
Sarbanes-Oxley: Compliance, Approach, Methodology and Products

Wally Khalifa - Managing Partner, Business Practice
Kris DiMaggio - Director, Strategy Practice
June 2005

Agenda
Section I: SOX - Background and Compliance Issues
Section II: Achieving Compliance: Requirements, Approach, Framework and Development Methodology
Section III: Internal Control Management (ICM) Objectives and Technology Solutions
Section IV: Recommendation and Final Words

WABILITY Knowledge & Experience

Section I: Background, The Act, Timelines, Cost of Implementations, and Business Benefits

Sarbanes & Oxley compliance

I.I Background
The Sarbanes-Oxley Act of 2002:
- Has ushered in changes to corporate governance that rank among the most sweeping in history.
- Developed in response to recent corporate accounting scandals.
- Aimed at improving the transparency and accuracy of financial accounting of publicly traded companies.

I.II SOX Basics
Flow shown on the slide:
- Enron, Worldcom, Tyco Accounting Scandals
- Public Markets Decline (Public Markets Decline Significantly)
- SEC & Congress Respond (Public Call to Restore Investor Confidence)
- Sarbanes Oxley Act (Act Passed)

SOX Basics: Law Happens

I.III Sarbanes-Oxley: The Act
- Section 302 - CEOs and CFOs to sign off on the validity and accuracy of their companies’ financial numbers and to certify the controls and procedures behind their financial reports.
- Section 404 - Organizations must ensure that the audit process behind their financial reporting is not only comprehensive and accurate, but that they can also meet strict quarterly timeframes for reporting on an ongoing basis.

I.III Sarbanes-Oxley: The Act (More SOX)
- Section 409 - Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations.
- Section 802 - Imposes penalties of fines and/or up to 20 years imprisonment for altering, destroying, mutilating, concealing, falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation.

I.IV Compliance Timeline
- Section 302 - already in effect.
- Section 404 - small companies; accelerated filers (timeline dates: July 2006, Nov 2005)
- Section 409 - will be determined
- Section 802 - will be determined

SOX: Key Questions for Executives Responsible for the Compliance
- Section 302: Who in the organization is responsible for ensuring the integrity and always-on status of finance and accounting systems?
- Section 404: Does the internal controls framework include business continuity planning and disaster recovery considerations?
- Section 409: How will potential “material changes” be monitored when the systems conducting the monitoring go offline?

I.VI Sarbanes-Oxley: Average Cost Of Implementation
- The Government estimates: $125.000 per Company (Small); $391.000 per Company (Large)
- CFOs estimates: $225.000 (Small Company); $3.14 million (Large Company)
- The Trade Group Financial Executives Survey’s final results: $291.000 per Small Company; $4.36 million per Large Company

I.VII Benefits to Investors
- Companies have to reveal poor financial reporting practices that should be stopped.
- More trust in the financial statements of any company before deciding on any investments.

I.VIII Benefits to Companies
- Benefits from consolidated data store
- Benefits from ability to find data and create reports (business intelligence)
- Side benefit: discovery of internal fraud and theft through tighter controls
- Result: positive shareholder value

I.VIIII Penalties

Action: “Knowingly” altering, destroying, or falsifying documents in an effort to impede, obstruct, or influence an investigation
Punishment: Fines up to $15 million and/or imprisonment up to 20 years
Reference: Title VIII, Sec. 802

Action: Securities Fraud
Punishment: Fines and/or imprisonment up to 25 years
Reference: Title VIII, Sec. 807

Action: Mail and Wire Fraud
Punishment: Imprisonment up to 20 years
Reference: Title IX, Sec. 903

Action: “Willfully” certifying financial reports that do not meet regulatory requirements
Punishment: Fines up to $5 million and/or imprisonment up to 20 years
Reference: Title IX, Sec. 906

Action: Violating SEC regulations
Punishment: May be ineligible to hold a director or officer level position at any publicly traded company
Reference: Title XI, Sec. 1105

Section II: Achieving Compliance
Requirements, Approach, Framework and Deployment Phases
Methodology of Compliance

II.I Achieving Compliance - The Big Picture
Identify all processes & systems that can have a material effect on financial results:
- Identify risks
- Document and test all related processes
- Document and test internal controls according to a recognized framework such as COSO (Committee of Sponsoring Organizations)
- Ensure compliance of business rules and controls

II.II COSO Framework
- The overall system of internal control is monitored and improved.
- How pertinent information is identified, captured and communicated internally and externally.
- How the pertinent activities are designed, implemented and tested.
- How the company sets objectives and manages risk.
- The overarching system of controls designed to govern business practices and behaviours.

