Manager’s Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS, BASEL II, OMB’s A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies
By Anthony Tarantino
Published by John Wiley & Sons, Inc., April 2006, $50, ISBN: 0-471-79257-8; 336 pages
Reviewed by Anthony S. Chan
October 2006 - Navigating the compliance landscape is never easy,
and the lack of guidance in the marketplace makes just understanding
the relevant compliance requirements a frustrating experience.
By covering a variety of hot topics under a single cover,
Anthony Tarantino has attempted to assemble an introductory
handbook for professionals in finance, information technology
(IT), and operations. He has succeeded, delivering a book
I found easy to read and navigate. Each of its 30 chapters
is dedicated to a specific compliance topic, with an overview
of the related compliance requirements. Tarantino
provides an informative discussion on best practices in
corporate governance and ethics—two essentials to
compliance and risk management. The discussion is supplemented
by a description of the 10 principles of good governance
created by the Australian Stock Exchange. He also provides
a good summary of the civil and criminal penalties for noncompliance.
Readers may also find useful his discussion on data-retention
requirements and compliance project management. IT managers
who are involved in designing or testing related IT controls
should find the matrix that maps COBIT to COSO, and the
related discussion on IT risk management and segregation
of duties, very informative.
While the book does provide an excellent outline of the different
compliance requirements, readers should not expect a practical
compliance handbook. The coverage of each topic is general,
and the content lacks the how-to recommendations essential
to creating an effective roadmap on compliance. My recommendation
to the author would have been to include specific discussions
on effective compliance solutions so readers would get directions
on not only what to do, but also how to do it properly.
This would also give them a basis for developing an effective
action plan to mitigate compliance risks with cost-effective
controls.
The book provides a good conceptual overview of enterprise risk
management (ERM). However, ERM is no longer merely a concept.
It has become a meaningful tool to mitigate an organization’s
exposure to all kinds of compliance, business, technology,
and reputation risks. Companies that have successfully complied
with Sarbanes-Oxley (SOX) section 404 requirements are actually
leveraging controls and process improvement to strengthen
their risk-management program. In fact, risk-management
and finance managers have been taking advantage of SOX compliance
to rebuild their ERM program and strengthen its effectiveness
in both their risk-prevention and -detection efforts. Readers
would have been better served with a broader discussion
of best practices in these areas, and with specific guidance
on building an effective ERM program. On a separate note,
the book would also have benefited from a discussion of
compliance with the Foreign Corrupt Practices Act, given
its relevance for U.S. companies with foreign operations,
as well as a discussion of the extent of recent enforcement
actions taken by the SEC.
Given the book’s general nature, finance managers seeking
specific guidance on compliance with Sarbanes-Oxley section
404 may not find their answers here. Although it contains
a fair amount of discussion on Sarbanes-Oxley compliance,
including its impact on large and small companies, it does
not provide any guidance on how to:
- develop a risk-based controls assessment methodology;
- leverage SOX compliance to drive operational efficiencies;
- mitigate compliance risks with cost-effective controls; and
- create a sustainable compliance program.
SOX compliance is here to stay, as confirmed by a recent SEC
release stating that “ultimately all public companies
will be required to comply with the internal control reporting
requirements of section 404.” Finance managers and
operations managers are strongly encouraged to stay abreast
of their companies’ compliance requirements, and to
leverage SOX compliance to mitigate their compliance risks.
Although this book was not written specifically for finance
managers and does not provide guidance on how to comply
effectively, anyone seeking to better understand the relevant
compliance requirements should consider it a must-read.
Anthony S. Chan, CPA, is a principal with Berdon LLP and
a leader of its Sarbanes-Oxley compliance and corporate governance
practice. He advises on all aspects of internal controls and
is a member of the NYSSCPA’s SEC Practice Committee.