Vericept and Sarbanes Oxley

1
Vericept and Sarbanes Oxley
2
Sarbanes-Oxley Requirements

• Antifraud programs and controls
• Fraud risk assessment (Section 103)
• Actions to identify, prevent and mitigate
  fraudulent financial reporting or misuse of
  company assets
• Revenue recognition, pricing discussions
• CEO and CFO certification
• Disclosure of controls and procedures (Section
  302)
• Ensure material information is made known to them
• Evaluated effectiveness of disclosure controls
  and procedures
• Disclosed to audit committee and independent
  auditors any significant control deficiencies,
  material weaknesses and actos of fraud involving
  management or other employees

3
Sarbanes-Oxley Requirements

• Managements Annual Assessment Report
• Assessment of Internal Controls over Financial
  Reporting (Section 404)
• Statement Management is responsible for
  establishing and maintaining controls
• Disclosure of any material weakness in system of
  internal controls
• Independent Auditors attestation report on
  managements assessment of internal controls
• Code of Conduct and Ethics
• Ensuring adherence to Code (Section 406)
• Existence does not address effectiveness
• Should address conflicts of interest,
  confidentiality of information, proper use of
  assets, RPT, illegal acts and compliance with
  laws and regulations
• E-mail is a common communication method

4
Vericept Enabling Sarbanes-Oxley Compliance

• Managing and Strengthening Internal Controls
• Provides a continuous monitoring mechanism to
  satisfy and enforce Internal Control requirements
• Information financial and proprietary
• Ethical and Conduct Codes
• Communication paths
• Data-in-Motion and Data-at-Rest
• Specifically addresses 103, 302, 404 and 406

5
Actual Examples

• Case No. 1. Potential Insider Tipping
• Just prior to a Companys earnings announcement
  (but luckily after the close of trading), a Sales
  Employee contacts a third party by email and
  indicates that the Company will have a great
  quarter and that the third party should buy
  stock. The Companys policy as well as federal
  law prohibits such activity. The email is
  retrieved using Vericept along with other emails
  and the employee is dismissed. Employee does not
  bring a wrongful termination lawsuit.
• Case No. 2. Posting of Confidential Company
  Information on the Internet
• Highly confidential Product roadmap information
  is posted on a message board on the internet.
  Given the information, the Company believes that
  someone in an Engineering lab may be posting the
  information or providing a third party with the
  information. The Company conducts an
  investigation and immediately communicates to all
  employees a new email policy noting that any
  email communications are not subject to privacy.
  Management describes to the employees Vericept as
  a tool being utilized. No similar internet
  postings have occurred since the communication of
  the policy and the use of Vericept.
• Case No. 3. Revenue Recognition Reviews
• A non-material software sales transaction is
  identified early in the quarter close procedures
  as potentially not meeting the revenue
  recognition rules. Vericept is utilized to find
  the email trail that cleared the transaction.

6
How a prominent customer is using Vericept for
SOX
I am complying with 50 of my Ethical Code of
Conduct by using Vericept as an internal
monitoring control -Sr. Corporate Governance
Officer, Global Conglomerate
7
Other Regulation and Compliance Areas Enforced

• Internal Acceptable Use Policies
• Sexual harassment policy
• Use of e-mail/IM policy
• Insider trading policy
• CA SB 1386 Compliance
• Identity theft
• Conduct business in California
• Maintain computerized data with personal
  information
• First and last name in combination with SS or
  drivers license or credit or debit card
  (password)
• Failure to report unauthorized breach
• Company liable to civil action for damages
• Similar legislation introduced at federal level

8
Customer Feedback

• Vericepts Fraud and Identity Theft solution was
  a perfect fit when we were looking for a way to
  comply with the California Database Protection
  Act of 2003 (CDPA), which essentially mandates
  that any company doing business in California
  must protect the consumer information that
  resides in its database. Vericepts technology
  accurately monitors all communications across our
  network and flags all violations of the Act.
• We view Vericepts Fraud and Identity Theft
  solution as a integral element in our
  Sarbanes-Oxley Act compliance strategy, as it is
  able to pinpoint and document instances of fraud
  across the network.
• Paul Brothe
• Director Internal Audit
• McData

9
Analyst Feedback

• Increasingly, Fraud and Identity Theft are
  becoming significant problems for business. IDC
  estimates that over one third of the financial or
  data loss incidents involve insiders. Vericept's
  innovative approach ties the insider problem with
  the leaking of sensitive information. IDC
  believes organizations that are trying to combat
  fraud and identity theft should consider
  integrating Vericepts solution into their
  overall exposure management and security
  infrastructure.
• -Brian Burke
• Research Manager, Security Products
• IDC