Sarbanes Oxley Compliance Professionals Association (SOXCPA)
1200 G Street NW Suite 800 Washington, DC 20005-6705 USA Tel: 202-449-9750 Web: www.sarbanes-oxley-association.com

Dear Member,

In 1964, Arthur C. Clarke, science fiction writer, inventor and futurist, observed: "Trying to predict the future is a discouraging and hazardous occupation, because the prophet invariably falls between two chairs. If his predictions sound at all reasonable, you can be quite sure that in 20, or at most 50 years, the progress of science and technology has made him seem ridiculously conservative. On the other hand, if by some miracle, a prophet could describe the future exactly as it was going to take place, his predictions would sound so absurd, so far-fetched, that everybody would laugh him to scorn."

Interesting…

The Importance of Strong Risk Management: Insights From The Examination World
By Jason C. Schemmel, Community and Regional supervisory examiner with the Federal Reserve Bank of Richmond

Introduction
In 1995, the Board of Governors of the Federal Reserve System issued SR 95-51, which instructed examiners to begin assigning a formal supervisory rating to the adequacy of an institution’s risk management processes.
Examiners had always emphasized the importance of sound risk management processes, but this guidance heralded an era of heightened awareness in light of new technologies, product innovation and rapidly changing banking markets. Examiners continue to assess and consider factors such as profitability, asset quality and capital adequacy when assigning supervisory ratings, but these indicators, to a large degree, tell a story about the past. At the heart of risk management is the concept of looking toward the future, as being able to identify, measure, monitor and control risks before they spread is critical to the conduct of safe and sound banking, regardless of the size and complexity of the institution.

Analysis of banking performance during the recession of 2007–2009 indicates that banks with strong forward-looking risk mitigation strategies weathered the recession more successfully than other banks, even those taking identical risks (see "Weathering the Storm: A Case Study of Healthy Fifth District State Member Banks Over the Recent Downturn" in the summer 2012 edition of S&R Perspectives). These successful institutions all possessed the key elements of a risk management framework, including:
- An active board of directors and senior management team
- Policies, procedures and risk limits governing all activities that are clearly communicated throughout the organization
- Timely and accurate management information systems (MIS)
- Strong internal controls

To understand the risk management challenges currently facing our state member banks, we asked key members of the Federal Reserve Bank of Richmond’s Community and Regional (C&R) management team to identify areas that are (1) consistently cited in reports of examination as risk management weaknesses or (2) expected to receive heightened attention in the near future. This article reinforces existing supervisory guidance and expectations and discusses the most commonly cited examination issues related to the management of credit, liquidity, market, operational, and legal and reputational risks. Properly addressing these matters will improve the prospects of early risk detection and help to prevent losses.

Credit Risk
C&R relationship managers and subject matter experts alike expressed concern over three areas: new product lines, home equity lines of credit (HELOC) and appraisal review.

New Product Lines
Interviews with bankers during examinations over the previous 12–24 months revealed that many management teams and boards of directors intend to reduce future reliance on real estate lending by expanding into commercial lending. The number of bankers that stated this intention is striking and indicates the potential for fierce competition for commercial business. In fact, several banks have reported recent solicitations from third parties attempting to negotiate participation in syndicated commercial loans. Prior to expanding into commercial lending, or any new product line, it will be critical for banks to properly research the product and ensure it aligns with the bank’s strategic plan and the risk appetite of the board of directors.
Banks that venture into commercial lending are expected to have the appropriate expertise on staff to underwrite and monitor the credits.
Moreover, the lending staff must be guided by robust policies, procedures and risk limits. As was the case in the late 1990s, intense competition for commercial loan customers often leads to significant easing of both loan terms and front-end financial analysis. Discipline was — and will be — a key success factor.

Existing supervisory guidance stresses:
- The importance of using formal forward-looking analysis in the loan approval process
- The value of assessing alternative or "downside" scenarios
- The dangers of unduly weighting the short-term benefit of attracting or retaining customers through price concessions while giving insufficient consideration to potential longer-term consequences [1]

Additionally, exceptions to approved underwriting and pricing policies should be rare, properly approved, aggregated and actively monitored by senior management.

HELOCs
There is considerable concern among C&R credit risk specialists that, unlike many other real estate loans, the losses in HELOC portfolios have yet to fully materialize. Many of the loans originated from 2003 to 2007 are approaching the end of their draw periods and will soon convert from interest-only to amortizing loans or have principal due as a balloon payment.

