Internal Control & Sarbanes-Oxley Act
ERPANET Workshop, Antwerp, April 14, 2004
PwC
Agenda
- Background
- The Sarbanes-Oxley Act - An Overview
- Approach to 404 readiness
Background
Reasons for New Legislation
Congressional Votes

                                     Yes    No   Not voting
...ing Marijuana**                    93   310        31
Securities Litigation Reform Act     387   130        15
Authorizing Force again...           373   156        12
Sarbanes-Oxley Act                   522     3         9

** House of Representatives only
Criminal Penalties
- Escaping from prison: 1 to 2 years
- Kidnapping involving ransom: 3 to 5 years
- Second degree murder: 11 to 14 years
- Sarbanes-Oxley Certification: 10 to 20 years
- Air piracy: 20 to 25 years
Is all wisdom coming from the US?
"Americans will always do the right thing... after they have exhausted all other options."
Sir Winston Churchill
The Sarbanes-Oxley Act - An Overview
Titles of the Act
SOX of 2002: An Act to protect investors by improving the accuracy and reliability of corporate disclosures
I. Public Company Accounting Oversight Board
II. Auditor Independence
III. Corporate Responsibility
IV. Enhanced Financial Disclosures
V. Analyst Conflicts of Interest
VI. Commission Resources and Authority
VII. Studies and Reports
VIII. Corporate and Criminal Fraud Accountability
IX. White Collar Crime Penalty
X. Corporate Tax Returns
XI. Corporate Fraud and Accountability
SOX: Who will be affected and how?
Executives: responsibility for financial reporting and keeping the markets informed
- Certifications:
  - 302 Disclosure controls & procedures
  - 404 Internal controls for financial reporting
  - 906 CEO/CFO's written statement on fairness
- Implement Code of Ethics and whistleblower procedure
Supervisory Board:
- Enhanced oversight
- Appointment of a financial expert
Auditors:
- Independence
- Attestation on internal controls
Definition of internal control over financial reporting:
- Encompasses the subset of internal controls addressed in the COSO Report that pertains to financial reporting objectives
- Including controls over safeguarding assets
SOX: Section 302 certification
Section 302 requires (starting March 2002): quarterly certification by the CEO / CFO regarding the completeness and accuracy of quarterly reports as well as the nature and effectiveness of disclosure controls and procedures (DC&P) supporting the quality of information included in such reports.
Representations by CEO and CFO as required by Section 302 to include:
- Review of report: no untrue statement or omission of facts, and fair presentation of financial position, results and cash flow
- Responsibility for design and maintenance of controls, and controls effective during the 90 days prior to filing
- Disclosure of deficiencies in internal control and fraud to the Audit Committee and auditor
- Significant changes that affect internal control, and management response
Actions:
- Enhance DC&P assessment and turn it into a consistent and continuous process
- Ensure coverage of the entire organization (incl. all material subsidiaries)
- Embed into regular review and monitoring processes
Disclosure controls and procedures need to ensure that information required to be disclosed by the issuer is recorded, processed, summarized and reported, and is accumulated and communicated within the time periods specified in the Commission's rules and forms.
SOX: Section 404 certification
Section 404 requires (domestic / foreign as of FY ending 15 November 2004 / 15 April 2005): an annual management report regarding the effectiveness of internal control over financial reporting, and attestation by the company's auditors as to the accuracy of management's assessment.
