California State University, Fullerton SOX 404

1. California State University, FullertonSOX 404 April 29, 2005 Glenn Burr Ernst & Young

2. Topics Material Weaknesses Using the Work of Management and Others Best Practices Thinking Beyond Year One

3. Evaluating and Classifying Deficiencies(1)

4. Internal Control Deficiencies The PCAOB clarified the term �inconsequential� as follows: �A misstatement is inconsequential if a reasonable person would conclude, after considering the possibility of further undetected misstatements, that the misstatement, either individually or when aggregated with other misstatements, would clearly be immaterial to the financial statements. If a reasonable person could not reach such a conclusion regarding a particular misstatement, that misstatement is more than inconsequential.� �Reasonable Person� criteria involves significant judgment

5. Deficiencies and Weaknesses Material Weakness: Is a significant deficiency or combination of significant deficiencies that result in more than a remote likelihood that a material misstatement will not be prevented or detected Must be reported publicly Significant Deficiency: Is a control deficiency or combination of control deficiencies that results in more than a remote likelihood that a misstatement will not be prevented or detected Must be reported to the Audit Committee but are not required to be reported publicly

6. Evaluating and Classifying Deficiencies (1) Restatement of previously issued financial statements to reflect the correction of an error Material audit adjustments in the current year Ineffective audit committee oversight Ineffective internal audit or risk assessment function Ineffective regulatory compliance function for highly regulated industries Identification of fraud of any magnitude on the part of senior management Lack of progress on correcting significant deficiencies over time Ineffective control environment (e.g., tone at the top) (1) See paragraph 140 of PCAOB auditing standard #2 for a more expanded discussion

7. Internal Control Deficiencies Likelihood of potential misstatement should be determined after considering compensating controls Deficiencies should first be evaluated individually, and the determination as to whether they are significant deficiencies or material weaknesses should be made considering the effects of compensating controls The effects of compensating controls should be taken into account when assessing the likelihood of a misstatement occurring and not being prevented or detected

8. Remediating Deficiencies Management�s report for SOX 404 is as at fiscal year-end and deficiencies fixed by that time generally do not result in an adverse opinion In order to say that a deficiency is fixed, it must be remediated and tested to show that it is working over a sufficient period of time � for example, a quarterly control needs to be working over two quarters to be considered closed It is important to remediate deficiencies in sufficient time before year-end for testing by both management and the internal auditor to show the remediation is working

9. Using the Work of Management and Others Overall, auditor�s own work must provide principal evidence for audit opinion (considering qualitative and quantitative factors) Auditor�s consideration focuses on: Nature of controls being tested Competence and objectivity of individuals performing the work Testing the work performed by others to evaluate the quality and effectiveness of their work (it should be noted that testing the work of others does not �count� as principal evidence of the auditor) An effective internal audit function permits the auditor to reduce the work that otherwise would be necessary Auditor prohibited from using the work of others in evaluating the control environment, including fraud programs and controls, and in performing walk-throughs of major classes of transactions (should review results of work performed by others) Testing performed by internal auditors as direct assistance does not qualify as part of the principal evidence supporting the auditors� opinion The Final Standard describes a framework for evaluating the extent to which the auditor can use the work of management and others, focusing on the nature of the controls tested, and the competence and objectivity of those who performed the work. In this regard, internal auditors would normally be expected to have greater competence and objectivity with regard to internal control over financial reporting than other company personnel. The Final Standard retains the requirement that the auditor�s own work must provide the principal evidence for the audit opinion on internal control. Although the auditor is required to re-perform some of the tests performed by others in order to use their work, the Final Standard does not set any specific requirement on the extent of the re-performance. For example, it does not require that the auditor re-perform tests of controls over all significant accounts for which the auditor uses the work of others. Rather, the Final Standard relies on the auditor's judgment and the above two principles to determine the appropriate extent of re-performance. The Final Standard describes a framework for evaluating the extent to which the auditor can use the work of management and others, focusing on the nature of the controls tested, and the competence and objectivity of those who performed the work. In this regard, internal auditors would normally be expected to have greater competence and objectivity with regard to internal control over financial reporting than other company personnel. The Final Standard retains the requirement that the auditor�s own work must provide the principal evidence for the audit opinion on internal control. Although the auditor is required to re-perform some of the tests performed by others in order to use their work, the Final Standard does not set any specific requirement on the extent of the re-performance. For example, it does not require that the auditor re-perform tests of controls over all significant accounts for which the auditor uses the work of others. Rather, the Final Standard relies on the auditor's judgment and the above two principles to determine the appropriate extent of re-performance.

10. Using the Work of Management and Others The materiality of the accounts and disclosures that the control addresses and the risk of material misstatement The degree of judgment required to evaluate the operating effectiveness of the control (that is, the degree to which the evaluation of the effectiveness of the control requires evaluation of subjective factors rather than objective testing). The pervasiveness of the control The level of judgment or estimation required in the account or disclosure The potential for management override of the control

11. Best Practices

12. Best Practices

13. Best Practices

14. Thinking Beyond Year One Sarbanes Section 404 is not a one-time event A more efficient and effective process must be developed to sustain compliance at a reasonable cost Comply by designing and sustaining a process that: Provides for management reliance for quarterly and annual attestations Is seamlessly embedded with other business processes Achieves efficiency and effectiveness in documenting, updating, archiving and assessing company control documentation, as well as company policies Manages administrative burden of compliance Enables teams to identify, report and remediate failures in a timely manner Proactively deal with change in people, processes and technology � a formalized �change management� process