Remaining Tasks for J-SOX Year One

Leading Practices for J-SOX Compliance
Remaining Tasks for J-SOX Year 1
How to prepare for Year 2 and Beyond
November, 2008
About Protiviti
A global business consulting and internal audit firm composed of
experts specializing in risk, advisory and transaction services.
Formed in 2002 with approximately 700 former Arthur Andersen
professionals with internal audit and risk consulting experience.
These practices operated separately from Andersen's external
audit and attestation services.
More than 3,300 professionals in over 60 offices worldwide.
Clients include more than 25% of the FORTUNE 500.
Assisted over 800 companies with U.S. SOX compliance.
Assisted over 100 Japanese companies with SOX and J-SOX
compliance in Japan, U.S., Europe, and Asia.
Subsidiary of Robert Half International, the world’s first and
largest specialized staffing firm, with 2007 revenue of $4.65
billion and more than 400 staffing and consulting services
locations worldwide.
© 2008 Protiviti Inc. An Equal Opportunity Employer. This document is for your company’s internal use only and may not be distributed to any third party. 0806JA
Protiviti Solutions
Governance, Risk & Compliance
• Assist with initial year SOX/J-SOX project
• Optimize ongoing SOX/J-SOX compliance
• Implement control self-assessment process
• Implement Protiviti Governance Portal to streamline risk management efforts
• Develop enterprise risk management program
CIO Solutions
• Enhance IT strategy and governance
• Manage IT project risks
• Assess and enhance IT security
• Develop business continuity and disaster recovery programs
Enterprise Application Solutions
• Select business application systems
• Optimize ERP system configurations
• Design user access and segregation of duty framework
• Implement integrated GRC applications
• Audit effectiveness of ERP system and related processes
Finance Transformation
• Reduce closing and reporting time/cost
• Enhance budgeting/planning processes
• Develop performance management program
• Support implementation of new accounting rules and requirements
Business Operations Improvement
• Analyze and manage operating expenses
• Mitigate inventory and cash loss
• Customer credit risk management
• Assess and manage fraud risks
Enterprise Information Management
• Improve integrity of financial and managerial information
• Implement data mining to analyze strategic, financial and operational issues
Litigation, Restructuring & Investigative Services
• Develop legal discovery process and systems to manage the cost of litigation
• Research within electronically-stored information
• Perform investigative analysis for merger, acquisition, and separation
Financial Risk Strategy & Management
• Develop models for credit, market, and other operational risks
• Assess and enhance asset/liability management programs
Internal Audit
• Support launch of internal audit function
• Improve internal audit productivity
• Perform special internal audits
• Provide internal audit outsourcing or co-sourcing services
Agenda
Remaining Tasks for Year 1
Coordination with External Auditors
Planning for Year 2
Managing the Compliance Cost
Project Tasks covered in today's session (timeline 2007 to 2009, covering J-SOX Year 1 and J-SOX Year 2) (1)
Parent Steps
1. Develop project plan
2. Support subsidiaries' activities
3. Compile results and prepare reports
4. Support external audits
Subsidiary Steps
1. Determine scope and approach
2. Document processes, risks, and controls
3. Evaluate control design and correct gaps
4. Test control operation and correct gaps
5. Support external audits
(1) This example is for a parent and subsidiary with a March year end
Remaining Tasks for Year 1
Overview
Subsidiary: Obtain instruction from parent → Evaluate control design → Correct design gaps (if needed) → Perform operational test → Correct operational gaps (if needed)
External auditor: Obtain audit instruction from parent's auditor → Review control design evaluation → Review or perform operation testing → Provide results to parent's auditor
In addition, the parent J-SOX team may perform independent monitoring
Remaining Tasks for Year 1
Subsidiary Task: Obtain instruction from parent
Confirm walk-through and/or design evaluation requirements
Finalize the approach for operational testing
  Determine the sample size for each type of control to be tested
  What periods should the samples cover, and what is the process for making selections?
  How should annual controls (e.g., year-end reporting) be tested?
Confirm if, when, and how the parent would perform independent monitoring
Clarify requirements for roll-forward procedures
  Are they required?
  What has to be done, and when?
Confirm required forms and supporting documents
Finalize the overall schedule with the parent and the auditors
Remaining Tasks for Year 1
Subsidiary Task (continued): Evaluate control design; correct design gaps (if needed)
Perform walkthroughs (if required)
  Confirm whether documentation is still accurate
  Confirm whether the controls are actually placed in operation
  Identify operational gaps before formal testing
Complete required documents and collect evidence
Evaluation of DESIGN generally requires a judgment by a person with adequate knowledge of internal control and financial reporting
Carefully evaluate whether independent monitoring by the parent team is necessary at your subsidiary
Remaining Tasks for Year 1
Subsidiary Task (continued): Perform operational test; correct operational gaps (if needed)
Tests may be performed in a single step (high risk, low cost) or in several steps (low risk, high cost). Consider the following factors to determine the approach:
  Results of previous tests (e.g., the year 0 test)
  Sample period requirements
  Time allocated for remediation
  Schedule of the parent's independent monitoring and external audit
Individuals with an appropriate level of competence and objectivity should perform testing:
  Knowledge of business, accounting, and/or IT processes
  Ability to perform a thorough test and ask the right questions
  Communication and documentation skills
Remaining Tasks for Year 1
Subsidiary Task (continued): Perform operational test; correct operational gaps (if needed)
Consider the use of judgmental sampling instead of random sampling
  If performed by an experienced tester, judgmental sampling can generate more meaningful results that can be relied upon by external auditors
Remediation may be required
  Change of control design, communication/training, and/or enforcement
  If possible, remediate gaps before the audit starts
  If not possible, explain the remediation plan to the auditor
  If possible, retest remediated controls
Prepare a re-usable test plan. A good test plan generates the same results even if performed by another person
Remaining Tasks for Year 1
Subsidiary Task – Test Sheet Sample (top half of the form)
Control Reference: C11-2
Process / Sub-Process: Revenue – Billing/Invoicing
Control Activity: The Accounting Supervisor investigates all variances between the Shipping and Billing Report for the month's shipments.
Control Owner: Accounting Supervisor
Control Effective Date: March 1, 2008
Control Frequency: Monthly
Control Priority: Primary
Control Type: Manual
Tested/Documented by: Bill Smith, Date: 10/26/2008
Reviewed by: Nancy Lee, Date: 10/28/2008
Test Date: 3/1/08 - 9/30/08 (callout: the testing period cannot begin before the control was implemented)
Operational Effectiveness: Effective (choices are Effective, Ineffective, Not Testable)
Sample Size: 3
Test Procedures: Select a sample of 3 monthly Shipping and Billing reports from the system for the period of June through August 2008 and:
1) Re-perform the review by the Accounting Supervisor by verifying that all variances between the shipping value and invoice value have been investigated and remediated adequately;
2) Inspect the selected monthly Shipping and Billing reports for evidence of review by the Accounting Supervisor.
(Callout: provide a detailed description of the testing procedure. It should be written so that individuals from the subsidiary, the parent, and the auditor can understand and follow it.)

