CIO COMMUNITY OF PRACTICE MEETING: Leveraging Sarbanes-Oxley To Drive Enterprise Value
Tom Captain and Carlos Munoz, Deloitte
August 21, 2003
Transcript of a 15-slide PowerPoint presentation.

Page 1: CIO COMMUNITY OF PRACTICE MEETING Leveraging Sarbanes-Oxley To Drive Enterprise Value

CIO COMMUNITY OF PRACTICE MEETING
Leveraging Sarbanes-Oxley To Drive Enterprise Value
Tom Captain and Carlos Munoz, Deloitte
August 21, 2003

Page 2 (Proprietary and Confidential)

Well Known Market Events have Severely Damaged Investor Confidence and Public Trust

[Chart: DJIA over time, in two eras.]

Exuberant Capitalism, August 1982 – March 2000 (DJIA axis values 800, 3,000 and 11,000; years 1982, 1991, 2000) – "Institutional Carte Blanche"
• I. Initial Growth – Tax Cuts and Free Trade
• II. Consolidation/Acceleration – US Wins Cold/Gulf Wars
• III. Irrational Exuberance – Y2K and Internet Bubble

Sarbanes/Oxley, March 2000 – December 2003 – Beyond (DJIA axis values 7,000, 9,000 and 11,000; years 2000, 2002, 2004) – "Institutional Mistrust"
• I. Bear Market – Post Y2K & Internet Bubble Bursts
• II. Crisis of Confidence – Sept 11, 2001, Enron and Andersen
• III. Market Differentiation – Public Companies Respond to Sarbanes-Oxley

Overview: Sarbanes-Oxley Act of 2002. All companies get tarred with the same investor (and therefore regulatory) brush.

Page 3

Evolving Regulatory Environment: Key Implications

• Sarbanes-Oxley (SOX) regulations
– Significant financial reporting/certification costs (upfront and annual)
– New CXO/Board member personal risk exposure
• Creditors tighten the terms and conditions for capital
• Equity investors have fundamentally changed
– More active around issues of corporate governance
– Require a higher risk premium from businesses they do not understand
– Apply a considerably higher level of due diligence
– Display a quicker, larger and more durable negative reaction to earnings restatements

Page 4

Critical Dimension of SOX: Financial Information Quality

Sections of the Sarbanes-Oxley Act – Requirement – Information Quality Implication

• Section 302 – Requirement for CEO & CFO to certify periodic SEC filings – Reporting mistakes could result in criminal prosecution of company officers (accuracy)
• Section 409 – Requirement to disclose in real time any material changes – Ambiguity around 'real-time' and 'material' (timeliness)
• Section 404 – Requirement to provide an Internal Control Report – Requires documentation, testing and remediation (transparency & accuracy)
• Section 802 – Retention and protection of audit documents and related records – Digital vaulting and ready access to historical records, correspondence and emails must be implemented (accuracy)

Other Mandatory Requirements
• 103 Audit Record Retention and Security
• 201 Monitoring and Pre-Approval of Non-Audit Services
• 301 Audit Committee Monitoring and Complaint / Issue Process
• 306 Monitoring and Prevention of Insider Trading
• 401 Financial Reporting Disclosure
• 402 Monitoring and Prevention of Personal Loans to Executives
• 403 >10% Ownership Disclosures within 2 Business Days
• 406 Code of Ethics Creation and Disclosure
• 407 Disclosure of Financial Expertise on the Audit Committee
• 408 Facilitation of SEC Reviews
• 501 Security Analyst Monitoring and Disclosure
• 806 Whistle Blower Communications and Response
• 906 Financial Reporting Certification
• 1102 Record Retention and Security

SOX regulations attempt to ensure a minimum acceptable level of financial information transparency, accuracy and timeliness – table stakes.

Page 5

Restoring Trust/Building Shareholder Value will Require Moving Beyond SOX Information Quality Requirements

[Iceberg diagram with an earnings timeline, 1999–2003E.]
• Letter of the Law: Meet Sarbanes-Oxley Requirements
• Spirit of the Law: Improve Company IQ™ – Timeliness, Predictability, Accuracy, Transparency
• Supporting layers: Technology Standardization/Integration; Data Simplification/Standardization; Process Simplification/Standardization

Business Process, Data and Technology complexity determines the size of the iceberg.

