Sarbanes-Oxley and Your Company
“Public Company Accounting Reform and Investor Protection Act”
Claudia Imhoff, PhD and President Intelligent Solutions, Inc.
© Copyright 2003, Intelligent Solutions, Inc. All Rights Reserved.
Sarbanes-Oxley Act of 2002
“To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws.”
• To restore investor confidence…
Is It Needed?
What do you think?
• A major US company’s chief resigns after authorizing large payments to top execs while negotiating a deal to slash average workers’ pay*
• A multinational with significant business in the US restates its revenues by nearly $1 billion**
• A leading American firm based in a southern city is charged with massive financial fraud; its CEO, living an extravagant lifestyle, is indicted***
The list goes on and on!
* American Airlines - 2003
** Food service giant, Ahold - 2003
*** HealthSouth and Richard Scrushy - 2003
What is IT’s Role?
Compliance is more than just financial legislation
• At its heart, it is about ensuring the validity and transparency in creation and documentation of financial statement information
• It means having the right IT systems in place
“With the current environment, there can be nothing more important than getting the systems put in place to ensure compliance with Sarbanes-Oxley and boost investor confidence in the company” -- Joe Eckroth, CIO, Mattel Corp*
AMR predicts that Fortune 1000 companies will spend about $2.5 billion this year on compliance-related projects
* CIO Magazine, “Your Risks and Responsibilities” by Ben Worthen, May 15, 2003
Agenda
The Parts That Concern Everyone
• Material Changes
• Internal Controls
• International Concerns
• Private Companies
What’s Needed
Summary
SOX in Review
Section 404 – About 100 Words Long
• Annual reports must be signed by the CEO and CFO attesting to their accuracy
• Corporations must prove they have controls in place to assure accuracy (validity and transparency) of info
Section 409 – Real-Time Disclosures
• Material events must be reported in an as-yet undetermined, but faster (48 hours?) timeframe
Section 802 – Criminal Penalties for Altering Documents
• Penalties range from fines to prison sentences
Material Changes – Reported at Light Speed
What’s material?
• Loss of a major sales contract to a competitor?
• Cancellation of a significant partnership agreement?
• Cost overruns on IT projects and other capital expenditures?
• A large marketing expenditure?
Shift to real-time computing can be particularly onerous.
• Heavy reliance in operational systems on batch processing?
• Existing BI infrastructure can’t handle updates in real-time?
Material Changes – Reported at Light Speed* (continued)
What does real-time reporting really mean?
• Difference between “right” time and real time.
  Reporting on a material change two days after it occurred is NOT real time. Reacting to one is.
• Do all employees know what constitutes a material change?
  CEOs, CFOs and others must be connected to the everyday occurrences throughout their enterprises.
* “New rules for disclosing significant events will require a flow of information unlike anything corporations have done before.” CIO Magazine, May 15, 2003
Material Changes – Reported at Light Speed* (continued)
Most IT infrastructures can’t handle real-time changes.
• Lack of integration between data, processes, technologies.
• Links between systems are not robust, even undocumented.
• No repository of quality, current data.
Material Changes – BAM and Real Time Enterprises
Business Activity Monitoring (BAM)
• Real-time access to critical business performance indicators to improve speed and effectiveness of business operations*
Extending BI beyond strategic/tactical decisions to yield actionable info immediately impacting business
• Shorten the time horizons
  Monthly to weekly
  Weekly to daily
  Daily to intraday
* David McCoy. “Business Activity Monitoring: Calm Before the Storm” Gartner Document LE-15-9727, April 2002
Material Changes – BAM and Real Time Enterprises (continued)
Faster reaction is critical to operational effectiveness
• Today’s techniques for data analysis are not suitable for managing business operations if monitoring must be close to real time
• BAM fills this gap
Material Changes – The Real-time Challenges
[Figure: technologies ranked by increasing real-time/event-driven capabilities, from Operational Systems through Early Warehouses, “Active” Warehouses and Operational Data Stores to BAM]
• Operational Systems – but terribly fractured
• Early Warehouses – snapshots in time; high latency
• “Active” Warehouses – trickle feeds overcome very high latency
• Operational Data Stores – good solution for real time reporting with low latency
• BAM – best for critical event driven needs
Internal Controls – More Than Just Getting the Numbers Right?
Must have alerts, alarms, instant messages about:
• Hints of fraudulent internal activities
• Inaccurate or inappropriate accounting transactions
• Operational or financial “perturbations”
Need automation of manual audit tasks, rules-based enforcement of policies.
The Executive Dashboard grows up!
Internal Controls – More Than Just Getting the Numbers Right? (continued)
Executive Dashboard
• Not a quarterly look at the “numbers” any more
  Requires executives to dig deeper into their financial records.
  Not episodic but a steady stream of information – a daily onslaught!
• Sophisticated set of gauges, graphs, trend lines
  Drill through capabilities.
  Easily used and understood meta data.
Internal Controls – More Than Just Getting the Numbers Right? (continued)
Executive Dashboard
• Based on auditable, integrated data from a variety of sources
  Operational systems.
  BI systems.
  External data.
• Supporting real-time and historical analyses
  React to a trend?
  Observe an exception?
SOX Goes International
Discoveries of malfeasance offshore have a material effect on international corporations
• And must be reported as such
• Sea change from the way it is handled today
Many non-US companies are deciding against a US IPO because they cannot be SOX compliant
• German automaker, Porsche, canceled its US IPO because its supervisory boards and audit committees have employee reps – not independent by SOX rules
Private Companies Aren’t Immune
Private companies do not have to abide by SOX regulations unless they . . .
