1. The Sarbanes-Oxley Act of 2002

2. 1 Overview of the Sarbanes-Oxley Act of 2002 The Sarbanes-Oxley Act and the related SEC rule-making provide clarity and certainty on a number of highly debated issues by: –Establishing an independent, full-time oversight board (the Public Company Accounting Oversight Board) for capital-market participants; the SEC has oversight of the board –Establishing new responsibilities for audit committees and corporate officers –Defining “nonaudit” services that public accounting firms can provide to audit clients Specifically prohibiting eight services to audit clients (most already eliminated in past years), including internal audit outsourcing and financial information systems design and implementation; the eight services are discussed in more detail later in this presentation Permitting all other services, subject to audit committee pre-approval (the Public Company Accounting Oversight Board may establish other prohibited nonaudit services) –Strengthening penalties for corporate fraud –Requiring rules to address analyst conflict of interest –Significantly increasing the responsibilities and budget of the SEC Overview and Impact of Sarbanes

3. 2 Potential Benefits of the Proposed Standard Strengthens confidence in the reliability of the financial statements and the quality of reporting, because it should reduce the risk of material misstatement Provides an opportunity to review the company’s processes and enhance efficiency throughout all significant financial and operating processes Enables the company to put the most effective controls in place Provides a method of setting the “tone at the top”— emphasizing the importance of a strong internal control structure Provides management with a platform to hold individuals accountable for noncompliance Provides accountability to management for resolving significant deficiencies and material weaknesses Overview and Impact of Sarbanes

4. 3 Key Requirement Implication 103Audit Record Retention and Security 201Monitoring and Pre-Approval of Non-Audit Services 301Audit Committee Monitoring and Complaint/Issue Process 306Monitoring and Prevention of Insider Trading 401Financial Reporting Disclosure 402Monitoring and Prevention of Personal Loans to Executives 403>10% Ownership Disclosures Within Two Business Days 406 Code of Ethics Creation and Disclosure 407 Disclosure of Financial Expertise on the Audit Committee 408 Facilitation of SEC Reviews 501 Security Analyst Monitoring and Disclosure 806 Whistle Blower Communications and Response 906 Financial Reporting Certification 1102 Record Retention and Security Other Mandatory Requirements CEO and CFO Certification of Periodic SEC Filings 302 404 409 802 Retention and Protection of Audit Documents and Related Records Digital vaulting and ready access to historical records, including correspondence and emails, must be implemented Sections of the Act Accuracy issues resulting in criminal prosecution of company officers must be identified and removed CEO & CFO Certification of Internal Controls With Auditor Attestation Requires ongoing documentation, evaluation, testing, and remediation of financial reporting controls Rapid and Current Basis Disclosure of Financial and Operating Events Monitoring, prevention, and real-time disclosure of material changes must be systematic and ongoing Key Requirements Overview and Impact of Sarbanes

5. 4 Current PCAOB Guidance (as updated March 9, 2004) Implementation deadline extended –Years ending after November 15, 2004 for accelerated filers –Years ending after July 15, 2005 for others Foreign filers and/or Companies with Market Cap ≤ $75 million held by non-affiliates Remaining points to be clarified: Reliance on Service Auditors (SAS 70) Final Approval and Issuance by the SEC Current PCAOB Guidance (as updated March 9, 2004) Implementation deadline extended –Years ending after November 15, 2004 for accelerated filers –Years ending after July 15, 2005 for others Foreign filers and/or Companies with Market Cap ≤ $75 million held by non-affiliates Remaining points to be clarified: Reliance on Service Auditors (SAS 70) Final Approval and Issuance by the SEC Overview and Impact of Sarbanes Section 404 Requirements This section will require management to document the design of internal controls, as well as their process for evaluating the effectiveness of the internal controls over financial reporting. The most time intensive section of the Sarbanes-Oxley legislation is expected to be Section 404. This Section requires management to assert to the design and operating effectiveness of the Company’s internal control as of its fiscal year end and to provide for an attestation by the independent auditor to such effectiveness.

