Agenda Sarbanes Oxley Act Where to Begin Creating the Risk Library Assessments / Audits Signing...


Page 1: Agenda  Sarbanes Oxley Act  Where to Begin  Creating the Risk Library  Assessments / Audits  Signing Officer  Business Process Owners  Documenting.

Agenda

Sarbanes Oxley Act
Where to Begin
Creating the Risk Library
Assessments / Audits
Signing Officer
Business Process Owners
Documenting Procedures
Q & A


Sarbanes-Oxley Act

A Response to the Deterioration in Public Confidence


Sarbanes Oxley Act Highlights

Section 103: Your auditor must (and therefore, you should) maintain all audit-related records, including electronic ones, for seven years. Effective now.

Section 201: Firms that audit your company’s books can no longer provide you with IT-related services. Effective now.

Section 301: You must provide systems or procedures that let whistle-blowers communicate confidentially with the company’s audit committee. No effective date.

Section 302: Your CEO and CFO must sign statements verifying the completeness and accuracy of financial reports. Effective now.

Section 404: CEOs, CFOs and outside auditors must attest to the effectiveness of internal controls for financial reporting. Effective now.

Section 409: Companies must report material changes in their financial conditions “on a rapid and current basis.” The act calls it “real-time disclosure” but doesn’t define what that means. No date set.

Computerworld, April 14, 2003


The Act states…

You must ensure internal controls over your financial reporting.

Sections 302 and 404 of Sarbanes Oxley


You must be able to attest to…

The Processes affecting values in accounts,

which are exposed to Risks,

which are mitigated by Controls,

which are verified by Audit Procedures.


Internal Control Testing

Where to Start


Setting Up Internal Controls

Review and Update Procedures
-Business Process Owners

Identify and Organize Processes
-Internal Audit/Risk Assurance Partner

Identify Risks & Controls for Processes
-Internal Audit/Risk Assurance Partner

Create Risks & Controls Library
-Risk Assurance Partner

Upload Risks & Controls Library
-Risk Assurance Partner

Identify Controls within your system
-Internal Audit/Risk Assurance Partner

Link Risks to Controls
-Internal Audit/Risk Assurance Partner

Link Key Controls to Audit Procedures
-Internal Audit/Risk Assurance Partner

Link Processes to Key Accounts
-Internal Audit/Risk Assurance Partner


Risk & Control Library

DEMO


Assessment / Audit

DEMO


Signing Officer

DEMO


Business Process Owner

DEMO


The Act states…

You must ensure internal controls over your financial reporting.

Sections 302 and 404 of Sarbanes Oxley


You must be able to attest to…

The Processes affecting values in accounts,

which are exposed to Risks,

which are mitigated by Controls,

which are verified by Audit Procedures.


ICM / Tutor

Business Process

Risks

Controls

TUTOR


Do You Want to:

Comply with Corporate Governance regulations by having documented business policies and procedures?
Achieve success through user acceptance of business process and technology changes?
Reduce time spent documenting implementation decisions?
Easily create and maintain all documentation and training material?
Reduce training costs (development, travel, time away)?
Regularly deploy role specific, accurate, up-to-date, procedure manuals?
Modify Oracle eBusiness Suite online help?
Provide employees documentation on an as needed basis; improve employee performance?
Train employees based on their role in the organization?
Manage change within the organization?
Leverage documentation and training resources across the organization?


Oracle Tutor - How it works

Tutor Tools

AUTHOR

PUBLISHER

Apps Help

Printed/PDF Student & Instructor Guides

Online Help & Reference Materials

Online and Printed Desk Manuals

Owners Manuals and Reports

Content Repository

Procedure Documents (MS-Word)

Online Help

Courseware (MS-PowerPoint)

Methodology


Tutor Demo

Let’s Take a Closer Look


Customers:

Uses
– US Department of Transportation
– University of Virginia
– US Army Corps of Engineers
– San Francisco State University

Testimony
– Medela

Articles
– Motorola
– ETEC


Oracle Tutor

Mature Product
250+ Pre-built business process
– Arthur Andersen Study
10 – 12 man-hours to create a procedure
2 – 4 man-hours to modify an existing procedure
------------
8 man-hours time savings per process

Integration
Update to Procedure, automatically updates all other procedures that reference it
Not just for Process Documentation


Why Oracle?

Our solution addresses all needs, not just documentation of processes or entering testing results

Uses the business processes that you create or can be modeled from the applications

Leverage your existing information and environment, especially in your GL which directly relates to your financial reporting

Uses powerful Workflow engine to enforce controls and automate what can be automated (reminders, notifications, etc)

Tutor offers delivered content for documentation, desk manuals, and training materials


The Act states…

You must ensure internal controls over your financial reporting.

Sections 302 and 404 of Sarbanes Oxley


Q & A


Audit Projects


Audit Scope


Audit Tasks


Controls that are being audited


Risks that are being audited


Findings


Certification Status


Certification tied to Financial items


Business Process Owner View


Business Process Owner View


Business Process View-issues