Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT, IFRS,
BASEL II, OMB’s A-123, ASX 10, OECD Principles, Turnbull
Guidance, Best Practices, and Case Studies
By Anthony Tarantino
Published by John Wiley & Sons, Inc.,
April 2006, $50, ISBN: 0-471-79257-8; 336 pages
Reviewed by Anthony S. Chan
2006 - Navigating the compliance landscape is never easy,
and the lack of guidance in the marketplace makes just understanding
the relevant compliance requirements a frustrating experience.
By covering a variety of hot topics under a single cover,
Anthony Tarantino has attempted to assemble an introductory
handbook for professionals in finance, information technology
(IT), and operations. He has succeeded, delivering a book
I found easy to read and navigate. Each of its 30 chapters
is dedicated to a specific compliance topic, with an overview
of the related compliance requirements.
provides an informative discussion on best practices in
corporate governance and ethics—two essentials to
compliance and risk management. The discussion is supplemented
by a description of the 10 principles to good governance
created by the Australian Stock Exchange. He also provides
a good summary of the civil and criminal penalties for noncompliance.
Readers may also find useful his discussion on data-retention
requirements and compliance project management. IT managers
who are involved in designing or testing related IT controls
should find the matrix that maps COBIT to COSO, and the
related discussion on IT risk management and segregation
of duties, very informative.
the book does provide an excellent outline of the different
compliance requirements, readers should not expect a practical
compliance handbook. The coverage of each topic is general,
and the content lacks the how-to recommendations essential
to creating an effective roadmap on compliance. My recommendation
to the author would have been to include specific discussions
on effective compliance solutions so readers would get directions
on not only what to do, but also how to do it properly.
This would also give them a basis for developing an effective
action plan to mitigate compliance risks with cost-effective
book provides a good conceptual overview of enterprise risk
management (ERM). However, ERM is no longer merely a concept.
It has become a meaningful tool to mitigate an organization’s
exposure to all kinds of compliance, business, technology,
and reputation risks. Companies that have successfully complied
with Sarbanes-Oxley (SOX) section 404 requirements are actually
leveraging controls and process improvement to strengthen
their risk-management program. In fact, risk-management
and finance managers have been taking advantage of SOX compliance
to rebuild their ERM program and strengthen its effectiveness
in both their risk-prevention and -detection efforts. Readers
would have been better served with a broader discussion
of best practices in these areas, and with specific guidance
on building an effective ERM program. On a separate note,
the book would also have benefited from a discussion of
compliance with the Foreign Corrupt Practices Act, given
its relevance for U.S. companies with foreign operations,
as well as a discussion of the extent of recent enforcement
actions taken by the SEC.
the book’s general nature, finance managers seeking
specific guidance on compliance with Sarbanes-Oxley section
404 may not find their answers here. Although it contains
a fair amount of discussion on Sarbanes-Oxley compliance,
including its impact on large and small companies, it does
not provide any guidance on how to—
develop a risk-based controls assessment methodology;
leverage SOX compliance to drive operational efficiencies;
mitigate compliance risks with cost-effective controls;
create a sustainable compliance program.
compliance is here to stay, as confirmed by a recent SEC
release stating that “ultimately all public companies
will be required to comply with the internal control reporting
requirements of section 404.” Finance managers and
operations managers are strongly encouraged to stay abreast
of their companies’ compliance requirements, and to
leverage SOX compliance to mitigate their compliance risks.
Although this book was not written specifically for finance
managers and does not provide guidance on how to comply
effectively, anyone seeking to better understand the relevant
compliance requirements should consider it a must-read.
S. Chan, CPA, is a principal with Berdon llp and
a leader of its Sarbanes-Oxley compliance and corporate governance
practice. He advises on all aspects of internal controls and
is a member of the NYSSCPA’s SEC Practice Committee.