Agenda

2. Agenda • Sarbanes Oxley Act • Where to Begin • Creating the Risk Library • Assessments / Audits • Signing Officer • Business Process Owners • Documenting Procedures • Q & A

3. Sarbanes-Oxley ActA Response to the Deterioration in Public Confidence

4. Sarbanes Oxley ActHighlights • Section 103: Your auditor must (and therefore, you should) maintain all audit-related records, including electronic ones, for seven years. Effective now. • Section 201: Firms that audit your company’s books can no longer provide you with IT-related services. Effective now. • Section 301: You must provide systems or procedures that let whistle-blowers communicate confidentially with company’s audit committee. No effective date. • Section 302: Your CEO and CFO must sign statements verifying the completeness and accuracy of financials reports. Effective now. • Section 404: CEO’s, CFO’s and outside auditors must attest to the effectiveness of internal controls for financial reporting. Effective now. • Section 409: Companies must report material changes in their financial conditions “on a rapid and current basis.” The act calls it “real-time disclosure” but doesn’t define what that means. No date set. Computerworld, April 14, 2003

5. The Act states… You must ensure internal controls over your financial reporting. Sections 302 and 404 of Sarbanes Oxley

6. You must be able to attest to… • The Processes affecting values in accounts, • which are exposed to Risks, • which are mitigated by Controls, • which are verified by Audit Procedures.

7. Internal Control TestingWhere to Start

8. Setting Up Internal Controls Review and Update Procedures -Business Process Owners Identify and Organize Processes -Internal Audit/Risk Assurance Partner Identify Risks & Controls for Processes -Internal Audit/Risk Assurance Partner Create Risks & Controls Library -Risk Assurance Partner Upload Risks & Controls Library -Risk Assurance Partner Identify Controls within your system -Internal Audit/Risk Assurance Partner Link Risks to Controls -Internal Audit/Risk Assurance Partner Link Key Controls to Audit Procedures -Internal Audit/Risk Assurance Partner Link Processes to Key Accounts -Internal Audit/Risk Assurance Partner

9. Risk & Control LibraryDEMO

10. Assessment / AuditDEMO

11. Signing OfficerDEMO

12. Business Process OwnerDEMO

13. The Act states… You must ensure internal controls over your financial reporting. Sections 302 and 404 of Sarbanes Oxley

14. You must be able to attest to… • The Processes affecting values in accounts, • which are exposed to Risks, • which are mitigated by Controls, • which are verified by Audit Procedures.

16. Business Process TUTOR Risks Controls ICM / Tutor

17. Do You Want to: • Comply with Corporate Governance regulations by having documented business policies and procedures? • Achieve success through user acceptance of business process and technology changes? • Reduce time spent documenting implementation decisions? • Easily create and maintain all documentation and training material? • Reduce training costs (development, travel, time away)? • Regularly deploy role specific, accurate, up-to-date, procedure manuals? • Modify Oracle eBusiness Suite online help? • Provide employees documentation on an as needed basis; improve employee performance? • Train employees based on theirrole in the organization? • Manage change within the organization? • Leverage documentation and training resources across the organization?

18. Tutor Tools Online and Printed Desk Manuals Content Repository Procedure Documents (MS-Word) P U B L I S H E R Online Help & Reference Materials Apps Help A U T H O R Printed/PDF Student & Instructor Guides Online Help Courseware (MS-PowerPoint) Owners Manuals and Reports Methodology Oracle Tutor - How it works

19. TutorDemo Let’s Take a Closer Look

20. Customer’s: • Uses • US Department of Transportation • University of Virginia • US Army Corps of Engineers • San Francisco State University • Testimony • Medela • Articles • Motorola • ETEC

22. Oracle Tutor • Mature Product • 250 + Pre-built business process • Arthur Andersen Study • 10 – 12 man hr’s create a procedure • 2 - 4 man hr’s to modify an existing procedure ------------ 8 man hr’s time savings per process • Integration • Update to Procedure, automatically updates all other procedures that reference it • Not just for Process Documentation

23. Why Oracle? • Our solution addresses all needs, not just documentation of processes or entering testing results • Uses the business processes that you create or can be modeled from the applications • Leverage your existing information and environment, especially in your GL which directly relates to your financial reporting • Uses powerful Workflow engine to enforce controls and automate what can be automated (reminders, notifications, etc) • Tutor offers delivered content for documentation, desk manuals, and training materials

24. The Act states… You must ensure internal controls over your financial reporting. Sections 302 and 404 of Sarbanes Oxley

25. Q & A

26. Audit Projects

27. Audit Scope

28. Audit Tasks

29. Controls that are being audited

30. Risks that are being audited

31. Findings

32. Certification Status

33. Certification tied to Financial items

34. Business Process Owner View

35. Business Process Owner View

36. Business Process View-issues