
2118 SOX brochure 1/28/04 2:35 PM Page 1

SARBANES-OXLEY SECTION 404: A TOOLKIT FOR MANAGEMENT AND AUDITORS

VOLUME 1

This volume addresses PwC policies and methodology and is for internal distribution only. This toolkit volume should not be issued to clients or third parties.

Sarbanes-Oxley Section 404 – An Introduction

On May 27, 2003, the Securities and Exchange Commission (SEC) voted to adopt final rules on Management’s Report on Internal Control over Financial Reporting, as mandated by Section 404 of the Sarbanes-Oxley Act of 2002. The final rules will be effective for fiscal years ending on or after June 15, 2004 for SEC registrants with a public float >$75 million, other than foreign private issuers; or for fiscal years ending on or after April 15, 2005 for other registrants, which includes small businesses and foreign private issuers.

Under Section 404, SEC registrants will be required to include with their annual filing:

• A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting;
• A statement identifying the framework used by management to evaluate the effectiveness of internal control;
• Management’s assessment of the effectiveness of internal control as of the end of the company’s most recent fiscal year end; and
• A statement that the company’s auditor has issued an attestation report on management’s assessment.

Canadian companies will be impacted by the new regulations in two ways. Foreign private issuers will be required to meet the new requirements starting in fiscal 2005. In addition, Canadian inbound subsidiaries of SEC registrants may be impacted by the new regulations for 2004, based on the parent’s assessment of the subsidiary in terms of the company’s overall internal control structure.

The level of effort required by the audit team to conduct the attestation will depend primarily on the thoroughness of management’s own assessment, and the level to which it is formally documented. Therefore, it will be beneficial and necessary for management and the auditor to work closely together to prepare for these requirements. In addition, while the extended implementation period may now cause some companies to re-evaluate their current readiness plans, the reality is that companies will ultimately need to address the requirements of this section, and they should not wait until the last minute for preparation. The extension provides companies with the opportunity to address control weaknesses prior to going “live” with the required 404 reporting requirements, including the possibility of performing a “dry run” before the deadline.

Key Events: Most US-based registrants will be required to meet the Section 404 requirements for fiscal years ending on or after June 15, 2004; April 15, 2005 for foreign registrants.

Action Plan – A Suggested Timeline

(Chart: the major project activities below plotted by quarter, from Jul – Sept 2003 through Jan – Mar 2005.)

Major Project Activities:
• Project Initiation
• Documentation and Evaluation
• Remediation of Identified Gaps
• Attestation “Dry Run”
• Assertion and Attestation

A Roadmap for Section 404 Readiness

(Diagram: Financial Statements → Cycles/Processes (e.g. Treasury Cycle, Purchasing Cycle) → Controls, mapped against the COSO components Control Environment, Information and Communication, and Monitoring Controls. Phases shown: Scoping, Risk Assessment, High Level Benchmark, Controls Maturity Model, Data Collection, Controls Documentation, Maturity Assessment, Gap Analysis and Remediation, Validation & Testing, Cycle Monitoring.)

STEPS
1. Risk Assessment
2. Map Financial Statement line items to cycles/processes
3. Agree upon key risks and controls
4. Document existing processes (detailed flowcharts and narratives)
5. Identify controls in place
6. Gap Analysis
• Identify weaknesses
• Assess impact
• Identify compensating controls
• Fill gaps
7. Test controls for effectiveness
8. Gap Analysis
9. Deliver completed package

Key Events: Project Launch; Agree Key Risks and Controls to be assessed; Re-assess Test Plan; Deliver 404 Package.

BENEFITS
• Sustainable and Scalable
• Focused Approach
• Collaborative
• Knowledge Transfer
• Auditable Conclusions
• A TEAM: Corporate, Business Unit, Internal Audit, External Audit

The following conditions are necessary for an entity to be “auditable” under Section 404:

• Management accepts responsibility for the effectiveness of control
• Controls are suitably designed and implemented to achieve the control objective (reliability of financial reporting) using established criteria
• Control objectives and related controls need to be appropriately documented
• Management assesses the effectiveness of internal control over financial reporting and reports thereon (on both the design and operating effectiveness of controls)

Some companies may already have substantial documentation of their internal controls, including internal audit files, formal policy and procedures manuals, etc. Most companies, however, will not have completed a comprehensive evaluation of their internal controls across the organization. In addition, the existing documentation may not be adequate to meet the demands of SOX 404. As such, virtually all organizations will require a formal plan to address the new regulations.

