1 / 15

CIO COMMUNITY OF PRACTICE MEETING Leveraging Sarbanes-Oxley To Drive Enterprise Value

CIO COMMUNITY OF PRACTICE MEETING Leveraging Sarbanes-Oxley To Drive Enterprise Value. Tom Captain and Carlos Munoz Deloitte. August 21, 2003. Institutional Carte Blanche. Well Known Market Events have Severely Damaged Investor Confidence and Public Trust. August 1982 – March 2000.

thane
Download Presentation

CIO COMMUNITY OF PRACTICE MEETING Leveraging Sarbanes-Oxley To Drive Enterprise Value

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CIO COMMUNITY OF PRACTICEMEETINGLeveraging Sarbanes-Oxley ToDrive Enterprise Value Tom Captain and Carlos Munoz Deloitte August 21, 2003

  2. Institutional Carte Blanche Well Known Market Events have Severely Damaged Investor Confidence and Public Trust August 1982 – March 2000 March 2000 - December 2003 - Beyond Institutional Mistrust II Crisis of Confidence Sept 11,2001, Enron and Andersen III Market Differentiation Public Companies Respond to Sarbanes-Oxley I Bear Market Post Y2K & Internet Bubble Bursts I Initial Growth Tax Cuts And Free Trade II Consolidation/ Acceleration US Wins Cold/Gulf Wars III Irrational Exuberance Y2K and Internet Bubble DJIA DJIA 11,000 11,000 9,000 3,000 800 7,000 1982 1991 2000 2000 2002 2004 Exuberant Capitalism Sarbanes/Oxley All companies get tarred with the same investor (and therefore regulatory) brush

  3. Evolving Regulatory Environment: Key Implications • Sarbanes-Oxley (SOX) regulations • Significant financial reporting /certification costs (upfront/annual) • New CXO/Board member personal risk exposure • Creditors tighten the terms/conditions for capital • Equity Investors have fundamentally changed • More active around issues of corporate governance • Require a higher risk premium from businesses they do not understand • Apply a considerably higher level of due diligence • Displaying quicker/larger/more durable negative reaction to earnings restatements

  4. Critical Dimension of SOX: Financial Information Quality Requirement Information Quality Implication • Reporting Mistakes could result in criminal prosecution of company officers --accuracy • Ambiguity around ‘real-time’ and ‘material’----timeliness • Requires documentation, testing and remediation ---transparency & accuracy 302 • Requirement for CEO & CFO to certify periodic SEC filings • Requirement to disclose in real-time any material changes • Requirement to provide Internal Control Report • Retention and protection of Audit documents and related records 409 404 Digital vaulting & ready access to historical records, correspondence and emails, must be implemented --accuracy 802 Sections of the Sarbanes-Oxley Act Other Mandatory Requirements • 103 Audit Record Retention and Security • 201 Monitoring and Pre-Approval of Non-Audit Services • 301 Audit Committee Monitoring and Complaint / Issue Process • 306 Monitoring and Prevention of Insider Trading • 401 Financial Reporting Disclosure • 402 Monitoring and Prevention of Personal Loans to Executives • 403 >10% Ownership Disclosures within 2 Business Days • 406 Code of Ethics Creation and Disclosure • 407 Disclosure of Financial Expertise on the Audit Committee • 408 Facilitation of SEC Reviews • 501 Security Analyst Monitoring and Disclosure • 806 Whistle Blower Communications and Response • 906 Financial Reporting Certification • 1102 Record Retention and Security SOX regulations attempt to ensure a minimum acceptable level of financial information transparency, accuracy and timeliness--Tablestakes

  5. Earnings 1999 2000 2001 2002 2003E Restoring Trust/Building Shareholder Value will Require Moving Beyond SOX Information Quality Requirements Meet Sarbanes – Oxley Requirements Letter of the Law Spirit of the Law Accuracy Transparency Process Simplification/ Standardization Data Simplification/ Standardization Improve Company IQTM Timeliness Predictability Technology Standardization / Integration Business Process, Data and Technology complexity determines the size of the iceberg

  6. Silver Lining in the SOX Cloud:Business Case for Moving Beyond Compliance is Compelling VALUE + Risk Reduction • Decrease Cost of Capital • Decrease personal liability exposure for directors/CXOs • Mitigate future liabilities exposure Net SOX Cost Savings • Reduce # of processes requiring documentation, remediation & certification Effectiveness Improvements • Improve planning/budgeting • Improve monitoring/analytics • Improve operational decision-making Efficiency Cost Savings • Automate closing • G&A savings • Working Capital improvements Organizational Pain • Retraining • Application Reconfiguration • Enterprise Process/Systems/Data Standardization/Simplification SOX Compliance Costs * • Documentation/Assessment/Remediation • Disclosure and Certification − (*assuming standardization/simplification initiative) Sample Impact in $ millions for a $1 Billion Company

  7. Moving Forward: Controlled Confusion… What are companies thinking? • 79% unsure what implications SOX will have for their company • 85% planning IT systems changes to support SOX • 61% expect business process change will be required 70 ERP Instance Consolidation IT Remedies being explored… 60 Turning on Controls 50 EPM System 40 Percentage Current System Upgrade 30 Do Nothing ChangeCurrent System 20 10 0 Source: AMR Research

  8. The CIO Will Play A Critical Role in SOX Compliance and the Transformation of Company IQTM Data Steward • Effective IT Governance • COBIT Compliance • Data Standards Management • Policy Enforcement • Automated Controls Activation Provide the environment and mechanisms for establishing controls and managing exceptions, and the standards for ensuring data integrity Provide the technological platform and infrastructure to enable, transparent, timely, accurate and predictable information Company IQTM • Platform Standardization • Infrastructure Optimization • Enhanced Transparency • System Integration IT Strategist

