Sarbanes-Oxley Section 404 Compliance Process Improvement: A Financial Reporting Risk Management Model

Presented by: John A. Wheeler - Senior Vice President, Financial Reporting Risk Management; Dan Shaughnessy – Partner, KPMG LLP

May 2006

Discussion Agenda

1. A quick review of SunTrust's journey through two years of Sarbanes Oxley Compliance. Lessons learned from year one and best practices achieved in year two.

2. Sustainable compliance: How SunTrust has leveraged a diverse team and technology to create a sustainable process for effective compliance.

3. Future vision: How SunTrust and others can leverage SOX compliance activities into other initiatives.

About SunTrust

• 9th largest U.S. commercial bank based on total revenue

• Headquartered in Atlanta, Georgia

• As of December 31, 2005, total assets of $179 billion

• Footprint: Alabama, Arkansas, Florida, Georgia, Maryland, Mississippi, North Carolina, South Carolina, Tennessee, Virginia, West Virginia, District of Columbia

• Employees: more than 33,000

First Year Program Implementation Challenges

• Interpreting guidance from PCAOB
– Definition of testing
– Role definition (External Audit vs. Internal Audit)
– Amount of reliance placed on Internal Audit

• Narrowing scope on key financial controls while not minimizing importance of operational or “non-key” controls

• Overcoming fatigue from 2003 “dry-run” and re-scoping effort

• Refining materiality definition / criteria and streamlining reporting process

• Coordinating efforts within the lines of business to minimize disruption to business operations

Lessons Learned

• Carefully manage scope

• Improve coordination with external auditor

• Foster business unit ownership of processes and compliance

• Build quality assurance into process

• Plan early and communicate often

• Devote more time to training

• Shift control testing activities to skilled resources to
– increase quality
– minimize disruption to business activities

• Automate to facilitate documentation, deficiency tracking and communication among the various stakeholders (i.e. Executive Management, Business Unit Management, Internal Audit, External Audit, etc.)

What is Sustained Compliance?

• Sustained Compliance means building a better, more embedded, compliance “infrastructure” based on the elements of the control environment.

• Sustained Compliance implies embedding the spirit of Ethics and Integrity and the process of Compliance into the organization’s way of doing business. Sustaining compliance becomes the “platform” for continuous improvement.

Three stages of the compliance program:

1. Focus first-year efforts to FULLY COMPLY
2. Design and implement the “infrastructure” required to SUSTAIN it
3. Identify/implement changes to IMPROVE ongoing performance

Achieving this implies:

• Success is not sustained by “heroic” exertion

• Establishing a compliance program leading to a control environment/culture, not episodic compliance projects

• Assessing and addressing risk is a competence defined for all roles

• Establishing an ethical culture that guides behavior at all levels

2005 Sarbanes-Oxley Program Strategic Decisions

• Established Financial Reporting Risk Management Group with skilled resources to facilitate and oversee compliance program for SOX 302 & 404

• Assigned responsibility for performing management testing of key financial reporting controls to Audit Services

• Leveraged LOB / Function Risk Management infrastructure to maintain required control documentation and execute remediation action plans

• Implemented a software solution to facilitate SOX documentation and reporting

• Evolved SOX 404 Implementation Steering Committee to a permanent Financial Reporting Risk Committee reporting to the Disclosure Committee

2005 Sarbanes-Oxley Program Timeline

1) 2004 Wrap-up / Transition

2) Program Mgt. & Scope

3) Documentation & Assessment

4) Test & Evaluate Effectiveness

5) Deficiency Remediation

6) SOX Section 302 Monitoring / Certification

7) Automation

(Timeline chart, Q1–Q4 2005: 404 Report; FSRA; Y/E Update; Control Testing; 2005 Remediation; Implementation / Ongoing Management; Maintain & Assess; Program Oversight & Update FSRA; 2004 Follow-up; Update. Legend marker = Quarterly Disclosure Review & CEO/CFO Certification.)

