“The Impact of Sarbanes Oxley, An Evolving Best Practice” Ellen C. Wolf Senior Vice President & Chief Financial Officer American Water National Association of Regulatory Utility Commissioners Committee on Water February 2008
2 American Water Founded in 1886 Largest investor-owned water and wastewater utility in the United States Serves approximately 16.2 million people Operations in 32 states and Ontario, Canada Approximately 7,000 employees
3 Agenda SOX Benefits to Companies Continuing Evolution of SOX Initial SOX Compliance Experience An Evolving Best Practice Beyond SOX – Enterprise Risk Management Controls Rationalization Top Down Risk-Based Approach
4 Benefit of SOX Compliance According to a survey entitled “Oversight Systems Financial Executive Report” conducted with 222 Corporate finance leaders: –74 percent said their company benefited from SOX –79 percent reported “significantly stronger” or “somewhat stronger” internal controls as a result of SOX –46 percent said SOX compliance benefits the company by ensuring accountability –75 percent said they would vote to keep Section 404 if they were members of Congress
5 Benefits of SOX Compliance Positive influence on maintaining investor confidence (and long-term share price) through increased transparency and fewer surprises –Investors are requiring successful risk management –Rating agencies are increasingly focused on qualitative factors around risk management More timely and reliable financial reporting Improved overall control culture Better business risk information for Audit Committees and Management Enhancement of processes and the underlying control structure to drive operational effectiveness and cost efficiencies Improved Corporate Governance Process Back to the basics: strengthening foundational controls that had received less attention prior to SOX Alignment of IT with the business Elimination of outdated, redundant and ineffective processes and controls Easier employee on-boarding process
6 SOX Benefits to Customers and Regulators Enhances capital attraction at appropriate rates –Avoids a risk penalty Transparency –Enhances regulatory and public confidence More pro-active Board of Directors Oversight Greater financial accountability Attracts and improves quality of employees
7 Initial 404 Compliance Experience Most companies faced various challenges around their initial SOX compliance exercise: –Reliance to heavily on manual controls and under utilized IT potential –Lack of a risk-based approach and performed repetitive, manual tasks –Had disparate IT systems, making access to data very difficult –Identified a very high number of key controls Detect and manual controls were, in many instances, prevalent –Staffing issues Lack of sufficient resources Employees who lacked clear roles, responsibilities and goals Sarbanes Oxley was key to companies rethinking many of these issues
8 An Evolving Best Practice e f f i c i e n c y c o s t Top-Down Risk Assessment & Scoping Risk Based Testing & Evaluation Optimization & Standardization of Controls Leveraging Monitoring Controls Controls Automation & Continuous Controls Monitoring Risk Convergence- Consistent Risk & Control Framework Coverage of Fraud Risk & Controls Process & Controls Improvement strategic operations financial compliance i n v e s t m e n t v a l u e Making the Business Better: Leverage 404 efforts to invest in a comprehensive control environment, drive efficiency and create value to the company
9 Beyond SOX: Enterprise Risk Management Evolution of Enterprise Risk Coverage as a “Best Practice” –Coordinated approach to address strategic, financial, operational and compliance risks (leverage the SOX compliance documentation to extend risk assessment beyond financial reporting) –Enhanced risk assessment process, which fully considers the business strategy, business drivers and initiatives –Enhanced change management processes across the company –Entity-level controls are leveraged Risk Management as a Competency –Embedded in the organization, its management processes and functions –SOX compliance seen as an evolving process, not a project –Achieved through a framework of activities to improve the management of an organization’s constantly evolving risk profile
10 Controls Rationalization Rationalization: Removing controls that are not significant or are unnecessarily redundant Optimization: Selecting controls that are more efficient to test than other controls which mitigate the same risk (e.g., automated vs. manual controls), leveraging strong entity-level controls to reduce the need to rely solely on transaction-level controls Improvement: Modifying, re-designing or re-engineering a process and underlying control structure to drive operational efficiency and effectiveness Objective: To create value and promote efficiency
11 Top Down Risk-Based Approach Financial Statement Risk Assessment Company-Level Controls High Risk Accounts, Processes, and Locations Pervasive Coverage Materiality All Other Accounts and Locations -Top-down approach begins by identifying, understanding, and evaluating the design of company- level (entity level) controls. Entity-level controls include: -Controls within the control environment, such as tone at the top, organizational structure, commitment to competence, human resources policies and procedures; -Management’s risk assessment process; -Control to monitor other controls; and -The period-end financial reporting process. PCAOB – FAQ 38
12 In Closing Benefits of SOX (beyond compliance) –Capital attraction –Improved processes and controls –Stakeholder confidence –Enhanced governance and culture –More engaged and informed audit committees and Board of Directors –Enhanced Customer Service Continuing Evolution of SOX –New SEC Management Guidance and PCAOB Auditing Standards –The ability to leverage SOX efforts for Enterprise Risk Management and increased rigor over non-financial processes Q&A