8/13/2019 Sox Presentation
Sarbanes-Oxley: Compliance, Approach, Methodology and Products
Wally Khalifa - Managing Partner, Business Practice
Kris DiMaggio - Director, Strategy Practice
June 2005
W BILITYKnowledge&Experience
Agenda
Section I: SOX - Background and Compliance Issues
Section II: Achieving Compliance: Requirements, Approach, Framework and Development Methodology
Section III: Internal Control Management (ICM) Objectives and Technology Solutions
Section IV: Recommendation and Final Words
Sarbanes & Oxley compliance
Section I: Background, The Act, Timelines, Cost of Implementations, and Business Benefits
Background
I.I Background
The Sarbanes-Oxley Act of 2002:
Has ushered in changes to corporate governance that rank among the most sweeping in history.
Developed in response to recent corporate accounting scandals.
Aimed at improving the transparency and accuracy of financial accounting of publicly traded companies.
SOX Basics
Accounting Scandals: Enron, Worldcom, Tyco
Public Markets Decline: Public Markets Decline Significantly
SEC & Congress Respond: Public Call to Restore Investor Confidence
Sarbanes Oxley Act: Act Passed
I.II Sox Basics
SOX Basics
Law
Happens
The ACT
Section 302 --
CEOs and CFOs to sign off on the validity and accuracy of their companies' financial numbers and to certify the controls and procedures behind their financial reports.
Section 404 --
Organizations must ensure that the audit process behind their financial reporting is not only comprehensive and accurate, but that they can also meet strict quarterly timeframes for reporting on an ongoing basis.
I.III Sarbanes-Oxley: The Act
More SOX
Section 409 --
Issuers are required to disclose to the public, on an urgent basis, information on material changes in their financial condition or operations.
Section 802 --
Imposes penalties of fines and/or up to 20 years imprisonment for altering, destroying, mutilating, concealing, falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation.
I.III Sarbanes-Oxley: The Act
Compliance Timeline
Section 302 --
already in effect.
Section 404 --
small companies July 2006
accelerated filers Nov 2005
Section 409 --
will be determined
Section 802 --
will be determined
Sarbanes Oxley
I.IV Compliance Timeline
Questions
Key Questions for Executives Responsible for the Compliance, by SOX Act Section
Section 302: Who in the organization is responsible for ensuring the integrity and always-on status of finance and accounting systems?
Section 404: Does the internal controls framework include business continuity planning and disaster recovery considerations?
Section 409: How will potential material changes be monitored when the systems conducting the monitoring go offline?
SOX Costs
The Government estimates:
$125,000 per Company (Small)
$391,000 per Company (Large)
CFOs' estimates:
$225,000 (Small Company)
$3.14 million (Large Company)
The Trade Group Financial Executives Survey's final results:
$291,000 per Small Company
$4.36 million per Large Company
I.VI Sarbanes-Oxley: Average Cost Of Implementation
SOX Benefits to Investors
Companies have to reveal poor financial reporting practices that should be stopped.
More trust in the financial statements of any company before deciding on any investments.
I.VII Benefits to Investors
SOX Benefits to Companies
Benefits from consolidated data store
Benefits from ability to find data and create reports - business intelligence
Side benefit: discovery of internal fraud and theft through tighter controls
Result: positive shareholder value
I.VIII Benefits to Companies
Penalties
Action | Punishment | Reference
Knowingly altering, destroying or falsifying documents in an effort to impede, obstruct, or influence an investigation | Fines up to 15 million and/or imprisonment up to 20 years | Title VIII, Sec. 802
Securities Fraud | Fines and/or imprisonment up to 25 years | Title VIII, Sec. 807
Mail and Wire Fraud | Imprisonment up to 20 years | Title IX, Sec. 903
Willfully certifying financial reports that do not meet regulatory requirements | Fines up to 5 million and/or imprisonment up to 20 years | Title IX, Sec. 906
Violating SEC regulations | May be ineligible to hold a director or officer level position at any publicly traded company | Title XI, Sec. 1105
I.VIIII Penalties
Methodology of Compliance
Section II: Achieving Compliance: Requirements, Approach, Framework and Deployment Phases
Achieving Compliance
Identify all processes & systems that can have a material effect on financial results:
Identify risks
Document and test all related processes
Document and test internal controls according to a recognized framework such as COSO (Committee of Sponsoring Organizations)
Ensure compliance of business rules and controls
II.I Achieving Compliance - The Big Picture
COSO Framework
The overarching system of controls designed to govern business practices and behaviours.
The overall system of internal control is monitored and improved.
How pertinent information is identified, captured and communicated internally and externally.
How the pertinent activities are designed, implemented and tested.
How the company sets objectives and manages risk.
