BKMAGUCO.RVW 20070213

"Manager's Guide to Compliance", Anthony Tarantino, 2006, 0-471-79257-8, U$50.00/C$64.99
%A Anthony Tarantino
%C 5353 Dundas Street West, 4th Floor, Etobicoke, ON M9B 6H8
%D 2006
%G 0-471-79257-8
%I John Wiley & Sons, Inc.
%O U$50.00/C$64.99 416-236-4433 fax: 416-236-4448
%O http://www.amazon.com/exec/obidos/ASIN/0471792578/robsladesinterne http://www.amazon.co.uk/exec/obidos/ASIN/0471792578/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/0471792578/robsladesin03-20
%O Audience i- Tech 1 Writing 1 (see revfaq.htm for explanation)
%P 315 p.
%T "Manager's Guide to Compliance"

In the preface, the author states that compliance (presumably with national laws such as Sarbanes-Oxley, or SOX, from the United States) is important even in an international market (where foreign regulations may not apply), primarily in terms of interest and insurance rates. He also compares government regulations, such as SOX, with "principles-based" standards such as ISO 27000, seeming to imply that the latter are not quite as significant. (Compliance has recently become a commodity rather than a condition. One of the indications of this change is that nobody seems to need to define what they mean by compliance any more. In this case, Tarantino is apparently talking about the various regulations, standards, and directives dealing with financial reporting.)

The first six chapters of the book deal with various sections of SOX and the implications they have for companies. Chapter one examines off-balance sheet items, such as contracts and agreements, and notes that the guidance from the Securities and Exchange Commission has been confusing. Section 404, discussed in chapter two, is the directive on internal controls that is of such moment in information security. The author notes that a great many planning tools (generally spreadsheets) are used within companies in a completely uncontrolled manner, and frequently erroneously.
Chapter three looks at section 406 and codes of ethics, while chapter four notes section 409's requirements on material changes to company status. The implications of SOX for private companies are purportedly reviewed in chapter five, which basically promotes the pursuit of "good practices" and marginally mentions the provisions for non-reporting companies doing business with companies that must report. The excessive cost to small business is noted in chapter six. Chapter seven remarks that many foreign companies are delisting from American stock exchanges in order to avoid reporting provisions, but does not deal with the provisions for foreign companies that do substantial business with United States' firms that are covered by the Act. The United States' Office of Management and Budget (OMB) circular A-123 on the requirements for federal agencies to report on internal controls is outlined in chapter eight. Chapter nine looks at the Health Insurance Portability and Accountability Act (HIPAA). The banking industry's Basel II requirements for bank solvency are noted in chapter ten, along with the American Gramm-Leach-Bliley Act (GLBA) on privacy in banking operations. Australian, Canadian (actually only the Ontario Securities Commission standards 52-109 and 52-111, with no mention of the Criteria Control Committee [CoCo] of the Canadian Institute of Chartered Accountants and other guidance), and United Kingdom (Turnbull Guidance) standards on internal controls are examined in chapter eleven, with the 1999 Organization for Economic Cooperation and Development (OECD) Principles (particularly section 8) and the Corporate Governance Scoring (CGS) benchmarks briefly touched on in chapter twelve. Chapter thirteen outlines the International Financial Reporting Standards (IFRS), but not in detail.
The chapters that follow rather tersely address issues that may have implications for or from the various standards: outsourcing is in chapter fourteen, legal penalties in fifteen, business penalties in sixteen, differences in revenue recognition in seventeen, and data retention standards in eighteen. Chapter nineteen notes a few software tools for assessing compliance. A sample checklist and flowchart (and some case studies) for auditing internal controls are in chapter twenty. The COSO (Committee of Sponsoring Organizations of the Treadway Commission) three-dimensional structure for assessing enterprise risk management and internal controls is given in chapter twenty-one. Chapter twenty-two reviews the United States' National Institute for Standards and Technology (NIST) document 800-30 on risk management and systems development life cycles. A rough mapping of the COBIT (Control OBjectives for Information Technology) items to the areas of the COSO structure and the Public Company Accounting Oversight Board (PCAOB, a provision of SOX) components is in twenty-three. Chapter twenty-four has a few further objectives from the COBIT lists. Australian Stock Exchange (ASX) principles are given a detailed treatment in chapter twenty-five, which is rather odd in view of the paucity of information in other sections. Another roundup of miscellaneous topics finishes off the book with chapters on segregation of duties (twenty-six), some "case studies" (twenty-seven), compliance project management (twenty-eight), governance and ethics (twenty-nine), and cost/benefit analysis (thirty, which gives hard data on costs; the benefits are mostly just suggested). While the collection of various frameworks could be helpful for those confused by the alphabet soup of assorted standards, the lack of detail in most areas is not.
There is very little in the way of guidance in regard to actual compliance with the standards or directives: basically, even with this book, you are going to have to get the diverse documents and work out the requirements for yourself.

copyright Robert M. Slade, 2007