Observations from recent examinations indicate that banks with significant concentrations of HELOCs have not fully identified and measured the potential impact of these events.
Institutions with significant exposure to HELOCs should ensure that they are adhering to effective account management practices. These include:
- Periodically refreshing credit scores on customers
- Periodically assessing utilization rates
- Periodically assessing payment patterns, including borrowers who make only minimum payments or those who rely on the line to keep payments current
- Using reasonably available tools to determine the payment status of senior liens associated with junior liens
- Obtaining updated information on the collateral’s value when market factors indicate a deterioration in value since origination or when the borrower’s payment performance deteriorates

Measurement of this data will allow bankers to identify customers who may default when loan terms change and facilitate the creation of effective workout solutions. Data procured from this analysis should also be incorporated into the institution’s allowance for loan and lease losses (ALLL) methodology.

Appraisal Review
Examiners continue to observe appraisal review practices that are inconsistent with supervisory guidance. Too often, appraisal reviews only consist of checklists used by the reviewer to determine compliance with federal regulations. While determining compliance with regulations is surely critical, it is merely one aspect of the appraisal review process.
Just as important is an evaluation of whether the methods, assumptions and data sources in the appraisal (or evaluation) are appropriate and well-supported.
An institution’s policies and procedures for reviewing appraisals and evaluations should address, at a minimum, the following:
- Staff members who review appraisals and evaluations should be independent of both the property being valued and the loan production staff.
- Reviewers should also possess the requisite expertise to perform a review commensurate with the level of risk and complexity in the transaction.
- The depth of review should be appropriate for the risk and complexity of the transaction and property, but always be sufficient to ensure the methods, assumptions and conclusions within the appraisal and evaluation are reasonable and well-supported.
- Staff within the institution should have clear written guidance on how to resolve deficiencies uncovered during a review.
- All reviews should be thoroughly documented and placed within appropriate credit files.

Liquidity Risk
All financial institutions, regardless of size and complexity, should have a formal contingency funding plan (CFP) that clearly sets out the strategies for addressing liquidity shortfalls in emergency situations. C&R relationship managers indicated that most banks have instituted some form of CFP; however, many banks continue to struggle with the details. In general, the CFPs reviewed during examinations do not adequately address a sufficient range of liquidity stress events.
The narrative section of the CFP should contain a thorough description of any liquidity event — or combination of events — that could adversely impact the bank’s liquidity.
The events may be institution-specific or arise from external factors. Examples include, but are not limited to, the inability to fund asset growth; the inability to renew or replace a maturing funding source; unexpected deposit runoff; or financial market dislocations. Additionally, CFPs frequently are not robust enough with regard to the various stages and levels of stress severity that can occur during a contingent liquidity event. The narrative section should fully describe the stages of each event, its severity and its expected duration. Stress events should be modeled with sufficient severity to provide management and the board of directors with enough information to ascertain the durability of the bank’s liquidity position. Moreover, the duration of the event is a critical factor in accurately measuring potential funding gaps and available funding sources.

Some events may be temporary while others may be longer-term.
In either case, the event should ultimately be modeled through its conclusion. Designing the CFP in this fashion affords the opportunity to identify early-warning indicators for each stage, assess potential funding needs at various points in a developing crisis and specify action plans.

Market Risk
Proper measurement of market risk requires regularly assessing the reasonableness of assumptions that underlie an institution’s exposure estimates.
C&R subject matter experts have observed repeated weaknesses in three areas related to model assumptions: documentation, sensitivity testing and corporate governance.
Key model assumptions such as asset prepayments, nonmaturity deposit price sensitivity and deposit decay rates are often unsupported and undocumented. Inputs for these assumptions typically have a material impact on the model’s output; therefore, it is critical to ensure they are accurate.

Assumptions should be specific to the bank and based on an appropriate level of empirical evidence.
The decisions made and the rationale behind them should then be thoroughly documented. To aid in determining which assumptions exert the greatest impact on measurement results, banks should periodically perform sensitivity testing. Doing so will provide valuable insight into how to allocate scarce resources, i.e., the most critical assumptions should be given the most attention. When actual experience differs significantly from past assumptions and expectations, institutions should use a range of assumptions to appropriately reflect this uncertainty. Finally, banks should develop a comprehensive governance system for actively monitoring and regularly updating key underlying assumptions. This system should include oversight by representatives from any major business line that can directly or indirectly influence the bank’s market risk exposure. Deliberations from these meetings and the rationale behind changes to key assumptions should be thoroughly documented in meeting minutes.

