The Finance Role in Corporate Governance

1
The Finance Role in Corporate Governance

• November
• 2005

2
Finance Role in Corporate Governance

• Agenda
• Introduction/Ground Rules
• Governance - Overview
• COSO Framework
• Case Study
• Sarbanes-Oxley
• Overview of Act
• 302/404 Detail
• Implementation at ABC Company
• Wrap-up

3
Finance Role in Corporate Governance

• Introductions
• Name
• Current Position/Company

4
Finance Role in Corporate Governance

• General Ground Rules
• Breaks - Please return on time
• Everyone is expected to share ideas
• Be respectful
• Ask questions
• Express disagreements

5
Finance Role in Corporate Governance

• Course Objectives
• Develop a common understanding of what corporate
  governance means at ABC Company
• Gain a practical understanding of the COSO model
  for internal controls
• Be able to apply COSO to business processes
• Understand the main requirements of the
  Sarbanes-Oxley Act of 2002
• Gain an awareness of how ABC Company will address
  the requirements of the Act

6
Finance Role in Corporate Governance Related
Courses
Risk Controls Fundamentals Course Objectives

• Understand risk and how it applies to business
• Communicate using a common risk language
• Identify, source and measure risk
• Introduce a risk assessment tool
• Apply internal controls to help achieve business
  objectives
• Understand the application of risk management
  strategies in day-to-day operations

7
Finance Role in Corporate Governance Related
Courses
Business Process Improvement Course Objectives

• Understand the basic quality principles
  underlying process improvement and process
  maintenance
• Identify opportunities to improve existing
  processes and develop new processes
• Use appropriate tools and techniques to
  understand current process and develop a new
  process
• Learn some tools and techniques for planning and
  managing a process improvement opportunity
• Learn how to communicate and gain commitment from
  others to implement the new or improved process
• Understand measurement to determine success of
  the new process

8
Finance Role in Corporate Governance Related
Courses

• Consider Risk Controls course
• Consider Business Process Improvement course

9
Finance Role in Corporate Governance

• Corporate Governance at ABC Company
• ABC Company has always held ourselves to high
  standards
• ABC Company finance has a heritage of control
  discipline
• Many good governance practices are already in
  place at ABC Company

10
Finance Role in Corporate Governance

• What are the components of good Corporate
  Governance?

11
Finance Role in Corporate Governance

• Some components of good Corporate Governance
• Code of Conduct
• This We Believe
• Independent (external) audits
• Ethical culture
• Good internal control environment
• Independent Board
• Transparency in financial reporting
• Well documented processes
• Competence (training and education)

12
Finance Role in Corporate Governance

• One good definition of Corporate Governance is. .
  .
• A hefty-sounding phrase that really just means
  oversight of a companys management - making sure
  the business is run well and investors are
  treated fairly.

From The Wall Street Journal (article by Judith
Burns)
13
Internal Controls - Myth or fact?

• Myth or Fact?

14
Internal Controls - Myth or fact?

• 1) Internal control starts with a strong set of
  policies and procedures.
• Myth or Fact?

• Myth
• FACT Internal control starts with a strong
  control environment.

15
Internal Controls - Myth or fact?

• 2) Management is the owner of internal controls.
• Myth or Fact?

Fact
16
Internal Controls - Myth or fact?
Myth FACT Internal controls should be built
into, not onto, business processes.

• 3) Internal controls are a necessary evil. They
  take time away from our core activities - making
  and selling products, and serving customers.
• Myth or Fact?

17
Internal Controls - Myth or fact?

• 4) Effective internal controls provide
  reasonable, but not absolute, assurance that the
  organizations objectives will be achieved.
• Myth or Fact?

Fact
18
Internal Controls - Myth or fact?

• 5) With downsizing and empowerment, we need
  different forms of control.
• Myth or Fact?

Fact
19
Internal Control - Key Concepts

• Internal control is a process. Its a means to
  an end, not an end in itself.
• Internal control is effected by people. Its not
  simply policy manuals and forms, but people at
  every level of an organization.
• Internal control can be expected to provide only
  reasonable assurance, not absolute assurance, to
  an entitys management and board.
• Internal control is geared to the achievement of
  objectives.

