Leveraging Sarbanes-Oxley To Drive Enterprise Value

CIO Community of Practice Meeting
Tom Captain and Carlos Munoz, Deloitte
August 21, 2003
Well Known Market Events have Severely Damaged Investor Confidence and Public Trust
[Chart: DJIA over time (axis ticks 800, 7,000, 9,000, 11,000; years 1982, 1991, 2000, 2002, 2004), contrasting "Institutional Carte Blanche" / Exuberant Capitalism (August 1982 – March 2000) with "Institutional Mistrust" (March 2000 – December 2003 and beyond)]
August 1982 – March 2000
• Phase I – Initial Growth: tax cuts and free trade
• Phase II – Consolidation/Acceleration: US wins Cold/Gulf Wars
• Phase III – Irrational Exuberance: Y2K and Internet Bubble
March 2000 – December 2003 and beyond
• Phase I – Bear Market: post-Y2K & Internet Bubble bursts
• Phase II – Crisis of Confidence: Sept 11, 2001; Enron and Andersen; Sarbanes-Oxley Act of 2002
• Phase III – Market Differentiation: public companies respond to Sarbanes-Oxley
All companies get tarred with the same investor (and therefore regulatory) brush
Proprietary and Confidential
Evolving Regulatory Environment: Key Implications
• Sarbanes-Oxley (SOX) regulations
– Significant financial reporting /certification costs (upfront/annual)
– New CXO/Board member personal risk exposure
• Creditors tighten the terms/conditions for capital
• Equity Investors have fundamentally changed
– More active around issues of corporate governance
– Require a higher risk premium from businesses they do not understand
– Apply a considerably higher level of due diligence
– Display quicker/larger/more durable negative reactions to earnings restatements
Critical Dimension of SOX: Financial Information Quality
Sections of the Sarbanes-Oxley Act – Requirement – Information Quality Implication
• 302 – Requirement for CEO & CFO to certify periodic SEC filings – Reporting mistakes could result in criminal prosecution of company officers (accuracy)
• 409 – Requirement to disclose in real time any material changes – Ambiguity around ‘real-time’ and ‘material’ (timeliness)
• 404 – Requirement to provide Internal Control Report – Requires documentation, testing and remediation (transparency & accuracy)
• 802 – Retention and protection of audit documents and related records – Digital vaulting & ready access to historical records, correspondence and emails must be implemented (accuracy)
Other Mandatory Requirements
• 103 Audit Record Retention and Security
• 201 Monitoring and Pre-Approval of Non-Audit Services
• 301 Audit Committee Monitoring and Complaint / Issue Process
• 306 Monitoring and Prevention of Insider Trading
• 401 Financial Reporting Disclosure
• 402 Monitoring and Prevention of Personal Loans to Executives
• 403 >10% Ownership Disclosures within 2 Business Days
• 406 Code of Ethics Creation and Disclosure
• 407 Disclosure of Financial Expertise on the Audit Committee
• 408 Facilitation of SEC Reviews
• 501 Security Analyst Monitoring and Disclosure
• 806 Whistle Blower Communications and Response
• 906 Financial Reporting Certification
• 1102 Record Retention and Security
SOX regulations attempt to ensure a minimum acceptable level of financial information transparency, accuracy and timeliness -- table stakes
Restoring Trust/Building Shareholder Value will Require Moving Beyond SOX Information Quality Requirements
[Figure: iceberg contrasting "Meet Sarbanes-Oxley Requirements" (letter of the law) with "Improve Company IQ™" (spirit of the law) across Transparency, Accuracy, Timeliness and Predictability; includes an earnings trend for 1999–2003E and a Technology Standardization / Integration layer]
Business Process, Data and Technology complexity determines the size of the iceberg
Silver Lining in the SOX Cloud: Business Case for Moving Beyond Compliance is Compelling
[Figure: value build-up, sample impact in $ millions for a $1 billion company]
• Risk Reduction (+)
– Decrease cost of capital
– Decrease personal liability exposure for directors/CXOs
– Mitigate future liabilities exposure
• SOX Cost Savings (+)
– Reduce # of processes requiring documentation, remediation & certification
• Effectiveness Improvements (+)
– Improve planning/budgeting
– Improve monitoring/analytics
– Improve operational decision-making
• Efficiency Cost Savings (+)
– Automate closing
– G&A savings
– Working capital improvements
• Organizational Pain (−)
– Retraining
– Application reconfiguration
– Enterprise process/systems/data standardization/simplification
• SOX Compliance Costs * (−)
– Documentation/assessment/remediation
– Disclosure and certification
= Net VALUE
(*assuming standardization/simplification initiative)
Moving Forward: Controlled Confusion…
What are companies thinking?
