
IT and Financial Compliance: Closing the Gaps in Sarbanes-Oxley

Date post: 30-Oct-2014
Upload: mricky

IT and Financial Compliance: Closing the Gaps in Sarbanes-Oxley

April 19, 2005

Steve Greenstein / Rudy Kiste


Closing / Explaining the Gaps in Sarbanes-Oxley


About BridgeMark

BDO Seidman, LLP’s BridgeMark practice is dedicated to Risk Consulting and Advisory Services. We leverage our more than 90-year heritage as a CPA firm, entrepreneurial spirit, full service capabilities and extraordinary responsiveness to deliver value to companies throughout our local offices and our global network.

BDO Seidman

• U.S. member firm of BDO International

• $375 million in revenue

• Over 2,100 people in 36 offices plus over 5,000 professionals in 185 alliance firm locations

BDO International

• $2.9 billion in revenue

• 5th largest global accounting firm in the world

• Over 22,600 people in 590 member firm offices in 100 countries


BridgeMark Spectrum of Services

Internal Audit – Financial, Operational and Information Technology

• Risk Assessment

• Internal Audit Transformation

• Strategic Partnering & Staffing

• Vendor, Royalty & Construction Audits

• Fraud/Forensic Investigations

• Establishment of Internal Audit Function

• Information Technology Audit

Technology Risk & Security

• Enterprise Security

• System Controls and Effectiveness

• Business Continuity Planning

• Privacy & Data Protection

• Vulnerability Analysis and Testing

• Technology & Strategy Alignment

• Change Management

Business Process Improvement

• Operational Performance Reviews

• Business Process Integration

• Financial Analysis & Modeling

• System Implementation Support

• Special Accounting Projects

• Project Management Office (PMO)

Compliance Services

• Sarbanes-Oxley Readiness Service

• Corporate Governance Assessment

• Regulatory Risks (PATRIOT, HIPAA, SAS 70, GLB)

• Human Resource Compliance

• Federal and State Regulations

Experienced in executing integrated Non-US SOX Compliance Projects


Reporting Requirements

• The Requirements: Key Sections 302, 404 and 409 (Appendix A) and SEC Rulemaking

• Management’s Assertion

• COSO & COSO ERM, COBIT, Basel II, ISO 17799 and AS/NZS 4360:1999 Frameworks

• PCAOB Auditing Standard No. 2

• Company’s Assessment Process, Documentation and Testing


COBIT Components


Information Technology Compliance

Today’s Organizations are Concerned About:

• Risk Management

• Governance

• Control

• Assurance (and Consulting)

Importance of IT Compliance and integration:

• Enhances corporate accountability.

• IT plays a vital role in the internal control structure.

• Systems, data and infrastructure components are critical to the financial reporting process.

• Develop a compliance plan that specifically addresses IT controls.

• Integrate the Sarbanes-Oxley compliance plan into the overall IT plan.


BridgeMark Can Add Value By:

• Financial and IT experience in performing integrated off-shore and Non-US SOX Compliance projects.

• Defining risk tolerances where none have been identified, based on experience, judgment, and consultation with management.

• Reviewing critical control systems and risk management processes.

• Performing continuous reviews and evaluation on the effectiveness of management's risk assessments and internal controls.

• Providing advice in the design and improvement of control systems and risk mitigation strategies.

• Implementing a risk-based approach to planning and executing compliance processes to ensure that resources are directed at those areas most important to the organization.

• Challenging the basis of management’s risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.


Non-US BridgeMark SOX Compliance Projects

Examples of Financial and IT experience of off-shore and foreign location SOX Compliance Projects:

• UK

• Scotland

• Israel

• Thailand

• Japan

• Korea

• Mexico

• Panama

• Brazil

• Argentina

• Dominican Republic

• France

• Germany

• Belgium

• Italy


COSO Components

Monitoring

• Assess control system performance over time

• Ongoing and separate evaluations

• Management and supervisory activities

Control Activities

• Policies that ensure management directives are carried out

• Approval and authorizations, verifications, evaluations, safeguarding assets security and segregation of duties

Control Environment

• Sets “tone at the top”

• Foundation for all other components of control

• Integrity, ethical values, competence, authority, responsibility

Information and Communication

• Relevant information identified, captured and communicated timely

• Access to internal and externally generated information

• Information flow allows for management action

Risk Assessment

• Identify and analyze relevant risks to achieving the entity’s objectives


The COSO ERM Framework

Entity objectives can be viewed in the context of four categories:

ERM considers activities at all levels of the organization:

• Enterprise-level

• Division or subsidiary

• Business unit processes

The eight components of the Framework are interrelated …


Compliance & Information Technology Governance

Building a strong internal control program:

• Enhances overall IT governance

• Enhances the understanding and importance of IT among executives.

• Improves business decisions with high-quality, more timely information.

• Aligns project initiatives with business requirements.

• Prevents loss of intellectual assets.

• Minimizes the possibility of a system breach.

