The Sarbanes-Oxley Act of 2002 1 PricewaterhouseCoopers Introduction of Panel Members The...

PricewaterhouseCoopers

Introduction of Panel Members

The Sarbanes-Oxley Act of 2002

What Companies Should Be Doing Now

March 10, 2003

Michael Cobb (813) 222-6212

Sarbanes-Oxley Act of 2002

Section 302

Requires quarterly certification by the CEO / CFO of all companies filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 regarding the completeness and accuracy of such reports as well as the nature and effectiveness of internal controls supporting the quality of information included in such reports.

Section 404

Requires an annual report by management regarding internal controls and procedures for financial reporting, and an attestation as to the accuracy of that report by the company’s auditors.

Addressing DC&P Requirements

[Diagram with legend. Labels: Internal Accounting Controls; Disclosure Requirements; Financial Reporting; Compliance; Operations; Internal Controls Over Financial Reporting; Disclosure Controls and Procedures; Internal Controls over Disclosure Requirements]

What are the Questions That Need to be Asked?

What does our control structure look like and how does it operate?

Who is accountable?

How does it deal with change?

What are the critical control activities?

Are they monitored?

Is all of this documented?

How will I demonstrate that I have reviewed the controls every quarter?

Why the Need for Control Structure Documentation?

Available for third-party purposes

Enables External Auditor’s attestation work

Enables ongoing assessment of operating effectiveness

Facilitates linkage to COSO

Supports management assertions

Reduces risk and supports operational efficiency

Controls over the IT environment

• Most business processes are critically enabled by IT

• Achieving objectives is often dependent on IT based controls

• Many controls depend on data generated by IT systems

• IT controls need to be considered at 2 levels:

– Controls over the IT environment (General Controls)

– Controls over individual applications

Audit of Financial Statements vs. 404 Controls Attestation

Audit of Financial Statements

• Understanding and consideration of internal controls only to develop the audit approach

• Overall objective is the rendering of an opinion on the financial statements, not to opine on internal controls

• Internal control reports have been very rare in practice and are the subject of different auditing standards

404 Attestation

• 100% controls-based approach

• Must evaluate and test controls across business and functional areas to opine on effectiveness (broad and deep)

• Lack of errors, historically, in financial statements is not de-facto evidence unto itself, of an appropriate internal control structure

Management’s Requirements Under Section 404

Section 404 – Management Must Assess Internal Controls Annually (effective date pending)

• Internal control report states management’s responsibility for establishing and maintaining adequate internal control structure and procedures for financial reporting.

• Management must assess effectiveness of internal control structure and procedures for financial reporting as of the end of the most recent fiscal year.

• Attestation by external auditor (Section 404 and 103).

The Intersection of Sections 302 and 404

404: Basis for Auditors’ Evaluation and Testing

302: Management’s Certification Related to the Financial Reporting Elements of DC&P

Internal Controls for Financial Reporting

The Five Components under the COSO Framework

Control Activities

Policies/procedures that ensure management directives are carried out.

Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

Monitoring

Assessment of a control system’s performance over time.

Combination of ongoing and separate evaluation.

Management and supervisory activities.

Internal audit activities.

Control Environment

Sets tone of organization, influencing control consciousness of its people.

Factors include integrity, ethical values, competence, authority, responsibility.

Foundation for all other components of control.

Information and Communication

Pertinent information identified, captured and communicated in a timely manner.

Access to internal and externally generated information.

Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action.

Risk Assessment

Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.

All five components must be in place for a control to be effective.

Control Objectives and Types of Financial Controls to Be Identified

Standard Control Objectives (All Cycles/Processes/Activities):

Completeness of input

Accuracy of input

Completeness and accuracy of output

Authorization/Validity

Timeliness

Others:

– Safeguarding of assets

– Segregation of duties

Types of Financial Controls

Basic/Application Controls

Monitoring Controls

General/Computer Controls

Mapping to Controls

STEPS:

1. Map F/S line items to cycles/processes

2. Document each existing process (detailed flowcharts and narratives)

3. Identify controls in place

4. Test controls for effectiveness

5. Highlight missing controls

6. Assess impact of missing controls

7. Fill gaps

[Diagram: FINANCIAL STATEMENTS to CYCLES/PROCESSES to CONTROLS]

Implementation Issues

Resources

Training / Education

Project management

Scope Setting

– Centralized vs. decentralized processes

– Multinational / Multilocation

– Common vs. independent systems

– Acquisitions

– Shared service centers

Measurement of control effectiveness

Reporting

Disclosure controls and procedures

– Financial

– Non-financial

Action Plan

Following an iterative approach to evaluate and assess control environment will provide readiness for 404 certifications and improve 302 compliance

Educate Management / Board

Mobilize

Collect Data on “As-Is” Environment

Assess Maturity and Perform Gap Analysis

Address Needs for Continuous Improvement

This process should be repeated as necessary in a continual effort to improve the level of maturity of an organization’s internal controls.