Remaining Tasks for Year 1
Subsidiary – Test Sheet Sample (bottom half of the form)
Test Results:
Obtained the Shipping vs. Billing Report for the months of June, July and August.
Inspected the Variance (differences between Shipping and Billing) column and noted that there were no differences.
Additionally, inspected the Shipping vs. Billing Report and noted the Accounting Supervisor's signature and date, evidencing review.
Based on the results below, the control appears to be operating effectively as of 08/31/2008.
(Callout: provide a detailed description of actions taken, test plan items executed and results. Include additional comments such as how the tester judged a borderline case or when the tester made additional selections.)
Issues / Tester's Comments / Notes:
Issues Log (callout: list the samples selected and the testing results)
Sample  Month   Test Step 1  Test Step 2
1       June    √            √
2       July    √            √
3       August  √            √
Notes: 1
Legend:
√: No exceptions noted
Exceptions:
Notes:
1: Variance of $50,322 (order # 123968) was corrected by order # 123579.
Remaining Tasks for Year 1
Auditor Task: Obtain audit instruction from parent's auditor
The parent auditor determines the role and approach of the subsidiary auditors
  The subsidiary's auditor performs certain procedures requested by the parent auditor
  The parent auditor may review company-level controls and financial reporting controls while asking subsidiary auditors to review process controls and ITGC
Communicate frequently with the parent to ensure there is sufficient communication between the auditors
  In Year 1, the parent auditor's instructions to subsidiary auditors may not be very specific
  Both auditors will be performing J-SOX audits for the first time
  Consult with the parent if the subsidiary auditor's procedure is significantly different from the parent's
Remaining Tasks for Year 1
Auditor Task (continued): Review control design evaluation
The local auditor may perform a walk-through first to evaluate control design, and evaluate operational effectiveness later
  Remediate the auditors' comments on control design before proceeding with operation testing
Find ways to support the auditor's walk-through
  If the auditor can utilize management's walk-through documents, it may reduce the fees charged by the auditors
Explain the reasons for the selection of key controls
  Management and the auditor may have different opinions on what should be key controls. It is acceptable to have a difference of opinion.
Remaining Tasks for Year 1
Auditor Task (continued): Review or perform operation testing
Understand if, how, and when the auditor performs operational testing
Consider ways to reduce management effort and audit costs. For example, pull samples for both management and auditor tests at the same time
Thorough testing by management could reduce audit cost
  The auditor may reduce the amount of testing it performs if it can rely on management's test results
  An auditor who performs testing in year 1 may reduce the extent of tests in year 2 if the auditor's test results agree with management's test results
  The quality of management testing could also affect the cost of the financial statement audit
Coordination with External Auditors
Case Study #1
Challenge:
A parent company was not able to obtain information about the audit approach at its foreign subsidiaries. However, the parent wanted to avoid the situation where subsidiaries have to correct many deficiencies at the last minute.
Solution:
The parent asked each foreign subsidiary to retain the subsidiary auditor to perform a "dry run audit" for selected processes before the beginning of Year 1.
This allowed some subsidiaries to identify additional tasks they had to complete before the end of Year 1.