Operational Risk
C&R operational risk specialists have identified two areas of concern as technology is increasingly integrated into the business of banking: information security and vendor management.

Information Security
One of the most common operational risk deficiencies cited during examinations over the last 18 months relates to information security.

It remains a challenge for all banks, regardless of size, because of the complex interconnectivity between the bank, its customers and its vendors.
The proliferation of mobile devices and electronic payment channels has increased the opportunities for hackers to compromise bank systems and steal critical data. Therefore, strong internal controls surrounding access management are essential, including a robust risk assessment process; effective procedures for administering, logging and monitoring critical systems; and independent validation of controls through audits or penetration testing.

Vendor Management
Not surprisingly, the increase in technological banking solutions has led to an increase in outsourcing. The scope of activities outsourced, however, has not been limited to traditional activities such as core processing and now may include interest rate risk modeling, stress testing or loan loss mitigation strategies. Recent examinations indicate that vendor management practices are often not keeping pace with the growing volume and scope of outsourcing activities, particularly in the areas of due diligence and service provider oversight.
Due diligence prior to engagement should fully consider the provider’s ability to meet the institution’s needs. Institutions should consider the provider’s technical and industry expertise, operations and controls, and financial condition. Once a contract has been signed, the institution must implement an oversight program to monitor each service provider’s controls, conditions and performance. The oversight program should be commensurate with the risk of the outsourced relationship and be thoroughly documented for use in future contract negotiations, termination issues and contingency planning.

Legal and Reputational Risk
Finally, C&R operational risk specialists expressed concern with the proliferation of social networking platforms and their potential effect on banks’ legal and reputational risks. A social networking service is an online service, platform or site that facilitates the building of social relations among people who share common interests, activities or relationships. Their use has exploded as companies attempt to reach customers with advertising and to generate business intelligence for future sales or customer service. Social networks pose several risks to banking organizations, including the potential disclosure of nonpublic personal information (NPI), disinformation or derogatory information, and security threats such as viruses or social engineering.

Any of these or similar events could result in significant lawsuits or damage to the institution’s reputation.
Banks are encouraged to develop sound social connectivity policies that govern the use of social media by employees and to provide adequate training to employees on those policies. The use of social media should also be considered in the institution’s information technology risk assessment.

Conclusion
The current recession has been longer and deeper than any since the Great Depression, and institutions facing severe earnings pressures may be tempted to reduce resources dedicated to risk management. But evidence suggests that strong risk management, not historical financial performance, is the common denominator of successful community banks. Institutions should remain vigilant in order to identify risks that could negatively affect the bank and take appropriate action to measure, monitor and control them.

Security First: New NIST Guidelines on Securing BIOS for Servers
From NIST Tech Beat: August 21, 2012

The National Institute of Standards and Technology (NIST) is requesting comments on new draft guidelines for securing BIOS systems for server computers. BIOS—Basic Input/Output System—is the first major software that runs when a computer starts up. Both obscure and fundamental, the BIOS has become a target for hackers. Server manufacturers routinely update BIOS to fix bugs, patch vulnerabilities or support new hardware. However, while authorized updates to BIOS can improve functionality or security, unauthorized or malicious changes could be part of a sophisticated, targeted attack on an organization, allowing an attacker to infiltrate an organization's systems or disrupt their operations.

BIOS attacks are an emerging threat area. In September 2011, a security company discovered the first malware designed to infect the BIOS, called Mebromi. An important mechanism for protecting BIOS in servers is to secure the BIOS update process, guarding against unauthorized BIOS updates. NIST's 2011 publication on BIOS security provided instructions for protecting BIOS in desktops and laptops.

The guidelines focused on the core principles of authenticating updates using digital signatures, BIOS integrity protection and "nonbypassibility" features that ensure that no mechanisms circumvent the BIOS protections.
BIOS Protection Guidelines for Servers addresses BIOS security in the varied architectures used by servers. "While laptop and desktop computers have largely converged on a single architecture for system BIOS, server class systems have a more diverse set of architectures, and more mechanisms for updating or modifying the system BIOS," says author Andrew Regenscheid. In addition, many servers contain service processors that perform a variety of management functions that may include BIOS updates, and this document provides additional security guidelines for service processors. Servers require more flexibility, according to Regenscheid, because in addition to having different architectures, they are almost always managed remotely.

