequences of inaction are considered.
**********
Gary Sturisky is Global Practice Leader, Risk Advisory Services, with Jefferson Wells, a global provider of professional services in risk advisory, finance and accounting, and tax.
He is a recognized expert and author on the topic of governance, risk and compliance, a sought-after contributor to leading professional journals and a frequent speaker at international and domestic conferences.
Gary holds a MBA from Duke University, a MS (Accounting) from the Georgia Institute of Technology and a BS (Accounting) from the University of South Africa. He is a Certified Public Accountant, a Certified Management Consultant and a Certified SAP Consultant. You may e-mail Gary at gary.sturisky@jeffersonwells.com.