Coordination with External Auditors
Case Study #2
Challenge:
A parent company wanted to make sure that the level of evaluation was consistent across its subsidiaries. However, the subsidiaries were receiving different recommendations from their respective auditors.
Solution:
After consulting with the parent auditor, the parent company prepared a master list of significant risks and asked each subsidiary to use it as a checklist when finalizing the identification of risks.
This helped to keep the level of detail similar between the subsidiaries.
This also helped the parent auditor to clarify requirements for the subsidiary auditors.

Coordination with External Auditors
Case Study #3
Challenge:
A foreign subsidiary asked its subsidiary auditor questions about the audit approach so that it could schedule management's assessment accordingly. However, it was difficult to obtain clear answers because the subsidiary auditor needed to consult with the parent auditor, and the parent auditor was not always able to give direction to the subsidiary auditor.
Solution:
The parent, the subsidiary, the parent auditor and the subsidiary auditor held a video conference to discuss all open issues. After just one such conference, the majority of the open issues, which had been pending for several months, were resolved, and the subsidiary was able to finalize its own plan.

Coordination with External Auditors
Case Study #4
Challenge:
When the parent and subsidiary compared notes on the audit procedures planned by their respective auditors, it became apparent that the subsidiary auditor was planning to perform more extensive work than the parent auditor. As the subsidiary's business is much simpler and smaller than the parent's, the subsidiary became concerned about the planned procedures.
Solution:
The subsidiary asked the parent to inform the parent auditor that the subsidiary auditor was planning more extensive procedures.
The parent auditor sent instructions to the subsidiary auditor to scale down the procedures.
Planning for Year 2
Challenges
Scope may change
  Additional subsidiaries may be added due to changes in revenue
  Additional processes may be added due to changes in the business
Approach may change
  Based on the experience in year 1, the parent may introduce a new approach or document templates
  Based on feedback from the auditors, additional tasks may become necessary
Different skills may be required
  Subsidiaries may need additional or different skill sets to fulfill requirements in year 2 due to changed requirements or changed availability of support from the parent

Planning for Year 2
Goal Setting
Most companies focused on "passing J-SOX" in year 1 and did not have enough time to consider other aspects of the effort.
Year 2 may be the start of an effort to create a compliance process that is:
Cost-effective
  Measure and reduce the overall cost of J-SOX compliance over time
Sustainable
  Establish an efficient and repeatable J-SOX process
  Manage the impact of company-wide business changes on the control environment as they occur
Value-added
  Build controls into financial reporting, business, and IT processes to
  • Improve quality of operations and services
  • Improve response / cycle time of processes
  • Improve employee skill set by reducing non-value-adding activities