BIOS Protection Guidelines for Servers is written for server developers and information system security professionals responsible for server security, secure boot processes and hardware security modules.
The draft publication BIOS Protection Guidelines for Servers (NIST Special Publication 800-147B) is available at http://csrc.nist.gov/publications/drafts/800-147b/draft-sp800147b_july2012.pdf

Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in Federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Executive Summary
Modern computers rely on fundamental system firmware, commonly known as the system Basic Input/Output System (BIOS), to facilitate the hardware initialization process and transition control to the operating system. The BIOS is typically developed by both original equipment manufacturers (OEMs) and independent BIOS vendors, and is distributed to end-users by motherboard or computer manufacturers. Manufacturers frequently update system firmware to fix bugs, patch vulnerabilities, and support new hardware. This document is the second in a series of publications on BIOS protections. The first document, SP800-147, BIOS Protection Guidelines, was released in April 2011 and provides guidelines for desktop and laptop systems deployed in enterprise environments.

In the future, NIST intends to develop a new publication providing an overview of BIOS protections for IT security professionals to be released as SP800-147rev1, and will reissue the current SP800-147 as SP800-147A at that time.
Unauthorized modification of BIOS firmware by malicious software constitutes a significant threat because of the BIOS’s unique and privileged position within the PC architecture. Malicious BIOS modification could be part of a sophisticated, targeted attack on an organization—either a permanent denial of service or a persistent malware presence. This document covers BIOS protections for managed and blade servers. These types of servers contain Service Processors—specialized microcontrollers that provide administrators with an interface to manage the host server. Servers, particularly those with Service Processors, may implement multiple BIOS update mechanisms.

Servers implementing a single BIOS update mechanism, similar to those in PC client systems, are expected to meet the guidelines in SP800-147.
The security guidelines in this publication do not attempt to prevent installation of unauthentic BIOSs through the supply chain, by physical replacement of the BIOS chip, or through secure local update procedures.

Security guidelines are specified for four system BIOS security features:
• Authenticated BIOS update mechanisms, where digital signatures prevent the installation of BIOS update images that are not authentic.
• An optional secure local update mechanism, which requires that an administrator be physically present at the machine in order to install BIOS images without authentication.
• Firmware integrity protections, to prevent unintended or malicious modification of the BIOS outside the authenticated BIOS update process.
• Non-bypassability features, to ensure that there are no mechanisms that allow the system processor or any other system component to bypass the BIOS protections.

This document also provides additional information and recommendations for implementing BIOS protections using three BIOS update mechanisms that are commonly implemented in servers. This material is intended to help implementers design systems that meet the security requirements in this publication.

Service Processors are critical management components in many modern server designs. They are responsible for various management features, depending on the implementation of the system. Some, but not all, Service Processors are able to update the system BIOS. This document describes the possible roles of Service Processors in the system BIOS update process, and describes how the security guidelines apply to systems containing these components.

Understanding better…

Information Operations, Electronic Warfare, Computer Network Operations

Information Operations
The integrated employment of the core capabilities of electronic warfare, computer network operations, psychological operations, military deception and operations security, in concert with specified supporting and related capabilities, to influence, disrupt, corrupt or usurp adversarial human and automated decision making while protecting our own. Also called IO.

Electronic Warfare
Any military action involving the use of electromagnetic and directed energy to control the electromagnetic spectrum or to attack the enemy. Also called EW. The three major subdivisions within electronic warfare are: electronic attack, electronic protection, and electronic warfare support.

a. Electronic attack. That division of electronic warfare involving the use of electromagnetic energy, directed energy, or antiradiation weapons to attack personnel, facilities, or equipment with the intent of degrading, neutralizing, or destroying enemy combat capability and is considered a form of fires. Also called EA. EA includes:
1) Actions taken to prevent or reduce an enemy’s effective use of the electromagnetic spectrum, such as jamming and electromagnetic deception, and
2) Employment of weapons that use either electromagnetic or directed energy as their primary destructive mechanism (lasers, radio frequency weapons, particle beams).

b. Electronic protection. That division of electronic warfare involving passive and active means taken to protect personnel, facilities, and equipment from any effects of friendly or enemy employment of electronic warfare that degrade, neutralize, or destroy friendly combat capability. Also called EP.

c. Electronic warfare support. That division of electronic warfare involving actions tasked by, or under direct control of, an operational commander to search for, intercept, identify, and locate or localize sources of intentional and unintentional radiated electromagnetic energy for the purpose of immediate threat recognition, targeting, planning and conduct of future operations. Thus, electronic warfare support provides information required for decisions involving electronic warfare operations and other tactical actions such as threat avoidance, targeting, and homing. Also called ES. Electronic warfare support data can be used to produce signals intelligence, provide targeting for electronic or destructive attack, and produce measurement and signature intelligence.

