Title Slide:
Sarbanes-Oxley Act of 2002
Internal Controls over Financial Reporting and What It Means to You

Slide 1:
Meeting the Sarbanes-Oxley Challenge
Enacted in July 2002, the Sarbanes-Oxley Act marked the beginning of a new era in public companies' financial auditing and reporting practices.

• Made law after major corporate accounting scandals involving prominent companies like Enron and Arthur Andersen destroyed public trust.
• Objective: To prevent such scandals in the future and to restore public trust.
• New, comprehensive reporting requirements go beyond earnings, profits, and losses to include internal controls over financial reporting and specific steps taken to manage reporting obligations.

• It is the responsibility of a company's CEO and CFO to ensure that such reporting is complete and accurate. Internal auditors have a major role to play in supporting their company's executives in meeting the demands of this responsibility.
• Ultimately, Sarbanes-Oxley is about providing the financial information needed by shareholders and other stakeholders in a spirit of transparency that is conducive to making well-informed decisions.

Section 302
Requires quarterly certification by the CEO/CFO of all companies filing periodic reports under section 13 (a) or 15 (d) of the Securities Exchange Act of 1934 regarding the completeness and accuracy of such reports as well as the nature and effectiveness of disclosure controls and procedures supporting the quality of information included in such reports.

Section 404
Requires an annual report by management on the effectiveness of internal controls over financial reporting and an attestation by the company's auditors as to the accuracy of management's assessment. This is the first new requirement in 50 years calling for transparency in financial reporting.

Slide 4:
The Road to Compliance

• Most companies have already been through one certification and are getting ready for their second as required by Section 302. They're probably also preparing for Section 404 assertion and audit by their external auditors.
• A number of key tasks need to be handled to help management determine the status of controls and what needs to be done to ensure compliance, including:
  • Identifying which controls are most important
  • Establishing a process to determine which controls are material
  • Determining which locations are significant
  • Documenting controls and evaluating their design and effectiveness

Internal Controls Maturity Framework
PricewaterhouseCoopers believes the following framework works well for categorizing the maturity levels of internal controls:

• Level 1: Unreliable — Unpredictable environment where controls are not designed or in place
• Level 2: Informal — Controls are designed and in place but not adequately documented; they are mostly dependent on people; there is no formal training or communication of controls
• Level 3: Standardized — Controls are designed and in place; have been documented and communicated to employees; but deviations from controls may not be detected
• Level 4: Monitored — Standardized controls with periodic testing for effective design and operation with reporting to management; automation and tools may be used in a limited way to support controls
• Level 5: Optimized — An integrated internal control framework with real-time monitoring by management with continuous improvement (Enterprise-Wide Risk Management); automation and tools are used to support controls and allow the organization to make rapid changes to controls, if needed

• Since internal auditors bear so much of the responsibility to meet a company's reporting obligations, they need specific knowledge and skills to ensure compliance.
• Sarbanes-Oxley and the many rules and regulations that have followed in its wake might well be viewed as the full-employment act for anyone with a control background.
• What skills do you need to provide the auditing and data processing support needed to achieve full compliance — and to ensure that you and your company's top execu-tives avoid severe penalties for reporting irregularities?

Key Skills

• Project management
• Business process design
• Financial management and control
• Audit

These are described in more detail in a white paper recently published by PricewaterhouseCoopers entitled The Sarbanes-Oxley Act of 2002: Strategies for Meeting New Internal Control Reporting Challenges.

Auditors need to understand the ins and outs of the business processes required to monitor and report accurately on financial results.

Slide 8:
The Start of Something New

• Sarbanes-Oxley marks the beginning of a new reporting era for public companies, with high expectations on the part of the public and regulators.
• For some companies, initial efforts to comply may have been tough. In the long term, every company will need to build in the processes needed to ensure that reporting on internal controls becomes an integrated part of doing business.
• No company can afford to ignore today's many new reporting requirements. Auditors and IT professionals especially need to understand the impact of Sarbanes-Oxley and how to comply with that legislation as well as rules and regulations that are yet to come.

For more information about meeting today's new reporting challenges, visit the PricewaterhouseCoopers website at www.CFOdirect.com. And be sure to ask for copies of our recently published whitepapers: The Sarbanes-Oxley Act of 2002: Strategies for Meeting New Internal Control Reporting Challenges and Board and Audit Committee Roles in the Era of Corporate Reform.

BACK TO SAMPLES