Sarbanes-Oxley: Compliance, Approach, Methodology and Products. Wally Khalifa, Managing Partner, Business Practice. Kris DiMaggio, Director, Strategy Practice. June 2005.
Agenda • Section I: SOX Background and Compliance Issues • Section II: Achieving Compliance: Requirements, Approach, Framework and Development Methodology • Section III: Internal Control Management (ICM) Objectives and Technology Solutions • Section IV: Recommendation and Final Words
Section I: Background, The Act, Timelines, Cost of Implementations, and Business Benefits Sarbanes & Oxley compliance
Background I.I Background The Sarbanes-Oxley Act of 2002: • Has ushered in changes to corporate governance that rank among the most sweeping in history. • Developed in response to recent corporate accounting scandals. • Aimed at improving the transparency and accuracy of financial accounting of publicly traded companies.
SOX Basics I.II Sox Basics • Enron, Worldcom, Tyco Accounting Scandals • Public Markets Decline Significantly • Public Call to Restore Investor Confidence • SEC & Congress Respond • Act Passed • Sarbanes Oxley Act
SOX Basics Law Happens
The ACT I.III Sarbanes-Oxley: The Act • Section 302 -- CEOs and CFOs to sign off on the validity and accuracy of their companies’ financial numbers and to certify the controls and procedures behind their financial reports. • Section 404 -- Organizations must ensure that the audit process behind their financial reporting is not only comprehensive and accurate, but that they can also meet strict quarterly timeframes for reporting on an ongoing basis.
More SOX I.III Sarbanes-Oxley: The Act • Section 409 -- Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations. • Section 802 -- Imposes penalties of fines and/or up to 20 years imprisonment for altering, destroying, mutilating, concealing, falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation.
Compliance Timeline I.IV Compliance Timeline • Section 302 -- already in effect • Section 404 -- small companies: July 2006; accelerated filers: Nov 2005 • Section 409 -- will be determined • Section 802 -- will be determined
SOX Costs I.VI Sarbanes-Oxley: Average Cost Of Implementation • The Government estimates: $125,000 per Company (Small); $391,000 per Company (Large) • CFOs' estimates: $225,000 (Small Company); $3.14 million (Large Company) • The Trade Group Financial Executives Survey’s final results: $291,000 per Small Company; $4.36 million per Large Company
SOX Benefits to Investors I.VII Benefits to Investors • Companies have to reveal poor financial reporting practices that should be stopped. • More trust in the financial statements of any company before deciding on any investments.
SOX Benefits to Companies I.VIII Benefits to Companies • Benefits from consolidated data store • Benefits from ability to find data and create reports – business intelligence • Side benefit: discovery of internal fraud and theft through tighter controls • Result: positive shareholder value
Penalties I.VIIII Penalties
Section II: Achieving Compliance: Requirements, Approach, Framework and Deployment Phases. Methodology of Compliance
Achieving Compliance II.I Achieving Compliance: The Big Picture. Identify all processes & systems that can have a material effect on financial results: • Identify risks • Document and test all related processes • Document and test internal controls according to a recognized framework such as COSO (Committee of Sponsoring Organizations) • Ensure compliance of business rules and controls
COSO Framework II.II COSO Framework • The overall system of internal control is monitored and improved. • How pertinent information is identified, captured and communicated internally and externally. • How the pertinent activities are designed, implemented and tested. • How the company sets objectives and manages risk. • The overarching system of controls designed to govern business practices and behaviours.
High Level Approach II.III High level Approach [Diagram. Steps: Identify the Universe of Processes • Conduct Risk & $Thru Put Assessment • Group Processes into Projects for Documentation & Evaluation • Confirm Adequacy of Selected Processes. Labels: Complete list of Stream or Function Financial Processes • Risk-filtered processes plus processes management desires to evaluate. Risk grid axes: Impact, Probability; numbered processes grouped into Projects.]