Computer Network Operations
Comprised of computer network attack, computer network defense, and related computer network exploitation enabling operations. Also called CNO.

Computer network attack
Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. Also called CNA.

Computer network defense
Actions taken through the use of computer networks to protect, monitor, analyze, detect and respond to unauthorized activity within Department of Defense information systems and computer networks. Also called CND.

Computer network exploitation
Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks. Also called CNE.

Psychological Operations
Planned operations to convey selected information and indicators to foreign audiences to influence their emotions, motives, objective reasoning, and ultimately the behavior of foreign governments, organizations, groups, and individuals.

The purpose of psychological operations is to induce or reinforce foreign attitudes and behavior favorable to the originator’s objectives.
Also called PSYOP.

Military Deception
Actions executed to deliberately mislead adversary military decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly forces mission. Also called MILDEC.

Operations Security
A process of identifying critical information and subsequently analyzing friendly actions attendant to military operations and other activities to:
a. Identify those actions that can be observed by adversary intelligence systems;
b. Determine indicators that hostile intelligence systems might obtain that could be interpreted or pieced together to derive critical information in time to be useful to adversaries; and
c. Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.

Also called OPSEC.

Note:
Air University, with headquarters at Maxwell Air Force Base, Ala., is a key component of Air Education and Training Command, and is the Air Force's center for professional military education.

An interesting article about China. We will be glad to discuss other opinions in our next newsletter.

China’s Slowdown May Be Worse Than Official Data Suggest
by Janet Koech and Jian Wang

In the months following the 2008–09 economic crisis, emerging-market economies robustly rebounded. Output in China and India expanded more than 10 percent in 2010, and Brazil’s gross domestic product (GDP) growth of 7.5 percent was its best performance in 25 years.

Emerging-market economies retraced their precrisis level of industrial production by 2009, while advanced economies remained below their precrisis levels in 2012 (Chart 1). But the strong emerging-market rebound—most significantly in China—hasn’t endured. When China’s average GDP growth remained above 9 percent in 2011, hopes rose that a sustained recovery would prop up the world economy amid the European sovereign debt crisis and subpar growth in the U.S. However, China’s economy deteriorated rapidly in 2012, with GDP growth slowing to 8.1 percent in the first quarter from 8.9 percent at year-end 2011. Second quarter GDP growth slid further, to 7.6 percent, the lowest reading since the height of the global financial crisis in early 2009.

Even with the decline, there is speculation that these figures may still understate economic slowing.
Economists have long doubted the credibility of Chinese output data. For example, some studies indicate that GDP growth was overstated during the 1998–99 Asian financial crisis, when official figures reported that China’s GDP grew on average 7.7 percent annually. Alternative estimates using economic activity measures such as energy production, air travel and trade data ranged from 2 percent to 5 percent.

The dubious character of the official figures is no secret in China. Senior government officials, including Vice Premier Li Keqiang, dismiss official GDP data as "man-made" and "for reference only" because of political influence, particularly at the local level, on data reporting.

Data Reliability
To get a more accurate picture of China’s economy, economists examine other measures of activity that closely track growth but are less prone to political interference than output data. Industrial electricity consumption, a major production input, serves as such a proxy. If industrial output grows at a slower pace, electricity consumption should behave similarly. China’s year-over-year growth rates of industrial electricity consumption and industrial production are shown for 2011 and 2012 in Chart 2.

