Post on 19-Dec-2015
Sarbanes-Oxley: Compliance, Approach, Methodology and Products
Wally Khalifa - Managing Partner – Business Practice
Kris DiMaggio – Director - Strategy Practice
June 2005
WABILITY Knowledge & Experience
Agenda
Section I: SOX- Background and Compliance Issues
Section II: Achieving Compliance: Requirements, Approach, Framework and Development Methodology
Section III: Internal Control Management (ICM) Objectives and Technology Solutions
Section IV: Recommendation and Final Words
Sarbanes & Oxley compliance
Section I: Background, The Act, Timelines, Cost of Implementations, and Business Benefits
Background
I.I Background
The Sarbanes-Oxley Act of 2002:
Has ushered in changes to corporate governance that rank among the most sweeping in history.
Developed in response to recent corporate accounting scandals.
Aimed at improving the transparency and accuracy of financial accounting of publicly traded companies.
SOX Basics
Accounting Scandals: Enron, Worldcom, Tyco
Public Markets Decline: Public Markets Decline Significantly
SEC & Congress Respond: Public Call to Restore Investor Confidence
Sarbanes Oxley Act: Act Passed
I.II Sox Basics
The ACT
Section 302 -- CEOs and CFOs to sign off on the validity and accuracy of their companies’ financial numbers and to certify the controls and procedures behind their financial reports.
Section 404 -- Organizations must ensure that the audit process behind their financial reporting is not only comprehensive and accurate, but that they can also meet strict quarterly timeframes for reporting on an ongoing basis.
I.III Sarbanes-Oxley: The Act
More SOX
Section 409 -- Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations.
Section 802 -- Imposes penalties of fines and/or up to 20 years imprisonment for altering, destroying, mutilating, concealing, falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation.
I.III Sarbanes-Oxley: The Act
Compliance Timeline
Section 302 -- already in effect.
Section 404 -- small companies July 2006; accelerated filers Nov 2005
Section 409 -- will be determined
Section 802 -- will be determined
I.IV Compliance Timeline
Questions
SOX Act Section | Key Questions for Executives Responsible for the Compliance
Section 302 | Who in the organization is responsible for ensuring the integrity and always-on status of finance and accounting systems?
Section 404 | Does the internal controls framework include business continuity planning and disaster recovery considerations?
Section 409 | How will potential “material changes” be monitored when the systems conducting the monitoring go offline?
SOX Costs
The Government estimates: $125,000 per Company (Small); $391,000 per Company (Large)
CFOs' estimates: $225,000 (Small Company); $3.14 million (Large Company)
The Trade Group Financial Executives Survey’s final results: $291,000 per Small Company; $4.36 million per Large Company
I.VI Sarbanes-Oxley: Average Cost Of Implementation
SOX Benefits to Investors
Companies have to reveal poor financial reporting practices that should be stopped.
More trust in the financial statements of any company before deciding on any investments.
I.VII Benefits to Investors
SOX Benefits to Companies
Benefits from consolidated data store
Benefits from ability to find data and create reports – business intelligence
Side benefit: discovery of internal fraud and theft through tighter controls
Result: positive shareholder value
I.VIII Benefits to Companies
Penalties
Action | Punishment | Reference
“Knowingly” altering, destroying, or falsifying documents in an effort to impede, obstruct, or influence an investigation | Fines up to $15 million and/or imprisonment up to 20 years | Title VIII, Sec. 802
Securities Fraud | Fines and/or imprisonment up to 25 years | Title VIII, Sec. 807
Mail and Wire Fraud | Imprisonment up to 20 years | Title IX, Sec. 903
“Willfully” certifying financial reports that do not meet regulatory requirements | Fines up to $5 million and/or imprisonment up to 20 years | Title IX, Sec. 906
Violating SEC regulations | May be ineligible to hold a director or officer level position at any publicly traded company | Title XI, Sec. 1105
I.VIIII Penalties
Methodology of Compliance
Section II: Achieving Compliance: Requirements, Approach, Framework and Deployment Phases
Achieving Compliance
Identify all processes & systems that can have a material effect on financial results:
Identify risks
Document and test all related processes
Document and test internal controls according to a recognized framework such as COSO (Committee of Sponsoring Organizations)
Ensure compliance of business rules and controls
II.I Achieving Compliance-The Big Picture
COSO Framework
The overarching system of controls designed to govern business practices and behaviours.
The overall system of internal control is monitored and improved.
How pertinent information is identified, captured and communicated internally and externally.
