
Post on 19-Dec-2015


Sarbanes-Oxley: Compliance, Approach, Methodology and Products

Wally Khalifa, Managing Partner, Business Practice

Kris DiMaggio, Director, Strategy Practice

June 2005

WABILITY Knowledge & Experience

Agenda

Section I: SOX- Background and Compliance Issues

Section II: Achieving Compliance: Requirements, Approach, Framework and Development Methodology

Section III: Internal Control Management (ICM) Objectives and Technology Solutions

Section IV: Recommendation and Final Words

Sarbanes & Oxley compliance

Section I: Background, The Act, Timelines, Cost of Implementations, and Business Benefits

Background

I.I Background

The Sarbanes-Oxley Act of 2002:

Has ushered in changes to corporate governance that rank among the most sweeping in history.

Developed in response to recent corporate accounting scandals.

Aimed at improving the transparency and accuracy of financial accounting of publicly traded companies.

SOX Basics

Accounting Scandals

Public Markets Decline

SEC & Congress Respond

Sarbanes Oxley Act

Enron, Worldcom, Tyco

Public Call to Restore Investor Confidence

Act Passed

Public Markets Decline Significantly

I.II Sox Basics

SOX Basics

Law

Happens

The ACT

Section 302 -- CEOs and CFOs must sign off on the validity and accuracy of their companies’ financial numbers and certify the controls and procedures behind their financial reports.

Section 404 -- Organizations must ensure that the audit process behind their financial reporting is not only comprehensive and accurate, but that they can also meet strict quarterly timeframes for reporting on an ongoing basis.

I.III Sarbanes-Oxley: The Act

More SOX

Section 409 -- Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations.

Section 802 -- Imposes penalties of fines and/or up to 20 years imprisonment for altering, destroying, mutilating, concealing, falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation.

I.III Sarbanes-Oxley: The Act

Compliance Timeline

Section 302 -- already in effect.

Section 404 -- small companies: July 2006; accelerated filers: Nov 2005

Section 409 -- will be determined

Section 802 -- will be determined

I.IV Compliance Timeline

Questions

SOX Act Section | Key Questions for Executives Responsible for the Compliance

Section 302 | Who in the organization is responsible for ensuring the integrity and always-on status of finance and accounting systems?

Section 404 | Does the internal controls framework include business continuity planning and disaster recovery considerations?

Section 409 | How will potential “material changes” be monitored when the systems conducting the monitoring go offline?

SOX Costs

The Government estimates:

$125,000 per Company (Small)

$391,000 per Company (Large)

CFOs' estimates:

$225,000 (Small Company)

$3.14 million (Large Company)

The Trade Group Financial Executives Survey’s final results:

$291,000 per Small Company

$4.36 million per Large Company

I.VI Sarbanes-Oxley: Average Cost Of Implementation

SOX Benefits to Investors

Companies have to reveal poor financial reporting practices that should be stopped.

More trust in the financial statements of any company before deciding on any investments.

I.VII Benefits to Investors

SOX Benefits to Companies

Benefits from consolidated data store

Benefits from ability to find data and create reports – business intelligence

Side benefit: discovery of internal fraud and theft through tighter controls

Result: positive shareholder value

I.VIII Benefits to Companies

Penalties

Action | Punishment | Reference

“Knowingly” altering, destroying, or falsifying documents in an effort to impede, obstruct, or influence an investigation | Fines up to $15 million and/or imprisonment up to 20 years | Title VIII, Sec. 802

Securities Fraud | Fines and/or imprisonment up to 25 years | Title VIII, Sec. 807

Mail and Wire Fraud | Imprisonment up to 20 years | Title IX, Sec. 903

“Willfully” certifying financial reports that do not meet regulatory requirements | Fines up to $5 million and/or imprisonment up to 20 years | Title IX, Sec. 906

Violating SEC regulations | May be ineligible to hold a director or officer level position at any publicly traded company | Title XI, Sec. 1105

I.VIIII Penalties

Methodology of Compliance

Section II: Achieving Compliance: Requirements, Approach, Framework and Deployment Phases

Achieving Compliance

Identify all processes & systems that can have a material effect on financial results:

Identify risks

Document and test all related processes

Document and test internal controls according to a recognized framework such as COSO (Committee of Sponsoring Organizations)

Ensure compliance of business rules and controls

II.I Achieving Compliance-The Big Picture

COSO Framework

The overarching system of controls designed to govern business practices and behaviours.

The overall system of internal control is monitored and improved.

How pertinent information is identified, captured and communicated internally and externally.