Red dots, illustrating 2012 activity, are below the blue dots, depicting 2011, which indicates that the growth rate of industrial electricity consumption is relatively lower this year.
This is consistent with China’s recent economic slowdown. The chart also shows fitted linear trends—a way of extrapolating activity over a longer period—computed using 2011 data only (solid line) and 2011 and 2012 data (dashed line). This depiction relies on just these two years because of limited electricity-consumption reporting by the China Electricity Council. Hence, these results should be viewed with caution. As expected, Chart 2 shows that there is a tight relationship between industrial electricity consumption and industrial output. As industrial production growth expands, China’s industries consume more electricity, and vice versa. However, a closer look at the chart raises questions. Consider a scenario in which electricity consumption doesn’t increase. To illustrate this, we extend the linear trend lines to the horizontal axis (representing no change in electricity consumption). The lines intercept the axis at 5 and 7.5, implying that China’s industrial production continues to grow 5 percent or 7.5 percent annually (depending on which trend line we use) even when electricity consumption remains constant. Although heightened electricity consumption efficiency could induce positive industrial production growth, a 7.5 percent growth rate seems too large to attribute to efficiency gains alone.

The solid line computed using just 2011 data is flatter than the dashed line computed using both 2011 and 2012 data.
Extrapolating from the trend line that includes just 2011 data points yields a lower, more reasonable industrial production growth rate of about 5 percent when the electricity consumption growth rate is zero. The same data are shown in Chart 3, with only the 2011 trend line depicted.

Suspiciously, all 2012 data (red dots) lie below the trend line. This suggests that given the amount of electricity consumed, China’s official industrial production figures for 2012 are higher than those implied by the 2011 data trend.

For instance, China’s industrial electricity consumption grew 5.6 percent on a year-over-year basis in March 2012.
Using the trend from 2011 data, the estimate for March’s industrial production growth is about 9.3 percent rather than the 11.9 percent reported in the official data. This discrepancy could be due to unintentional, random survey errors. However, it is hard to imagine that all available 2012 data erred on the side of overstating industrial production growth. Rather, it suggests that China might have overstated its 2012 industrial production data to mask the economy’s weakness. In other words, the slowdown in China could be worse than the official data indicate.

Composition of Production
Of course, other factors may explain why all red dots lie below the trend line in Chart 3. For example, growth of industrial production varied across sectors whose consumption of electricity per unit of output differs. For a unit of output, a company involved in steel production will generally consume more electricity than a factory making T-shirts. If the growth rate of the steel industry slowed more than that of the textile industry, we would expect to see the growth in electricity consumption decline faster than the growth of total industrial output. To address this industry composition effect, we include output growth of two different sectors in our data: the heavy and light industrial sectors.

The heavy industrial sector (for example, the steel industry) usually consumes more electricity than the light sector (the textile industry).
The relationship between electricity consumption and industrial output can be more accurately estimated by analysing the two sectors separately than by using aggregate industrial output data. Accounting for the sectoral difference yields more sensible results when 2011 data are analyzed. When industry electricity consumption remains constant—that is, it shows a zero growth rate—light industrial sectors grow at an annual rate of 2.8 percent, a much smaller reading than the 5 percent for aggregate output. On the other hand, the heavy industrial sectors contract 1.9 percent, reflecting this industry’s relatively heavy reliance on electricity.

Chart 4 plots actual electricity consumption growth in China (purple line) together with estimated electricity consumption using 2011 output data for light and heavy industries (orange line).

The two lines track each other closely, indicating a tight relationship between electricity consumption and output in the heavy and light industries.
The blue line shows the forecast growth of electricity consumption in 2012, computed from the relationship estimated from 2011 data. The official industrial production data square well with electricity consumption in March 2012; predicted consumption data almost perfectly match the reported data.

During March, growth in heavy industries declined sharply to 11.2 percent from 13 percent in December 2011, while growth in the light industries increased to 13.9 percent from 12.6 percent over the same period.
The difference in growth between the heavy and light industries explains the overall sharp decline in electricity consumption, while overall industrial output growth remained strong in March 2012. In the subsequent months, however, the out-of-sample forecasts diverge substantially from the actual data. Given the official industrial production numbers, our model suggests that China should have consumed about twice as much electricity as it actually did. This is not surprising after closer examination of the data. From April to June, growth in the light industries declined more than in the heavy industries, a reversal of March’s activity. Given such a pattern in China’s official industrial production data, electricity consumption growth should have dropped only moderately. However, China’s actual electricity consumption continues to decline sharply from April to June, raising doubts about the accuracy of the official industrial production figures.

Improving Data Reporting
Although China’s economic growth has slowed sharply in recent months, evidence suggests that the situation may be worse than reported. Several factors contributed to China’s slowdown.

