1. Page 1 Internal Audit Outsourcing The Moss Adams Approach to Internal Audit Outsourcing Proposed SOX 404 Changes

2. Page 2 Agenda Introductions Brief Review of History Summary of Events Guesses of what will happen Questions

3. Page 3 The Early Environment Corporate Scandals Sarbanes-Oxley (SOX) Rules Shareholder Suits Stakeholder, Investor and/or Public Uncertainty Severe Impact of Non-Compliance Organization Exposures

4. Page 4 Certification Required Section 302 Section 404

5. Page 5 Annual Review Section 404 – Management Must Assess Internal Controls Annually –Management’s responsibility for establishing and maintaining adequate internal control structure and procedures for financial reporting –Management must assess effectiveness of internal control structure and procedures for financial reporting as of the end of each fiscal year –Attestation by external auditor (Section 404 and 103)

6. Page 6 SOX 404 Coverage COSO Standard Control Activities Policies/procedures that ensure management directives are carried out. Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties. Monitoring Assessment of a control system’s performance over time. Combination of ongoing and separate evaluation. Management and supervisory activities. Internal audit activities. Control Environment Sets tone of organization-influencing control consciousness of its people. Factors include integrity, ethical values, competence, authority, responsibility. Foundation for all other components of control. Information and Communication Pertinent information identified, captured and communicated in a timely manner. Access to internally and externally generated information. Effective information technology internal controls Flow of information that allows for successful control performance Risk Assessment Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives-forming the basis for determining control activities. All five components must be in place for an effective internal control structure.

7. Page 7 Where are we? Initial Adversarial Relationship with External Auditors Expensive processes to comply Duplicative efforts Inconsistent application of SOX

8. Page 8 Update Feb. 7, Some Groups not satisfied, file lawsuit. Feb. 26, Comment Period over. Apr. 4, SEC says change AS5. Apr. 18, PCAOB reports that Auditors could be more efficient.

9. Page 9 SEC Proposed SOX 404 Implementation Guidance  SEC Meeting Held on December 13, 2006  SEC Provided Interpretive Guidance on Management’s Assessment of Internal Control Over Financial Reporting (ICFR)  PCAOB to Revised AS2 on December 19, 2006  SEC Delayed Audit Requirement for Non-Accelerated Filers until 2008

10. Page 10 What will change?  Sarbanes-Oxley Act, Section 404 (SOX 404) Opinion Only one opinion on the effectiveness of internal controls Elimination of separate opinion on management’s assessment process  Implications: Management must perform an assessment Emphasis on less auditor intervention in management’s process Management has more flexibility in documentation Inquiry and minimal documentation of second year walkthrough work as needed to validate controls existence Auditor reliance on management’s work requires adequate documentation of the work performed

11. Page 11 What will change? (Cont.)  Guidance on Risk-Based Scoping Interpretive release is to include a description of a principals oriented and risk based approach included in guidance In-scope areas are only those that are material and pose a risk to financial misstatement The guidance does not require that every control in a process be identified, only those that adequately address the risk of material misstatement in the financial statements  Implications: Risk assessment will still be required and more important than ever Account and location scope coverage could be reduced Only key controls will be in scope

12. Page 12 What will change? (Cont.)  Reporting the Overall Results of Management’s Evaluation The proposed guidance provides management with a framework, outside of the auditing literature, for determining the effectiveness of internal control Includes examples of situations that are considered strong indicators that a material weakness exists The guidance describes the factors that management should consider to evaluate the severity of a deficiency  Implications: Deficiency evaluation will still be required New guidance should help with how to do this evaluation

13. Page 13 What is still required?  Management is still required to assess ICFR  Management must still issue an opinion on the effectiveness of ICFR  Management must still document and test internal controls, including: Overall risk assessment and scoping Mapping of key controls to accounts, disclosures and locations Entity-level controls evaluation Control matrices preparation and maintenance Risk based sampling and test procedures Gap log Fraud analysis Deficiency evaluation and aggregation process

14. Page 14 Where are the opportunities to better manage SOX 404 cost?  Management needs to lead the ICFR assessment process, not the external auditor Management now has solid ground for having a separate process from the external auditor  The external auditors ability to leverage management’s assessment process will become more important to controlling overall costs The PCAOB is expected to issue a new audit standard strongly encouraging the reliance on management’s work

15. Page 15  Management should pursue: Reduced SOX 404 coverage Reduced number of key controls identified and tested Extent of testing based on risk More auditor reliance on management testing Amount of documentation (narrative and walkthrough) Cost Saving Opportunities to Pursue

16. Page 16 Future??? May 24 PCAOB scheduled to vote on Final AS5.

17. Page 17 Questions & Answers