Audit of Financial Statements versus Internal Control (404 Controls Attestation)

Audit of Financial Statements:
• Understanding and consideration of internal controls only to the extent necessary to develop the audit approach
• Overall objective is an opinion on the financial statements, not to opine on internal controls
• Internal control reports have been very rare in practice historically, and are the subject of different attestation standards

Section 404 Attestation:
• 100% controls-based approach. No comfort from substantive/analytical procedures
• Must evaluate and test controls across business and functional areas to opine on effectiveness (broader and deeper)
• Lack of errors, or material adjustment, in financial statements is not de-facto evidence unto itself of an appropriate internal control structure

The COSO Controls Framework

Monitoring
• Assessment of a control system’s performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.

Control Activities
• Policies/procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, security and segregation of duties.

Information & Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internal and externally generated information.
• Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.

Risk Assessment
• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives, forming the basis for determining control activities.

Control Environment
• Sets tone of organization, influencing control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.

Internal Control Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was charged in the mid 1980’s with the responsibility of defining an effective framework for systems of internal controls. Since its publication in 1992, the COSO framework has become widely accepted as the benchmark for establishing and assessing a structure for internal controls.

Section 404 reporting requires that management’s evaluation of internal controls be based on a suitable, recognized control framework that is established by experts using “due process”; a process which includes the broad distribution of the framework for public comment. COSO is recognized as an example of an acceptable framework that would meet these criteria. The definition of internal control used in the final regulations also makes reference to the COSO framework. Accordingly, it is widely agreed that the COSO framework will become the established benchmark for Section 404 reporting.

Under the COSO framework, “internal control” is defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

COSO identifies five components of control (control environment, risk assessment, control activities, information and communication, and monitoring) that need to be in place and integrated to ensure the achievement of each of these three objectives. In preparing for Section 404 reporting, management will need to consider controls which address all five of these components.

(Pictured: Internal Control – Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission. The COSO framework is recommended as the benchmark for SOX 404 reporting.)

Assessing Controls

The most effective way to meet the enhanced legal requirements of Section 404 will depend on the size, nature and complexity of the entity, including the quality of business processes and internal control systems. Accordingly, it is recommended that an evaluation of the controls and procedures be made by developing an internal controls “maturity analysis” (see diagram below). An internal controls maturity analysis can make it easier for a company to evaluate how its existing control structure impacts the level of effort required to meet its control reporting requirements. In addition, the level of maturity can have a significant impact on the level of additional effort that will be required by management and the external auditor to meet SOX 404 requirements, which would require a level of at least “monitored” for significant controls.

Internal Controls Maturity Framework

Unreliable – Unpredictable environment where control activities are not designed or in place
Informal – Control activities are designed and in place but are not adequately documented
Standardized – Control activities are designed, in place and are adequately documented
Monitored – Standardized controls with periodic testing for effective design and operation with reporting to management
Optimized – Integrated internal controls with real time monitoring by management and continuous improvement

• Level 1 – Unreliable
– Unpredictable environment where controls are not designed or in place

• Level 2 – Informal
– Controls are designed and in place but are not adequately documented
– Controls mostly dependent on people
– No formal training or communication of controls

• Level 3 – Standardized
– Controls are designed and in place
– Controls have been documented and communicated to employees
– Deviations from controls may not be detected

• Level 4 – Monitored
– Standardized controls with periodic testing for effective design and operation with reporting to management
– Automation and tools may be used in a limited way to support controls

• Level 5 – Optimized
– An integrated internal control framework with real time monitoring by management with continuous improvement (Enterprise Wide Risk Management)
– Automation and tools are used to support controls and allow the organization to make rapid changes to the control activities if needed

Companies with multiple business segments, geographic locations, or reporting units will need to determine which locations are relevant. Consideration should be given to the financial significance of the location, in terms of the potential for a material error, and the ability of the entity to commit the overall organization to financial risk. Specific risks that should be considered would include major systems changes, management turnover, a major acquisition, or a volatile business environment.

Individual locations or business units that are not individually significant may, when aggregated with other units, result in a group that could create a material misstatement. In this case, consideration should be given to whether there are entity-wide controls over this group of units that may provide comfort. The following diagram provides guidance on testing for companies with multiple locations:

Multi-Location Testing Consideration

Is the location or business unit individually important?
– Yes: Evaluate documentation and test significant controls at each location or business unit.
– No: continue to the next question.

