NAPP Annual Conference - PowerPoint PPT Presentation

Title: NAPP Annual Conference

Description: Director of Internal Audit, The Sports Authority, Inc. $1.8 billion sporting goods retailer ... conform with Delegation of Authority (DOA) policy requirements ... – PowerPoint PPT presentation

Slides: 48
Provided by: karenta6

Transcript and Presenter's Notes

1
Sarbanes-Oxley and the Procure-to-Pay Process
  • NAPP Annual Conference
  • February 6, 2006
  • Tom Poe, Practice Director, Hudson
  • tom.poe_at_hudson.com (612) 524-2600

2
I. Overview of Sarbanes-Oxley
II. SOX & P2P
III. What's Next?
3
SOX Overview
4
Section 1: Overview of Sarbanes-Oxley
  • The Law
  • Year 1 & Year 2 Compliance Efforts
  • What Stage Are We In Today?
  • Recent PCAOB Developments

5
SOX Overview
Fact 1: SOX is Highly Complex
6
SOX Overview
Fact 2: The level of complexity in complying with
the law created an unprecedented volume of
compliance work
7
SOX Overview
Fact 3: Costs to comply were commonly
double, triple, or even quadruple the original
estimates
8
SOX Overview
  • FEI Survey on Year 1 Compliance
  • Companies with $5 billion in revenues expected
    to spend an average of 73,312 internal hours and
    10,834 external hours.
  • Companies with $100 million or less in revenues
    expected to spend an average of 2,143 internal
    hours and 837 external hours.
  • The survey, conducted in both January and July 2004, saw
    a 62% increase in projected compliance costs over
    that 6-month period, from $1.93 million to $3.14
    million (based on a $2B company size)

9
SOX Overview
Section 302: CEO/CFO Certification
  • Signature of approval for each Quarterly & Annual
    report submitted to SEC
  • Signatory has reviewed the report
  • Signatory agrees the report fairly presents, in
    all material respects, the financial condition of
    the reporting entity and does not contain any
    untrue statement of a material fact or omit to
    state a material fact.

10
SOX Overview
Section 404: CEO/CFO Assessment
of Internal Controls
  • CEO/CFO must state responsibility for and provide
    conclusions about the effectiveness of the
    internal control structure and procedures as part
    of the annual reporting process
  • External Auditors must attest to CEO/CFO
    assertions about the internal control structure
    and procedures
  • Attestation must conform to standards to be
    adopted by PCAOB

11
SOX Overview
SEC Requirements
  • Quarterly assessment of disclosure controls and
    procedures
  • Annual assessment of internal control over
    financial reporting
  • Assertion in Annual Report, attested to by
    External Auditors
  • Separate assertion from financial condition

12
SOX Overview
Importance of Compliance
  • Adverse opinion regarding internal controls over
    financial reporting if a material weakness exists
  • External auditor determines significance of
    deficiencies
  • Qualified or disclaimer report if scope
    limitation, e.g.:
    - Not enough documentation
    - Missing processes
    - Significant locations not considered

13
SOX Overview
Deficiency Classifications (matrix of likelihood vs. magnitude; only the axis labels survived extraction)
Likelihood: less than a 5 to 10% chance / more than a 5 to 10% chance
Magnitude: less than 1% of pre-tax income / greater than 4 to 5% of pre-tax income
14
SOX Overview
  • Circumstances which result in a Significant
    Deficiency and are strong indicators of a
    Material Weakness
  • Restatement of previously issued financial
    statements.
  • Identification by the auditor of a material
    misstatement in the financial statements.
  • Ineffective oversight by the company's Audit
    Committee.
  • Ineffective internal audit or risk assessment
    function, for more complex entities.
  • Ineffective regulatory compliance function for
    complex entities in highly regulated industries.
  • Identification of fraud of any magnitude on the
    part of senior management.
  • Significant deficiencies communicated to
    management and the Audit Committee which remain
    uncorrected after some reasonable period of time.

15
SOX Overview
Adverse opinions by auditor (as of August 31, 2005; Source: Compliance Week)

Auditor   10-Ks Filed   Adverse Opinions   % of Filings
DT              542             75             13.8
EY              793             95             12.0
KPMG            652             95             14.6
PwC             717             94             13.1
Others          378             83             22.0
Total         3,082            442             14.3
16
SOX Overview
Year 1 Material Weaknesses
  • Cause of problem
    - Misapplication of GAAP
    - People issues
    - Financial statement close process
    - Reconciliations
    - IT environment
  • Financial statement areas impacted
    - Income taxes
    - Revenue recognition
    - Leases
    - Inventory

17
SOX Overview
Year 1 Compliance
  • "Sarbanes-Oxley doesn't say you have to be a good
    businessman. It just says that whatever decisions
    you make, you have to record properly in your
    financial statements."
  • Director of Internal Audit, The Sports Authority,
    Inc.
  • $1.8 billion sporting goods retailer

18
SOX Overview
Year 1 Compliance FEI Survey
  • 75% of financial executives say their companies
    benefited in some way from SOX compliance.
  • Benefits included
  • Ensuring accountability of individuals involved
    in financial reporting
  • Decreased risk of fraud
  • Reduced errors in financial operations

19
SOX Overview
Not Scalable for Size of Company
  • Each Process requires 30-40 hours of work,
    regardless of company
  • Revenue not indicative of level of complexity
  • Volume of work and pricing is based on:
    - Number of locations
    - Number of systems
    - Amount of existing documentation
    - Quality of staff
    - Remediation needed

20
SOX Overview
Small Company Issues
  • "I won't say the SOX compliance process wasn't
    helpful, but I think the way the law was written
    has put a lot of cost in organizations without
    regard to their size and complexity. The one-
    size-fits-all regulations that were passed
    resulted in spending some money that couldn't be
    justified in a cost-benefit analysis."
  • CFO, Stratasys, Inc.
  • $70 million manufacturing company

21
SOX Overview
Scalability Example
  • Software Company B
    - $80 million revenue
    - $2 million consulting fees
    - 8 locations
    - 14 systems in scope
    - Extensive amount of remediation needed
  • Software Company A
    - $130 million revenue
    - $900k consulting fees
    - 1 location
    - 1 primary ERP system
    - Moderate amount of remediation needed

22
SOX Overview
Small Company Assistance
  • October 2005: SEC extended the Non-accelerated Filer
    deadline by 1 year
  • COSO Draft Guidance for Smaller Companies
    - Released November 2005
    - No shortcuts: maintains all 26 fundamental
      principles found in the original framework
  • "The conclusion of the group was that those 26
    principles are as valid for small
    businesses as they are for large businesses."
    - David Richards, President, Institute of Internal
      Auditors
  • "There isn't a shortcut to good internal
    controls. There is not a 'COSO Lite'."
    - Larry Rittenberg, COSO
      Chairman

23
SOX Overview
Small Company Assistance
  • PCAOB still reviewing standards for small
    companies going forward
  • Reducing number of processes tested each year?
  • Reducing control coverage requirements?
  • Reducing documentation requirements?

24
SOX Overview
Year 2 Compliance: Creating Sustainability
  • Compliance did not meet expectations of getting
    cheaper in Year 2
  • Companies are hoping to make the most of their
    investment and taking the opportunity to develop
    best practices throughout the organization

25
SOX Overview
What Stage Are We In Today?
  • ...as we enter Year 3
  • Continued focus on sustainability and automation
  • SOX Committee within the company to bring
    together one rep from all disciplines: CFO,
    Internal Audit, CIO, Operations
  • Inconsistency remains
  • Recent development: recommendation for
    eliminating Section 404 requirements for small
    companies

26
Section 2: SOX and its Impact on the
Procure-to-Pay Process
  • SOX Issues for P2P
  • Purchase Cards
  • Segregation of Duties
  • Procurement

27
SOX Impact on P2P
28
SOX Impact on P2P
Purchase Cards
  • Number of authorized individuals needs to be
    limited
  • Types of purchases need to be limited
  • Authorization limits need to conform with
    Delegation of Authority (DOA) policy requirements
  • Purchase limits need to be set relatively low
    and/or combined with the Purchase Order (PO)
    process
  • Receipts and related documentation need to be
    monitored and maintained
  • Card statements must be regularly reconciled and
    reviewed

29
SOX Impact on P2P
Case Study: $140 million Educational Technology Company
  • Before
    - Multiple cards used across multiple functional
      areas
    - Widespread usage with very limited control
      (unknown spend)
    - Statements were impossible to reconcile
  • Process Changes
    - Separate accounts for each function; limited
      cards issued
    - Purchase cards for non-inventory only; approved
      requisitions required in advance
    - Procurement makes the decision whether card or PO
      is used
    - Statements reconciled and reviewed monthly

30
SOX Impact on P2P
Case Study: $140 million Educational Technology Company
  • Benefits
    - Control is drastically improved
    - Spend is known and budgeting is much more
      accurate
    - Transactions are reduced and documentation much
      improved
    - Better management of payables / cash
  • Challenges
    - More process requires better planning and more
      time
    - Not considered to be a bad thing

31
SOX Impact on P2P
32
SOX Impact on P2P
Segregation of Duties
  • Big issue with External Auditors
  • One of the top reasons for material weaknesses
  • Particular challenge for smaller companies
  • Requires careful coordination between manual
    controls and automated system controls (ERP)
  • Documentation is difficult to develop and
    maintain
  • Segregation of Duties Matrix
    - Identifies areas of differing risks
    - Allows for focus on critical processes

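The segregation-of-duties matrix on this slide can be run as an automated check against the role assignments exported from an ERP. The following is an added example, not code from the presentation: the P2P duty names, the conflicting pairs, their risk ratings and the sample user assignments are all illustrative assumptions, so a real matrix would be taken from the company's own control documentation.

```python
"""Segregation-of-duties (SoD) matrix check for a procure-to-pay process.

Added example, not from the presentation. Duty names, conflict pairs,
risk ratings and user assignments below are illustrative assumptions.
"""
from itertools import combinations

# Conflicting P2P duty pairs and an assumed risk rating for each.
# A frozenset key makes the pair order-independent.
SOD_MATRIX = {
    frozenset({"maintain_vendor_master", "enter_invoice"}): "high",
    frozenset({"maintain_vendor_master", "approve_payment"}): "high",
    frozenset({"enter_invoice", "approve_payment"}): "high",
    frozenset({"create_po", "approve_po"}): "medium",
    frozenset({"create_po", "receive_goods"}): "medium",
    frozenset({"receive_goods", "enter_invoice"}): "medium",
}

# Constructed sample of ERP role assignments (user -> set of duties).
ASSIGNMENTS = {
    "alice": {"create_po", "receive_goods"},
    "bob": {"maintain_vendor_master", "enter_invoice", "approve_payment"},
    "carol": {"approve_po"},
    "dave": {"enter_invoice", "create_po"},
}


def find_sod_conflicts(assignments, matrix=SOD_MATRIX):
    """Return (user, duty_a, duty_b, risk) for every conflicting pair held
    by a single user, highest risk first so critical processes get focus."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for user, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            risk = matrix.get(frozenset({a, b}))
            if risk is not None:
                findings.append((user, a, b, risk))
    findings.sort(key=lambda f: (rank[f[3]], f[0], f[1], f[2]))
    return findings


def users_by_risk(findings):
    """Group the users holding a conflict by risk level, for reporting."""
    grouped = {}
    for user, _, _, risk in findings:
        grouped.setdefault(risk, set()).add(user)
    return {risk: sorted(users) for risk, users in grouped.items()}


if __name__ == "__main__":
    for user, a, b, risk in find_sod_conflicts(ASSIGNMENTS):
        print(f"{risk.upper():6} {user}: {a} + {b}")
```

Users reported at the high level are the ones whose access should be split or covered by a documented compensating control before the next review.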
33
SOX Impact on P2P
34
SOX Impact on P2P
35
SOX Impact on P2P
Case Study: $15 million subsidiary of a large medical claims processing company
  • Before
    - Broad access to claims information by various
      functional areas
  • Process Changes
    - Introduced staffing changes to isolate access to
      claims data
    - Implemented a change management process within IT
      to control and verify accuracy of customer data
      transmission interfaces
    - Instituted more extensive functional reviews

36
SOX Impact on P2P
Case Study: $15 million subsidiary of a large medical claims processing company
  • Benefits
    - Increased security of customer claims information
    - Tighter control over information systems process
      changes
    - Significant reduction in claims fraud risk
  • Challenges
    - Reduction in timely response to requested
      customer IT interface changes
    - Increase in staffing requirements

37
SOX Impact on P2P
Procurement
  • Centralized vs. Decentralized
  • Shared Services increasingly popular
    - More cost-effective approach
    - Greater control over spend
    - Simplifies training and communication
    - Likely more process / documentation intensive
  • Inventory versus non-inventory issues

38
SOX Impact on P2P
Case Study: $1.5 billion Payroll Services company
  • Before
    - Decentralized according to individual operating
      business units
    - Inconsistent process, approval limits, level of
      control
    - Expenditures were very difficult to budget and
      track consistently
  • Process Changes
    - Moved to a more centralized function at the
      Divisional level
    - Standardized approval processes and review
      requirements
    - Instituted more formalized documentation,
      tracking, and reconciliation processes

39
SOX Impact on P2P
Case Study: $1.5 billion Payroll Services company
  • Benefits
    - Better cost control
    - Easier to budget and track expenditures (known
      spend)
    - Less spending waste across the organization
  • Challenges
    - Compliance with policies continues to be a real
      problem
    - Decentralized culture difficult to overcome
      (enforcement)
    - Risk of significant deficiencies / material
      weaknesses

40
Section 4: What's Next?
41
What's Next? SOX Technology
  • Why is technology so important?
  • Sustainability is all about automation!
  • Software that truly fits the company can save
    money on compliance in the long run

42
What's Next? SOX Technology
43
What's Next? SOX Technology
44
What's Next? SOX Technology
45
What's Next? SOX Technology
Software Decision-Making Factors
46
What's Next?
Closing Comments
  • Some specific requirements may be modified, but
    SOX isn't going away
  • Needs to become part of internal audit process
    like other compliance measures (FDA, etc.)
  • Focus needs to be efficiency, effectiveness,
    control
  • Seek opportunities to automate wherever feasible

47
Q&A
Compliance Resources
  • Compliance Week magazine
    www.complianceweek.com
  • Free Compliance Webcasts: register at
    http://finance.hudson.com
  • Institute of Internal Auditors (IIA)
    www.theiia.org
  • Information Systems and Control Association
    (ISACA) www.isaca.org