• Gains competitive advantages through more efficient and effective operations and processing integrity.

• Enhances risk management competencies.

• Enhances prioritization of initiatives.


Relationship to Internal Control - Integrated Framework

A strong system of internal control is essential to effective enterprise risk management:

• Expands and elaborates on elements of internal control as set out in COSO’s control framework.

• Includes objective setting as a separate component. Objectives are a prerequisite for internal control.

• Expands the control framework’s “Financial Reporting” and “Risk Assessment.”


Our Approach to SOX Compliance

BridgeMark’s comprehensive approach is designed to help companies meet the requirements under Section 404 of the Sarbanes-Oxley Act.

Engagement Management

• Phase I: Organize and Plan Project

• Phase II: Corporate-Level Control Assessment

• Phase III: Process-Level Control Assessment

• Phase IV: Testing, Reporting & Continuous Monitoring

Phase I Deliverables:

Project team organizational chart

Project team roles and responsibility matrix

Preliminary significant accounts and process matrix

Project plan (includes project timeline, responsibilities and milestones)

Phase II Deliverables:

Documentation of general controls over key technology systems

Corporate-level control assessment and recommendations for improvement

Final significant accounts, processes and transaction stream matrix

Updated project plan

Phase III Deliverables:

Process maps for significant processes

Matrix of all key risks and related control points

Assessment of the design of controls and recommendations for improvement

Phase IV Deliverables:

Summary of critical findings

Updated control matrix reflecting procedures performed, results of such procedures and assessment of risks

Documentation of all detailed testing


Key Process Derivation & Financial Statement Coverage

1. Determine Significant Accounts at the Financial Statement Level.

2. Map General Ledger Accounts to Significant Processes.

3. Determine Material Reporting Units (PCAOB Release No. 2003-17).

4. Map Processes and Sub-processes to Material Reporting Units - significant account balances.

Process Rating    Level of Documentation    Risk/Control Matrix    Process Narrative
High              Comprehensive             Yes                    Detailed
Medium            Limited                   Yes                    Summary
Low               Summary                   Yes                    High-level summary


General and Application Controls


General and Application Controls

• Designed to ensure financial information generated from the Company’s application systems can be relied upon via:

• Data Center operations controls

• Access security controls

• Application systems developments and information infrastructure implementation and maintenance controls

• Support the functioning of application controls to help ensure accurate information processing and the integrity of the resulting information used to managed.


Assessing IT Controls

Understanding IT Controls

Roles and Responsibilities

Based on Risk

Monitoring and Techniques

Assessment

Importance of Controls


IT Audit Structure and Controls

Assess IT Controls

Understanding IT Controls

• Governance, Management, Technical

• General / Application

• Preventative, Detective, Corrective

• Information Security

Importance of IT Controls

• Reliability and Effectiveness

• Competitive Advantage

• Legislation and Regulation

Roles and Responsibilities

• Governance

• Management

• Audit

Based on Risk

• Risk Analysis

• Risk Response

• Baseline Controls

Monitoring and Techniques

• Risk Control Matrices

• Frequency

Assessment

• Methodologies

• Audit Committee Interface


On-Going Compliance / Continuous Monitoring

Effective Governance


Visit us in Booth 21 and Contact Us

Financial / Operations / Sales

Steven Greenstein

Sr. Customer Relationship Director

212.885.8074


Rudy Kiste

Engagement Manager

212.885.8400 x:5261


Information Technology

David Smokler

Director

212.885.8077


Lily Shue

Senior Manager

201.788.2323



Sarbanes-Oxley, Some Key Provisions (Appendix A)

• Sarbanes-Oxley Act of 2002

• Expands reporting requirements and accountabilities – requires CEO and CFO attestations/filing of internal control reports with annual report (Sections 302 & 404).

• External auditors will be required to attest to and report on management’s assessment in the internal controls report (Section 404).

• Disclose to public on a “rapid and current basis” material changes to financial condition or results of operations (Section 409).

• Empowers audit committees (Section 407).

• Requires disclosure regarding code of ethics (Section 406).

• Creates new oversight for external auditors, mandates audit partner rotation and establishes audit firm rotation study (Sections 203 & 303).

• Increases civil and criminal penalties.


General Controls (Appendix B)

• Administration - planning and controlling IT activities

• Logical Security Controls - access control

• Accounting Systems Development - application system development life cycle

• Accounting Systems Change Management - change control and authorization

• Packaged Software Evaluation - maintenance of software packages

• System Software - development and maintenance of infrastructure support software

• Data Center/Network Operations - backup, recovery and contingency planning, job scheduling, performance and monitoring


Application Controls (Appendix C)

• Controls embedded within software programs to prevent or detect unauthorized transactions.

• Controls that ensure the completeness, accuracy and validity of processing transactions.

Examples of application controls:

• Balancing control activity within the system

• Check digits

• Predefined data listings

• Data reasonableness tests

• Logic tests, range limits, etc.

