The Value-Added Proposition

Get independent documented proof that you’re doing all that the law requires 


Corporate Directors’ & Officers’ Legal Duties for Information Security and Privacy: A Turn-Key Compliance Audit Process, by Charles Cresson Wood 

This new process is far better than the management self-assessment of, and representations about, internal controls required by § 404 of the Sarbanes-Oxley Act of 2002. Those Sarbanes-Oxley self-assessments and representations are suspect, and of questionable merit, because they originate with the management of the firm in question, which therefore has reason to paint an unrealistically rosy picture. The Duties Audit™ Professional Opinion about the prevailing “tone at the top” is instead based on an independent attorney’s identification of the relevant legal obligations, an investigation of the evidence of compliance, and a structured and standardized review of that same evidence, so that the resulting standardized objective report can be used to provide:


  1. EVIDENCE: Internally create credible documentary evidence that could later be admissible in court, indicating that the Directors & Officers have been diligent, and have in fact been shown to be in full compliance, in all material respects, with all their legal duties in the information security and privacy area,
  2. AWARENESS: Internally raise the level of awareness of the Directors & Officers, when it comes to information security and privacy, by giving them an explicit job description that indicates their minimum legal duties (this clarity about their legally defined responsibilities naturally generates a new level of concern and engagement),
  3. REMEDIES: Confidentially and rapidly generate a list of remedial actions that need to be pursued in the near term, in order for the Directors & Officers to be found to be “fully compliant” in the following year’s Duties Audit engagement (this additional report about remedial actions is provided only when needed),
  4. QUALITY: Internally establish a new and more rigorous quality control process, a new information technology governance process, or a new integrated risk management process, on which management bonuses, management promotions, management performance reviews, and other decision-maker incentives can be based,
  5. SCREENING: Externally determine whether your firm can trust the information security and privacy provided by third-party firms (outsourcing firms, software as a service firms, cloud-based data processing firms, business partners, etc.), and whether it is reasonable and justifiable to do business with those firms,
  6. PROTECTION: Externally obtain annual assurances that third-party firms continue to properly protect your firm’s disclosed data—for example, assurance that a third-party firm, which has received your firm’s trade secrets, continues to be able to protect those trade secrets—as is required by contract; alternatively, obtain demonstrated “satisfactory assurances” so that they might be passed along to both customers and business partners,
  7. RELIANCE: Externally measure whether another firm is well-managed, in the area of information security and privacy, for example as a part of the due diligence process that must be successfully completed before a merger or acquisition deal could be closed, or before a major loan or capital infusion is approved,
  8. ASSURANCE: Externally assure stockholders, lenders, and regulators that the Directors & Officers have in fact been diligently performing their fiduciary duties in this same area, and that they have been avoiding what the law calls the “waste” of corporate resources,
  9. CONDITIONS: Externally create contractual hurdles that must be cleared in order for something important to happen, for example in order for an outsourcing firm’s contract to be annually renewed (also suitable for settlement agreements, consent decrees, non-prosecution agreements, plea deals, etc.), and
  10. TRUST: Externally generate a markedly higher level of third-party trust (for example by disclosing the “fully compliant” Professional Opinions generated via the Duties Audit™ process to prospective customers and existing customers), showing that the auditee firm is a good corporate citizen, and thereby obtain marketing benefits, generate competitive advantage, and/or help restore a good reputation after a breach.
