
Featured Member
GARY PELCAK, CICA, CTA, CFSA, CFE, CFSSP
This issue's featured member is Gary Pelcak, CICA. Gary is the Chief Audit Executive for Central National Bank located in Junction City, Kansas where he has overall responsibility for the financial, operational, information technology, fiduciary, and fraud audit functions of an 870 million dollar bank with 38 locations. Gary joined Central National in 1993 and has over 24 years in the financial services audit profession.
Prior to joining Central National Bank, Mr. Pelcak was an Associate National Bank Examiner with the Office of the Comptroller of the Currency. Gary has been in the banking industry since 1980.
Mr. Pelcak holds several professional certifications in addition to the CICA, including Certified Trust Auditor, Certified Financial Services Auditor, Certified Fraud Examiner, Certified Financial Services Security Professional, and is currently pursuing course work for Certified Forensic Interviewer. He holds a BS degree in Business Administration - Management & Economics from the University of Nebraska - Lincoln, and is a graduate of the Graduate School of Banking at the University of Colorado. Mr. Pelcak is also a graduate of the United States Army Inspector General Course serving 3 years as an Army IG field officer, the Army Command and General Staff College, and the DOD Emergency Management Preparedness Course.
In April 2011, Mr. Pelcak completed his second and final 3-year term on the FIRMA Board of Directors. During his tenure on the FIRMA Board, Mr. Pelcak was elected and served as Vice President to the FIRMA Board. Gary will maintain his current position as co-chair of the FIRMA Education Committee.
Pelcak is a retired Army Colonel completing 30 years of active and reserve service.
__________________________________________
ABOUT THEIIC
The Institute for Internal Controls is a global organization dedicated to promoting an effective internal controls environment in all organizations by providing high quality research and education in all areas of internal controls. As an indicator of expertise in internal controls, The Institute for Internal Controls grants the designation of Certified Internal Controls Auditor (CICA) and Certified Controls Specialist (CCS).
__________________________________________
CONTACT INFORMATION
Institute for Internal Controls 109 Mullen Drive, Suite B Sicklerville, NJ 08081 856.982.2410
TheIIC e-Newsletter is published on a quarterly basis by The Institute for Internal Controls.
Copyright 2010. All rights reserved.
|
| Message from the Chairman
This past summer another hacker attack made the news with the announcement that Citigroup discovered unauthorized access to its online system during routine monitoring, and that a limited number (1%) of its bank cardholders were affected. Still, with an overall card customer base of 21 million, exposure of 1 percent is relatively significant. Account information, including name, account number and contact information, such as e-mail address, is believed to have been exposed. More sensitive data such as customers' Social Security numbers, dates of birth, card expiration dates and card security codes were alleged to not have been compromised.
It is evident that many organizations are not taking this seriously enough to use the necessary resources to prevent such attacks. Organizations such as banks, credit card companies, government agencies, etc. are prime targets for the hackers. These organizations MUST be on the offensive with dedicated staffs to monitor attacks 24/7/365. Kill switches must be available to stop any detected attacks. Also, a plan to report any compromising of sensitive data must be in place to alert those affected of the possible consequences immediately. Any delay will cause loss of confidence in the organization as well as the possible financial loss to those whose confidential data is stolen.
A key control would be to encrypt data sufficiently to prevent use of the data if the attacks are sufficient. Most companies have some kind of personal information in their databases. Not only do we have concerns for customer information, but employee data, shareholder data, even vendor data may be sensitive and allow criminal acts against those affected. Companies must implement multi-level controls with continuous monitoring to prevent and detect any unauthorized attacks.
Dr. Frank
|
| Local Chapter Organization Project Underway |
|
In 2012 TheIIC will commence a project to build local chapters throughout the U.S. and in the international area, building on the local chapters already operating. As part of this process, Eddie Saunders, CICA and founder of the Poland Chapter, has been named TheIIC Coordinator for Europe. Eddie and his team will commence organizational activities to start local chapters in Bulgaria, Czech Republic, Italy, Serbia, United Kingdom & Ireland. Anyone interested in starting a local chapter in Europe should contact Mr. Saunders at saunders@iic-polska.pl. Anyone interested in starting a local chapter in the U.S. or elsewhere in the international area should contact the Office of the Chairman at chairman@theiic.org.
Information on how to start a local chapter as well as any assistance needed will be provided.
|
| Security Breaches - Too Often and Getting Bigger |
|
Millions of e-mail addresses and names were obtained in a cyberattack on marketing firm Epsilon, whose 2,500 clients include household names. The clients, including JPMorgan Chase, Citibank, Walgreens and Disney, have warned customers to beware of phishing attempts. The Epsilon attack is another example of criminals targeting corporations.