20
Committee of Sponsoring Organizations (COSO)

• Widely respected authority on internal controls
• Self-regulation by industry
• Created a framework for developing and evaluating
  internal controls the COSO model
• This framework can be used to demonstrate
  compliance with the Sarbanes-Oxley act

21
Committee of Sponsoring Organizations (COSO)

• COSO Definition of Internal Control
• A process, effected by the Companys board of
  directors, management and other employees,
  designed to provide reasonable assurance that
  objectives will be achieved in the following
  categories
• effectiveness and efficiency of operations
• reliability of decision making information,
  including financial reporting
• compliance with applicable laws and regulations

22
COSO Model
One common way to illustrate the five components
of COSO is as a pyramid, with the fifth
component, information and communication, being
done at all levels.
23
COSO Model

• Control Environment Sets the tone for the
  organization. Includes integrity, ethical
  values, managements philosophy and operating
  style.
• Risk Assessment Includes setting clear
  objectives and identification of risks, both
  internal and external, that will prevent a
  company from achieving its objectives.
• Control Activities Process steps taken to
  achieve objectives, and include many typical
  controls such as segregation of duties, approval
  and authorizations, system controls, and
  reconciliations.
• Monitoring ongoing reviews, separate
  evaluations, reporting and correcting
  deficiencies.
• Information and communication Ensuring that
  timely, adequate information is captured and
  communicated, and fostering open communications
  up, down, and across the organization.

24
COSO Model - Hard/Soft Controls
25
Application of COSO Model

• Example New Product Development Process

Stage-gate reviews, tracking against MEAs
Project team meetings, management updates
MEAs, A162s, stage-gate approvals
Development of success criteria
Company culture
26
Internal Control
COSO Component

• Bank Reconciliations
• Financial Policies
• Risk Management
• Standards of Conduct
• Budgets
• Project Success Criteria
• Strategic Planning
• Segregation of Duties
• Weekly sales reports
• Internal audits

• Control Activity
• Control Environment
• Risk Assessment
• Control Environment
• Monitoring
• Risk Assessment
• Risk Assessment
• Control Activity
• Information Communication
• Monitoring

27
Finance Role in Corporate GovernanceCASE STUDY

• Four roles in case sales, finance, credit,
  planning
• Discuss as a group
• What controls are present
• What risks remain
• What controls should be added to mitigate risks
• Write needed controls on flipcharts identify
  COSO category
• Present to class

28
Sarbanes-Oxley Overview - Why?

• Governments around the world are enacting
  legislation to enhance financial accountability
• Sarbanes-Oxley Act - U.S. (2002)
• Cromme Code - Germany (2003)
• Loi de Sécurité Financière - France (2003)
• King Code 2 - South Africa (2002)
• Multilateral Instrument 52-109 - Canada (2004)
• Sarbanes-Oxley Act
• Applies to all public companies.
• Requires the CEO and CFO to certify that the
  financial statements are a complete and accurate
  representation of the condition of the business.
• Requires an annual internal control report,
  certified by management, stating that the
  internal control structure and procedures are
  sound, as verified through testing.
• Requires the external auditor to attest to the
  soundness of the internal control structure to
  ensure that the financial results of the company
  are properly reported.

29
As a private company, we have elected to comply
with selected provisions of Sarbanes-Oxley.

• Why has ABC Company elected to comply?
• It is good business practice.
• Increasingly, lenders and investment bankers are
  using the acts provisions as a due-diligence
  gold standard some Chicago banks are requiring
  CFOs and CEOs to certify financial statements in
  their loan covenants with private companies.
• Anticipate that this will become a minimum
  standard requirement impacting banking and Merger
  Acquisition decisions.