II.III High Level Approach
- Identify the Universe of Processes (complete list of Stream or Function Financial Processes)
- Conduct Risk & $Thru Put Assessment (chart axes: Impact, Probability)
- Confirm Adequacy of Selected Processes (risk-filtered processes plus processes management desires to evaluate)
- Group Processes into Projects for Documentation & Evaluation

II.IV Our Methodology
Processes assessed through a systematic evaluation. Steps shown on the slide:
- Identify control objectives
- Identify control activities
- Map existing business processes
- Determine ‘gaps’
- Remediate ‘gaps’
- Testing
- Auditor attestation

Our Methodology
Phases: Plan Project; Assess Control Environment; Conduct Pilot Project; Roll-Out; Report Overall Results
Activities:
- Form Steering Committee
- Select Documentation Format
- Perform Risk Assessment
- Prioritize Processes to Document
- Identify External Auditor Expectations
- Identify Corporate Governance & Management Controls
- Identify/Assess/Document IT General Controls
- Document & Test Controls for 1-3 Processes
- Review Results w/Steering Committee
- Refine Approach
- Roll-out to Centralized Processes
- Roll-out to Other Significant Locations and/or Decentralized Processes
- Report/Fix Any Control Deficiencies
- Cover Period to Yearend

Section III: Internal Control Management (ICM) Objectives and Technology Solutions
Software Solution

III.I Internal Controls - Objectives
Internal Controls are measures designed to provide reasonable assurance for:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations

III.II Technology Solutions
Technology will help:
- Provide Optimal Solutions that will embrace the improvements of the financial processes that underlie internal controls
- Accommodate changes in the regulations, as well as changes in the way the company operates its business.

III.III Selection Criteria
- Reduces time to compliance
- Enhances the procedures for financial reporting & business processes
- Accommodates changes in regulations and procedures
- Monitors and maintains control procedures
- An infrastructure for broader process automation

III.IV Solution Features
General
- Provides environment that provides fast access to SOX information (accounts, processes, controls)
- Maintains policies, procedures and documentation
- Integrates with existing workflow processes
- Can import control information from other applications
Managing Controls
- Automates and manages control procedures
- Records all control process user workflow activities for accountability
Issues and Audits
- Manages audit preparation activities
- Automates SOX issue resolution

III.V Solution Products Categories
- Process Centric Workflow Solutions
- E-mail and IM Scanning and Archiving Solutions
- Information Lifecycle Management Solutions: Document Management, Storage Management

III.VI Process Centric Workflow Features
- Supports the rapid thorough completion of the audit process
- Enables management, enforcement and modification of key processes and financial controls
- Allows organizations to easily modify requirements and business logic

III.VII Process Centric Workflow Products
SOXA Accelerator from HandySoft
- Provides a solid foundation for corporate governance by streamlining and automating the processes involved in evaluating, documenting and enforcing internal controls
- Combines business processes management (BPM) technology with the collaboration, search and personalization capabilities of Plumtree's Enterprise website Portal.

III.VIII Email Management Products
Example: Assentor Enterprise Suite from Illumin Software Services. Performs Message Management.
- Assentor Compliance: daily supervision of messages; picks out words and phrases that might be in violation of brokerage laws
- Assentor Discovery: retrieve archived messages for audits

III.VIIII Email Archiving Products
Example: KVS Enterprise Vault
- Can reduce the cost of expensive disk storage
- Lets customers set customized retention policies for e-mail, documents, instant messages and Microsoft’s SharePoint Portal Server documents.
- For SOX, HIPAA, GLB, SEC Rule 17a-4

Section IV: Recommendations, Final Words and Future Legislation
Recommendations and Final Words

IV.I Recommendations
- Process Centric Solutions bring together process, methodology and documentation to provide a complete solution for SOX compliance and further process improvements
- We believe that the deployment of a Process Centric Solution will turn the challenges of SOX compliance into an opportunity, because the same methods you use to come into compliance will be used to improve the performance of your entire financial organization.

IV.II Final Words
- Sarbanes-Oxley has transformed the corporate landscape with new and complex mandates for corporate financial reporting.
- All public companies of all sizes will go through the same basic steps to achieve compliance; each will take a slightly different approach.
- Organizations will require a technology solution that does not force them into a particular process or methodology.
- Select a tool that will allow you to capture and enforce best practices around the collection and reporting of financial data.

IV.II Final Words
- The best solutions must be able to easily adapt to individual approaches, provide long term flexibility while coordinating all of the moving parts, tasks, people, and systems involved in compliance.
- Compliance is not a one-time event: it is an ongoing process where the initial audit is only the first phase, followed by ongoing enforcement of controls and process enhancement.
- Smart organizations will view SOX as an opportunity to establish corporate governance and process excellence in their financial processes and other key business areas.

IV.III Future Legislation?
Corporate Information Security Accountability Act (proposed), Rep. Adam Putnam, R-Fla.
- Primary concern: identity theft
- Potential SOX-style compliance, would require cyber-security certification by public companies
- Not introduced last year, could be introduced in the future?