How the pertinent activities are designed, implemented and tested
How the company sets objectives and manages risk
II.II COSO Framework
High Level Approach
[Diagram: Identify the Universe of Processes (complete list of Stream or Function Financial Processes); Conduct Risk & $ Thru Put Assessment (grid with axes Impact and Probability); Confirm Adequacy of Selected Processes (risk-filtered processes plus processes management desires to evaluate); Group Processes into Projects for Documentation & Evaluation]
II.III High level Approach
Our Methodology
[Diagram steps: Map Business Processes; Identify Control Objectives; Identify Existing Control Activities; Determine ‘Gaps’; Remediate ‘Gaps’; Testing; Auditor Attestation]
Processes Assessed through a systematic evaluation
II.IV Our Methodology
Our Methodology
Plan Project: Form Steering Committee; Perform Risk Assessment; Identify External Auditor Expectations; Select Documentation Format; Prioritize Processes to Document
Assess Control Environment: Identify Corporate Governance & Management Controls; Identify/Assess/Document IT General Controls
Conduct Pilot: Document & Test Controls for 1-3 Processes; Review Results w/Steering Committee; Refine Approach
Project Roll-Out: Roll-out to Centralized Processes; Roll-out to Other Significant Locations and/or Decentralized Processes
Report Overall Results: Report/Fix Any Control Deficiencies; Cover Period to Yearend
Software Solution
Section III- Internal Control Management (ICM) Objectives and Technology Solutions
Internal Controls Defined
Internal Controls are measures designed to provide reasonable assurance for:
Reliability of financial reporting
Effectiveness and efficiency of operations
Compliance with applicable laws and regulations
III. I Internal Controls - Objectives
Technology will help:
Provide Optimal Solutions that will embrace the improvements of the financial processes that underlie internal controls
Accommodate changes in the regulations, as well as changes in the way the company operates its business.
The Final Word
Technology Solutions
III.II Technology Solutions
Reduces time to compliance
Enhances the procedures for financial reporting & business Processes
Accommodates changes in regulations and procedures
Monitors and Maintains control procedures
An Infrastructure for broader process automation
Final Word
Selection Criteria
III.III Selection Criteria
Technology Features
General:
Provides environment that provides fast access to SOX information (accounts, processes, controls)
Maintains policies, procedures and documentation
Integrates with existing workflow processes
Can import control information from other applications
Managing Controls:
Automates and manages control procedures
Records all control process user workflow activities for accountability
Issues and Audits:
Manages audit preparation activities
Automates SOX issue resolution
III.IV Solution Features
Products
Process Centric Workflow Solutions
E-mail and IM Scanning and Archiving Solutions
Information Lifecycle Management Solutions:
Document Management
Storage Management
III.V Solution Products Categories
Optimal Solutions
Supports the rapid thorough completion of the audit process
Enables management, enforcement and modification of key processes and financial controls
Allows organizations to easily modify requirements and business logic
III.VI Process Centric Workflow Features
Products
SOXA Accelerator from HandySoft
Provides a solid foundation for corporate governance by streamlining and automating the processes involved in evaluating, documenting and enforcing internal controls
Combines business processes management (BPM) technology with the collaboration, search and personalization capabilities of Plumtree's Enterprise website Portal.
III.VII Process Centric Workflow Products
Products
Example: Assentor Enterprise Suite from Illumin Software Services - Performs Message Management
Assentor Compliance - daily supervision of messages – picks out words and phrases that might be in violation of brokerage laws
Assentor Discovery – retrieve archived messages for audits
III.VIII Email Management Products
Products
Example: KVS Enterprise Vault
Can reduce the cost of expensive disk storage
Lets customers set customized retention policies for e-mail, documents, instant messages and Microsoft’s SharePoint Portal Server documents.
For SOX, GLB, HIPAA, SEC Rule 17a-4
III.VIIII Email Archiving Products
Recommendations
We believe that the deployment of a Process-Centric Solution will turn the challenges of SOX compliance into an opportunity, because the same methods you use to come into compliance will be used to improve the performance of your entire financial organization.
Process Centric Solutions bring together process, methodology and documentation to provide a complete solution for SOX compliance and further process improvements.
IV.I Recommendations
Final Words
Sarbanes-Oxley has transformed the corporate landscape with new and complex mandates for corporate financial reporting.
All public companies of all sizes will go through the same basic steps to achieve compliance, but each will take a slightly different approach.
Organizations will require a technology solution that does not force them into a particular process or methodology.
Select a tool that will allow you to capture and enforce best practices around the collection and reporting of financial data.
IV. II Final Words
Final Words
The best solutions must be able to easily adapt to individual approaches, provide long term flexibility while coordinating all of the moving parts, tasks, people, and systems involved in compliance.
Compliance is not a one-time event: it is an ongoing process where the initial audit is only the first phase, followed by ongoing enforcement of controls and process enhancement.
Smart organizations will view SOX as an opportunity to establish corporate governance and process excellence in their financial processes and other key business areas.
IV.II Final Words
Future Legislation?
Corporate Information Security Accountability Act (proposed)
Rep. Adam Putnam, R-Fla.
– Primary concern: identity theft
– Potential SOX-style compliance; would require cyber-security certification by public companies
– Not introduced last year; could be introduced in the future?
IV.III Future Legislation ?