30
Sarbanes Oxley Act
ABC Company will implement the following sections
31
Sarbanes Oxley Act Section 201
32
Sarbanes Oxley Act Section 201

• External Auditor Independence
• Prevents external auditors from performing nine
  services
• Bookkeeping services
• Appraisals or valuation services
• Actuarial services
• Financial information systems design and
  implementation
• Management functions or HR services
• Internal Audits
• Broker-dealer, investment advisor, or
  investment banking services
• Legal services
• Expert services unrelated to auditing
• Other services determined by PCAOB regulations

33
Sarbanes Oxley Act Section 201 at ABC Company

• External Auditor Independence
• All subsidiaries will ensure external auditor
  independence. This is effective July, 2003
• The Corporate Controller has sent out guidelines
  for the services our external auditors can and
  can not do for our company
• Corporate Tax gives guidance to subsidiaries
  identifying what types of tax services our
  auditors can provide, and when we need to hire
  other advisors
• The audit partner can only be assigned to ABC
  Company for 5 years
• This assures that the auditors (EY) maintain an
  unbiased position and are not influenced by other
  commercial dealings with ABC Company

34
Sarbanes Oxley Act Section 301
35
Sarbanes Oxley Act Section 302
36
Sarbanes Oxley Act Section 302

• What is required of the CEO and CFO?
• Each annual and quarterly report must be reviewed
  by both the CEO and CFO
• They must certify that the reports do not contain
  any falsehoods or misleading statements or omit
  any material facts
• They must certify that the reports are a fair
  representation of the financial condition and the
  results of the companys operations
• The CEO and CFO must state that they are
  responsible for establishing and maintaining
  disclosure controls and procedures, evaluating
  the effectiveness of the controls within the last
  90 days, and have presented their conclusions to
  the effectiveness of those controls and
  procedures
• The CEO and CFO must have disclosed to the
  external auditors and the Audit Committee all
  significant deficiencies in the design or
  operation of internal controls and any fraud,
  material or not, that involves management or
  other employees who have a significant role in
  the companys internal controls
• The CEO and CFO must indicate whether or not
  there has been any significant change in internal
  controls since the previous report

37
Sarbanes Oxley Act Section 302 at ABC Company

• All subsidiaries will certify their financial
  results annually. This was effective July, 2003.
• Each General Manager and Financial Director signs
  a statement indicating the reported annual
  financial results are a true picture of their
  companys financial position.
• All ABC Company operations are required to
  certify their results.

38
Sarbanes Oxley Act - Section 401
39
Sarbanes Oxley Act - Section 404
40
Sarbanes Oxley Act Section 404

• Each annual report must contain an internal
  control report, which
• States that management is responsible for
  establishing and maintaining internal controls
  over financial reporting
• Legal compliance
• Efficiency and effectiveness of operations
• Assesses the effectiveness of such controls as of
  the end of the most recent fiscal year
• The companys external auditors must attest to
  and report on managements assessment of its
  internal controls

Not in scope
The internal control report, required by 404, is
what gives management the assurance they need to
complete the 302 assertions.
41
Sarbanes-Oxley Section 404 at ABC Company

• Project SOAR
• Controls group within Global COE
• Implementation in
• conjunction with Global One.
• Implementation targeted to begin after year-end
  2005/06.

42
Sarbanes Oxley Attest Readiness (SOAR) Model

• PILLARS
• Local Work
• By Process

Control Framework Structure Content

• BRICKS
• Centralized
• One time work

Accounts/Processes/Systems/Locations Matrix
Materiality Thresholds
COSO Model
43
Layer One The COSO Model

• The Control Activities layer of the COSO model
  is key to controls developed for Sarbanes-Oxley
  404 compliance.

PILLARS
Control Framework Structure Content

• BRICKS

Materiality Thresholds
Accounts/Processes/Systems/Locations Matrix
COSO Model
44
Layer Two Materiality Thresholds
External Testing Attestation
Control Framework Structure Content
Accounts/Processes/Systems/Locations
Materiality Thresholds
COSO Model

• Material Thresholds define the scope of work
• What work is required at which ABC Company
  locations?
• Which financial line items are large enough that
  the auditors are concerned about controls?

