CIO COMMUNITY OF PRACTICE MEETING
Leveraging Sarbanes-Oxley To Drive Enterprise Value
Tom Captain and Carlos Munoz, Deloitte
August 21, 2003
Proprietary and Confidential

Slide 1: Well Known Market Events Have Severely Damaged Investor Confidence and Public Trust

[Chart: DJIA from 1982 to 2004, roughly 800 to 11,000, annotated in two eras]

August 1982 – March 2000: "Institutional Carte Blanche" (Exuberant Capitalism)
  I. Initial Growth: tax cuts and free trade
  II. Consolidation / Acceleration: US wins Cold and Gulf Wars
  III. Irrational Exuberance: Y2K and the Internet bubble

March 2000 – December 2003 and beyond: "Institutional Mistrust" (Sarbanes-Oxley)
  I. Bear Market: post-Y2K, the Internet bubble bursts
  II. Crisis of Confidence: September 11, 2001; Enron and Andersen
  III. Market Differentiation: public companies respond to Sarbanes-Oxley

Sarbanes-Oxley Act of 2002 Overview: all companies get tarred with the same investor (and therefore regulatory) brush.

Slide 2: Evolving Regulatory Environment: Key Implications
• Sarbanes-Oxley (SOX) regulations
  – Significant financial reporting and certification costs (upfront and annual)
  – New personal risk exposure for CXOs and Board members
• Creditors tighten the terms and conditions for capital
• Equity investors have fundamentally changed
  – More active around issues of corporate governance
  – Require a higher risk premium from businesses they do not understand
  – Apply a considerably higher level of due diligence
  – Display quicker, larger and more durable negative reactions to earnings restatements

Slide 3: Critical Dimension of SOX: Financial Information Quality

Sections of the Sarbanes-Oxley Act (requirement, and its information quality implication)

Section 302
  Requirement: CEO and CFO must certify periodic SEC filings
  Implication: reporting mistakes could result in criminal prosecution of company officers (accuracy)
Section 409
  Requirement: disclose any material changes in real time
  Implication: ambiguity around "real-time" and "material" (timeliness)
Section 404
  Requirement: provide an Internal Control Report
  Implication: requires documentation, testing and remediation of controls (transparency and accuracy)
Section 802
  Requirement: retention and protection of audit documents and related records
  Implication: digital vaulting and ready access to historical records, correspondence and emails must be implemented (accuracy)

Other Mandatory Requirements
• 103 Audit Record Retention and Security
• 201 Monitoring and Pre-Approval of Non-Audit Services
• 301 Audit Committee Monitoring and Complaint / Issue Process
• 306 Monitoring and Prevention of Insider Trading
• 401 Financial Reporting Disclosure
• 402 Monitoring and Prevention of Personal Loans to Executives
• 403 Disclosure of >10% Ownership within 2 Business Days
• 406 Code of Ethics Creation and Disclosure
• 407 Disclosure of Financial Expertise on the Audit Committee
• 408 Facilitation of SEC Reviews
• 501 Security Analyst Monitoring and Disclosure
• 806 Whistleblower Communications and Response
• 906 Financial Reporting Certification
• 1102 Record Retention and Security

SOX regulations attempt to ensure a minimum acceptable level of financial information transparency, accuracy and timeliness. These are table stakes.

Slide 4: Restoring Trust / Building Shareholder Value Will Require Moving Beyond SOX Information Quality Requirements

[Iceberg figure]
• Letter of the Law: meet Sarbanes-Oxley requirements for transparency, accuracy and timeliness
• Spirit of the Law: improve Company IQ™ by adding predictability (illustrated with an earnings trend, 1999 through 2003E), built on technology standardization and integration
Business process, data and technology complexity determines the size of the iceberg.

Slide 5: Silver Lining in the SOX Cloud: Business Case for Moving Beyond Compliance Is Compelling

[Value waterfall; sample impact in $ millions for a $1 billion company]
Value drivers (plus):
• Risk Reduction: decrease cost of capital; decrease personal liability exposure for directors and CXOs; mitigate future liabilities exposure
• SOX Cost Savings*: reduce the number of processes requiring documentation, remediation and certification
• Effectiveness Improvements: improve planning and budgeting; improve monitoring and analytics; improve operational decision-making
• Efficiency Cost Savings: automate closing; G&A savings; working capital improvements
Costs (less):
• Organizational Pain: retraining; application reconfiguration; enterprise process, systems and data standardization and simplification
• SOX Compliance Costs: documentation, assessment and remediation; disclosure and certification
Result: Net Value
(* assuming a standardization/simplification initiative)

Slide 6: Moving Forward: Controlled Confusion... What Are Companies Thinking?
• 79% are unsure what implications SOX will have for their company
• 85% are planning IT systems changes to support SOX
• 61% expect business process change will be required

[Bar chart: IT remedies being explored, as a percentage of respondents (axis 0 to 70%). Categories: ERP instance consolidation; turning on controls; EPM system; current system upgrade; change current system; do nothing. Source: AMR Research]

Slide 7: The CIO Will Play a Critical Role in SOX Compliance and the Transformation of Company IQ™

Effective IT governance, exercised through two roles:

IT Strategist: provide the technological platform and infrastructure to enable transparent, timely, accurate and predictable information
• Platform standardization
• Infrastructure optimization
• System integration
• Enhanced transparency

Data Steward: provide the environment and mechanisms for establishing controls and managing exceptions, and the standards for ensuring data integrity
• COBIT compliance
• Data standards management
• Policy enforcement
• Automated controls activation

Slide 8: The Environment of Mistrust Amplifies a Previously Minimized Dimension of the CIO's Role: Steward of Financial Information