2005 Sarbanes-Oxley Program Structure

Organization chart:

• Disclosure Committee
• Audit Committee
• CEO / CFO
• Financial Reporting Control Committee
• Financial Reporting Risk Management
• External Audit / Internal Audit
• Line of Business / Function Heads
• Line of Business / Function Risk Managers & Process Owners

FRRM Organizational Structure

Financial Reporting Risk Management – Senior Risk Officer

Responsibilities by function:

• Program Management
– Project Management
– Organization & Communication
– Issue Management / Escalation
– Transition / Change Management

• Risk Assessment / Financial Analysis
– Risk Assessment Methodology
– Financial Statement Analysis / Scope
– Section 302 Control Change Impact Analysis
– Control Deficiency Impact Analysis

• Documentation & Assessment
– Entity-wide Control Assessment
– Financial Cycle / Control Documentation
– IT General Control Documentation
– External Service Provider / SAS 70 Review

• Deficiency Remediation & Classification
– Testing Result Monitoring
– Deficiency Tracking / Reporting
– Deficiency Classification
– Remediation Action Plan Monitoring
– Section 302 Monitoring / Certification

• Administration
– System Implementation
– Software / Database Administration
– Reporting

Supporting functions: Line of Business / Function Risk Management; Test & Evaluate Operating Effectiveness – Internal Audit

Financial Statement Risk Assessment & Scoping

• Perform initial Financial Statement Risk Assessment (FSRA) based on 2004 year-end financials

• Use quantitative and qualitative measures to determine significant accounts

• Define significant cycles and processes

• Communicate scope changes to risk managers

• Re-perform FSRA quarterly

Scoping and Planning Materiality

2005 Planning Materiality Matrix

| Materiality | High Risk | Lower Risk |
|---|---|---|
| Overall Materiality | 5% of pre-tax income | 5% of pre-tax income |
| Reduction/haircut | 50% | 25% |
| Planning Materiality | 2.5% of pre-tax income | 3.75% of pre-tax income |

SunTrust Planning Materiality: 3% of pre-tax income ($85 Million)

Account Totals: Balance Sheet 178 Accounts; Income Statement 48 Accounts

Documentation and Assessment - Key Concepts

• Standardization of documentation
– COBIT used as framework for ITGC documentation
– Third Party Service Provider – standard evaluation template

• Engagement of external consultants to assist

• Ownership by Lines of Business key to success

• Risk Manager and Line of Business Head Sign-off required at end of documentation phase

• Documentation to be reviewed and updated quarterly

2005 Deficiency Classification Process

Major Phases:

1. Deficiency Identification – Evaluate results from Internal Audit, External Audit and Regulatory Agencies
2. Deficiency Classification – Evaluate qualitative and quantitative factors with assistance of Risk Manager and develop recommended classification
3. Deficiency Escalation to & Approval by FRC Committee – Escalation of deficiencies to Financial Reporting Control (FRC) Committee and Disclosure Committee (as needed)
4. Management Reporting – Report to FRC Committee, Disclosure Committee and Audit Committee (as needed)

“…management must exercise judgment in a reasonable manner in the evaluation of deficiencies in internal control over financial reporting, and such evaluations may appropriately consider both qualitative and quantitative analyses.” – Commission Statement on Implementation of Internal Control Reporting Requirements, 2005-74 (SEC, May 16, 2005)

2005 Deficiency Classification Criteria

Financial Reporting Risk Management will use the following Deficiency Classification Criteria agreed upon by the FRC Committee

| Classification of Financial Reporting Control Deficiency | Likelihood of Misstatement | Potential Magnitude of Income Statement Misstatement* | Potential Magnitude of Balance Sheet Misstatement* |
|---|---|---|---|
| Internal Control Deficiency | Either remote or less than a 10% chance | Inconsequential: less than 1/2% of pre-tax income (approx. $14 million) | Inconsequential: less than 1/2% of total equity (approx. $80 million) |
| Significant Deficiency | More than remote and more than a 10% chance | More than Inconsequential: greater than 1/2% of pre-tax income (approx. $14 million) | More than Inconsequential: greater than 1/2% of total equity (approx. $80 million) |
| Material Weakness | More than remote and more than a 10% chance | Material: greater than 5% of pre-tax income (approx. $141 million) | Material: greater than 5% of total equity (approx. $800 million) |

* Consideration will be given to the impact of known and/or potential misstatements on annual and interim financial statements.