45
Materiality defined
Locations
Financial Statement Line Items

• Larger
• Comprise over 80 of annual Account Revenue and
  Total Assets.
• All entities are above 40mm in Account Revenue
• Using SAP
• All other
• Limited scope for Sarbanes-Oxley
• Special consideration
• Entity-level risk assessment
• Corporate finance business process risk
  assessment
• History of misstatement, errors, or control
  breakdowns
• Judgment of Corporate Controller and/or Director
  of Audit
• Locations that do not cross the materiality
  threshold, but contribute more than 5 to the
  consolidated balance of a material financial
  statement line item

• Material
• A profit and loss or balance sheet line item
  greater than 5 of Operating Profit
• All other
• Not included for Sarbanes-Oxley
• Special consideration
• Additional qualitative factors, such as level of
  dependency on judgment, estimates, or actuarial
  assumptions

46
Companies fall into two categories
ABC Company Locations
Larger
All Other

• Eurafne
• Portugal
• Turkey
• Greece
• Romania
• Norway
• Sweden
• Russia
• Ukraine
• Czech Republic
• Hungary
• Slovakia
• Egypt
• Saudi Arabia
• Kenya
• Ghana
• Nigeria
• Morocco

• Headquarters
• Holding Cos.
• Americas
• Venezuela
• Paraguay
• Uruguay
• El Salvador
• Costa Rica
• Ecuador
• Peru
• Chile
• Colombia
• North America
• Puerto Rico
• Barbados
• Dominican Republic

• Americas
• Mexico
• Brazil
• Argentina
• Asia-Pacific
• Japan (incl. Japan Trading)
• China
• Indonesia (JHHP)
• Korea
• Australia
• North America
• Canada
• ABC Company including
• US Consumer
• Headquarters
• Regional Staffs
• ABC Company Investments

• Eurafne
• Britain
• France
• Italy
• Germany
• Spain
• Benelux
• Belgium
• Netherlands
• Luxembourg
• Poland
• Britain Eurafne
• Frimley
• CMSE
• Regional Staff
• Europlant
• South Africa

• Switzerland
• Algeria
• Gulf Hub
• Bulgaria
• Croatia
• Denmark
• Asia - Pacific
• New Zealand
• India PPL
• India KAPL
• Taiwan
• Hong Kong
• Indonesia - SCJ
• Philippines
• Singapore
• Malaysia
• Pakistan
• Vietnam
• Thailand

Italics identify non GO-enabled entities.
All Other locations fall into two categories
those with SAP implemented and those on other
systems.
47
What does it mean if my country is in one column
or the other?

• Large Subsidiaries
• Documentation, Flow Chart, and Controls for all
  financially-significant sub-processes performed
  locally. This includes any IT General Controls
  for local systems (such as payroll).
• All sub-processes will go through all four
  pillars annually beginning after year-end
  2005/06.
• Complete work on documentation for Payroll,
  Benefits, Local Taxes and budgets in 2005/06.
• Other Subsidiaries
• Control activities documented for risks for four
  key sub-processes
• All four pillars completed annually after
  year-end 2005/06 for the key sub-processes.
• If you use SAP, you will also have to sign off on
  documentation for other processes annually, but
  will not be required to perform testing.

Scope is different for different sizes of
companies.
48
Layer Two Accounts/Processes/Systems/Locations
External Testing Attestation
Control Framework Structure Content
Materiality Thresholds
Accounts/Processes/Systems/Locations
COSO Model

• Controls occur at the process level for a
  business, and in the systems that enable that
  process. We need to map the accounts to the
  processes that generate the numbers, then to the
  systems that enable the process for each location.

49
Layer Two Accounts/Systems/Processes/Locations
All controls occur at the process and system
level.
To ensure that proper controls are in place for
all material financial line items, all accounts
must be mapped to processes, and their IT enabler
must be identified for each location.
50
The processes that generate the financial numbers
4 key sub-processes The Big Four
Other local financially-significant sub-processes.
Large operations will test controls for all
financially-significant sub-processes. All Other
operations will test the Big Four.
51
Additional processes
Local processes, contd
Corporate Finance and BPT processes
52
Layer Three Control Frameworks
External Testing Attestation
Control Framework Structure Content
Materiality Thresholds
Accounts/Processes/Systems/Locations
COSO Model

• Controls occur at the process level for a
  business, and in the systems that enable that
  process. We need to map the accounts to the
  processes that generate the numbers, then to the
  systems that enable the process for each location.

53
Controls Frameworks are the tie between the
Bricks and Pillars.

• The Act requires that each financially
  significant process, those that generate numbers
  that are in the financial statements, must have
  specific documentation.
• A small number of other processes, such as
  payroll, local taxes and budgets, are performed
  outside of SAP and will also have to be
  documented at the local level.
• All Other companies will only complete Controls
  Frameworks for the Big Four. No additional
  documentation is needed.