Planning for Year 2
Project Team
A project team that has the required skill sets and availability is critical for a successful compliance effort
Consider utilizing all of the following:
  Parent J-SOX team
  Subsidiary internal audit or compliance team
  Process owners
  Outside specialists with relevant skills
When using internal or outside specialists, consider:
  Capability and cost
  Skill development / career path
  Seasonality of needs (most tasks are performed between October and March)
  Project management skills
  Ability to work with auditors and support continuous improvement

Planning for Year 2
Required Tasks
Continue remediation efforts from Year 1, if necessary
Develop the Year 2 plan
  Goals
  Schedule
  Approach for each step/task
  Project team
Re-evaluate scope based on changes in the business
  At global level (selection of companies)
  At subsidiary level (selection of business segments and processes)
Update and re-assess company-level controls
Update and re-assess consolidated financial reporting level controls
Review and update documentation
  Update before design evaluation, or
  Update every time a process or control changes

Planning for Year 2
Required Tasks (continued)
Rationalize controls (if desired)
Perform walk-through and re-evaluate control design
  Consider changes of business, people, systems
Remediate design deficiencies
Perform operation testing
  Update testing scripts if necessary
Remediate operating deficiencies
  If many controls fail, consider ways to enforce controls
  Retest failed controls after remediation, if necessary
Perform roll-forward procedures, if necessary
Support external auditors
Managing the Compliance Cost
Long-term View
Management should define strategic goals for J-SOX.
Management should consider not only the reduction of the compliance cost but also the improvement of the productivity of in-scope business processes.

Year 1 State                    | Future Goals (sample)
Project                         | Process
Ad hoc, undefined processes     | Managed processes
Project team driven             | Process owner driven
React to external auditor       | Managed audit relationship
Manual controls                 | Automated controls
Detective controls              | Preventive controls
Unpredictable costs             | Managed costs
Manual journal entries          | Automated journal entries
Spreadsheets                    | System reports
Weak entity level controls      | More reliance on entity level controls
Inefficient close processes     | Streamlined close processes
Managing the Compliance Cost
Key Steps
In order to reduce the cost and increase the benefit:
Obtain a better understanding of requirements and define local objectives
  Regulatory and auditor requirements
  Global (parent) requirements and objectives
  Local (subsidiary) goals and objectives
Develop a sustainable compliance plan
  Policies and procedures for control maintenance and rationalization
  Approach and schedule of recurring activities
Organize a compliance team that includes
  Compliance (internal audit) manager – tests critical controls, manages the process
  Process owner – builds controls within business and IT processes and owns them
  Outside specialists – complement internal resources if needed
Utilize a proper set of compliance solutions
  To develop sustainable processes
  To reduce the overall cost of the compliance effort
Managing the Compliance Cost
Control Rationalization
Control rationalization is a process to
  Identify a set of controls that efficiently mitigates significant risks
  Identify a set of monitoring and testing activities that efficiently ensures the operation of controls
Control rationalization may include
  Replacement of manual controls with automated controls
  Replacement of detective controls with preventive controls
  Increased use of company level controls to mitigate risks
Control rationalization can support
  Reduction of compliance cost
  Increase of productivity
Managing the Compliance Cost
Control Rationalization Approach
1. Apply Risk-Based Scoping: rationalize risk and sharpen the risk assessment to ensure the primary focus is on the critical risk areas
2. Link Entity Level Controls to Risk: determine company level controls that can be relied upon and assess their impact on the internal controls evaluation
3. Rationalize Controls: identify robust monitoring controls for the critical risks for each process and assess their impact on the internal controls evaluation
4. Scope General IT Controls: identify in-scope general IT processes linked to critical applications in the in-scope business processes
5. Implement Self-Assessment: plan, develop and implement a self-assessment approach, and report findings and follow-up
6. Evaluate Effect on Test Plan: convert identified impacts on the internal controls evaluation into specific revisions to test plans
7. Leverage Value-Added Opportunities: analyze observations and insights accumulated through the process and "string" together opportunities to improve process quality, time and cost performance
How to Contact Us
Paul Sachs
Managing Director
213-327-1439
paul.sachs@protiviti.com
Aki Tohyama
Managing Director
213-327-1466
aki.tohyama@protiviti.com
Miharu White
Director
408-808-3227
miharu.white@protiviti.com
© 2008 Protiviti Inc. An Equal Opportunity Employer. This document is for your company’s internal use only and may not be distributed to any third party. 0806JA