Our Methodology II.IV Our Methodology • IDENTIFY CONTROL OBJECTIVES • IDENTIFY EXISTING CONTROL ACTIVITIES • REMEDIATE ‘GAPS’ • TESTING • AUDITOR ATTESTATION • MAP BUSINESS PROCESSES • DETERMINE ‘GAPS’. Processes Assessed through a systematic evaluation
Our Methodology
Plan Project: • Form Steering Committee • Perform Risk Assessment • Identify External Auditor Expectations • Select Documentation Format • Prioritize Processes to Document
Assess Control Environment: • Identify Corporate Governance & Management Controls • Identify/Assess/Document IT General Controls
Conduct Pilot: • Document & Test Controls for 1-3 Processes • Review Results w/Steering Committee • Refine Approach
Project Roll-Out: • Roll-out to Centralized Processes • Roll-out to Other Significant Locations and/or Decentralized Processes
Report Overall Results: • Report/Fix Any Control Deficiencies • Cover Period to Year-end
Section III- Internal Control Management (ICM) Objectives and Technology Solutions Software Solution
Internal Controls Defined III.I Internal Controls - Objectives. Internal Controls are measures designed to provide reasonable assurance for • Reliability of financial reporting • Effectiveness and efficiency of operations • Compliance with applicable laws and regulations
Technology Solutions III.II Technology Solutions • Technology will help: • Provide Optimal Solutions that will embrace the improvements of the financial processes that underlie internal controls • Accommodate changes in the regulations, as well as changes in the way the company operates its business. • The Final Word
Selection Criteria III.III Selection Criteria • Reduces time to compliance • Enhances the procedures for financial reporting & business processes • Accommodates changes in regulations and procedures • Monitors and maintains control procedures • An infrastructure for broader process automation • Final Word
Technology Features III.IV Solution Features General • Provides environment that provides fast access to SOX information (accounts, processes, controls) • Maintains policies, procedures and documentation • Integrates with existing workflow processes • Can import control information from other applications Managing Controls • Automates and manages control procedures • Records all control process user workflow activities for accountability Issues and Audits • Manages audit preparation activities • Automates SOX issue resolution
Products III.V Solution Products Categories • Process Centric Workflow Solutions • E-mail and IM Scanning and Archiving Solutions • Information Lifecycle Management Solutions: Document Management, Storage Management
Optimal Solutions III.VI Process Centric Workflow Features • Supports the rapid, thorough completion of the audit process • Enables management, enforcement and modification of key processes and financial controls • Allows organizations to easily modify requirements and business logic
Products III.VII Process Centric Workflow Products • SOXA Accelerator from HandySoft • Provides a solid foundation for corporate governance by streamlining and automating the processes involved in evaluating, documenting and enforcing internal controls • Combines business process management (BPM) technology with the collaboration, search and personalization capabilities of Plumtree's Enterprise website Portal.
Products III.VIII Email Management Products. Example: Assentor Enterprise Suite from Illumin Software Services, which performs message management • Assentor Compliance: daily supervision of messages; picks out words and phrases that might be in violation of brokerage laws • Assentor Discovery: retrieves archived messages for audits
Products III.VIIII Email Archiving Products. Example: KVS Enterprise Vault • Can reduce the cost of expensive disk storage • Lets customers set customized retention policies for e-mail, documents, instant messages and Microsoft’s SharePoint Portal Server documents. • For SOX, GLB, HIPAA, SEC Rule 17a-4
Section IV: Recommendations, Final Words and Future Legislation. Recommendations and Final Words
Recommendations IV.I Recommendations • Process Centric Solutions bring together process, methodology and documentation to provide a complete solution for SOX compliance and further process improvements • We believe that the deployment of a Process-Centric Solution will turn the challenges of SOX compliance into an opportunity, because the same methods you use to come into compliance will be used to improve the performance of your entire financial organization.
Final Words IV.II Final Words • Sarbanes-Oxley has transformed the corporate landscape with new and complex mandates for corporate financial reporting. • All public companies of all sizes will go through the same basic steps to achieve compliance, but each will take a slightly different approach. • Organizations will require a technology solution that does not force them into a particular process or methodology. • Select a tool that will allow you to capture and enforce best practices around the collection and reporting of financial data.
Final Words IV.II Final Words • The best solutions must be able to easily adapt to individual approaches, provide long term flexibility while coordinating all of the moving parts, tasks, people, and systems involved in compliance. • Compliance is not a one-time event: it is an ongoing process where the initial audit is only the first phase, followed by ongoing enforcement of controls and process enhancement. • Smart organizations will view SOX as an opportunity to establish corporate governance and process excellence in their financial processes and other key business areas.
Future Legislation? IV.III Future Legislation ? Corporate Information Security Accountability Act (proposed) Rep. Adam Putnam, R-Fla. • Primary concern: identity theft • Potential SOX-style compliance; would require cyber-security certification by public companies • Not introduced last year; could be introduced in the future?