54
Control Framework
A Control Framework has three parts ? Control
Objectives - DESCRIBES a controlled
environment. ?Risks - Tells WHAT can go
wrong. ?Control Activities - Explains HOW the
activity will be performed to reduce the risk.
SAMPLE
?
?
?
Control Frameworks will be maintained centrally,
in Racine, for all locations. These are the
global standards.
55
Bricks

• Bricks represent the framework of the Sarbanes
  Oxley 404 effort. They are the structure for the
  effort.
• Bricks are maintained centrally by the Global
  COE.
• Base for the effort is the COSO model.
• All ABC companies will participate, but the
  effort will be greater for the larger companies
  than for the smaller companies.
• Control Frameworks are the link between the
  Bricks and Pillars.

56
PILLAR 1 Documentation
Documentation
Control Framework Structure Content
Accounts/Processes/Systems/Locations Matrix
Materiality Thresholds
COSO Model
Legislation requires a flowchart and narrative
for the process, and documentation of the
controls in place. The documentation developed
for Global One meets these requirements and will
be used as a standard for all processes.
57
Controls Assertions Localization

• Sarbanes Oxley states that companies have to
  assess controls in two ways
• Design Effectiveness Are the controls designed
  properly?
• Operating Effectiveness Are the controls
  actually operating correctly?
• ABC Company is doing this in two steps
• The Controls group is analyzing proposed local
  controls (when different from Global Controls)
  for design effectiveness. Once approved, the
  controls will be designed effectively.
• Each location needs to test for operating
  effectiveness.
• How do we ensure that we have designed solid
  local control activities?

58
Pillar 2 Testing Assessment
PILLARS
Control Framework Structure Content

• BRICKS

Materiality Thresholds
Accounts/Processes/Systems/Locations Matrix
COSO Model
59
Planning the Testing

• In each operation, testing is best performed by
  someone who is independent from whoever is
  performing the work.
• Options for testers include
• Other departments in the company, e.g. someone in
  AP tests the AR controls AR tests the GL
  controls etc.
• If there is another ABC company nearby, the
  companies can set up testing of each others
  processes.
• Summer interns work well as does trained
  contract help
• Other ideas?
• When we need to attest the results, we will need
  to have more independent testing.

60
Sampling Size Chart
61
How to prepare?

• If you are an SAP location, review control
  activities sent by the Controls group and ensure
  that controls are in place.
• If you are an SAP location, review the
  documentation for processes, ensuring that it is
  in place for your company.
• If you are not an SAP location, you will be
  contacted about the four main financial
  sub-processes. There will be risks that apply to
  all locations, and you will provide the control
  activities.
• Contact the Controls group with any questions
• Marie Kidder
• Hsiu Hua (Emily) Liu

62
Pillars Management Review
PILLARS
Control Framework Structure Content

• BRICKS

Accounts/Processes/Systems/Locations Matrix
Materiality Thresholds
COSO Model
This is a critical review of the testing and
assessment that have been done up to this point.
63
Pillars Management Assertion
PILLARS
Control Framework Structure Content

• BRICKS

Accounts/Processes/Systems/Locations Matrix
Materiality Thresholds
COSO Model
This step is performed by the General Manager and
Finance Director for each subsidiary and by the
CEO and CFO for the entire company.
64
External Testing Attestation

• This work would be done by our external auditors.
• Review of all of our testing, assessment and
  assertions.
• Re-perform testing of some key controls
• Attest that our controls are properly designed
  and executed.

External Testing Attestation
Control Framework Structure Content
Materiality Thresholds
Accounts/Processes/Systems/Locations
COSO Model

• We will contract for this work only when required
  by some external event.

But we must be ready.
65
Finance Role in Corporate Governance
Review Course Objectives

• Develop a common understanding of what corporate
  governance means at ABC Company
• Gain a practical understanding of the COSO model
  for internal controls
• Be able to apply COSO to business processes
• Understand the main requirements of the
  Sarbanes-Oxley act of 2002
• Gain an awareness of how ABC Company will address
  the requirements of the Act