Date post: 17-Dec-2015
Sarbanes-Oxley and Your Company

“Public Company Accounting Reform and Investor Protection Act”

Claudia Imhoff, PhD and President Intelligent Solutions, Inc.

© Copyright 2003, Intelligent Solutions, Inc. All Rights Reserved.

Sarbanes-Oxley Act of 2002

“To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.”

• To restore investor confidence…

Is It Needed?

What do you think?

• A major US company’s chief resigns after authorizing large payments to top execs while negotiating a deal to slash average workers’ pay*

• A multinational with significant business in the US restates its revenues by nearly $1 billion**

• A leading American firm based in a southern city is charged with massive financial fraud; its CEO, living an extravagant lifestyle, is indicted***

The list goes on and on!

*American Airlines - 2003

** Food service giant, Ahold - 2003

***HealthSouth and Richard Scrushy - 2003

What is IT’s Role?

Compliance is more than just financial legislation

• At its heart, it is about ensuring the validity and transparency in creation and documentation of financial statement information

• It means having the right IT systems in place

“With the current environment, there can be nothing more important than getting the systems put in place to ensure compliance with Sarbanes-Oxley and boost investor confidence in the company” -- Joe Eckroth, CIO, Mattel Corp*

AMR predicts that Fortune 1000 companies will spend about $2.5 billion this year on compliance-related projects

*CIO Magazine, “Your Risks and Responsibilities” by Ben Worthen, May 15, 2003

Agenda

The Parts That Concern Everyone

• Material Changes

• Internal Controls

• International Concerns

• Private Companies

What’s Needed

Summary

SOX in Review

Section 404 – About 100 Words Long

• Annual reports must be signed by the CEO and CFO attesting to their accuracy

• Corporations must prove they have controls in place to assure accuracy (validity and transparency) of info

Section 409 – Real-Time Disclosures

• Material events must be reported in an as-yet undetermined, but faster (48 hours?) timeframe

Section 802 – Criminal Penalties for Altering Documents

• Penalties range from fines to prison sentences

Material Changes – Reported at Light Speed

What’s material?

• Loss of a major sales contract to a competitor?

• Cancellation of a significant partnership agreement?

• Cost overruns on IT projects and other capital expenditures?

• A large marketing expenditure?

Shift to real-time computing can be particularly onerous.

• Heavy reliance in operational systems on batch processing?

• Existing BI infrastructure can’t handle updates in real-time?

Material Changes – Reported at Light Speed* (continued)

What does real-time reporting really mean?

• Difference between “right” time and real time.

    Reporting on a material change two days after it occurred is NOT real time.

    Reacting to one is.

• Do all employees know what constitutes a material change?

CEOs, CFOs and others must be connected to the everyday occurrences throughout their enterprises.

* “New rules for disclosing significant events will require a flow of information unlike anything corporations have done before.” CIO Magazine, May 15, 2003

Material Changes – Reported at Light Speed* (continued)

Most IT infrastructures can’t handle real-time changes.

• Lack of integration between data, processes, technologies.

• Links between systems are not robust, even undocumented.

• No repository of quality, current data.

* “New rules for disclosing significant events will require a flow of information unlike anything corporations have done before.” CIO Magazine, May 15, 2003

Material Changes – BAM and Real Time Enterprises

Business Activity Monitoring (BAM)

• Real-time access to critical business performance indicators to improve speed and effectiveness of business operations*

Extending BI beyond strategic/tactical decisions to yield actionable info immediately impacting business

• Shorten the time horizons

    Monthly to weekly

    Weekly to daily

    Daily to intraday

* David McCoy. “Business Activity Monitoring: Calm Before the Storm” Gartner Document LE-15-9727, April 2002

Material Changes – BAM and Real Time Enterprises (continued)

Faster reaction is critical to operational effectiveness

• Today’s techniques for data analysis not suitable for managing business operations if monitoring must be close to real time

• BAM fills this capability

Material Changes – The Real-time Challenges

[Chart; axis: Real-Time/Event-Driven Capabilities]

• Operational Systems – but terribly fractured

• Early Warehouses – snapshots in time, high latency

• “Active” Warehouses – trickle feeds overcome very high latency

• Operational Data Stores – good solution for real time reporting with low latency

• BAM – best for critical event driven needs

Internal Controls – More Than Just Getting the Numbers Right?

Must have alerts, alarms, instant messages about:

• Hints of fraudulent internal activities

• Inaccurate or inappropriate accounting transactions

• Operational or financial “perturbations”

Need automation of manual audit tasks, rules-based enforcement of policies.

The Executive Dashboard grows up!

Internal Controls – More Than Just Getting the Numbers Right? (continued)

Executive Dashboard

• Not a quarterly look at the “numbers” any more

    Requires executives to dig deeper into their financial records.

    Not episodic but a steady stream of information – a daily onslaught!

• Sophisticated set of gauges, graphs, trend lines

    Drill through capabilities.

    Easily used and understood meta data.

Internal Controls – More Than Just Getting the Numbers Right? (continued)

Executive Dashboard

• Based on auditable, integrated data from a variety of sources

    Operational systems.

    BI systems.

    External data.

• Supporting real-time and historical analyses

    React to a trend?

    Observe an exception?

SOX Goes International

Discoveries of malfeasance offshore have a material effect on international corporations

• And must be reported as such

• Sea change from the way it is handled today

Many non-US companies are deciding against a US IPO because they cannot be SOX compliant

• German automaker, Porsche, canceled its US IPO because its supervisory boards and audit committees have employee reps – not independent by SOX rules

Private Companies Aren’t Immune

Private companies do not have to abide by SOX regulations unless they . . .

