Post on 23-Jan-2016
CIO COMMUNITY OF PRACTICE MEETING
Leveraging Sarbanes-Oxley To Drive Enterprise Value
Tom Captain and Carlos Munoz, Deloitte
August 21, 2003
2 Proprietary and Confidential
Well Known Market Events have Severely Damaged Investor Confidence and Public Trust
[Chart: DJIA over time, in two panels]
Panel 1: Exuberant Capitalism, "Institutional Carte Blanche", August 1982 – March 2000 (year ticks 1982, 1991, 2000; DJIA ticks 800, 3,000, 11,000)
• I. Initial Growth: Tax Cuts and Free Trade
• II. Consolidation/Acceleration: US Wins Cold/Gulf Wars
• III. Irrational Exuberance: Y2K and Internet Bubble
Panel 2: Sarbanes/Oxley, "Institutional Mistrust", March 2000 - December 2003 - Beyond (year ticks 2000, 2002, 2004; DJIA ticks 7,000, 9,000, 11,000)
• I. Bear Market: Post Y2K & Internet Bubble Bursts
• II. Crisis of Confidence: Sept 11, 2001, Enron and Andersen
• III. Market Differentiation: Public Companies Respond to Sarbanes-Oxley
Overview: Sarbanes-Oxley Act of 2002. All companies get tarred with the same investor (and therefore regulatory) brush.
Evolving Regulatory Environment: Key Implications
• Sarbanes-Oxley (SOX) regulations
– Significant financial reporting / certification costs (upfront/annual)
– New CXO/Board member personal risk exposure
• Creditors tighten the terms/conditions for capital
• Equity Investors have fundamentally changed
– More active around issues of corporate governance
– Require a higher risk premium from businesses they do not understand
– Apply a considerably higher level of due diligence
– Display a quicker/larger/more durable negative reaction to earnings restatements
Critical Dimension of SOX: Financial Information Quality
Sections of the Sarbanes-Oxley Act: Requirement and Information Quality Implication
• 302 – Requirement for CEO & CFO to certify periodic SEC filings. Reporting mistakes could result in criminal prosecution of company officers: accuracy
• 409 – Requirement to disclose in real-time any material changes. Ambiguity around ‘real-time’ and ‘material’: timeliness
• 404 – Requirement to provide Internal Control Report. Requires documentation, testing and remediation: transparency & accuracy
• 802 – Retention and protection of Audit documents and related records. Digital vaulting & ready access to historical records, correspondence and emails must be implemented: accuracy
SOX regulations attempt to ensure a minimum acceptable level of financial information transparency, accuracy and timeliness: table stakes.
Other Mandatory Requirements
• 103 Audit Record Retention and Security
• 201 Monitoring and Pre-Approval of Non-Audit Services
• 301 Audit Committee Monitoring and Complaint / Issue Process
• 306 Monitoring and Prevention of Insider Trading
• 401 Financial Reporting Disclosure
• 402 Monitoring and Prevention of Personal Loans to Executives
• 403 >10% Ownership Disclosures within 2 Business Days
• 406 Code of Ethics Creation and Disclosure
• 407 Disclosure of Financial Expertise on the Audit Committee
• 408 Facilitation of SEC Reviews
• 501 Security Analyst Monitoring and Disclosure
• 806 Whistle Blower Communications and Response
• 906 Financial Reporting Certification
• 1102 Record Retention and Security
Restoring Trust/Building Shareholder Value will Require Moving Beyond SOX Information Quality Requirements
[Figure: iceberg. Labels: Meet Sarbanes-Oxley Requirements (Letter of the Law); Spirit of the Law: Improve Company IQ™ (Timeliness, Predictability, Accuracy, Transparency), supported by Process Simplification/Standardization, Data Simplification/Standardization and Technology Standardization / Integration. Inset: Earnings, 1999–2003E.]
