Sarbanes-Oxley Act of 2002 Implements Sweeping Changes Affecting Corporate Governance and Disclosure, the Accounting Industry and Penalties for Securities Law Violations April 2003 Presented By: Lisa Anderson

Remember the Headlines As today's closing bell sounded on Wall Street, shares of Enron traded at 36 cents, continuing a spectacular fall for a giant that only months ago was worth more than $80 a share. Once a poster child for the economic boom of the '90s, Enron is now on the verge of bankruptcy. At Houston headquarters, some of the company's 21,000 employees feared for their jobs. COLLAPSING GIANT November 29, 2001 After this background report on the fall of energy giant Enron, energy experts discuss the collapse of the largest trading firm in the United States.

Remember the Headlines SEC files fraud charges against WorldCom Bush vows investigation into scandal June 26 — WorldCom Inc., the nation’s No. 2 long- distance company, REVEALED late Tuesday that almost $4 billion of expenses in 2001 and $797 million in the first quarter of 2002 were wrongly listed on company books as capital expenses, thus not reflected in its earnings results. President Bush vowed to “hold people accountable” and the Securities and Exchange Commission filed fraud charges against the telecom company.

Sarbanes-Oxley - The Response Purpose: to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws  Corporate Responsibility  Enhanced Disclosures  Penalty Enhancements  Corporate and Criminal Fraud  Conflicts of Interest  Federal Regulation of Auditing Firms

NYSE Board Rules Amex Board Rules NASDAQ Board Rules Companies must implement compliance solutions which address the interplay of the Sarbanes-Oxley Act with both SEC Regulations and rules from the individual exchanges. Sarbanes-Oxley - The Response

Sarbanes-Oxley - The Impact  Legal liability – Civil and Criminal  Increased Costs  External Audit – 404 Attestation  D&O Coverage  Whistleblower Program  Future Strategies  Acquisitions / Suitors  Changes to Control Infrastructure  Lendors / Investors  Director and C-level Retention and Attraction  Lendor / Investor / Employee Trust

Sarbanes-Oxley Act (“Cliff notes”)

Involves the Management Spectrum Legal/ Risk Mgmt. Process Owners Dept. Mgmt. IT CEO/ CFO Internal Audit Committee & Board

Sarbanes-Oxley Compliance Documentation:  Code of Ethics  Conflict of Interest Disclosures  Ethics Issue Monitoring, Investigation and Resolution  Disclosure Analysis and Reporting Control Process and Accountabilities  Financial Reporting Control Process and Accountabilities  Internal Control Policies, Procedures and Practices  Assessments and Supporting Certifications  CEO / CFO Certifications  Audit Committee Reports and Disclosures to Auditors

Where Do You Start? Take a comprehensive approach –Hits all areas of the company -- Board Room to Mail Room –No logical lead within most Corporate Structures Proactively address compliance Tailor action plans to your company –Develop pragmatic solutions that you can live with Recognize that compliance is a dynamic and fluid process Most financial controls include imbedded IT controls

Information & Communications PROJECT ORGANIZATION Approach – Project Roles Executive Ownership Advisory External Auditor Audit Committee Steering - Guide, Recommend Manage Project Provide Expertise Resources (Industry, IT, Functional) Support Processes at Corporate and Business Units Business Units and Processes Bus Model A Bus Model __ Bus Model B Bus Model C Internal Audit / Quality Assurance

Possible Stages of Internal Controls Control structure is minimally defined. Control occurs incidentally. Control structure is minimally defined, but control processes may occur based on past success and management oversight. Control structure is documented, standardized, and integrated into routine processes for the organization. The financial processes are regularly assessed and consistently controlled without significant management intervention. Detailed measures of the controls are collected and reported. Control processes executed in an efficient and effective manner with little to no management intervention, while achieving the desired risk tolerance. Initial Repeatable Defined Managed Optimizing Internal Control Maturity Model Initial Repeatable Defined Managed Optimizing

Tools (supporting processes) COSO Framework Information & Communication Control Assessment & Improvement Assessment Control Procedures Processes Control Risks Financial Stmts. Documentation Framework External customer Investors Lenders SEC Integrated customer Corp Execs External Auditor

Don’t Forget Information Security  Where are most companies falling short?  Where could you be out of compliance?

Standards in Information Security  Fully developed Security Policies & Procedures  Business Continuity / Disaster Recovery Plan  Annual (Bi-annual) Vulnerability Assessment  Annual (Bi-annual) Penetration Testing  Auditing policy implementation and control  BCP / DR plan testing So what are the minimum requirements for compliance?

Integrating IT into the Documentation Identify use of supporting technology –Reliance on IT for Process Controls Data integrity controls, Security controls, and Data management controls –Reliance on IT for Reporting Exception processing to identify suspense activity and the process to correct Sources of data reporting (systems, databases, tables)

Long-Term Storage of Reusable Data Vendor master files Customer database Payroll withholding tables Files with customer credit card numbers License agreement files Parameter tables Invoice table

Embedded IT Controls Edit and Validating Routines/Controls –Edit checks on the date field of the transactions –Edit checks for incomplete, missing, or invalid data –Validation that customer number exists within the master file –Sequence number validation (detect duplicate or out-of-sequence data) Online authorizations System flags to indicate status (paid, ready for process, etc.) Dollar tolerances for 3-way match Access controls – restricted appropriately –Limit ability to perform certain functions (overrides, adjustments, etc.) –Segregation of duties Audit trails/logs

Interfaces - Control Techniques File transfer integrity – handshake, control totals, record counts, confirmation message Time-stamped, user-stamped and marked with source system transaction Reconciliation between systems (automated balancing or manual) Error detection and processing (error files, exception reports) Recovery procedures

 Help management understand there are generally accepted standards in security  Understand the business risks:  Loss of data integrity and confidentiality  Loss of productivity  Loss of consumer confidence  Exposure to regulatory fines and litigation  Assess the current state of your security policies versus these standards  Assess the actual state of your implementation  Assess the control procedures surrounding security  Assess employee awareness of security  Periodically review and test policies, procedures and the controls around them Action Items for Compliance

The Year of Change Back to the Basics of Control