1. George Jones, ChangeMakers, Inc.
Walt Wolenski, EDS
Ray Slocumb, Partner, PWC
Gary Richardson, UH
Barry Rupert, UH
2. Agenda
Welcome: Blake Ives
SOX: Review of Act: Barry Rupert
Introduction to Panel:
Moderator: Gary Richardson, UH
Panel Discussion
3. Upcoming Programs: Tentative Dates
January 15th
February 19th
March 18th
April 15th
May 20th
4. January 15th: Sourcing Innovation Strategy
Jane C. Linder
Senior Research Fellow
Institute for Strategic Change
Accenture
5. February 19th: Exporting Business Processes
7. March 18th: IT in the Early 21st Century: What has changed and what has not changed – A Manager's Guide
Warren McFarlan
Professor
Harvard Business School
8. April 15th: Valuing the IT Investment
Panel Discussion of Best Practice in Responding to the “IT Doesn’t Matter” Challenge
9. May 20th: Spring Planning Event
10. Sarbanes-Oxley Act of 2002 Overview
Barry Rupert
11. Gary Richardson, Moderator
George Jones, ChangeMakers, Inc.
Walt Wolenski, EDS
Ray Slocumb, PWC
12. November 20, 2003
Sarbanes-Oxley Act of 2002: Overview
13. Disclaimer
Not intended as legal advice
Overview not a detailed review of the Act and related rules
Rules are still being reviewed and adopted
Check with your auditor or legal advisor for final rules
14. Background
Sarbanes-Oxley Act (SOX) was a reaction to corporate scandals and lack of investor confidence:
Enron
Arthur Andersen
MCI
Typically what is referred to as SOX is actually a combination of:
Sarbanes Oxley Act of 2002 (H.R. 3763)
Pending and final rules of the Public Company Accounting Oversight Board (PCAOB)
Pending and final Rules of the SEC
Studies by the GAO and others that may result in new laws and/or new rules
Violation of SOX is considered a violation of Securities and Exchange Act of 1934
15. Title IX: White Collar Crime Penalty Enhancement – Overview
Establishes a maximum fine of $1,000,000 and a maximum prison sentence of 10 years for CEOs and CFOs who certify a financial statement knowing that it does not comply with all the requirements of the Act.
Establishes a maximum fine of $5,000,000 and a maximum prison sentence of 20 years for CEOs and CFOs who willfully certify a financial statement knowing that it does not comply with all the requirements of the Act.
16. Scope
Entities that come under the purview of SOX include:
“Issuers” – as defined in section 3 of the Securities and Exchange Act of 1934 includes entities which:
Have securities registered under section 12 or
Are required to file reports under 15(d) or
Have filed or will file a registration statement under the Securities Act of 1933 that is or will become effective and has not been withdrawn.
Layperson’s definition of “issuer”:
Any public company or company that plans to IPO
Alternatively, companies with more than $10 million in assets and whose securities are held by more than 500 owners
Public accounting firms that perform audits for “issuers”
There may be special rules and/or rule effective dates for:
Investment Companies
Foreign Private Issuers
17. Summary of Contents
Title I Public Company Accounting Oversight Board
Title II Auditor Independence
Title III Corporate Responsibility
Title IV Enhanced Financial Disclosures
Title V Analyst Conflicts of Interest
Title VI Commission Resources and Authority
Title VII Studies and Reports
Title VIII Corporate and Criminal Fraud Accountability
Title IX White-Collar Crime Penalty Enhancements
Title X Corporate Tax Returns
Title XI Corporate Fraud and Accountability
18. Title I: Public Company Accounting Oversight Board
Established by the Act
Organized as a nonprofit entity, not as a government agency
Responsibilities
Register and inspect public accounting firms
Establish standards for public accounting firms
Enforce compliance with the Act and Rules of the Board
Investigate firms and impose sanctions
19. Title III: Corporate Responsibility – Overview
Assigns the responsibility to appoint, compensate and oversee the public accounting firm that performs the audit to the audit committee.
Requires CEO and CFO to
certify fairness of financial statements
take responsibility for disclosure controls
Makes it unlawful to fraudulently influence, coerce, mislead an auditor
Provides for the forfeiture of certain compensation following the issuance of a “non-compliant” financial document
Provides the SEC with greater flexibility to remove management or board members
Blocks insider trading during pension fund blackout periods
Requires attorneys to report evidence of material violations
Provides that disgorged profits will benefit the victims
Presenter notes: Define “disclosure controls”. Attorneys that practice before or communicate with the SEC are required to report material violations. What is a “non-compliant” financial document?
20. Title III: Corporate Responsibility – Highlights
Section 301: Public Company Audit Committees
Companies that are not compliant with SEC audit committee requirements are subject to delisting
Audit committee is responsible for oversight of auditors including the resolution of disagreements between management and auditors
Audit committees must set up procedures to receive and address “whistleblower” complaints
Employees and others may take concerns directly to the audit committee.
Audit committee members are required to be independent and a disclosure is required in proxy statements
21. Title III: Corporate Responsibility – Highlights
Section 302: Corporate Responsibility for Financial Reports
Principal executive and financial officers are required to:
Certify that the content of each report is accurate, complete and fairly presented.
Take responsibility for maintaining and evaluating disclosure controls and procedures.
Certification affirms that officers have made required disclosures about
Fraud;
Significant deficiencies, and material weaknesses, and significant changes in internal controls; and
Evaluation of the effectiveness of the disclosure controls and procedures.
22. Title III: Corporate Responsibility – Highlights
Section 302: Corporate Responsibility for Financial Reports (cont.)
Companies must establish and maintain an overall system of disclosure controls and procedures so that the CEO and CFO can
Supervise and review periodic evaluations of the disclosure system
Report the results to security holders
Effectiveness of disclosure controls and procedures must be assessed within 90 days prior to filing dates of quarterly and annual reports
Failure to maintain adequate disclosure controls and procedures may result in SEC action even if it doesn’t lead to flawed financial statements
23. Title IV: Enhanced Disclosure Requirements – Overview
Requires disclosure of material off balance sheet arrangements
Establishes standards for reporting pro forma financial information
Prohibits companies from making loans to directors or executives
Requires earlier disclosure of equity transactions by directors, officers, and other insiders
Requires management to establish and maintain adequate internal controls and procedures for financial reporting
Exempts investment companies from several of the disclosure requirements
Requires disclosure of a code of ethics for senior financial officers
Requires companies to disclose whether at least one of the audit committee members is a financial expert
Requires rapid disclosure of changes in financial condition
24. Title IV: Enhanced Disclosure Requirements – Highlights
Section 404: Management Assessment of Internal Controls
Requires management to establish and maintain adequate internal controls and procedures for financial reporting
Requires that each annual report includes a statement:
Describing management’s responsibility for internal controls and procedures for financial reporting.
Documenting management’s assessment of the effectiveness of the controls and financial reporting procedures
Incorporating the independent auditor’s review of management’s assessment of internal controls and financial reporting procedures
25. Title IV: Enhanced Disclosure Requirements – Highlights
Section 404: Management Assessment of Internal Controls (cont.)
Related SEC releases define internal controls and procedures for financial reporting as controls that provide reasonable assurances that:
Transactions are properly authorized
Assets are safeguarded against unauthorized or improper use
Transactions are properly recorded to permit the preparation of financial statements that are presented consistent with GAAP
To meet the assessment requirement, management must select a suitable recognized framework for assessing the effectiveness of internal controls
26. Find more information on SOX at:
www.findlaw.com – for the text of the Act
www.pcaobus.org – for the current status of rules of the Public Company Accounting Oversight Board
www.sec.gov – for the status of SOX related SEC rules. Of particular interest is www.sec.gov/rules/final/33-8238.htm which contains “Final Rule: Management’s Reports on Internal Controls Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports”
www.aicpa.org – for general information on SOX and its implications
www.isaca.org – for “IT Control Objectives for Sarbanes-Oxley” for a detailed discussion of this issue
27. Gary Richardson, Moderator
George Jones, ChangeMakers, Inc.
Walt Wolenski, EDS
Ray Slocumb, PWC
28. Where Was IT?
29. Where Was IT?
“Where Was IT?” is a legitimate question
The Sarbanes-Oxley Challenge for IT
Would a “Better” IT Organization assist in preventing financial wrongdoing and if so, what does “Better” mean?
30. Where Was IT?
The Mutual Funds Scandal
The MCI Allegations *
The Health South Fraud
……………………
31. The Sarbanes-Oxley Challenge
The Requirement for Disclosure
Bad News must be reported upwards
IT’s projects have potential financial impact
IT’s activity provides a cross company view
“See No Evil” is not allowed
32. The Sarbanes-Oxley Challenge
The Internal Controls Report
Disclosure Reporting Controls
Company wide disclosure reporting mechanisms
IT organization’s own disclosure reporting
Financial Transaction Controls
Data related
Software (logic) related
Third Party product related
IT must help evaluate, strengthen and monitor
33. What is a “Better” IT Organization?
Characteristics that define “Better”
Skills needed to support those characteristics
Training needed to support those skills
Organization and culture
34. Objectives of “Better”
Able to help prevent and detect financial abuse
Responsive to requirements of Sarbanes-Oxley
35. Characteristics of “Better”
Knowledge of relevant law and regulations
Knowledge of accounting rules
Knowledge of business ethics
Able to ask the right questions
Able to make recommendations
Able to analyze relevant design and operations issues
36. Characteristics of “Better”
Expertise in Financial Controls
Financial control objectives
Design of financial controls in systems
Financial control reporting
Able to design and implement financial controls
Able to evaluate controls in third party products
Able to analyze controls and recommend improvements
37. Characteristics of “Better”
Knowledge of the Company’s Business
What we do and how we operate
Understanding the significance of the operational numbers
Able to spot ‘interesting’ deviations
38. Characteristics of “Better”
Healthy, Collaborative Relationships with
Internal accounting
Internal audit
External audit
Treat as a priority activity
Implement their recommendations
Contribute recommendations
Financial Controls
Operations
Reporting
39. Characteristics of “Better”
Familiar with the requirements of Sarbanes-Oxley
Responsibility of disclosure
Control of disclosure
Formal disclosure mechanisms
Importance of internal controls
40. Required Knowledge & Skills
Legal and regulatory environment
Company’s contractual obligations
Accounting standards
Industry standards
Business and professional ethics
Design and implementation of financial controls
41. Training Gaps
Sarbanes-Oxley requirements
Industry legal and regulatory issues
Financial accounting
Business and professional ethics
Accepted Industry practices
Financial controls design & implementation
42. Organization and Culture
“See No Evil” is not allowed
Bad News MUST move up
Requires an open management style without retribution for bad news
43. Conclusions
Sarbanes-Oxley Impact is more than technical, more than analytical, more than financial
SOX places a burden of responsibility on all employees, not just the accountants
SOX impacts IT priorities and “To do” list
SOX will impact the role of IT in its users’ business and data
SOX will challenge any IT organization whose culture is one of containment
44. IT Strategies and SOX
45. The different acts within the legislation can be categorized into six major themes
46. Meeting the requirements of Sarbanes-Oxley will require a significant effort by corporations
“…survey of mostly mid-cap companies...found that the average price to remain public has close to doubled…” – Foley & Lardner
“Enterprises will not be able to easily or inexpensively fulfill government-driven public disclosure tasks.”
– Aberdeen Group
“…the IS organization must create near real-time reporting to meet requirements for greater transparency and quicker deadlines for report filing”
- Gartner Group
47. Companies are taking various approaches to SOX compliance activities and initiatives
Triage approach to changes
Strategic approach to changes
48. Companies are approaching systematic remedies in a variety of manners
49. Different sections of the act are driving or will drive changes in the financial organization
Section 302 & 404
Process mapping
Systematic remedies
Process changes
Collaboration and teaming
Section 409
Systematic remedies
Major process changes
50. Supporting the Sarbanes-Oxley work teams can provide a simple way to create positive impact
51. What Makes A Team Successful?
The Law of the Big Picture
The goal is more important than the role
The Law of the Compass
Vision gives team members direction
The Law of the Scoreboard
The team can make adjustments when it knows where it stands
The Law of Communication
Interaction fuels action
The Law of Dividends
Investing in the team compounds over time
52. Providing real-time visibility into SOX activities and initiatives can create near-term and long term benefits
53. www.eds.com/dwe
54. Introduction of Panel Members
55. Sarbanes-Oxley Act - Background
Public Company Accounting Reform and Investor Protection Act.
Passed in July 2002.
Legislative action in reaction to Enron, Worldcom, and other corporate scandals.
Bill written by Paul Sarbanes, U.S. Senator from Maryland, and Michael Oxley, U.S. Congressman from Ohio.
56. Sarbanes-Oxley Act - Summary
The Act was signed into law on July 30, 2002 and includes eleven titled sections:
Title I Public Company Accounting Oversight Board
Title II Auditor Independence
Title III Corporate Responsibility
Title IV Enhanced Financial Disclosures
Title V Analyst Conflicts of Interest
Title VI Commission Resources and Authority
Title VII Studies and Reports
Title VIII Corporate and Criminal Fraud Accountability
Title IX White Collar Crime Penalty Enhancements
Title X Corporate Tax Returns
Title XI Corporate Fraud and Accountability
57. Sarbanes-Oxley Act of 2002
Requires quarterly certification by the CEO / CFO of all companies filing periodic reports under section 13 (a) or 15 (d) of the Securities Exchange Act of 1934 regarding the completeness and accuracy of such reports as well as the nature and effectiveness of internal controls supporting the quality of information included in such reports.
Requires an annual report by management regarding internal controls and procedures for financial reporting, and an attestation as to the accuracy of that report by the company’s auditors.
58. Management’s Requirements under Section 404
Section 404 – Management Must Assess Internal Controls Annually (for fiscal years ending 6/15/04 and later)
Internal control report states management’s responsibility for establishing and maintaining adequate internal control structure and procedures for financial reporting.
Management must assess effectiveness of internal control structure and procedures for financial reporting as of the end of the most recent fiscal year.
Attestation by external auditor (Section 404 and 103).
59. The Final 404 Rule Provisions – Background
Final Rule Provisions Affect Company Actions Under Sections 404 and 302.
Section 404: Requires an annual report by management regarding the effectiveness of internal control over financial reporting, and an attestation by the company’s auditors as to the accuracy of management’s assessment.
Section 302: Requires quarterly certification by the CEO / CFO regarding the completeness and accuracy of quarterly reports as well as the nature and effectiveness of disclosure controls and procedures (DC&P) supporting the quality of information included in such reports.
Instructor Notes:
Our focus today is on 404, but let's spend a minute getting straight the difference between 302 DC&P and 404.
Say: As you have all read the PwC dataline on the final 404 rules, we are going to highlight the changes rather quickly here:
Quarterly disclosure in 302 certification of material changes in internal control over financial reporting rather than repetition of annual evaluation.
Evaluation date is as of the end of the period covered by the report (annual for foreign private issuers).
Section 302 certifications filed as exhibits to all applicable SEC reports (effectively means that any significant deficiencies are made public)
There is latitude for issuers in determining which internal controls over financial reporting are included in the Company’s inventory of disclosure controls and procedures under Section 302.
See following diagram.
60. Disclosure Controls and Procedures versus Internal Control Over Financial Reporting
The rule states that while the two types of controls are similar in nature, neither one is a complete subset of the other. Disclosure controls will include the components of internal control over financial reporting that reasonably assure financial statements are prepared in accordance with GAAP, but may not include other components of internal control over financial reporting such as safeguarding of assets. The rule gives the example of the control of dual signatures on checks that, while part of internal control over financial reporting, may not necessarily be part of disclosure controls and procedures of a particular company.
61. Audit of Financial Statements vs. 404 Controls Attestation
Audit of Financial Statements:
Understanding and consideration of internal controls only to develop the audit approach
Overall objective is the rendering of an opinion on the financial statements, not to opine on internal controls
Internal control reports have been very rare in practice and are the subject of different auditing standards
404 Attestation:
100% controls-based approach over the entire control environment
Must evaluate and test controls across business and functional areas to opine on effectiveness (broad and deep)
Lack of errors, historically, in financial statements is not de facto evidence, unto itself, of an appropriate internal control structure
62. COSO Is Currently the Only Recognized Internal Control Framework
While Internal Control was not defined in the Act, the COSO definition has been accepted by the US government and its agencies, incorporated in US auditing standards (AU 319), and is a generally accepted integrated framework for control infrastructure. Under regulations for Section 404, the SEC will use AU 319 as the reference.
Internal Control is defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
COSO identifies five components of control that need to be in place and integrated to ensure the achievement of each of the objectives.
63. The Five Components under the COSO Framework
64. Introduction of Panel Members
65. Sarbanes-Oxley Act – Role of IT
“Some controls … might have a pervasive effect on achieving many overall objectives of the control criteria. For example, information technology general controls over program development, program changes, computer operations, and access to programs and data help ensure that specific controls over the processing of transactions are operating effectively.” – PCAOB’s Proposed Auditing Standard for Section 404
“With widespread reliance on information systems, controls are needed over all such systems: financial, compliance and operational, large and small… Two broad groupings of information systems control activities can be used. The first is general controls -- which apply to many if not all application systems and help ensure their continued, proper operation. The second category is application controls, which include computerized steps within the application software and related manual procedures to control the processing of various types of transactions. Together, these controls serve to ensure completeness, accuracy and validity of the financial and other information in the system.” – COSO Report: Internal Control - Integrated Framework
66. Controls over the IT environment
Most Business Processes are either partially or wholly enabled by IT
Achieving control objectives is often dependent on IT based controls
Many controls depend on data generated by IT systems
IT controls need to be considered at 2 levels:
Controls over the IT environment (General Controls)
Controls over individual applications (Application Controls)
67. General computer controls (GCC) – Definition
Controls used to manage and control the information technology activities and computer environment. Comprised of 4 major areas:
Information security – both physical and logical access
Maintenance of existing systems (program change controls)
Computer operations
Development and implementation of new systems
The controls within the GCC environment are considered “pervasive”: they help assure that specific controls over processing of transactions are operating effectively.
68. General computer controls (GCC) – Information security
Examples of controls in this area include:
Authentication of users (e.g., log-in ids and passwords)
Password controls (e.g., password expiry, minimum length, etc.)
Security administration (new user set-up, removing terminated employees, password resets, etc.)
Security monitoring
Physical security of computers and business facility
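The security-administration and password controls listed above are the ones an auditor tests by reconciling an HR roster against an account export. The following script is an added example, not code from the deck or from any of the panel firms: it takes a constructed HR roster and a constructed account export (names, dates and the policy thresholds are all assumptions made for illustration) and produces the exception list a periodic user-access review would produce: terminated employees whose accounts are still enabled, accounts with no person behind them, expired passwords, and dormant accounts.

```python
from datetime import date, timedelta

# Constructed sample inputs (not taken from the deck): an HR roster and a
# directory/application account export of the kind pulled for a periodic
# user-access review. Names and dates are illustrative assumptions.
HR_ROSTER = {
    "alice": {"status": "active", "terminated": None},
    "bob": {"status": "terminated", "terminated": date(2003, 9, 30)},
    "carol": {"status": "active", "terminated": None},
    "dave": {"status": "terminated", "terminated": date(2003, 11, 1)},
    "erin": {"status": "active", "terminated": None},
}

ACCOUNTS = [
    {"user": "alice", "enabled": True, "pw_changed": date(2003, 10, 15), "last_login": date(2003, 11, 18)},
    {"user": "bob", "enabled": True, "pw_changed": date(2003, 6, 1), "last_login": date(2003, 10, 2)},
    {"user": "carol", "enabled": True, "pw_changed": date(2003, 5, 20), "last_login": date(2003, 11, 19)},
    {"user": "dave", "enabled": False, "pw_changed": date(2003, 8, 1), "last_login": date(2003, 10, 30)},
    {"user": "erin", "enabled": True, "pw_changed": date(2003, 10, 1), "last_login": date(2003, 8, 1)},
    {"user": "glsvc", "enabled": True, "pw_changed": date(2003, 1, 10), "last_login": date(2003, 11, 19)},
]

# Assumed policy parameters; a real review uses the company's documented standard.
POLICY = {"max_pw_age_days": 90, "dormant_days": 60, "term_grace_days": 1}

# Date the review is performed "as of" (assumed).
REVIEW_DATE = date(2003, 11, 20)


def review_access(accounts, roster, policy, as_of):
    """Return a list of (user, exception) pairs for the access-review controls.

    Exceptions raised:
      terminated_still_enabled - HR shows the person left, account still enabled
      no_hr_owner              - account has no person behind it (shared/service)
      password_expired         - password older than the maximum age
      dormant                  - enabled account with no recent login
    Disabled accounts are skipped for the password and dormancy tests: the
    control of interest there is that the account was removed, which it was.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        hr = roster.get(user)
        if hr is None:
            findings.append((user, "no_hr_owner"))
        elif hr["status"] == "terminated" and acct["enabled"]:
            deadline = hr["terminated"] + timedelta(days=policy["term_grace_days"])
            if as_of > deadline:
                findings.append((user, "terminated_still_enabled"))
        if not acct["enabled"]:
            continue
        if (as_of - acct["pw_changed"]).days > policy["max_pw_age_days"]:
            findings.append((user, "password_expired"))
        if (as_of - acct["last_login"]).days > policy["dormant_days"]:
            findings.append((user, "dormant"))
    return findings


def summarize(findings):
    """Count exceptions by type; this is the figure that goes into review evidence."""
    counts = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def run_sample_review():
    """Run the review over the constructed sample data."""
    return review_access(ACCOUNTS, HR_ROSTER, POLICY, REVIEW_DATE)


if __name__ == "__main__":
    for user, kind in run_sample_review():
        print(f"{user}: {kind}")
    print(summarize(run_sample_review()))
```

Note that "dave" generates no exception even though he is terminated: his account was disabled, which is exactly the evidence the control is meant to produce. The service account "glsvc" is flagged because no HR record owns it; shared or service accounts need a named owner and a documented password-rotation exception if the policy cannot apply to them.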
69. General computer controls (GCC) – Program change controls
Examples of controls in this area include:
All program change requests are appropriate and authorized
Segregation of duties exists between those that make the changes and those that move the changes to the live processing environment
Version control exists so that two programmers are not modifying the same program which would result in lost changes or conflicts
Testing of the changes to ensure they are accurate
Sign off by the business users who requested the changes to ensure the changes meet the business needs
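The change controls above (authorized requests, segregation of duties between developer and deployer, testing, business sign-off) can be tested mechanically against a change log. The script below is an added example written for this page, not code from the deck or from any of the panel firms; the change records, field names and people are constructed for illustration. It checks each production change for a non-author approver, a deployer other than the developer, approval recorded before deployment rather than back-filled, test evidence, and business sign-off, and returns the exceptions per change.

```python
from datetime import datetime

# Constructed sample change log (not taken from the deck): one record per
# program change promoted to production, as a change-management tool or a
# release log might export it. Names and timestamps are illustrative.
CHANGES = [
    {"id": "CHG-1001", "program": "AR_POST", "developer": "alice",
     "approved_by": "ops_mgr", "approved_at": "2003-11-03T09:00",
     "tested": True, "business_signoff": "ar_lead",
     "deployed_by": "relmgr", "deployed_at": "2003-11-04T18:00"},
    {"id": "CHG-1002", "program": "GL_CLOSE", "developer": "bob",
     "approved_by": "ops_mgr", "approved_at": "2003-11-06T10:00",
     "tested": True, "business_signoff": None,
     "deployed_by": "bob", "deployed_at": "2003-11-06T11:00"},
    {"id": "CHG-1003", "program": "PAYROLL", "developer": "carol",
     "approved_by": "carol", "approved_at": "2003-11-10T17:30",
     "tested": False, "business_signoff": "hr_lead",
     "deployed_by": "relmgr", "deployed_at": "2003-11-10T17:00"},
    {"id": "CHG-1004", "program": "FX_RATES", "developer": "dave",
     "approved_by": None, "approved_at": None,
     "tested": True, "business_signoff": "treasury",
     "deployed_by": "relmgr", "deployed_at": "2003-11-12T19:00"},
]


def _ts(value):
    """Parse an ISO-8601 timestamp string; None stays None."""
    return datetime.fromisoformat(value) if value else None


def check_change(change):
    """Return the list of control exceptions for one change record."""
    exceptions = []
    dev = change["developer"]
    approved_at = _ts(change["approved_at"])
    deployed_at = _ts(change["deployed_at"])

    # Authorization: every change needs an approver who is not its author.
    if not change["approved_by"]:
        exceptions.append("no_approval")
    elif change["approved_by"] == dev:
        exceptions.append("self_approved")
    # Segregation of duties: the developer must not promote to production.
    if change["deployed_by"] == dev:
        exceptions.append("developer_deployed")
    # Approval has to precede deployment, not be recorded afterwards.
    if approved_at and deployed_at and deployed_at < approved_at:
        exceptions.append("deployed_before_approval")
    # Testing and business acceptance evidence must exist.
    if not change["tested"]:
        exceptions.append("no_test_evidence")
    if not change["business_signoff"]:
        exceptions.append("no_business_signoff")
    return exceptions


def check_change_log(changes):
    """Map change id -> exceptions for every change that has at least one."""
    result = {}
    for change in changes:
        exceptions = check_change(change)
        if exceptions:
            result[change["id"]] = exceptions
    return result


if __name__ == "__main__":
    for change_id, exceptions in check_change_log(CHANGES).items():
        print(change_id, ", ".join(exceptions))
```

CHG-1001 is the clean case and produces nothing. The other three show the failure modes an auditor looks for: the developer deploying his own change, an author approving her own change with the approval timestamp after the deployment, and a change with no approval record at all. Running such a check over the full period's change log, rather than sampling by hand, is how IT demonstrates that the control operated consistently.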
70. General computer controls (GCC) – Computer operations
Examples of controls in this area include:
Computer systems are monitored
Job scheduling (batch programs) is monitored
Computer systems are protected against fire/flood
Backups of data are taken daily
A disaster recovery plan (DRP) exists and has been tested recently
71. General computer controls (GCC) – Development & implementation of new systems
Relevant when the company implements new applications or systems.
Examples of controls in this area include:
Converted account balances are reconciled
Testing has occurred
Training has occurred
Data integrity controls are in place
In general, an effective Systems Development Lifecycle (SDLC) and implementation methodology should be followed.
72. Application Controls
73. Summary Application Control Types
74. Linkage between Controls and Financial Statements
75. What guidance is available to help IT meet SOX requirements?
Several standards exist that provide guidance on internal controls from an IT perspective
Application controls:
COSO – Internal Control: Integrated Framework
COBIT – Control Objectives for Information and Related Technology
General computer controls:
COBIT
ISO 17799 – Information Security Management
ITIL – IT Infrastructure Library
SAC – Systems Auditability and Control (IIA)
76. COBIT is a framework well-suited to the needs of SOX 404
Domains:
PO: Planning & Organization
AI: Acquisition & Implementation
DS: Delivery & Support
M: Monitoring
77. IT Governance Institute: Control Objectives for Sarbanes-Oxley
Discussion document issued in October 2003
Based on COBIT
Maps COBIT to COSO
Proposes IT control objectives that are relevant to Sarbanes-Oxley
Control objectives are a subset of COBIT controls objectives
COBIT has 318 control objectives
ITGI proposes 136 for Sarbanes-Oxley
Discussion document can be obtained at www.isaca.org
78. Summary
IT plays a key role in a company’s internal control framework, and therefore has a key role to play in compliance with Sarbanes-Oxley
IT controls include general controls, which ensure the continued, proper operation of computer systems, and application controls, which control the processing of transactions within computer applications.
General controls have a pervasive impact on the overall control environment, and are therefore very important.
Automated application controls must be considered as part of the relevant business process, requiring communication between IT and the business.