• 79% unsure what implications SOX will have for their company
• 85% planning IT systems changes to support SOX
• 61% expect business process change will be required
[Chart: "IT Remedies being explored…", percentage of companies (0–70%) by remedy: ERP Instance Consolidation, Turning on Controls, EPM System, Current System Upgrade, Change Current System, Do Nothing. Source: AMR Research]
The CIO Will Play A Critical Role in SOX Compliance and the Transformation of Company IQ™
• Data Steward: provide the environment and mechanisms for establishing controls and managing exceptions, and the standards for ensuring data integrity
• IT Strategist: provide the technological platform and infrastructure to enable transparent, timely, accurate and predictable information
Enabling capabilities:
• Effective IT Governance
• COBIT Compliance
• Data Standards Management
• Policy Enforcement
• Automated Controls Activation
• Platform Standardization
• Infrastructure Optimization
• Enhanced Transparency
• System Integration
The Environment of Mistrust Amplifies a Previously Minimized Dimension of the CIO’s Role: Steward of Financial Information
[Figure: role of the CIO over time, from Strategic Advisor (US GDP growth, Internet bubble) to Operational Lead (scandal, war & recession) to Information Steward (post-SOX era)]
Strategic Advisor
• Market demands: Growth – revenue per share; What’s your Internet strategy?; Innovation – new products & services
• CIO priorities: Gain advantage with new technology; Understand emerging trends and their business impact; Spend to create strategic options for “e-businesses”
Operational Lead
• Market demands: Profitability – earnings; What/when are you going to outsource?; Operations – cost reduction
• CIO priorities: Reduce total cost of IT; Identify and execute on outsourcing options; Reduce/consolidate staff and systems wherever possible
Information Steward
• Market demands: Profitability – quality earnings; How will you comply with SOX?; Information Quality™ – trustworthy financial data & disclosure
• CIO priorities: Reduce total cost of IT; Lead IT component of SOX compliance efforts, especially 404 & 409; Improve quality of financial information processing & reporting
The IT Lag: Cautious Movement
There appears to be a six month lag for the beginning of IT development once initial Readiness phases have begun. We predict increasing numbers of budget increases for 2004.
Focus and Level of Spend
[Chart: "IT Timing and Level of Spend for Full Sarbanes-Oxley Compliance" – projection of relative IT spend (low to high) against timing, 2002–2005. Milestones: Sarbanes-Oxley becomes law (2002); SEC final ruling / COSO OK’d; SOX 404 deadline. Phases: Internal Controls Readiness Assessment; Internal Controls, Disclosure & Protection Compliance (IT development); People, Process & Systems Optimization (Sarbanes-Oxley Compliance & COSO Optimization). U.S. public companies only. Source: Deloitte & Touche]
The IT Change Effort: Enabling Technology
Even without performance improvement, the technology change effort required for sustainable SOX compliance is significant.
SOX Section – Requirement
• §302, 401, 403, 406, 407, 409, 501, 906 – Financial Reporting Disclosure; Disclosure of Ownership Changes; Code of Ethics Disclosure; Audit Committee Expertise Disclosure; Material Operating/Financial Change Disclosure; etc.
• §404 – Management Assessment of Internal Controls
• §103, 408, 802, 102 – Audit Record Retention and Security; Facilitation of SEC Review; Related Record Retention; etc.
• §201, 301, 306, 402, 806 – Pre-approval of Non-Audit Services; Audit Committee Monitoring and Complaint Process; Insider Trading During Blackout Prevention; Personal Loan Prevention; Whistle Blower Process; etc.
[Table: change effort for each group of sections rated across Process, Data, People and Technology]
Technology Implications: Requirements
The underlying technology is driven by the mandated compliance requirements and the opportunity for COSO operating efficiencies.
System Requirements (Functionality – Type of System)
• Internal Control Field Audit and Measurement – Risk Control Tracking System
• Controlled Financial Reporting & Transactions – ERP, G/L, Consolidation, Financial Reporting Systems
• Monitoring, Disclosure, and Prevention – Portal, Advanced Reporting, DW, Data Analytics, Email Compliance Systems
• Content Management and Archiving – Document Management, Workflow System
• Training and Communication – eLearning System
• Optimization and Cash Generation (Productivity Tools) – Enterprise Systems Mgt, Project Mgt, IT Auto Discovery, Tax Optimization
IT Reference Architecture
A suggested SOX IT Reference Architecture addresses all mandatory requirements, and positions organizations for ongoing performance improvement.
[Figure: Sarbanes-Oxley Reference Architecture, with Security spanning all layers and the key SOA sections 302 Disclosure, 404 Controls, 409 Disclosure and 802 Retention mapped to components; bands labelled Compliance Infrastructure and Performance Improvement / Cash Generation]
• Compliance & Control Portal
– Audit & Remediation Views: Sarbanes Field Audit View (RCTS), PMO View, Internal Audit View, External Audit View, Audit Committee View
– Monitoring, Prevention & Disclosure Views: CEO/CFO View, Disclosure Committee View, CIO/COO View, Business Unit View, etc.
– Training Views: HR/Training View
• Advanced Reporting & Query Engine; Analytics Engine
• Compliance Digital Vault; Compliance Data Warehouse; Document Management & Workflow; Training / eLearning System
• Enterprise Application Integration Engine
• Sarbanes Risk & Control System * (e.g., RCTS); RACK **; Risk Mgt Systems; Email System; Email Compliance
• Connected systems: Financial Systems, HR Systems, CRM Systems, Other Internal, Other External (e.g., SEC)
• Legend: existing or lower impacted technologies
* = Risk Control Tracking System (RCTS), used for SOA Readiness Assessments
** = Risk & Control Knowledge Base (RACK), source of COSO/Process/Industry Framework
Conclusion…
• We are where we are; (grief)
• Some are skeptical of the real consequences or probability of
punishment; (denial)
• Effort may look like a tax, or maybe worse - punishment of the
innocent and uninvolved; (anger)
• Some will only minimally comply; (resignation)
• However, something may strike a chord for CIOs; (acceptance):
– Comparing and contrasting SOX reference architecture with your projects
– Can we re-position the portfolio of typical IT initiatives and projects?
– Will this make funding and resourcing more likely?
– Is this a good thing, ANYWAY?
Contact Information
• Tom Captain; Partner, Seattle
– tcaptain@dc.com
– 206.465.5622
• Carlos Munoz; Senior Manager, San Francisco
– cmunoz@dc.com
– 415.268.1211
• Deloitte website
– www.dc.com