• Plan to go public – IPO – in the future
• Are acquired by or merge with a public company
• Have government contracts that require compliance
Acquiring companies will be performing much more stringent due diligence
Public and private companies must adhere to whistle-blower provisions
Many currently public companies are considering going private to avoid SOX compliance issues
Private Companies Aren’t Immune (continued)
Minimum steps private companies should take:*
• Add independent directors to your board
• Create an independent audit committee
• Review internal accounting procedures
• Educate directors, officers and employees on
requirements pertaining to reporting of misconduct
• Provide education on fraud prevention
• Enlist the help of data-auditing solution providers
* META Group 2003 report, “More Private Firms Working Toward Sarbanes-Oxley Compliance”
And Just When You Thought You Were Done
COSO
• Recommends companies adopt a framework to properly authorize all transactions – safeguards against improper use, documented set of internal rules that control how data is generated, manipulated, recorded and reported
Basel II
• Operational Risk
Even the Patriot Act . . .
• Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (P.A.T.R.I.O.T)
• Turn over your database, please . . .
Agenda
The Parts That Concern Everyone
What’s Needed
• A BI environment
• Meta data
• Solid technology architecture
• Evidence of good audit processes and procedures
• A Road map
Summary
A Business Intelligence Environment
An environment in which business users receive data that is:
• Reliable
• Consistent
• Understandable
• Easily manipulated
• Timely
For analyses that yield overall understanding of:
• Where the business has been
• Where it is now
• And where it will be in the near future
A Business Intelligence Environment (continued)
BI serves two main purposes:
• It monitors the financial and operational health of the organization
  Reports, alerts, alarms, analysis tools, key performance indicators (KPIs) and dashboards
• It regulates the operation of the organization
  Two-way integration with operational systems, information feedback analysis
BI, without the ability to act on it, is not worth much
A Business Intelligence Environment (continued)
Most companies cannot track changes to financial data as it moves around internally
• Massive ERP and CRM systems to collect data but then feed it into spreadsheets!
• Spreadsheets – manual process, prone to human error – widely used for planning and budgeting.
Reliance on human processes not cutting it
• Must have automated systems.
• Must have solid audit trails.
• Must be able to reconcile information either by integration (preferred) or at least a shared data model.
Meta Data
Data about the data, activities, environment
It is the key to:
• Assuring that numbers are what they say they are
• Verifying that procedures are what they say they are
• Visibility into the “numbers”
It is your audit trail throughout the environment
It must be “real time” as well
• Much of SOX compliance can be garnered from meta data rather than data
• Its architecture will mimic the Corporate Information Factory
The Corporate Information Factory
[Figure: Corporate Information Factory architecture diagram]
  Information Workshop: Library & Toolbox, Workbench
  Meta Data Management
  Operation & Administration: Change Management, Service Management, Data Acquisition Management, Systems Management
  Processes: Data Acquisition, CIF Data Management, Data Delivery, Information Feedback (via API, TrI and DSI interfaces)
  Operational Systems: External, ERP, Internal, Legacy, Other
  Data stores: Operational Data Store, Data Warehouse, Exploration Warehouse, Data Mining Warehouse, OLAP Data Mart, Oper Mart
The Corporate Information Factory
THE architecture to ensure data integration, quality, validity and transparency for BI applications
Benefits
• Reusability of components
• Standardization
  Technology
  Nomenclature
  Interfaces
• Increased flexibility in terms of selecting
  Tools
  Technologies
  Techniques
• Audit trails following movement of data
The Corporate Information Factory (continued)
• Permits each technological component to be optimized to perform at its best
Evidence of Good Audit Procedures
Now is the time to restart the data quality, integration and standardization projects you postponed
• Re-engineering of business processes and data
Use SOX compliance as a selling tool to improve overall technology environment
• Standard ID, codes, numbering schemes
• Standard business definitions, names
• Standard calculations and algorithms
• Standards compliant software and hardware
A Roadmap
Develop detailed plans for controls on financial systems
• Create a steering committee of top execs to ensure cooperation
Put in place a technology infrastructure, based on a proven architecture, that facilitates data use and integration from different systems
A Roadmap (continued)
Look for places where data integrity can slip through the cracks
• Watch for “customizations” to key systems – ensure adequate audit trails
Standardize all technological aspects where possible
• Operational systems
• BI environment
• Infrastructural components
A Roadmap (continued)
Set up systems to automatically notify all key constituents (senior execs, board members, investor-relations managers) of material events
• Transparency
IT projects must be intertwined with accounting processes to ensure compliance with and identification of SOX aspects
• Validity
Summary
Still unsure of actual requirements
• Reacting today may leave companies playing catch-up in the future.
• What’s “material”? What’s “real-time” reporting?
• Focus on visibility, accountability and better governance – IT plays a significant role in each of these.
Data integration becomes king
• Best time to create world-class integrated environment.
• Use compliance to standardize corporation’s IT architecture and nomenclature.
• No more “best of breed” purchases?
Need “right” time data
• BI is a critical component.
Summary (continued)
Look at the bright side, here’s your opportunity to:
• Decrease IT maintenance costs
• Improve data integrity across the organization
• Allow for better visibility of data throughout the organization
• Improve internal control mechanisms
On the not so bright side, will risk taking become a crime?
• Innovation versus SOX
• Take the opportunity to examine real business issues undermining the business
Summary (continued)
Finally, will SOX restore investor confidence?
• TBD!
• Execs focusing on compliance but not on changing the culture that fostered unethical behavior?*
• This may be the most difficult change of all…
* See “Liar, Liar” by Joshua Kurlantzick, Entrepreneur Magazine, October 2003 for more on cultural change
Questions?
Claudia Imhoff, PhD
Intelligent Solutions, Inc.
[email protected]
303-444-6650
www.IntelSols.com