Category Archives: Vendors

Indicted

A Tesla employee is indicted for creating fake documents to cover up a fake-payment scheme.  “Former Tesla Employee Is Indicted,” The Wall Street Journal, November 12, 2018 B5.

Companies have a lot of controls to prevent fraud by employees, and often these controls work.  Why are there more such controls to prevent financial fraud than to prevent violations of other company procedures, such as those related to document creation, retention, and storage?

One wonders whether, in the aggregate, companies lose more money through poor document management and control than they lose through financial fraud.  How would one conduct such a study?

Filed under Accuracy, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Oversight, Protect assets, Records Management, Security, Third parties, Value, Vendors

How much did that free dinner cost me?

“Annuities Soar After Rule’s Demise,” The Wall Street Journal, October 29, 2018 B1.  More annuities sold after failure to pass rule about disclosure of conflicts by investment advisers.

If you don’t institute controls on behavior, what will enterprising (sales)people do?  What’s it worth to you to know whether the person advising you is getting a large commission?  Would that information influence your financial decisions?  Do investors need to be protected from salespeople offering “free” meals? And if investors either (a) are or (b) are not so protected, what are the consequences on the other decisions those investors make in their lives?  Do we rely on the government to protect us from our dumb decisions?

Caveat emptor?  Is this an Information post or a Governance post?

Filed under Controls, Duty, Governance, Information, Reliance, Third parties, Use, Value, Vendors

Too much sharing

“Facebook Draws U.K. Fine Over Sharing Data,” The Wall Street Journal, October 26, 2018 B4. Facebook fined half a million pounds ($645,000) for letting Cambridge Analytica see and use user data.  This is separate and apart from any fines the EU may impose.

Part of the problem is that Facebook didn’t do enough (i.e., anything) after it found out about Cambridge Analytica having accessed the data.

So, some points to consider:

  1. Whose information was it?
  2. Whose (and how many) rules (EU, UK, US, other) apply to (i.e., govern) a data breach?
  3. Why didn’t FB do anything after learning of the problem?  Did it not have a process for handling a vendor that accessed data inappropriately?  Doesn’t Governance require you to have such a process?  Does Compliance entail requiring your vendors to follow a process, and penalizing them when they don’t?
  4. The fine here won’t go to the UK residents whose privacy was invaded.  Is this a fine or a tax?  It certainly isn’t damages.

Filed under Access, Compliance, Compliance (General), Controls, Corporation, Duty, Duty of Care, Governance, Internal controls, IT, Oversight, Privacy, Protect assets, Security, Third parties, Vendors

Who exactly are your partners?

“U.S. Probes Microsoft on Bribery,” The Wall Street Journal, August 24, 2018 B1.  DOJ probes sales of software licenses to middlemen for ultimate sales to smaller governments.

Did the middlemen in, say, Hungary, share their discounted purchase price with government officials by way of bribes?  Even if they did, is Microsoft liable?  Unless the middlemen were Microsoft sales agents (who didn’t take title to the software licenses), or Microsoft knew of the scheme, it is hard to see FCPA liability for Microsoft.  Were the middlemen business partners of Microsoft, or just intermediate purchasers?

The ethics of the people with whom you do business can come back to bite you.  Your policies may apply by contract to consultants and third parties that you engage, but do they apply to the people to whom you sell/license your product?

Filed under Compliance, Compliance (General), Controls, Corporation, Duty, Governance, Oversight, Policy, Third parties, Vendors

Finally, we have a winner

At least somebody goes to jail for leaking top secret information about Russian hacking of elections.  In less than a year and a half.

“Former Intelligence Contractor Gets Five Years in Prison for Leak,” The Wall Street Journal, August 24, 2018 A2. Reality Winner, a contract worker at the NSA, gets sentenced for leaking a secret NSA report on Russian election hacking to a news outlet.

The rules do need to be enforced from time to time, or they are more like guidelines.  And contractors seem to be a weak link.

Did anyone else in the chain of command get punished?  If she were in Washington, DC, rather than Augusta, Ga., would she have faced the same fate?

See also https://infogovnuggets.com/2017/06/06/we-have-a-winner/.

Filed under Compliance, Compliance (General), Controls, Duty, Employees, Governance, Internal controls, Oversight, Protect assets, Third parties, Vendors

Your vendors

This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security.  But the topics do overlap.

So, what controls do you have in place to prevent someone from accessing your computer and changing the information there or, as important, changing how your computer operates?  That’s an identified risk, right?

“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3.  Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems.  Can the hackers take control of those systems or shut them down?

Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago?  Contractors can be a massive IT security risk.

Is this part of Information Governance?

What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems?  And to control the third parties who do have that access?  Is there a process?

Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Third parties, Vendors

CEOs in the news

“Ex-CEO at Oil Driller Settles SEC Inquiry On Undisclosed Loans,” The Wall Street Journal, July 17, 2018.  CEO had taken more than $10 million in loans from vendors in return for awarding contracts.

He used the money to cover margin calls and to maintain an extravagant lifestyle.  Also caught up in the scandal was a former portfolio manager who got a seat on the company’s board.

CEOs get hammered, too, for conflicts and poor ethics.

Filed under Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Investor relations, Oversight, Policy, Third parties, Vendors