The Department of Justice and the Securities and Exchange Commission just released A Resource Guide to the U.S. Foreign Corrupt Practices Act. What is the Foreign Corrupt Practices Act, and how does it affect information security? What controls are necessary, and how does the act map to regulations and standards we comply with now, such as SOX?
The Foreign Corrupt Practices Act (FCPA) is a U.S. federal law passed in 1977 that applies to all U.S. individuals and businesses. At its heart, the FCPA has two major provisions. The first is a set of rules that prohibit bribe payments (whether monetary or nonmonetary) from U.S. persons and businesses to foreign officials. The second is a set of accounting rules that require all companies publicly traded in the U.S. to keep a consistent set of records that reflect the business transactions of the organization. These accounting provisions are designed to ensure that companies are not able to hide bribe payments through intentionally sloppy accounting practices.
From an information security perspective, there's not really much to address under the anti-bribery provisions of FCPA, unless you're in the habit of paying bribes related to information security! (If you are, don't do that.) However, the accounting provisions do affect security professionals. Specifically, FCPA requires that businesses implement a set of internal controls that:
- Ensure that transactions are executed with authorization from management;
- Ensure that transactions are recorded in a manner that allows preparation of accurate financial statements and asset tracking;
- Permit access to assets only with management authorization; and
- Perform periodic reconciliations between financial records and assets.
Information security professionals will often be called upon to perform risk assessments and design specific provisions of these controls. Security professionals at publicly traded companies should already be familiar with these practices from Sarbanes-Oxley Act compliance. Internal controls should be applied to all financially significant systems and often include ensuring adequate logging, verification of the proper functioning of access control mechanisms and performing periodic account reviews.
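The periodic account review mentioned above is the kind of control a security team is usually asked to operationalize. The following is an added illustration, not code from the answer or from any regulator: it reconciles the accounts that actually exist on a financially significant system against the roster of management authorizations, flagging accounts with no authorization on file, accounts whose authorization has lapsed, and dormant accounts that nobody has used recently. The systems, people, dates and the 90-day dormancy threshold are all constructed sample values chosen for the example.

```python
"""Periodic account review: reconcile live accounts against management authorizations.

Added example for illustration; all names, systems and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Authorization:
    """A management approval granting one user access to one system."""
    user: str
    system: str
    approved_by: str
    expires: date


@dataclass(frozen=True)
class Account:
    """An account observed on the system, with its last successful login (None = never)."""
    user: str
    system: str
    last_login: Optional[date]


# Constructed sample data: what the approval register says (e.g. signed access request forms).
AUTHORIZATIONS: List[Authorization] = [
    Authorization("alice", "erp-ledger", "cfo", date(2013, 12, 31)),
    Authorization("bob", "erp-ledger", "cfo", date(2012, 12, 31)),   # lapsed
    Authorization("carol", "payroll", "controller", date(2013, 6, 30)),
]

# Constructed sample data: what an export of the systems' account lists shows.
ACCOUNTS: List[Account] = [
    Account("alice", "erp-ledger", date(2013, 1, 10)),
    Account("bob", "erp-ledger", date(2013, 1, 12)),
    Account("dave", "erp-ledger", date(2012, 9, 1)),   # no approval on file
    Account("carol", "payroll", None),                  # never logged in
]


def review_accounts(accounts: List[Account],
                    authorizations: List[Authorization],
                    as_of: date,
                    dormant_days: int = 90) -> List[Dict[str, str]]:
    """Return one finding per control exception.

    Exception kinds:
      UNAUTHORIZED - account exists but no management authorization covers it
      EXPIRED      - authorization exists but its expiry date is before `as_of`
      DORMANT      - account unused for more than `dormant_days` (or never used)
    """
    index: Dict[Tuple[str, str], Authorization] = {
        (a.user, a.system): a for a in authorizations
    }
    findings: List[Dict[str, str]] = []

    for acct in accounts:
        auth = index.get((acct.user, acct.system))
        if auth is None:
            findings.append({"kind": "UNAUTHORIZED", "user": acct.user,
                             "system": acct.system,
                             "detail": "no management authorization on file"})
        elif auth.expires < as_of:
            findings.append({"kind": "EXPIRED", "user": acct.user,
                             "system": acct.system,
                             "detail": f"authorization by {auth.approved_by} expired {auth.expires}"})

        if acct.last_login is None:
            findings.append({"kind": "DORMANT", "user": acct.user,
                             "system": acct.system, "detail": "account has never been used"})
        elif (as_of - acct.last_login).days > dormant_days:
            findings.append({"kind": "DORMANT", "user": acct.user,
                             "system": acct.system,
                             "detail": f"last login {acct.last_login}, "
                                       f"{(as_of - acct.last_login).days} days ago"})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per exception kind for the review report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_accounts(ACCOUNTS, AUTHORIZATIONS, as_of=date(2013, 1, 15))
    for f in results:
        print(f"{f['kind']:<12} {f['user']:<8} {f['system']:<12} {f['detail']}")
    print(summarize(results))
```

Each finding maps back to one of the control objectives: UNAUTHORIZED and EXPIRED are failures of "access to assets only with management authorization", and the review itself is the periodic reconciliation. In practice the two inputs would come from an approval workflow export and a directory or application account dump, and the findings list would be retained as evidence that the review was performed.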