Business Process, Data and Technology complexity determines the size of the iceberg
Sample Impact in $ millions for a $1 Billion Company
(*assuming standardization/simplification initiative)
[Chart: VALUE, positive (+) and negative (−) bars summing to Net]
• Organizational Pain: Retraining; Application Reconfiguration; Enterprise Process/Systems/Data Standardization/Simplification
• Efficiency Cost Savings / Effectiveness Improvements: Improve planning/budgeting; Improve monitoring/analytics; Improve operational decision-making; Automate closing; G&A savings; Working Capital improvements
• Risk Reduction: Decrease Cost of Capital; Decrease personal liability exposure for directors/CXOs; Mitigate future liabilities exposure
• SOX Compliance Costs *: Documentation/Assessment/Remediation; Disclosure and Certification
• SOX Cost Savings: Reduce # of processes requiring documentation, remediation & certification
• Net
Silver Lining in the SOX Cloud: Business Case for Moving Beyond Compliance is Compelling
Moving Forward: Controlled Confusion…
What are companies thinking?
• 79% unsure what implications SOX will have for their company
• 85% planning IT systems changes to support SOX
• 61% expect business process change will be required
[Chart: IT Remedies being explored… (Percentage, 0 to 70): ERP Instance Consolidation; Turning on Controls; EPM System; Current System Upgrade; Change Current System; Do Nothing]
Source: AMR Research
The CIO Will Play A Critical Role in SOX Compliance and the Transformation of Company IQ™
Data Steward
• Effective IT Governance
• COBIT Compliance
• Data Standards Management
• Policy Enforcement
• Automated Controls Activation
Provide the environment and mechanisms for establishing controls and managing exceptions, and the standards for ensuring data integrity
IT Strategist
• Platform Standardization
• Infrastructure Optimization
• Enhanced Transparency
• System Integration
Provide the technological platform and infrastructure to enable transparent, timely, accurate and predictable information
The Environment of Mistrust Amplifies a Previously Minimized Dimension of the CIO’s Role: Steward of Financial Information
[Chart: US GDP Growth over Time, with three eras and the corresponding ROLE OF THE CIO]
Internet Bubble: Strategic Advisor
• Market Demands: Growth – Revenue per share; What’s your Internet strategy?; Innovation – New Products & Services
• CIO Priorities: Gain advantage with new technology; Understand emerging trends and their business impact; Spend to create strategic options for “e-businesses”
Scandal, War & Recession: Operational Lead
• Market Demands: Profitability – Earnings; What/when are you going to outsource?; Operations – Cost Reduction
• CIO Priorities: Reduce total cost of IT; Identify and execute on outsourcing options; Reduce/consolidate staff and systems wherever possible
Post-SOX Era: Information Steward
• Market Demands: Profitability – Quality Earnings; How will you comply with SOX?; Information Quality™ – Trustworthy Financial Data & Disclosure
• CIO Priorities: Reduce total cost of IT; Lead IT component of SOX compliance efforts, especially 404 & 409; Improve quality of financial information processing & reporting
The IT Lag: Cautious Movement
[Chart: IT Timing and Level of Spend for Full Sarbanes-Oxley Compliance. Vertical axis: Focus and Level of Spend (Low to High); horizontal axis: Timing (2002, 2003, 2004, 2005). Milestones: Sarbanes-Oxley Becomes Law; SEC Final Ruling / COSO OK’d; SOX 404 Deadline. Curves: Internal Controls Readiness Assessment; Internal Controls, Disclosure, & Protection Compliance (IT Development); People, Process & Systems Optimization.]
Projection of Relative IT Spend, Sarbanes-Oxley Compliance & COSO Optimization, U.S. Public Companies Only. Source: Deloitte & Touche
There appears to be a six month lag for the beginning of IT development once initial Readiness phases have begun. We predict increasing numbers of budget increases for 2004.
The IT Change Effort: Enabling Technology
Even without performance improvement, the technology change effort required for sustainable SOX compliance is significant.