  9. The Environment of Mistrust Amplifies a Previously Minimized Dimension of the CIO’s Role: Steward of Financial Information ROLE OF THE CIO Strategic Advisor Operational Lead Information Steward US GDP Growth Internet Bubble Scandal, War & Recession Post-SOX Era Time • Growth – Revenue per share • What’s your Internet strategy? • Innovation – New Products & Services • Profitability - Earnings • What/when are you going to outsource? • Operations – Cost Reduction • Profitability – Quality Earnings • How will you comply with SOX? • Information Quality™ - Trustworthy Financial Data & Disclosure Market Demands • Gain advantage with new technology • Understand emerging trends and their business impact • Spend to create strategic options for “e-businesses” • Reduce total cost of IT • Lead IT component of SOX compliance efforts, especially 404 & 409 • Improve quality of financial information processing & reporting • Reduce total cost of IT • Identify and execute on outsourcing options • Reduce/consolidate staff and systems wherever possible CIO Priorities

  10. The IT Lag: Cautious Movement There appears to be a six month lag for the beginning of IT development once initial Readiness phases have begun. We predict increasing numbers of budget increases for 2004. IT Timing and Level of Spend for Full Sarbanes-Oxley Compliance Projection of Relative IT Spend Sarbanes-Oxley Compliance & COSO Optimization People, Process & Systems Optimization High Internal Controls, Disclosure, & Protection Compliance (IT Development) Focus and Level of Spend Internal Controls Readiness Assessment Low 2002 2003 2004 2005 Sarbanes-Oxley Becomes Law SOX 404 Deadline SEC Final Ruling / COSO OK’d U.S. Public Companies Only Source: Deloitte & Touche Timing

  11. The IT Change Effort: Enabling Technology Even without performance improvement, the technology change effort required for sustainable SOX compliance is significant. Requirement Change Effort SOX Section § 302,401, 403,406, 407,409, 501,906 Financial Reporting Disclosure; Disclosure of Ownership Changes; Code of Ethics Disclosure; Audit Committee Expertise Disclosure; Material Operating/Financial change Disclosure; etc. PROCESS DATA PEOPLE TECHNOLOGY § 404 Management Assessment of Internal Controls § 103,408, 802,102 Audit Record Retention and Security; Facilitation of SEC Review; Related Record Retention; etc. § 201,301, 306,402 806 Pre-approval of Non-Audit Services; Audit Committee Monitoring and Complaint Process; Insider Trading During Blackout Prevention; Personal Loan Prevention; Whistle Blower Process; etc.

  12. Technology Implications: Requirements The underlying technology is driven by the mandated Compliance requirements and the opportunity for COSO operating efficiencies System Requirements Functionality Type of System Risk Control Tracking System Internal Control Field Audit and Measurement ERP, G/L, Consolidation, Fin. Reptg. Systems Controlled Financial Reporting & Transactions Portal, Advanced Reporting, DW, Data Analytics, email Compliance Systems Monitoring, Disclosure, and Prevention Document Management, Workflow System Content Management and Archiving Training and Communication eLearning System Enterprise Systems Mgt, Project Mgt, IT Auto Discovery, Tax Optimization Optimization and Cash Generation (Productivity Tools)

  13. Internal Audit View Sarbanes PMO View Field Audit View (RCTS) External Audit View CEO/CFO View IT Reference Architecture A suggested SOX IT Reference Architecture addresses all mandatory requirements, and positions organizations for ongoing performance improvement Key SOA Sections Sarbanes Oxley Reference Architecture Compliance & Control Portal 302 Disclosure Audit & Remediation Views Monitoring, Prevention & Disclosure Views Training Views ... 404 Controls etc. CIO /COO View HR/ Training View Disclosure Committee View Audit Committee View Business Unit View 409 Disclosure Advanced Reporting & Query Engine 802 Retention Training / eLearning System Compliance Digital Vault Analytics Engine PERFORMANCE IMPROVEMENT / CASH GENERATION SECURITY Compliance Data Warehouse Document Management & Workflow Enterprise Application Integration Engine Sarbanes Risk & Control System (e.g., RCTS) Risk Mgt Systems Other External (e.g., SEC) EMAIL System Other Internal HR Systems CRM Systems Financial Systems * ** EMAIL Compliance RACK = Existing or lower impacted technologies ** = Risk & Control Knowledge Base (RACK) (source of COSO/Process/Industry Framework) * = Risk Control Tracking System (RCTS) (used for SOA Readiness Assessments) COMPLIANCE INFRASTRUCTURE

  14. Conclusion… • We are where we are; (grief) • Some are skeptical of the real consequences or probability of punishment; (denial) • Effort may look like a tax, or maybe worse - punishment of the innocent and uninvolved; (anger) • Some will only minimally comply; (resignation) • However, something may strike a chord for CIOs; (acceptance): • Comparing and contrasting SOX reference architecture with your projects • Can we re-position the portfolio of typical IT initiatives and projects? • Will this make funding and resourcing more likely? • Is this a good thing, ANYWAY?

  15. Contact Information • Tom Captain; Partner, Seattle • tcaptain@dc.com • 206.465.5622 • Carlos Munoz; Senior Manager, San Francisco • cmunoz@dc.com • 415.268.1211 • Deloitte website • www.dc.com

More Related