Radian Compliance Management Services

We peruse the Internet headlines so you don’t have to. Here are the recent SOX and GRC headlines (and links) we felt are newsworthy:

PCAOB Reports on Ernst & Young Audit Problems - The Public Company Accounting Oversight Board found problems with four audits conducted by Ernst & Young in its latest inspection report.

Audit Board Finds Fault with BDO Seidman - The accounting firm should have done more work to support its audit opinions for five of its clients, according to the PCAOB.

Stryker Corp raises spending in quality, compliance - It plans to spend $50 million in 2008 to improve its quality and compliance as it works to resolve issues with federal health regulators.

IRS E-Crimes Program Needs Better Controls - E-Crimes has not established some common and necessary internal controls over digital evidence seized during investigations.

FEI Survey: Average 2007 SOX Compliance Cost $1.7 Million - Financial Executives International (FEI) announced today the results of its seventh Sarbanes-Oxley compliance survey, which found that Section 404 compliance cost Corporate America less in year four of adoption than in each of the first three years.

Risk climbs to top of corporate to-do list - Subprime losses spawn board-level risk committees. Sign of the times: Hot job title is Chief Risk Officer.

Accounting Degrees Reach 36-Year High - Hiring by firms in 2006-2007 shot up 83 percent over the previous three years, according to the report. Sixty-seven percent of the firms that responded to the AICPA survey anticipate they will continue to increase their hiring.

US audit watchdog eyeing hard-to-value securities - U.S. banks and other companies have struggled with valuing securities linked to the subprime mortgage crisis and Wall Street has been forced to write down billions of dollars in related losses in recent months.

April 22, 2008 — Network World — Researchers are touting an innovative cryptography method they’ve developed called "functional encryption," which though largely untested in the real world, one day could have an impact on how enterprise data is encrypted, stored and decrypted.

UCLA associate professor Amit Sahai, who has worked with UCLA computer-science alumnus Brent Waters on functional encryption for three years, says the technology lets an individual encrypt data in a way that lets people decrypt it only if they have the right "attributes."

"The mathematical system will produce an encrypted record that only people matching the criteria can decrypt," says Sahai, who recently published a paper on functional encryption with Waters that was presented at last week’s Eurocrypt Conference. "To do this, you get a personalized key that expresses your attributes bound up in one key."

In an enterprise environment, the attributes bound up in users’ encryption keys might be associated with just a name or also with the jobs they do that require restricted access to scrambled data in business, government or a university. "There could be a one-way decryption function used in many ways in both custom or Web applications, for example," Sahai says Each personalized key, expressing the security attributes of what that person is permitted to view, would unlock only the appropriate encrypted data and nothing else.

A user’s key would be able to decrypt scrambled data because the data, always stored in encrypted form, would recognize through a mathematical process the people holding the right key with the appropriate attribute associated with that data. "It’s through all this math packed into the message that the reader is recognized," says Sahai, who says functional encryption makes use of elliptic-curve encryption, which is seen as computationally efficient.

Sahai says the hope is that the work he and his colleagues have done will one day improve server-based security. "We really want to make it so the server has no idea what it’s holding," he says. "Instead, we want to make sure the right people get the data, and this is through the mathematics itself."

Although Sahai says his technology can’t properly be called digital-rights management, he says it could be viewed as a type of "privacy-rights management" based on the concept of a system public key. The challenge of devising a tool for functional encryption is not just the complex math but also making sure the system can withstand so-called "collusion attacks" to undermine its integrity, Sahai says.

Earlier versions of a functional-encryption software tool were made public in the past at UCLA, and Sahai says he will soon make available a new version of the functional encryption tool for review so experts can test its efficacy.

The paper will also be published in a forthcoming edition of the Journal of Cryptography. UCLA says the research into functional encryption has been funded in part by the National Science Foundation, the U.S. Army Research Office and the U.S. Dept of Homeland Security.

Bank Technology News  |  May 2008

The risk in supply chains is growing as businesses expand their outsourcing efforts, says risk-consulting firm Kroll of New York. A survey found that 42 percent of companies had suffered from either theft of physical assets or other incident of supplier fraud, a problem which has manifested itself from lost or stolen funds to the importation of dangerous materials (remember melamine in pet food?)



As part of some corrective steps, Kroll points out that the payment and financial activity with a supplying vendor could provide fraud-vetting clues for companies and their financial institutions. Among the suggestions is that firms modernize accounts payable systems to fully automate purchase order/invoice comparisons and gain more understanding into the calculation of charges. Traders must also invest in data mining and reporting capabilities to figure out where payment matching and approval systems are weakest: falsified invoices that have telltale signs of dramatic payment increases to one vendor; a high number of transactions conveniently coming in under audit thresholds; or consecutive invoice numbers or multiple same-day invoices.



One important tip, which apparently no technology can duplicate: keep the lines of communication open with potential tipsters by following departmental dynamics. “While logistics managers or executives may wield the power to navigate weak controls to perpetrate fraud, they have a harder time fooling those working closely with them. Eventually, they try to get rid of non-conformers or exclude them…” according to Kroll.