Requirements by SOX Section (change effort rated across Process, People, Data and Technology in the original chart):
• §302, 401, 403, 406, 407, 409, 501, 906 – Financial Reporting Disclosure; Disclosure of Ownership Changes; Code of Ethics Disclosure; Audit Committee Expertise Disclosure; Material Operating/Financial change Disclosure; etc.
• §404 – Management Assessment of Internal Controls
• §103, 408, 802, 102 – Audit Record Retention and Security; Facilitation of SEC Review; Related Record Retention; etc.
• §201, 301, 306, 402, 806 – Pre-approval of Non-Audit Services; Audit Committee Monitoring and Complaint Process; Insider Trading During Blackout Prevention; Personal Loan Prevention; Whistle Blower Process; etc.
Technology Implications: Requirements
The underlying technology is driven by the mandated Compliance requirements and the opportunity for COSO operating efficiencies
System Requirements
• Internal Control Field Audit and Measurement
• Monitoring, Disclosure, and Prevention
• Content Management and Archiving
• Training and Communication
• Controlled Financial Reporting & Transactions
• Optimization and Cash Generation (Productivity Tools)
Type of System Functionality
• Risk Control Tracking System
• ERP, G/L, Consolidation, Fin. Reptg. Systems
• Portal, Advanced Reporting, DW, Data Analytics, email
• Compliance Systems
• Document Management, Workflow System
• eLearning System
• Enterprise Systems Mgt, Project Mgt, IT Auto Discovery, Tax Optimization
IT Reference Architecture
A suggested SOX IT Reference Architecture addresses all mandatory requirements, and positions organizations for ongoing performance improvement
[Diagram: Sarbanes Oxley Reference Architecture]
• Source systems: Sarbanes Risk & Control System (e.g., RCTS)*; EMAIL System; Financial Systems; HR Systems; CRM Systems; Risk Mgt Systems; Other Internal; Other External (e.g., SEC)
• COMPLIANCE INFRASTRUCTURE: Enterprise Application Integration Engine; RACK**; EMAIL Compliance; Compliance Data Warehouse; Analytics Engine; Compliance Digital Vault; Advanced Reporting & Query Engine; Document Management & Workflow; Training / eLearning System; SECURITY (spanning the stack)
• Compliance & Control Portal views (grouped in the diagram as Audit & Remediation Views; Monitoring, Prevention & Disclosure Views; and Training Views): Field Audit View (RCTS); Internal Audit View; External Audit View; CEO/CFO View; Sarbanes PMO View; Disclosure Committee View; Audit Committee View; CIO/COO View; Business Unit View; HR/Training View; etc.
• Key SOA Sections: 302 Disclosure; 404 Controls; 409 Disclosure; 802 Retention
• PERFORMANCE IMPROVEMENT / CASH GENERATION (shown alongside the compliance infrastructure)
Legend:
* = Risk Control Tracking System (RCTS) (used for SOA Readiness Assessments)
** = Risk & Control Knowledge Base (RACK) (source of COSO/Process/Industry Framework)
Unmarked = Existing or lower impacted technologies
Conclusion…
• We are where we are; (grief)
• Some are skeptical of the real consequences or probability of punishment; (denial)
• Effort may look like a tax, or maybe worse - punishment of the innocent and uninvolved; (anger)
• Some will only minimally comply; (resignation)
• However, something may strike a chord for CIOs; (acceptance):
– Comparing and contrasting SOX reference architecture with your projects
– Can we re-position the portfolio of typical IT initiatives and projects?
– Will this make funding and resourcing more likely?
– Is this a good thing, ANYWAY?
Contact Information
• Tom Captain; Partner, Seattle
– tcaptain@dc.com
– 206.465.5622
• Carlos Munoz; Senior Manager, San Francisco
– cmunoz@dc.com
– 415.268.1211
• Deloitte website
– www.dc.com