Demand for China’s exports in Europe and the U.S. has weakened amid the deepening European sovereign debt crisis and sluggish U.S. economic activity.
Additionally, China’s policy response following the global financial crisis is having unintended effects on its economy. China loosened monetary policy and undertook a massive fiscal stimulus program in response to 2008–09 developments. These policies, which cushioned the economy from the impact of falling demand for exports, had the unintended consequence of generating higher inflation and rising asset prices, particularly in the real estate sector. These developments forced China to reverse course and institute tighter monetary policy last year, creating another round of effects on the economy that continue this year. China’s abrupt policy changes during the past two years are not historically unusual and have been criticized as a source of the country’s big economic swings, which hurt long-run growth. Future policymakers will need more, high-quality quantitative (as opposed to qualitative) economic research to avoid overshooting policy targets and to better stabilize the economy. A critical first step is acquiring high-quality economic data, a process already in the works. China’s National Bureau of Statistics started a new data-collecting system under which businesses report industrial production data online directly to the national statistics agency in Beijing, reducing the chance of manipulation by local authorities. As the world’s second largest economy, China plays an increasingly important role in the global economy.
Acquiring accurate economic data is not only useful to China’s policymaking, but also helpful to other nations, allowing them to better understand China’s current economic conditions and design their policies accordingly.

Koech is an assistant economist and Wang is a senior research economist in the Research Department at the Federal Reserve Bank of Dallas.

Sarbanes Oxley Speakers Bureau
Visit our Sarbanes Oxley Speakers Bureau. The Sarbanes Oxley Compliance Professionals Association (SOXCPA) has established the Speakers Bureau for firms and organizations that want to access the Sarbanes Oxley expertise of Certified Sarbanes Oxley Experts (CSOEs), Certified JSOX Experts (CJSOXEs) and Certified EU Sarbanes Oxley Experts (CEUSOEs) - experts of the 8th Company Law Directive of the European Union. The SOXCPA will be the liaison between our certified professionals and these organizations, at no cost. We strongly believe that this can be a great opportunity for both our certified professionals and the organizers. We will give the details of an event to one or more Sarbanes Oxley experts, who will contact the organization requesting services directly. The Sarbanes Oxley experts will negotiate services and fees. To learn more: www.sarbanes-oxley-association.com/Sarbanes_Oxley_Speakers_Bureau.html

Certified Sarbanes-Oxley Expert (CSOE) Distance Learning and Online Certification Program.
The all-inclusive cost is $147. What is included in the price:

A. The official presentations we use in our instructor-led classes (2247 slides)
(The 1271 slides cover what is needed for the exam and 976 slides cover the Dodd Frank Act that is not part of the exam). Updated: February 17, 2011. The presentations include the Auditing Standards 8 to 15 that apply to Sarbanes Oxley audits, from the PCAOB. Course Synopsis: www.sarbanes-oxley-association.com/CSOE_Course_Synopsis.htm

B. Up to 3 Online Exams
There is only one exam you need to pass, in order to become a Certified Sarbanes-Oxley Expert (CSOE). If you fail, you must study again the official presentations, but you do not need to spend money to try again.
To learn more you may visit: www.sarbanes-oxley-association.com/Questions_About_The_Certification_And_The_Exams_1.pdf and www.sarbanes-oxley-association.com/CSOE_Certification_Steps_1.pdf

C. Personalized Certificate printed in full color
Processing, printing, packing and posting to your office or home

D. The Dodd Frank Act and the Sarbanes Oxley amendments (976 slides)
The US Dodd-Frank Wall Street Reform and Consumer Protection Act is the most significant piece of legislation concerning the financial services industry in about 80 years. What does it mean for risk and compliance management professionals? It means new challenges, new jobs, new careers, and new opportunities. The bill establishes new risk management and corporate governance principles, sets up an early warning system to protect the economy from future threats, and brings more transparency and accountability. It also amends important sections of the Sarbanes Oxley Act. For example, it significantly expands whistleblower protections under the Sarbanes Oxley Act and creates additional anti-retaliation requirements. THE DODD FRANK ACT PRESENTATION IS NOT PART OF THE EXAM - THERE ARE NO QUESTIONS BASED ON THESE 976 SLIDES. We will follow the steps: www.sarbanes-oxley-association.com/Distance_Learning_and_Certification.htm
