The Sarbanes – Oxley Act
What it Means to You
November 2004
David Kaufman
Acquis Background
• Company Type: Private management consulting firm
• Founded in 1998; profitable since inception; headquarters in New York City
• Client Profile: Main focus on Global Fortune 1000; core industries served include Pharmaceutical, High-Tech, Financial Services, Travel, Government
• Examples of Collective Client Experience: Pfizer, Bank of Tokyo-Mitsubishi, Cadbury, National Semiconductor, Mitsubishi International, NYC Government, Interpublic Group, AstraZeneca
• Staff Background: 90% of consultants have worked on European and North American initiatives, primarily in the travel area
Quick Facts
In 2003, corporations, conventions, and associations spent $44.7 Billion on meetings and conferences…
Meetings & Conventions Magazine, 2004 Report
…yet 68% of corporations have no standard process to control this cost
American Express Global T&E Expense Management Study
What is Sarbanes-Oxley?
• Enacted in 2002 to increase corporate responsibility and accounting standards
• Requires CFO / CEO signoff on financial statements
• Companies must also attest to internal controls in place
Congressional Act Named after Senator Paul Sarbanes and Congressman Michael Oxley
Sen. Paul Sarbanes Rep. Michael Oxley
Sarbanes – Oxley: Also Known As
We asked 100 people (including Paul Sarbanes and Michael Oxley):
What is Sarbanes – Oxley also known as?
SOX Applies to Which Companies?
• Publicly traded companies in the US
• Non-US public multinational companies engaging in business in the US
• Voluntary compliance for private firms but seen as “Best Practice”
Section 404 Compliance Dates
Compliance dates have been extended
Fiscal Year ending on or after:
• Accelerated Filers: Original 6/15/2004; New 11/15/2004
• Non-Accelerated Filers: Original 4/15/2005; New 7/15/2005
Accelerated Filer: A U.S. company with market capitalization over $75 million that has filed at least one annual report with the SEC
Key Elements of SOX
Section | Requirement | Frequency
302 | CFO / CEO certify completeness and accuracy of statements. Identify control weaknesses and changes to internal controls. | Quarterly, Annual
404 (a) | Provide a report that demonstrates appropriate internal controls and control effectiveness. | Annual
404 (b) | Registered external auditors must attest to controls report. | Annual
409 | Rapid disclosure of changes in financial conditions or operations. | Ad-Hoc
Three Key Controls
• Authorization - Controls to confirm the appropriate approvals of expenditures
• Safeguarding assets - Controls to prevent theft, fraud, waste, and abuse
• Financial reporting - Controls to ensure the appropriate reporting of expenses
Why is SOX Important to Planners?
Affects almost every aspect of the meeting planning process
Process stages shown: RFP Site Selection; Planning / organization; On-site Activities; Post Meeting

• Meeting objectives
• Executive approvals
• Budgets
• Locations
• RFPs / Site selection criteria
• Standard contracts / Negotiations
• Preferred suppliers
• Payment methods

• Marketing
• Announcements
• Registration strategy
• Travel arrangements
• Event management
• Miscellaneous Expenses

• Invoice payments
• Account reconciliation
• Financial reporting
• Attendee evaluation surveys
• ROI calculation
What Should Planners Look At?
• Interactions with travel agencies and event management suppliers
• Contracts, commitments, financial liabilities, and operational risks
• Current controls on manual processes
• Allocation of costs to the correct budgets
• Current use of technology
• Safety of attendees
• Extravagant meetings
What is Extravagant?
• Roman themed party where guests are greeted by chariots and gladiators
• Events held in a Sardinian resort where rooms start at $1200 a night
• Flying Jimmy Buffett and his band to an island at a cost of $250,000
• A 7-day event including partying, jet skiing, sailing, golfing, and feasting for 75 guests
• Charging half the costs of the party to the company
$2.1MM birthday party for the former Tyco CEO’s wife
Case Study One
Can Susan make an exception and plan the event?
• Susan is planning the annual shareholders meeting
• Tyler, her cousin, manages sales for a major hotel
• Susan’s company has a strict event vendor selection policy and Tyler’s hotel is not a preferred vendor
General Approach
• Document end-to-end current processes
• Identify important, manual, and risk prone processes
• Evaluate existing controls
• Develop and execute strategy to remedy deficiencies
• Evaluate success and document risks
SOX Documentation

Documentation of Processes
Covers initiation, authorization, recording, processing, and reporting of transactions
• Process Flowcharts
• Policy Manuals
• Accounting Manuals
• Budget Guides

Documentation of Controls
Identify process risks and demonstrate appropriate control activities and measures
• Preventative / Detective
• Control Matrices
• If – Then Narratives
• Process Redesign Docs

Are these current, complete, and readily available?
The COSO Framework
The Committee of Sponsoring Organizations (COSO) has developed a framework for internal controls:
• Framework supported by the SEC and PCAOB
• Most popular framework in the United States
Control Environment
Control Activities
Risk Assessment
Monitoring
Information & Communication
Types of Controls
Less Effective | Most Effective
Complex / Multi-step | Simple / Single-step
Single control | Multiple controls
Post-event controls | Real-time controls
Data analytics | Transaction monitoring
Manual control | Automated control
What controls do you currently have in place?
The Use of Technology
• Enforce a consistent process for your meeting planning spend
• Automatically record a clear and comprehensive audit trail of all activities
• Provide evidence of compliance through built-in reports and notifications
• Increase planning and registration process efficiency
Technology Providers
• Meeting planning checklists
• Standardized RFPs
• Meetings-sourcing databases
• Attendee management
• Preferred supplier flags
• Company policy / best practices notification
Case Study Two
Who is SOX compliant?
• Highly documented policy and process
• Extensive process controls on planning activities
• No formal preferred supplier policy
• Policies developed ad-hoc and not documented
Robert
Shelly
• Uses Excel spreadsheets to track meetings
• Manual RFP process
• Uses automated online RFP process
• Utilizes online resources to document planning steps
Opportunities Beyond SOX
• Building a true end-to-end process
• Integration with Travel programs
• Increased process efficiency with technology
• Improved vendor relationships
• Strategic sourcing opportunities
Review Survey
We asked 100 auditors:
What type of documentation in the meeting planning area will help ease your concerns?
David Kaufman
Partner
Acquis Consulting Group
299 Broadway, 12th Floor
New York, NY 10007
212.233.5677