Page 6

Sample Impact in $ millions for a $1 Billion Company
(*assuming standardization/simplification initiative)

[Value diagram: Organizational Pain + SOX Compliance Costs, offset by Efficiency Cost Savings, Effectiveness Improvements, Risk Reduction and SOX Cost Savings, giving Net VALUE. Dollar figures were shown graphically.]

Organizational Pain
• Retraining
• Application Reconfiguration
• Enterprise Process/Systems/Data Standardization/Simplification

SOX Compliance Costs*
• Documentation/Assessment/Remediation
• Disclosure and Certification

Efficiency Cost Savings / Effectiveness Improvements
• Improve planning/budgeting
• Improve monitoring/analytics
• Improve operational decision-making
• Automate closing
• G&A savings
• Working Capital improvements

Risk Reduction
• Decrease Cost of Capital
• Decrease personal liability exposure for directors/CXOs
• Mitigate future liabilities exposure

SOX Cost Savings
• Reduce # of processes requiring documentation, remediation & certification

Silver Lining in the SOX Cloud: Business Case for Moving Beyond Compliance is Compelling

Page 7

Moving Forward: Controlled Confusion…

What are companies thinking?
• 79% unsure what implications SOX will have for their company
• 85% planning IT systems changes to support SOX
• 61% expect business process change will be required

[Bar chart: IT Remedies being explored… (percentage, 0–70)]
• ERP Instance Consolidation
• Turning on Controls
• EPM System
• Current System Upgrade
• Change Current System
• Do Nothing

Source: AMR Research

Page 8

The CIO Will Play A Critical Role in SOX Compliance and the Transformation of Company IQ™

Data Steward
• Effective IT Governance
• COBIT Compliance
• Data Standards Management
• Policy Enforcement
• Automated Controls Activation
Provide the environment and mechanisms for establishing controls and managing exceptions, and the standards for ensuring data integrity.

IT Strategist
• Platform Standardization
• Infrastructure Optimization
• Enhanced Transparency
• System Integration
Provide the technological platform and infrastructure to enable transparent, timely, accurate and predictable information.

Page 9

The Environment of Mistrust Amplifies a Previously Minimized Dimension of the CIO's Role: Steward of Financial Information

[Timeline of US GDP growth over time: Internet Bubble; Scandal, War & Recession; Post-SOX Era.]

ROLE OF THE CIO

Internet Bubble – Strategic Advisor
Market Demands:
• Growth – Revenue per share
• What's your Internet strategy?
• Innovation – New Products & Services
CIO Priorities:
• Gain advantage with new technology
• Understand emerging trends and their business impact
• Spend to create strategic options for "e-businesses"

Scandal, War & Recession – Operational Lead
Market Demands:
• Profitability – Earnings
• What/when are you going to outsource?
• Operations – Cost Reduction
CIO Priorities:
• Reduce total cost of IT
• Identify and execute on outsourcing options
• Reduce/consolidate staff and systems wherever possible

Post-SOX Era – Information Steward
Market Demands:
• Profitability – Quality Earnings
• How will you comply with SOX?
• Information Quality™ – Trustworthy Financial Data & Disclosure
CIO Priorities:
• Reduce total cost of IT
• Lead IT component of SOX compliance efforts, especially 404 & 409
• Improve quality of financial information processing & reporting

Page 10

The IT Lag: Cautious Movement

[Chart: IT Timing and Level of Spend for Full Sarbanes-Oxley Compliance – Projection of Relative IT Spend, Sarbanes-Oxley Compliance & COSO Optimization, U.S. Public Companies Only. Vertical axis: Focus and Level of Spend (Low to High); horizontal axis: Timing, 2002–2005. Source: Deloitte & Touche.]
Milestones:
• Sarbanes-Oxley Becomes Law
• SEC Final Ruling / COSO OK'd
• SOX 404 Deadline
Phases:
• Internal Controls Readiness Assessment
• Internal Controls, Disclosure, & Protection Compliance (IT Development)
• People, Process & Systems Optimization

There appears to be a six-month lag between the start of the initial Readiness phases and the beginning of IT development. We expect a growing number of budget increases in 2004.