How the pertinent activities are designed, implemented and tested

How the company sets objectives and manages risk

II.II COSO Framework

High Level Approach

[Figure: process selection flow]

Identify the Universe of Processes: complete list of stream or function financial processes

Conduct Risk & $ Thru Put Assessment (axes: Impact, Probability)

Confirm Adequacy of Selected Processes: risk-filtered processes plus processes management desires to evaluate

Group Processes into Projects for Documentation & Evaluation

II.III High level Approach

Our Methodology

[Figure: methodology cycle with the stages below]

MAP BUSINESS PROCESSES

IDENTIFY CONTROL OBJECTIVES

IDENTIFY EXISTING CONTROL ACTIVITIES

DETERMINE ‘GAPS’

REMEDIATE ‘GAPS’

TESTING

AUDITOR ATTESTATION

Processes assessed through a systematic evaluation

II.IV Our Methodology

Our Methodology

Plan Project: Form Steering Committee; Perform Risk Assessment; Identify External Auditor Expectations; Select Documentation Format; Prioritize Processes to Document

Assess Control Environment: Identify Corporate Governance & Management Controls; Identify/Assess/Document IT General Controls

Conduct Pilot: Document & Test Controls for 1-3 Processes; Review Results w/Steering Committee; Refine Approach

Project Roll-Out: Roll-out to Centralized Processes; Roll-out to Other Significant Locations and/or Decentralized Processes

Report Overall Results: Report/Fix Any Control Deficiencies; Cover Period to Yearend

Software Solution

Section III- Internal Control Management (ICM) Objectives and Technology Solutions

Internal Controls Defined

Internal controls are measures designed to provide reasonable assurance for:

Reliability of financial reporting

Effectiveness and efficiency of operations

Compliance with applicable laws and regulations

III. I Internal Controls - Objectives

Technology will help:

Provide Optimal Solutions that will embrace the improvements of the financial processes that underlie internal controls

Accommodate changes in the regulations, as well as changes in the way the company operates its business.

The Final Word

Technology Solutions

III.II Technology Solutions

Reduces time to compliance

Enhances the procedures for financial reporting & business Processes

Accommodates changes in regulations and procedures

Monitors and Maintains control procedures

An Infrastructure for broader process automation

Final Word

Selection Criteria

III.III Selection Criteria

Technology Features

General:

Provides environment that provides fast access to SOX information (accounts, processes, controls)

Maintains policies, procedures and documentation

Integrates with existing workflow processes

Can import control information from other applications

Managing Controls:

Automates and manages control procedures

Records all control process user workflow activities for accountability

Issues and Audits:

Manages audit preparation activities

Automates SOX issue resolution

III.IV Solution Features

Products

Process Centric Workflow Solutions

E-mail and IM Scanning and Archiving Solutions

Information Lifecycle Management Solutions:

Document Management

Storage Management

III.V Solution Products Categories

Optimal Solutions

Supports the rapid thorough completion of the audit process

Enables management, enforcement and modification of key processes and financial controls

Allows organizations to easily modify requirements and business logic

III.VI Process Centric Workflow Features

Products

SOXA Accelerator from HandySoft

Provides a solid foundation for corporate governance by streamlining and automating the processes involved in evaluating, documenting and enforcing internal controls.

Combines business process management (BPM) technology with the collaboration, search and personalization capabilities of Plumtree's Enterprise website Portal.

III.VII Process Centric Workflow Products

Products

Example: Assentor Enterprise Suite from Illumin Software Services - performs message management

Assentor Compliance - daily supervision of messages – picks out words and phrases that might be in violation of brokerage laws

Assentor Discovery – retrieve archived messages for audits

III.VIII Email Management Products

Products

Example: KVS Enterprise Vault

Can reduce the cost of expensive disk storage

Lets customers set customized retention policies for e-mail, documents, instant messages and Microsoft’s SharePoint Portal Server documents.

For SOX, GLB, HIPAA, SEC Rule 17a-4

III.VIIII Email Archiving Products

Recommendations and Final Words

Section IV: Recommendations, Final Words and Future Legislation

Recommendations

We believe that the deployment of a Process-Centric Solution will turn the challenges of SOX compliance into an opportunity, because the same methods you use to come into compliance will be used to improve the performance of your entire financial organization.

Process-Centric Solutions bring together process, methodology and documentation to provide a complete solution for SOX compliance and further process improvements.

IV.I Recommendations

Final Words

Sarbanes-Oxley has transformed the corporate landscape with new and complex mandates for corporate financial reporting.

All public companies of all sizes will go through the same basic steps to achieve compliance, but each will take a slightly different approach.

Organizations will require a technology solution that does not force them into a particular process or methodology.

Select a tool that will allow you to capture and enforce best practices around the collection and reporting of financial data.

IV. II Final Words

Final Words

The best solutions must be able to easily adapt to individual approaches and provide long-term flexibility while coordinating all of the moving parts, tasks, people, and systems involved in compliance.

Compliance is not a one-time event: it is an ongoing process where the initial audit is only the first phase, followed by ongoing enforcement of controls and process enhancement.

Smart organizations will view SOX as an opportunity to establish corporate governance and process excellence in their financial processes and other key business areas.

IV.II Final Words

Future Legislation?

Corporate Information Security Accountability Act (proposed)

Rep. Adam Putnam, R-Fla.

– Primary concern: identity theft

– Potential SOX-style compliance; would require cyber-security certification by public companies

– Not introduced last year; could be introduced in the future?

IV.III Future Legislation ?