Representations by CEO and CFO as required by Section 404 to include:
- Management responsibility for adequate internal controls
- Conclusion about management's evaluation of internal controls for financial reporting
Actions:
- Documentation of processes & internal controls (process/activity, risk, control, responsibility)
- Management's evaluation of effectiveness (audits and self assessments)
- Attestation by external auditor
Attestation by the auditor on management's report on internal control requires:
- Management accepts responsibility and assesses internal controls
- Controls are suitably designed and appropriately documented
Internal control is the process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with laws and regulations
SOX: Section 404 Assessment
- Management's assessment must be based on procedures sufficient both to evaluate design and to test operating effectiveness
- Management must maintain evidential matter, including documentation, to provide reasonable support for the assessment of effectiveness (both design and testing)
- Any material weakness in internal control over financial reporting precludes management from reporting that internal control is effective
- Reiteration of guidance regarding independence:
  - Auditors may assist management in documenting internal controls
  - Management must be actively involved in the process; it cannot delegate assessment responsibility to the auditor
SOX: Scope of 302 and 404
- 302: Disclosure controls and procedures
- 404: Internal controls & procedures for financial reporting (COSO & CobiT)
[Diagram: Disclosure Controls and Procedures (DC&P) spanning Disclosure Requirements, Operations, Financial Reporting, Internal Accounting Controls and Compliance & Regulatory; Internal Control over Financial Reporting shown as a subset of DC&P; other aspects of compliance and operations shown outside DC&P]
SOX: Meeting SEC Expectations
- Compliance with COSO control standards (or another accepted standard; the IT Governance Institute recently recommended CobiT for general IT controls assessment)
- Clear documentation of internal controls as well as of the testing processes
- Evidence that management has evaluated the adequacy of the design and the effectiveness of operation of the procedures and controls
- Evidence that the auditor has adequately evaluated the design and operation of financial controls
- Evidence that the audit committee and/or disclosure committee have taken a keen interest in the effectiveness of controls
SOX: Auditor Responsibility (1)
- Independent evaluation of design effectiveness
- Independent tests of operating effectiveness
- Use of internal audit and management tests will need to be assessed to determine how they impact the nature, timing and extent of auditor testing
- Requires some re-performance for each significant account, class of transactions, and disclosure
- Independent testing:
  - Limited use of, or inability to use, tests performed by others (e.g., internal audit)
  - Monitoring function may impair objectivity and the ability to use internal audit in direct assistance
  - Precluded from using internal testing related to certain controls
SOX: Auditor Responsibility (2)
- Auditors' Report: on management's assertion, if internal control is effective, or directly on the ineffectiveness of internal control over financial reporting
- Findings reported include:
  - Significant Deficiency (referred to in the body of the opinion): a deficiency that could adversely affect an entity's ability to initiate, record, process and report financial data
  - Material Weakness (results in an "except for" qualified report): a deficiency that precludes the entity's internal control from reducing to an appropriately low level the risk that a material misstatement will not be prevented or detected on a timely basis
Approach to 404 readiness
Approach to 404 readiness
Recommend a sound but practical approach:
- Maximise what has already been achieved and is internally available
- Anticipate upcoming changes
[Diagram: Value Added from Sarbanes-Oxley, linking Appropriate Control Documentation, Approach and Enabling Technology]
Value Added Approach:
- Seek out operating improvements and identify best practices
- Formal management process to maintain compliance throughout the organization
- Avoid process fatigue
- Opportunity for ROI
Enabling Technology:
- Use technology throughout the organization to facilitate assessment and communication
- Otherwise compliance would add recurring costs
Considerations
Appropriate control documentation:
- Compliance with SOX 404 regulations and proof of compliance
- Timely identification of control weaknesses
- Facilitation of prioritization of remedial actions and action tracking
- Provides the basis for attestation by the auditors
Enabling technology:
- Consistency and quality of controls documentation
- Transparency of weaknesses and improvement areas
- Maintenance and improvement of controls documentation
- Linkage to other risk and quality initiatives
- Auditability of controls
- Facilitation of project management
Project Structure
- Top down: develop at the center, execution by opcos with support of Group teams
- Development of process and controls standards by corporate & Group teams
- Methodology to be developed by the corporate project team and tested and tailored at a pilot site (opportunity: extrapolate best practices)
- Based on Blueprint Internal Control Framework (guidelines following COSO/CobiT) and Roadmap (project steering)
[Organisation chart: Steering Committee; SOX 404 Core Project Team; Group Team, Group Team, Group Team; ICT Team]
Project Responsibilities
Corporate project team also responsible for:
- Communication to divisional teams
- Monitoring of progress
- Consolidation/consistency
- Quality assurance on divisional input
- Change management and training
- Coordination with steering committee
Quality, progress and consistency of opco activities and deliverables to be assured by project teams on Group level.
Execution and addressing control gaps is the responsibility of each opco.
Decision to be taken on full roll out or selected companies only.