Page 11

The IT Change Effort: Enabling Technology

Even without performance improvement, the technology change effort required for sustainable SOX compliance is significant.

SOX Section – Requirement (change effort rated across Process, People, Data and Technology; ratings were shown graphically)

• §302, 401, 403, 406, 407, 409, 501, 906 – Financial Reporting Disclosure; Disclosure of Ownership Changes; Code of Ethics Disclosure; Audit Committee Expertise Disclosure; Material Operating/Financial Change Disclosure; etc.
• §404 – Management Assessment of Internal Controls
• §103, 408, 802, 1102 – Audit Record Retention and Security; Facilitation of SEC Review; Related Record Retention; etc.
• §201, 301, 306, 402, 806 – Pre-approval of Non-Audit Services; Audit Committee Monitoring and Complaint Process; Insider Trading During Blackout Prevention; Personal Loan Prevention; Whistle Blower Process; etc.

Page 12

Technology Implications: Requirements

The underlying technology is driven by the mandated compliance requirements and the opportunity for COSO operating efficiencies.

Type of System Functionality
• Internal Control Field Audit and Measurement
• Monitoring, Disclosure, and Prevention
• Content Management and Archiving
• Training and Communication
• Controlled Financial Reporting & Transactions
• Optimization and Cash Generation (Productivity Tools)

System Requirements
• Risk Control Tracking System
• ERP, G/L, Consolidation, Fin. Reptg. Systems
• Portal, Advanced Reporting, DW, Data Analytics, email
• Compliance Systems
• Document Management, Workflow System
• eLearning System
• Enterprise Systems Mgt, Project Mgt, IT Auto Discovery, Tax Optimization

Page 13

IT Reference Architecture

A suggested SOX IT Reference Architecture addresses all mandatory requirements, and positions organizations for ongoing performance improvement.

[Diagram: Sarbanes Oxley Reference Architecture, with SECURITY spanning all layers and a PERFORMANCE IMPROVEMENT / CASH GENERATION dimension alongside the compliance infrastructure.]

Source systems:
• Sarbanes Risk & Control System (e.g., RCTS)*
• EMAIL System
• Financial Systems
• HR Systems
• CRM Systems
• Risk Mgt Systems
• Other Internal
• Other External (e.g., SEC)

COMPLIANCE INFRASTRUCTURE:
• Enterprise Application Integration Engine
• Compliance Data Warehouse
• RACK**
• EMAIL Compliance
• Analytics Engine
• Compliance Digital Vault
• Advanced Reporting & Query Engine
• Document Management & Workflow
• Training / eLearning System

Compliance & Control Portal:
• Audit & Remediation Views – Field Audit View (RCTS), Internal Audit View, External Audit View
• Monitoring, Prevention & Disclosure Views – CEO/CFO View, Sarbanes PMO View, Disclosure Committee View, Audit Committee View, CIO/COO View, Business Unit View, etc.
• Training Views – HR/Training View

Key SOA Sections: 302 Disclosure; 404 Controls; 409 Disclosure; 802 Retention

Legend:
* = Risk Control Tracking System (RCTS) (used for SOA Readiness Assessments)
** = Risk & Control Knowledge Base (RACK) (source of COSO/Process/Industry Framework)
Shaded = Existing or lower impacted technologies

Page 14

Conclusion…

• We are where we are; (grief)
• Some are skeptical of the real consequences or probability of punishment; (denial)
• Effort may look like a tax, or maybe worse – punishment of the innocent and uninvolved; (anger)
• Some will only minimally comply; (resignation)
• However, something may strike a chord for CIOs; (acceptance):
– Comparing and contrasting the SOX reference architecture with your projects
– Can we re-position the portfolio of typical IT initiatives and projects?
– Will this make funding and resourcing more likely?
– Is this a good thing, ANYWAY?

Page 15

Contact Information

• Tom Captain; Partner, Seattle
– [email protected]
– 206.465.5622
• Carlos Munoz; Senior Manager, San Francisco
– [email protected]
– 415.268.1211
• Deloitte website
– www.dc.com