[Chart: role of the CIO over time, against market conditions]

Internet bubble (US GDP growth): CIO as Strategic Advisor
  Market demands:
  • Growth – revenue per share
  • What's your Internet strategy?
  • Innovation – new products and services
  CIO priorities:
  • Gain advantage with new technology
  • Understand emerging trends and their business impact
  • Spend to create strategic options for "e-businesses"

Scandal, war and recession: CIO as Operational Lead
  Market demands:
  • Profitability – earnings
  • What/when are you going to outsource?
  • Operations – cost reduction
  CIO priorities:
  • Reduce total cost of IT
  • Identify and execute on outsourcing options
  • Reduce/consolidate staff and systems wherever possible

Post-SOX era: CIO as Information Steward
  Market demands:
  • Profitability – quality earnings
  • How will you comply with SOX?
  • Information Quality™ – trustworthy financial data and disclosure
  CIO priorities:
  • Reduce total cost of IT
  • Lead the IT component of SOX compliance efforts, especially Sections 404 and 409
  • Improve the quality of financial information processing and reporting

Slide 9: The IT Lag: Cautious Movement

There appears to be a six-month lag between the start of the initial readiness phases and the beginning of IT development. We predict increasing numbers of budget increases for 2004.

[Chart: IT timing and level of spend for full Sarbanes-Oxley compliance, U.S. public companies only. Y axis: focus and level of spend (low to high), a projection of relative IT spend. X axis: 2002 through 2005. Milestones: 2002, Sarbanes-Oxley becomes law; 2003, SEC final ruling / COSO framework accepted; 2004, SOX 404 deadline. Successive phases: Internal Controls Readiness Assessment; Internal Controls, Disclosure and Protection Compliance (IT development); Sarbanes-Oxley Compliance and COSO Optimization; People, Process and Systems Optimization. Source: Deloitte & Touche]

Slide 10: The IT Change Effort: Enabling Technology

Even without performance improvement, the technology change effort required for sustainable SOX compliance is significant. The change effort for each group of sections is assessed across four dimensions: process, data, people and technology.
• §302, 401, 403, 406, 407, 409, 501, 906: financial reporting disclosure; disclosure of ownership changes; code of ethics disclosure; audit committee expertise disclosure; material operating/financial change disclosure; etc.
• §404: management assessment of internal controls
• §103, 408, 802, 1102: audit record retention and security; facilitation of SEC review; related record retention; etc.
• §201, 301, 306, 402, 806: pre-approval of non-audit services; audit committee monitoring and complaint process; prevention of insider trading during blackout periods; personal loan prevention; whistleblower process; etc.

Slide 11: Technology Implications: Requirements

The underlying technology is driven by the mandated compliance requirements and by the opportunity for COSO operating efficiencies.

System requirements (functionality: type of system)
• Internal control field audit and measurement: Risk Control Tracking System
• Controlled financial reporting and transactions: ERP, G/L, consolidation and financial reporting systems
• Monitoring, disclosure and prevention: portal, advanced reporting, data warehouse, data analytics and email compliance systems
• Content management and archiving: document management and workflow system
• Training and communication: eLearning system
• Optimization and cash generation (productivity tools): enterprise systems management, project management, IT auto-discovery, tax optimization

Slide 12: IT Reference Architecture

A suggested SOX IT reference architecture addresses all mandatory requirements and positions organizations for ongoing performance improvement. On this slide "SOA" abbreviates the Sarbanes-Oxley Act; the key SOA sections mapped onto the architecture are 302 (disclosure), 404 (controls), 409 (disclosure) and 802 (retention).

Sarbanes-Oxley Reference Architecture, top to bottom:
• Compliance & Control Portal
  – Audit & Remediation views: Sarbanes PMO view; Field Audit view (RCTS); Internal Audit view; External Audit view
  – Monitoring, Prevention & Disclosure views: CEO/CFO view; Disclosure Committee view; Audit Committee view; CIO/COO view; Business Unit view; etc.
  – Training views: HR/Training view
• Advanced Reporting & Query Engine; Analytics Engine
• Security (shown as its own element of the architecture)
• Compliance Data Warehouse; Compliance Digital Vault; Document Management & Workflow; Training/eLearning System
• Enterprise Application Integration Engine
• Sarbanes Risk & Control System (e.g., RCTS*); RACK**; Risk Management Systems; Email System; Email Compliance
• Source systems: Financial Systems; HR Systems; CRM Systems; Other Internal; Other External (e.g., SEC)
The architecture is divided into a Compliance Infrastructure band and a Performance Improvement / Cash Generation band; the slide's legend marks existing or lower-impacted technologies separately.
* RCTS = Risk Control Tracking System (used for Sarbanes-Oxley Act readiness assessments)
** RACK = Risk & Control Knowledge Base (source of the COSO, process and industry frameworks)

Slide 13: Conclusion...
• We are where we are (grief)
• Some are skeptical of the real consequences or probability of punishment (denial)
• The effort may look like a tax, or maybe worse, punishment of the innocent and uninvolved (anger)
• Some will only minimally comply (resignation)
• However, something may strike a chord for CIOs (acceptance):
  – Compare and contrast the SOX reference architecture with your projects
  – Can we re-position the portfolio of typical IT initiatives and projects?
  – Will this make funding and resourcing more likely?
  – Is this a good thing, anyway?

Slide 14: Contact Information
• Tom Captain; Partner, Seattle – tcaptain@dc.com – 206.465.5622
• Carlos Munoz; Senior Manager, San Francisco – cmunoz@dc.com – 415.268.1211
• Deloitte website – www.dc.com