Security breaches are also happening at companies whose core business is data security. For instance, RSA Security, makers of SecurID and one of the country's leading security firms, recently announced that hackers had "extracted" data related to SecurID. In its announcement, RSA said its security systems had identified "an extremely sophisticated cyberattack in progress," to which it responded with "a variety of aggressive measures."
|
| COSO Internal Control Framework to be Overhauled |
|
The Committee of Sponsoring Organizations of the Treadway Commission published Internal Control -- Integrated Framework in 1992. The Commission recently announced that after almost 20 years, the framework is getting an overhaul to make it more relevant for today's businesses and the challenges that are faced by auditors and organizations. In a Journal of Accountancy video link, Bill Schneider, CPA, director-accounting, AT&T and a member of a COSO advisory council, gives a quick summary of COSO's work to modernize the internal control framework and explains what the project might mean for the day-to-day work of CPAs.
|
| Journal of Accountancy Now Available on YouTube. |
|
Video clips from the Journal of Accountancy, the flagship publication of the American Institute of CPAs, are now available to anyone on YouTube. The channel hosts short, practical videos on a variety of topics of interest to CPAs and financial professionals. The JOA will be posting about one video per week. The channel is organized by topical playlists, including tax, technology, firm management and professional development. To access these playlists, click "Playlists" at the top of the channel; they will display in the right column of the page.
Note that the JOA publication is available to members of the AICPA for free as part of their membership dues. The website will allow non-members to subscribe to the JOA for a fee. Access to the videos is free.
|
| The State of Fraud in Government |
|
Source: SAS
In October 2010, SAS sponsored a TechWeb survey of 327 federal, state and local government decision makers to examine the state of fraud and explore key directional trends in using business analytics to combat it. This paper covers the results of that survey, which found that while many agencies regard their ability to use data analysis to combat fraud, abuse and improper payments as good or excellent, most organizations are not fully mature in the use of analytics.
|
| Forbes Article Discusses Need to Separate Chairman/CEO Functions |
|
A recent article by Forbes adds to the momentum for publicly traded companies to separate the Chairman and CEO functions. This is viewed as a move that can help add independent oversight and foster meaningful discussions in the boardroom. In 2004, only 27% of the companies in the S&P 500 had split the roles of chairman and CEO. In 2011, the rate increased to 40% of the S&P 500 companies. Furthermore, about 20% of all S&P 500 companies now have an independent board chairman, up from under 10% in 2004. This trend may have accelerated in part because the U.S. Securities and Exchange Commission (SEC) and the Dodd-Frank Act now require public companies to explain to investors their reasoning behind either appointing an independent chair or allowing the CEO to handle both jobs in the boardroom. According to Paul Hodgson, a corporate governance expert and Senior Research Associate at GMI, "while splitting the roles of chairman and CEO is getting a lot more common in the US than even in recent years, it is important to remember that an executive chairman cannot be considered independent and is more likely to be aligned with management rather than shareholders." In the U.S., many companies have separated the roles of chairman and CEO, but have not taken the additional step of appointing an independent chairman. According to data from GMI, only 25% of all major U.S. companies have appointed an independent chairman. In the UK, by contrast, where it has been virtually mandatory since the governance revolutions in the early 1990s, chairmen are required to be independent and, as such, it is the norm.
|
| China Accounting Scandals Put Big Four Auditors on Red Alert |
|
(extract) The string of recent accounting problems and stock plunges at publicly traded Chinese groups has sparked deep concerns across the world's biggest audit firms, putting the Big Four on alert from worries that their reputation could be brought down along with a growing list of stricken companies. Auditing Chinese firms preparing to go public on overseas exchanges is a lucrative business and one that plays into the strengths of the Big Four. Yet fears are growing that the struggle to find enough high-quality auditors in China and Hong Kong means it may only be a matter of time until one of the top firms finds itself caught in a blow-up rivaling Enron, which brought down their old rival Arthur Andersen. The Big Four are also getting nervous about work with existing Chinese clients, turning to lawyers at an earlier stage if they think something might be amiss. All four of the audit firms responded to a Reuters request to comment on the matter. The four firms said they have a rigorous approach to risk management. The Big Four have basked in China's emergence as an economic powerhouse. In 2009 their revenue from work on the mainland stood at 9.1 billion yuan ($1.41 billion) according to the Chinese Institute of CPAs (CICPA), around half of China's accounting industry's revenue. Last year's figures were not immediately available. As the revenues have risen, so have the risks. Most of the accounting scandals in the U.S. have come from small Chinese companies who went public via a reverse takeover. Those companies were audited by smaller U.S. or Hong Kong-based accountancy practices, not the Big Four's China firms. But some recent high profile cases have started to drag in the names of the world's most prestigious auditors. For example, in May Deloitte quit as auditor of Longtop Financial Technologies after working on the company's books for six years, citing "recently identified falsity" in their finances.