Project Steps
Step 0.1 Project setup
- Initial awareness, project owners, resources, budget
- Project team: roles & responsibilities
Step 0.2 Develop Blueprint Internal Control Framework (COSO/CobiT)
- Internal control requirements, objectives & components: control environment, risk assessment, control activities, monitoring, information & communication
- Guidelines & tools
Step 0.3 Develop Roadmap
- Project time line, organisation & quality assurance
- Project communication, training and information sessions
Next Steps
Phase 1: Preparation & Mobilisation
- Step 1 Mobilisation & Project Management
- Step 2 Information Gathering & Project Planning
Phase 2: Execution
- Step 3 Setting the Scope for Pilots
- Step 4 Pilot Execution & Completion of Templates
- Step 5 Roll-out at the Selected Opcos
Phase 3: Evaluation
- Step 6 Evaluating Results & Gap Analysis
- Step 7 Assessment & Testing
- Step 8 Internal Reporting
- Step 9 External Audit & Action Planning
Next steps - Phase 1: Preparation & Mobilisation
Step 1: Mobilisation & project management
- Project organisation, project plan and initial communication
- Establishment of communication channels
Step 2: Information gathering & detailed planning
- Overview of key processes
- Selected Opcos for pilot and full roll out
- Communication and training plan
- Detailed project plan & status reporting template
- Documentation templates
Next steps - Phase 2: Execution
Step 3: Setting the scope for the pilots
- Key business processes relevant for reporting
- One pilot for each selected process
- Communication to all selected Opcos
Step 4: Pilot execution and completion of templates
- Templates to be rolled out to all Opcos
- Trained Opco representatives
- Updated control self assessment questionnaire
- Updated detailed roll-out planning
Step 5: Roll-out at the selected Opcos
- Populated documentation for all selected Opcos
- Updated control self assessment questionnaire
Next steps - Phase 3: Evaluation
Step 6: Evaluation of results & gap analysis
- Assessment of key controls
- Identification of gaps (internal control weaknesses)
- High level action plan for improvement (closing the gaps)
- Completed and validated documentation on process, risk and controls
Step 7: Assessment & testing
- Testing plan and execution of internal testing
Step 8: Internal reporting
- Overview of the assessment process
- Reported conclusions on effectiveness of internal control, weaknesses, reportable conditions and improvement actions
- Clear process for 302 certification and 404 reporting
- Definition of the text of the 302 certification and 404 reporting in SEC filings
Selecting relevant Business Units (decision flow)
1. Is the location or business unit individually important?
   - Yes: evaluate documentation and test significant controls at each location or business unit
   - No: go to 2
2. Are there specific significant risks?
   - Yes: evaluate documentation and test controls over the specific risks
   - No: go to 3
3. Are there locations or business units that are not important even when aggregated with others?
   - Yes: no further action required for such units
   - No: go to 4
4. Are there documented entity-wide controls over this group?
   - Yes: evaluate documentation and test entity-wide controls over the group
   - No: some testing of controls at individual locations or business units is required
SOX: How does IT fit in (1)?
CobiT: Control Objectives for Information and related Technology
[Diagram: CobiT domains Planning & Organisation, Acquisition & Implementation, Delivery & Support and Monitoring, applied to IT resources (data, application systems, technology, facilities, people) and mapped to the COSO components CE, RA, CA, IC, M]
Planning & Organisation:
- PO1 define a strategic IT plan
- PO2 define the information architecture
- PO3 determine technological direction
- PO4 define the IT organisation and relationships
- PO5 manage the investment in IT
- PO6 communicate management aims and direction
- PO7 manage human resources
- PO8 ensure compliance with external requirements
- PO9 assess risks
- PO10 manage projects
- PO11 manage quality
SOX: How does IT fit in (2)?
CobiT - Acquisition & Implementation:
- AI1 identify solutions
- AI2 acquire and maintain application software
- AI3 acquire and maintain technology infrastructure
- AI4 develop and maintain procedures
- AI5 install and accredit systems
- AI6 manage changes
SOX: How does IT fit in (3)?
CobiT - Delivery & Support:
- DS1 define service levels
- DS2 manage third party services
- DS3 manage performance and capacity
- DS4 ensure continuous service
- DS5 ensure systems security
- DS6 identify and attribute costs
- DS7 educate and train users
- DS8 assist and advise IT customers
- DS9 manage the configuration
- DS10 manage problems and incidents
- DS11 manage data
- DS12 manage facilities
- DS13 manage operations
SOX: How does IT fit in (4)?
CobiT - Monitoring:
- M1 monitor the processes
- M2 assess internal control adequacy
- M3 obtain independent assurance
- M4 provide for independent audit