The Sarbanes – Oxley Act What it Means to You November 2004 David Kaufman.

Post on 18-Dec-2015


The Sarbanes – Oxley Act

What it Means to You

November 2004

David Kaufman

2

Acquis Background

• Company Type: Private management consulting firm

• Founded in 1998; profitable since inception; headquarters in New York City

• Client Profile: Main focus on Global Fortune 1000; core industries served include Pharmaceutical, High-Tech, Financial Services, Travel, Government

• Examples of Collective Client Experience: Pfizer, Bank of Tokyo-Mitsubishi, Cadbury, National Semiconductor, Mitsubishi International, NYC Government, Interpublic Group, AstraZeneca

• Staff Background: 90% of consultants have worked on European and North American initiatives, primarily in the travel area

3

Quick Facts

In 2003, corporations, conventions, and associations spent $44.7 Billion on meetings and conferences…

Meetings & Conventions Magazine, 2004 Report

…yet 68% of corporations have no standard process to control this cost

American Express Global T&E Expense Management Study

4

What is Sarbanes-Oxley?

• Enacted in 2002 to increase corporate responsibility and accounting standards

• Requires CFO / CEO signoff on financial statements

• Companies must also attest to internal controls in place

Congressional Act Named after Senator Paul Sarbanes and Congressman Michael Oxley

Sen. Paul Sarbanes Rep. Michael Oxley

5

Sarbanes – Oxley: Also Known As

We asked 100 people (including Paul Sarbanes and Michael Oxley):

What is Sarbanes – Oxley also known as?

6

SOX Applies to Which Companies?

• Publicly traded companies in the US

• Non-US public multinational companies engaging in business in the US

• Voluntary compliance for private firms but seen as “Best Practice”

7

Section 404 Compliance Dates

Compliance dates have been extended

Fiscal Year ending on or after:

• Accelerated Filers: Original 6/15/2004; New 11/15/2004

• Non-Accelerated Filers: Original 4/15/2005; New 7/15/2005

Accelerated Filer: A U.S. company with market capitalization over $75 million that has filed at least one annual report with the SEC

8

Key Elements of SOX

Section: Requirement (Frequency)

• 302: CFO / CEO certify completeness and accuracy of statements. Identify control weaknesses and changes to internal controls. (Quarterly, Annual)

• 404 (a): Provide a report that demonstrates appropriate internal controls and control effectiveness. (Annual)

• 404 (b): Registered external auditors must attest to controls report. (Annual)

• 409: Rapid disclosure of changes in financial conditions or operations. (Ad-Hoc)

9

Three Key Controls

• Authorization - Controls to confirm the appropriate approvals of expenditures

• Safeguarding assets - Controls to prevent theft, fraud, waste, and abuse

• Financial reporting - Controls to ensure the appropriate reporting of expenses

10

Why is SOX Important to Planners?

Affects almost every aspect of the meeting planning process

RFP Site Selection

Planning / organization

On-site Activities

Post Meeting

• Meeting objectives

• Executive approvals

• Budgets

• Locations

• RFPs / Site selection criteria

• Standard contracts / Negotiations

• Preferred suppliers

• Payment methods

• Marketing

• Announcements

• Registration strategy

• Travel arrangements

• Event management

• Miscellaneous Expenses

• Invoice payments

• Account reconciliation

• Financial reporting

• Attendee evaluation surveys

• ROI calculation

11

What Should Planners Look At?

• Interactions with travel agencies and event management suppliers

• Contracts, commitments, financial liabilities, and operational risks

• Current controls on manual processes

• Allocation of costs to the correct budgets

• Current use of technology

• Safety of attendees

• Extravagant meetings

12

What is Extravagant?

• Roman themed party where guests are greeted by chariots and gladiators

• Events held in a Sardinian resort where rooms start at $1200 a night

• Flying Jimmy Buffett and his band to an island at a cost of $250,000

• A 7-day event including partying, jet skiing, sailing, golfing, and feasting for 75 guests

• Charging half the costs of the party to the company

$2.1MM birthday party for the former Tyco CEO’s wife

13

Case Study One

Can Susan make an exception and plan the event?

• Susan is planning the annual shareholders meeting

• Tyler, her cousin, manages sales for a major hotel

• Susan’s company has a strict event vendor selection policy and Tyler’s hotel is not a preferred vendor

14

General Approach

• Document end-to-end current processes

• Identify important, manual, and risk prone processes

• Evaluate existing controls

• Develop and execute strategy to remedy deficiencies

• Evaluate success and document risks

15

SOX Documentation

Documentation of Processes

Covers initiation, authorization, recording, processing, and reporting of transactions

• Process Flowcharts

• Policy Manuals

• Accounting Manuals

• Budget Guides

Documentation of Controls

Identify process risks and demonstrate appropriate control activities and measures

• Preventative / Detective

• Control Matrices

• If – Then Narratives

• Process Redesign Docs

Are these current, complete, and readily available?

16

The COSO Framework

The Committee of Sponsoring Organizations (COSO) has developed a framework for internal controls:

• Framework supported by the SEC and PCAOB

• Most popular framework in the United States

Control Environment

Control Activities

Risk Assessment

Monitoring

Information & Communication

17

Types of Controls

Less Effective

• Complex / Multi-step

• Single control

• Post-event controls

• Data analytics

• Manual control

Most Effective

• Simple / Single-step

• Multiple controls

• Real-time controls

• Transaction monitoring

• Automated control

What controls do you currently have in place?

18

The Use of Technology

• Enforce a consistent process for your meeting planning spend

• Automatically record a clear and comprehensive audit trail of all activities

• Provide evidence of compliance through built-in reports and notifications

• Increase planning and registration process efficiency

19

Technology Providers

• Meeting planning checklists

• Standardized RFPs

• Meetings-sourcing databases

• Attendee management

• Preferred supplier flags

• Company policy / best practices notification

20

Case Study Two

Who is SOX compliant?

• Highly documented policy and process

• Extensive process controls on planning activities

• No formal preferred supplier policy

• Policies developed ad-hoc and not documented

Robert

Shelly

• Uses Excel spreadsheets to track meetings

• Manual RFP process

• Uses automated online RFP process

• Utilizes online resources to document planning steps

21

Opportunities Beyond SOX

• Building a true end-to-end process

• Integration with Travel programs

• Increased process efficiency with technology

• Improved vendor relationships

• Strategic sourcing opportunities

22

Review Survey

We asked 100 auditors:

What type of documentation in the meeting planning area will help ease your concerns?

23

David Kaufman

Partner

Acquis Consulting Group

299 Broadway, 12th Floor

New York, NY 10007

212.233.5677