Are there specific significant risks?
– Yes: Evaluate documentation and test controls over the specific risk.
– No: continue to the next question.

Are there locations or business units that are not important even when aggregated with others?
– Yes: No further action required for such units.
– No: continue to the next question.

Are there documented entity-wide controls over this group?
– Yes: Evaluate documentation and test entity-wide controls over the group.
– No: Some testing of controls at individual locations or business units is required.

Section 404 Preparedness and Attestation

(Table: a Continuous Improvement cycle across six phases. The first five phases are Management’s responsibility; the last is the Auditor’s. Running beneath all phases: Scoping, Understanding, Evaluating, Validating and Reporting; Project Management Support.)

Key Elements

Project Initiation and Planning (Management)
■ Ensure that continuous education takes place, including:
 ■ Requirements
 ■ COSO/Internal Controls
■ Form project team and align objectives
 ■ Steering Committee
 ■ Stakeholders
 ■ Core Team
■ Develop scope and project approach
■ Develop training plan for core team members and stakeholders
■ Establish documentation standards and templates (auditability requirements)
■ Develop project and stakeholder communication plan

Risk Assessment and Prioritization (Management)
■ Map financial statements to business processes that drive financials and financial disclosures
■ Establish criteria to perform risk assessment of activities supporting financial statement accounts, considering:
 ■ F/S Assertions
 ■ Balance
 ■ Complexity
 ■ Judgment
■ Develop project team understanding of Internal Control Maturity Framework
■ Evaluate identified business processes and establish risk ranking

Documentation (Management)
■ Inventory existing internal control documentation for appropriate entities / business units, etc.
■ Compile an inventory of known control issues with “as-is” maturity rating
■ Develop and communicate documentation standards to team members
■ Collect internal control documentation for each component of COSO
■ Develop exception handling process for internal control issues disclosed in Evaluation Phase

Evaluation (Management)
■ Review existing documentation for design effectiveness
■ Test operating effectiveness of internal control
■ Determine current state of internal control
■ Execute testing and evaluate results
■ Assess any known internal control weaknesses identified by management during their 302 certification process
■ Use exception handling process for issues encountered during control evaluation
■ Review issues with management to obtain consensus on areas needing improvement
■ Establish a plan, assigning responsibility and timeline for remediation efforts

Management Assertions and Financial Reporting Objectives (Management)
■ Based on evaluation, document assertions on financial reporting, based on:
 ■ Classes of transactions and events
 ■ Balances
 ■ Presentation and Disclosure
■ Provide 404 assertion to external audit firms

Attest Report (Auditor)
■ Review management’s supporting documentation for 404 assertion
■ Design tests of client’s key control procedures
■ Make appropriate financial statement adjustments based on final 404 standards
■ Opine on management’s assertions pertaining to financial reporting objectives
■ Leverage AT501 reporting guidelines for internal control attestations and controls, assigning significance (internal audit, external audit, etc.)

Deliverables and Work Projects

Project Initiation and Planning
■ Project Charter
■ Project Plan
■ Training Plan
■ Communications Plan

Risk Assessment and Prioritization
■ Inventory of existing F/S to Business Process Map
■ Risk Assessment Ratings

Documentation
■ Internal control documentation
■ Documentation templates

Evaluation
■ Controls evaluation findings for internal use
■ Remediation plan
■ Action Registry

Management Assertions and Financial Reporting Objectives
■ Management assertion documentation

Attest Report
■ Attestation report (and management assertion) filed annually with SEC

Project Methodology

In evaluating internal controls for the Sarbanes-Oxley 404 certification process, PwC recommends an implementation plan for management that addresses the following critical tasks:

1. Form a project team to allocate responsibilities, assess resources, decide on an approach, and establish timing

2. Collect data on the current controls environment, by assessing areas of risk and reviewing existing practices

3. Prepare an inventory of existing and available documentation

4. Evaluate internal controls and prepare a gap analysis to identify areas of concern requiring further follow up

5. Remediate the identified gaps and validate that these areas have been fully addressed

6. Continue to monitor progress of remediation efforts towards sign-off of 404 assertions by management

The table above further indicates the key elements of a Section 404 project plan, and identifies responsibilities for both management and the external auditor.

Front cover: Lisandro Serrano. Photographed by: Pia Cosmelli. © 2003 PricewaterhouseCoopers LLP, Canada. “PricewaterhouseCoopers” refers to PricewaterhouseCoopers LLP, Canada, an Ontario limited liability partnership, or, as the context requires, the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.