Sarbanes-Oxley Compliance Software Selection

Users:

• Financial Reporting Risk Management
• Risk Managers
• Process Owners
• Internal Audit
• Executive Management
• External Audit

Considerations:

• Controls repository
• Documentation repository
• Test results
• Certification
• Workflow
• Security
• Audit trails
• Reporting

Leading Vendors:

• OpenPages
• Certus
• Paisley Consulting
• Handysoft
• IBM
• Stellent

2006 and Beyond – Continuous Improvement

• Entity-wide assessment – timely execution

• Risk assessment to minimize testing

• Interpreting guidance from PCAOB & SEC

• Continuous enhancement of end-user computing controls

• Leveraging knowledge of controls and optimizing control portfolio to bring value

• Ongoing management of external audit relationship – strengthen communication

• Embedding efforts within the lines of business to foster accountability and ownership of risks

(Timeline graphic: 2004 → 2005 → 2006+)

How Did the Marketplace Get Here?

(Pendulum chart. Horizontal axis: Time, from the late 1990’s through Y2K, S-O 404 and Today to 2006 and Beyond. Vertical axis: Business Benefit, ranging from Risk / Controls Improvement to Business Improvement. Stages along the path: Compliance → Sustainability → Rationalization → Optimization → Transformation. Positions of the pendulum: Performance Focused, Performance Biased, Control Focused, Control Biased, Performance and Control Optimized.)

The pendulum has moved from Performance-focused to Control-focused as market and regulatory drivers have changed in the last 5 years.

Regarding SOX, most companies started with a compliance focus and have entered into sustainability. Some are finding it difficult to move into rationalization.

Analysis of Control Data

(Charts: All Processes; One Process)

Sample Reporting: Opportunity Analysis

(Chart based on current control data, highlighting areas of Significant Opportunity)

Sample Reporting - Summary of Control Transformation/Elimination Opportunities

Opportunity areas, rated for each of four columns (Revenue, Financial Close, Corporate Processes, ITGC):

• Automate Controls: Lowers cost, improves effectiveness, and simplifies on-going testing of controls
• Transform Controls from Detective to Preventive: Shifts the focus to preventing errors and improving decision information
• Lower Frequency of Controls: Ensuring the appropriate number of times a control needs to be performed will ensure efficiency
• Lower Data Error & Rework Rates: Improves cycle time and quality of information, reduces costs and reduces risk
• Improve Staffing Conditions: Enhances employee performance, resulting in improved effectiveness and efficiency and reducing overall cost
• Insignificant Controls (that are currently marked as significant): Controls that were tested in 2004 that are no longer deemed significant
• Overall Opportunity: Prioritization around resource allocation to take advantage of improvements

Rating legend: Greatest Opportunity Exists, Apply Resources / Baseline Resources are Sufficient / Analysis Needed to Determine Resource Allocation

Driving Efficiencies: Cost Reduction Factors

Life Cycle Cost Reduction Approach

• Scope & Plan: Limit the number of in-scope processes and locations based on account characteristics.
• Documentation: Identify key controls to test, and streamline processes and controls across multiple locations / divisions. Fewer documents will result in fewer external auditor walkthroughs.
• Testing: Limit testing to critical plants based on key control selection scoping definitions, sampling across plants or divisions where possible.
• Remediation: Prioritize remediation based on risk to financials.
• External Audit: Higher reliance on management’s testing, limited to testing a subset of management’s controls.
• Process Owner: Less rework and better definitions of evidentiary requirements.
• PMO: More efficient management of tasks, timeliness, and deliverables.

Keys to Building a Sustainable Model

• Formalize the compliance and governance structure
• Clearly define roles and responsibilities
• Identify and actively seek needed skills and competencies
• Invest in training programs that are portable and easy to maintain
• Understand and optimize your controls portfolio
• Standardize documentation across the company
• Integrate Section 302 and 404 – financial reporting and internal control certifications
• Implement a top-down, risk-based scoping approach
• Automate the compliance process as well as controls
• Align key stakeholders’ performance goals/incentives with compliance program objectives
• Communicate, communicate, communicate