II.II COSO Framework
High Level Approach
[Diagram: Identify the Universe of Processes (complete list of stream or function financial processes); Conduct Risk & $ Thru Put Assessment (Impact vs. Probability grid); Confirm Adequacy of Selected Processes (risk-filtered processes plus processes management desires to evaluate); Group Processes into Projects for Documentation & Evaluation]
II.III High level Approach
Our Methodology
AUDITOR ATTESTATION
IDENTIFY EXISTING CONTROL ACTIVITIES
REMEDIATE GAPS
IDENTIFY CONTROL OBJECTIVES
TESTING
DETERMINE GAPS
MAP BUSINESS PROCESSES
Processes Assessed through a systematic evaluation
II.IV Our Methodology
Our Methodology
Plan Project
Assess Control Environment
Conduct Pilot
Project Roll-Out
Report Overall Results
Form Steering Committee
Perform Risk Assessment
Identify External Auditor Expectations
Select Documentation Format
Prioritize Processes to Document
Identify Corporate Governance & Management Controls
Identify/Assess/Document IT General Controls
Document & Test Controls for 1-3 Processes
Review Results w/Steering Committee
Refine Approach
Roll-out to Centralized Processes
Roll-out to Other Significant Locations and/or Decentralized Processes
Report/Fix Any Control Deficiencies
Cover Period to Yearend
Software Solution
Section III - Internal Control Management (ICM) Objectives and Technology Solutions
Internal Controls Defined
Internal Controls are measures designed to provide reasonable assurance for
Reliability of financial reporting
Effectiveness and efficiency of operations
Compliance with applicable laws and regulations
III. I Internal Controls - Objectives
Technology will help:
Provide Optimal Solutions that will embrace the improvements of the financial processes that underlie internal controls
Accommodate changes in the regulations, as well as changes in the way the company operates its business.
The Final Word
Technology Solutions
III.II Technology Solutions
Reduces time to compliance
Enhances the procedures for financial reporting & business processes
Accommodates changes in regulations and procedures
Monitors and maintains control procedures
An infrastructure for broader process automation
Final Word
Selection Criteria
III.III Selection Criteria
Technology Features
General:
Provides environment that provides fast access to SOX information (accounts, processes, controls)
Maintains policies, procedures and documentation
Integrates with existing workflow processes
Can import control information from other applications
Managing Controls:
Automates and manages control procedures
Records all control process user workflow activities for accountability
Issues and Audits:
Manages audit preparation activities
Automates SOX issue resolution
III.IV Solution Features
Products
Process Centric Workflow Solutions
E-mail and IM Scanning and Archiving Solutions
Information Lifecycle Management Solutions:
Document Management
Storage Management
III.V Solution Products Categories
Optimal Solutions
Supports the rapid, thorough completion of the audit process
Enables management, enforcement and modification of key processes and financial controls
Allows organizations to easily modify requirements and business logic
III.VI Process Centric Workflow Features
Products
SOXA Accelerator from HandySoft
Provides a solid foundation for corporate governance by streamlining and automating the processes involved in evaluating, documenting and enforcing internal controls
Combines business process management (BPM) technology with the collaboration, search and personalization capabilities of Plumtree's Enterprise website Portal.
III.VII Process Centric Workflow Products
Products
Example: Assentor Enterprise Suite from Illumin Software Services - Performs Message Management
Assentor Compliance - daily supervision of messages; picks out words and phrases that might be in violation of brokerage laws
Assentor Discovery - retrieve archived messages for audits
III.VIII Email Management Products
Products
Example: KVS Enterprise Vault
Can reduce the cost of expensive disk storage
Lets customers set customized retention policies for e-mail, documents, instant messages and Microsoft's SharePoint Portal Server documents.
For SOX, GLB, HIPAA, SEC Rule 17a-4
III.VIIII Email Archiving Products
Recommendations and Final Words
Section IV: Recommendations, Final Words and Future Legislation
Recommendations
We believe that the deployment of a Process-Centric Solution will turn the challenges of SOX compliance into an opportunity, because the same methods you use to come into compliance will be used to improve the performance of your entire financial organization.
Process Centric Solutions bring together process, methodology and documentation to provide a complete solution for SOX compliance and further process improvements.
IV.I Recommendations
Final Words
Sarbanes-Oxley has transformed the corporate landscape with new and complex mandates for corporate financial reporting.
All public companies of all sizes will go through the same basic steps to achieve compliance; each will take a slightly different approach.
Organizations will require a technology solution that does not force them into a particular process or methodology.
Select a tool that will allow you to capture and enforce best practices around the collection and reporting of financial data.
IV.II Final Words
Final Words
The best solutions must be able to easily adapt to individual approaches, provide long term flexibility while coordinating all of the moving parts, tasks, people, and systems involved in compliance.
Compliance is not a one-time event: it is an ongoing process where the initial audit is only the first phase, followed by ongoing enforcement of controls and process enhancement.
Smart organizations will view SOX as an opportunity to establish corporate governance and process excellence in their financial processes and other key business areas.
IV.II Final Words
Future Legislation?
Corporate Information Security Accountability Act (proposed)
Rep. Adam Putnam, R-Fla.
Primary concern: identity theft
Potential SOX-style compliance; would require cyber-security certification by public companies
Not introduced last year; could be introduced in the future?
IV.III Future Legislation ?