6. 5 Managements’ Responsibility for 404 Compliance The Company should be prepared to perform the following in preparation for the 404 attestation: –Management must accept responsibility for the effectiveness of the internal control environment –The organization must evaluate the effectiveness of internal controls utilizing suitable criteria (such as COSO) –Sufficient evidence must be gathered that supports management’s assertion –Management must document internal controls and their assessment of effectiveness, and the monitoring and testing performed to ensure that controls are operating effectively –Management must provide a written assertion on the effectiveness of internal control over financial reporting The external auditor will be responsible for performing the financial statement audit and the internal control audit: –The external auditor will examine and express an opinion of management’s written assertions of the Company’s internal control structure, including: The design of internal controls The operation of internal controls The process management used for evaluating internal controls –The external auditor will examine and express an opinion of the financial statements Overview and Impact of Sarbanes

7. 6 Managements’ Report (Assertion) A Company’s Annual Report must include: A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company; A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting; Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company's internal control over financial reporting is effective. The assessment must include disclosure of any "material weaknesses" in the company's internal control over financial reporting identified by management; and A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the registrant's internal control over financial reporting. Overview and Impact of Sarbanes

8. 7 Select a Suitable Internal Control Framework Overview and Impact of Sarbanes © 1992 by the American Institute of Certified Public Accountants, Inc. Reprinted with permission. The process to determine whether internal control is adequately designed, executed effective and adaptive Management Analysis Disclosure Committee Internal Audits The policies and procedures that help ensure that actions are identified to manage risk are executed and timely Delegation of Authority Approvals Common Processes and Systems Segregation of Duties Account Reconciliations Information Technology Controls The control conscience of an organization. The “tone at the top” Code of Ethics Documented Policies and Procedures Cultural Assessment The process which ensures that relevant information is identified and communicated in a timely manner Messages from Senior Management Policies and Procedures Training Code of Ethics The evaluation of internal and external factors that impact an organization’s performance Business Risk Management Process Risk Management Internal Audit Risk Assessment

9. 8 Deficiencies – Specific Guidance “At least” Significant Deficiencies Selection and application of accounting policies Antifraud programs and controls Non-routine and nonsystematic Period end financial reporting process, including journal entries “Strong Indicator” of Material Weakness Restatement of previously issued financials Material audit adjustments Ineffective audit committee Ineffective control environment Ineffective internal audit or risk assessment function Ineffective regulatory compliance function Fraud of any magnitude by senior management Failure to timely correct significant deficiencies Absence of misstatements detected does not provide evidence that controls are effective Overview and Impact of Sarbanes

10. 9 Establishing a Compliance Program and Infrastructure Example Project Organization Board/Audit Committee Steering Committee Internal Control Implementation Team Project Manager CEODisclosure Committee CFO External Auditor Project Plan

11. 10 Sample Project Timeline Project Plan Scope & Plan External Audit Retesting Client Documentation, Testing and Remediation Ext. Audit Retesting Year-End Control s Estimated Timeline 2004 2005AprilMayJuneJulyAugustSeptOctNovDecJan

12. 11 Lessons Learned from Early Implementers Companies should understand outsourced business relationships as soon as possible. You have to understand the controls over these activities as well as activities conducted wholly within the organization. Our experience suggests that many service providers are not ready to provide the information and assistance you need. Companies are encouraged to build a sustainable process that becomes embedded in ‘the way you do business’. Remember, compliance is not a one-off event. Everything takes longer to complete than anticipated. Keep the “pedal to the metal” in the project! COSO contains five areas that need to be addressed for compliance. Do not focus on one to the detriment of the others. They all require time to address. Reporting the results of the assessments performed at diverse locations requires preplanning and consideration early Current Developments

13. 12 Companies should consider how they can use this project as an opportunity to challenge current business practices and processes. The result can be reduced complexity, standardization, stronger and more effective controls, and – ultimately - a stronger and more manageable enterprise. Ensure that anti-fraud programs and controls are addressed sufficiently. In essence, this is why Sarbanes-Oxley was enacted in the first place. Understanding the nature of controls and how to test them appropriately can be a confusing and daunting task for individuals that have never had to face this before. Even those you think know how to identify, document and test controls – such as internal audit - often need much assistance. Companies should train their team early, often and well! Lessons Learned from Early Implementers, continued Current Developments