• Plan to go public – IPO – in the future

• Are acquired by or merge with a public company

• Have government contracts that require compliance

Acquiring companies will be performing much more stringent due diligence

Public and private companies must adhere to whistle-blower provisions

Many currently public companies are considering going private to avoid SOX compliance issues

Private Companies Aren’t Immune (continued)

Minimum steps private companies should take:*

• Add independent directors to your board

• Create an independent audit committee

• Review internal accounting procedures

• Educate directors, officers and employees on requirements pertaining to reporting of misconduct

• Provide education on fraud prevention

• Enlist the help of data-auditing solution providers

* META Group 2003 report, “More Private Firms Working Toward Sarbanes-Oxley Compliance”

And Just When You Thought You Were Done

COSO

• Recommends companies adopt a framework to properly authorize all transactions – safeguards against improper use, documented set of internal rules that control how data is generated, manipulated, recorded and reported

Basel II

Operational Risk

Even the Patriot Act . . .

• Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (P.A.T.R.I.O.T)

• Turn over your database, please . . .

Agenda

The Parts That Concern Everyone

What’s Needed

• A BI environment

• Meta data

• Solid technology architecture

• Evidence of good audit processes and procedures

• A Road map

Summary

A Business Intelligence Environment

An environment in which business users receive data that is:

• Reliable

• Consistent

• Understandable

• Easily manipulated

• Timely

For analyses that yield overall understanding of:

• Where the business has been

• Where it is now

• And where it will be in the near future

A Business Intelligence Environment (continued)

BI serves two main purposes:

• It monitors the financial and operational health of the organization

    Reports, alerts, alarms, analysis tools, key performance indicators (KPIs) and dashboards

• It regulates the operation of the organization

    Two-way integration with operational systems, information feedback analysis

    BI, without the ability to act on it, is not worth much

A Business Intelligence Environment (continued)

Most companies cannot track changes to financial data as it moves around internally

• Massive ERP and CRM systems to collect data but then feed it into spreadsheets!

• Spreadsheets – manual process, prone to human error – widely used for planning and budgeting.

Reliance on human processes not cutting it

• Must have automated systems.

• Must have solid audit trails.

• Must be able to reconcile information either by integration (preferred) or at least a shared data model.

Meta Data

Data about the data, activities, environment

It is the key to:

• Assuring that numbers are what they say they are

• Verifying that procedures are what they say they are

• Visibility into the “numbers”

It is your audit trail throughout the environment

It must be “real time” as well

• Much of SOX compliance can be garnered from meta data rather than data

• Its architecture will mimic the Corporate Information Factory

The Corporate Information Factory

[Diagram of the Corporate Information Factory. Labels: Information Workshop; Meta Data Management; Operation & Administration; Library & Toolbox; Workbench; Change Management; Service Management; Data Acquisition Management; Systems Management; Data Acquisition; CIF Data Management; Data Delivery; Information Feedback; API; TrI; DSI; Operational Systems; Operational Data Store; Data Warehouse; Exploration Warehouse; Data Mining Warehouse; OLAP Data Mart; Oper Mart; External; ERP; Internal; Legacy; Other]

The Corporate Information Factory

THE architecture to ensure data integration, quality, validity and transparency for BI applications

Benefits

• Reusability of components

• Standardization

    Technology

    Nomenclature

    Interfaces

• Increased flexibility in terms of selecting

    Tools

    Technologies

    Techniques

• Audit trails following movement of data

The Corporate Information Factory (continued)

Permits optimization of each technological component to perform at its optimum

Evidence of Good Audit Procedures

Now is the time to restart the data quality, integration and standardization projects you postponed

• Re-engineering of business processes and data

Use SOX compliance as a selling tool to improve overall technology environment

• Standard ID, codes, numbering schemes

• Standard business definitions, names

• Standard calculations and algorithms

• Standards compliant software and hardware

A Roadmap

Develop detailed plans for controls on financial systems

• Create a steering committee of top execs to ensure cooperation

Put in place a technology infrastructure, based on a proven architecture, that facilitates data use and integration from different systems

A Roadmap (continued)

Look for places where data integrity can slip through the cracks

• Watch for “customizations” to key systems – ensure adequate audit trails

Standardize all technological aspects where possible

• Operational systems

• BI environment

• Infrastructural components

A Roadmap (continued)

Set up systems to automatically notify all key constituents (senior execs, board members, investor-relations managers) of material events

• Transparency

IT projects must be intertwined with accounting processes to ensure compliance with and identification of SOX aspects

• Validity

Agenda

The Parts That Concern Everyone

What’s Needed

Summary

Summary

Still unsure of actual requirements

• Reacting today may leave companies playing catch-up in the future.

• What’s “material”? What’s “real-time” reporting?

• Focus on visibility, accountability and better governance – IT plays a significant role in each of these.

Data integration becomes king

• Best time to create world-class integrated environment.

• Use compliance to standardize corporation’s IT architecture and nomenclature.

• No more “best of breed” purchases?

Need “right” time data

• BI is a critical component.

Summary (continued)

Look at the bright side, here’s your opportunity to:

• Decrease IT maintenance costs

• Improve data integrity across the organization

• Allow for better visibility of data throughout the organization

• Improve internal control mechanisms

On the not so bright side, will risk taking become a crime?

• Innovation versus SOX

• Take the opportunity to examine real business issues undermining the business

Summary (continued)

Finally, will SOX restore investor confidence?

• TBD!

• Execs focusing on compliance but not on changing the culture that fostered unethical behavior?*

• This may be the most difficult change of all…

* See “Liar, Liar” by Joshua Kurlantzick, Entrepreneur Magazine, October 2003 for more on cultural change

Questions?

Claudia Imhoff, PhD

Intelligent Solutions, [email protected]

303-444-6650

www.IntelSols.com