Ernst & Young was named in two class action lawsuits over its work on Sino-Forest, the Toronto-listed company accused by short-seller Muddy Waters of accounting fraud. In Hong Kong, KPMG said in January that it had found possible irregularities in the books of China Forestry, leading to a suspension of its shares. Accounting experts say the firms have been acting as they should by raising the alarm once they find irregularities that can't be explained by the company. They also point out that the Big Four's China businesses and its broad global resources are much better placed than small U.S. firms to conduct audits on Chinese companies. The latest string of scandals has laid bare some of the difficulties auditors have in China, forcing the big firms to reappraise their methods, given that a loss of reputation could bring them to their knees.
|
| Questions on the Effectiveness of SOX on Preventing Fraud |
|
An article from CFO Magazine's Laton McCartney concluded that SOX has done little to curb corporate malfeasance and that CFOs need to implement a range of fraud-prevention measures. A 2010 COSO report on corporate fraud concluded that (1) fraud continues to increase in depth and breadth despite Sarbanes-Oxley; (2) the methods of committing financial fraud have not materially changed; and (3) traditional measures of corporate governance have limited impact on predicting fraud. However, a 2010 survey by the Association of Certified Fraud Examiners (ACFE) concluded that key fraud prevention measures can mitigate losses significantly, with hotlines, employee support programs, surprise audits and fraud training being the most productive.
The 2010/2011 Global Fraud Report by the risk consulting firm Kroll Associates found that business losses due to fraud increased 20% in the last 12 months, from $1.4 million to $1.7 million per billion dollars of sales. The report, based on a survey of more than 800 senior executives from 760 companies around the world, also found that 88% of the respondents reported being victims of corporate fraud over the past 12 months. The most likely targets by industry include financial services, media, technology, manufacturing, and health care. Small and midsize companies are also more vulnerable. Aside from various forms of embezzlement and outright theft, and the growing risk of information theft from hackers and others, two other kinds of corporate malfeasance have come to the fore in recent years: fraud in the business model and fraud in the business process.
As for what to do, while no one has yet come up with a silver bullet, experts point to seven useful steps that all companies can take:
1. Start at the top.
2. Educate employees.
3. Change the culture.
4. Conduct surprise audits.
5. Check (and double-check) employee backgrounds.
6. Prepare a data-breach response plan.
|
| Call for Volunteers |
|
As discussed in previous communications from TheIIC, we are seeking volunteers for the following positions:
- Organizers to commence operations to start local chapters.
- Volunteers to present training courses as instructors.
- Volunteers to develop courses on internal controls, ethics, auditing, etc.
- Authors and contributors for articles for the upcoming Internal Controls Magazine.
- Educators and researchers to present articles on research related to internal controls for publication in the upcoming Journal of Internal Controls.
All interested members should contact the Chairman at chairman@theiic.org.
|
| Call for Papers |
|
A key resource for members is the sharing of information among the membership via articles. Subject matter including techniques for reviewing internal controls, discussion of available tools, case studies, etc. can assist both the new and experienced internal controls auditor/specialist.
If you would like to submit an article or monograph on any subject matter that may be of interest to the membership, we encourage you to do so. You can direct any materials for review to the Chairman at chairman@theiic.org.
|
| Message from the Editor: Welcome for First-timers |
|
For first-timers, I would like to welcome you to TheIIC e-Newsletter. In the design of the newsletter we completed extensive research on how to make the e-newsletter successful. As you can see, the layout is a little different than you see in other e-newsletters. While most e-newsletters only give you a few lines of the article, with a link to the full article, we have decided to present an abstract-type summary of each, with a link to the full article, when available. We feel that this allows you to get the substance of the article without having to link to another site. However, we do provide a link for those who want any additional details available. This also provides you with the ability to print out the newsletter and read it at your leisure. We encourage any comments or suggestions for improving the e-newsletter. Comments as well as contributions for publication should be sent to me at e-newsletter@theiic.org.
|
| NEWS: Archived e-Newsletters Now Available on TheIIC Website |
|
If you missed a previous edition of TheIIC e-newsletter, or would like to retrieve a copy, you can now view archived editions of TheIIC e-Newsletter on TheIIC website at http://www.theiic.org/publicationsnewsletter.html.