Breakout Session

1
(No Transcript)
2
Sarbanes Oxley Internal Controls Strong Contract
Management Disciplines Requiredfor 404
Certification
Breakout Session 1005 Tom Reid Chief Problem
Solver Certified Contracting Solutions, LLC
www.certifiedcontractingsolutions.com Date April
24, 2007 Time 140 - 240
3
What is SARBOX?

• Sarbanes-Oxley (SARBOX) was enacted into law
  7/30/2002 (signed by President Bush)
• Applies to issuers, as defined by the
  Securities Exchange Act of 1934

4
Why SARBOX?

• Ken Lay (Enron) (deceased)
• Bernie Ebbers (WorldCom)
• 25 years
• 13,140,000 minutes,
• nights and weekends included,
• no roaming
• Arthur Anderson

5
Why SARBOX?

• Desire for legislative action
• Designed to restore investor confidence
• Hold corporate America more accountable

6
Comprehensive Law

• Title I Public Company Accounting Oversight
  Board
• Title II Auditor Independence
• Title III Corporate Responsibility
• Title IV Enhanced Financial Disclosures
• Title V Analyst Conflicts of Interest
• Title VI Commission Resources and Authority

7
Comprehensive Law

• Title VII Studies and Reports
• Title VIII Corporate and Criminal Fraud
  Accountability
• Title IX White Collar Crime Penalty
  Enhancements
• Title X Corporate Tax Returns
• Title XI Corporate Fraud Accountability

8
Intended Effect?

• To tighten accounting procedures
• Improve board oversight for public firms
• At least one member must be financially literate

9
Cost of Compliance

• 20 Billion since enactment (FY end 2006)
• Estimated 1.2 trillion loss in stock market
  value
• More than 8 in 10 CFOs say benefit does not
  outweigh cost
• Financial community judgment still outstanding

10
What Does Section 404 Require?

• Document internal controls
• Test internal controls
• Verified by independent auditors
• Certified to PERSONALLY by CEO CFO
• Knowing or Willful Failure to portray true
  conditions is a crime (section 906)

11
A Proper Control Environment

• Encompasses the attitudes and values of directors
  and executives
• Degree to which they they recognize the
  importance of
• Method
• Transparency
• Care in creation and execution of company
  policies and procedures

12
First Line of Defense

• A proper control environment provides the first
  line of defense
• Controls themselves become second line
• Makes people understand that it is NOT OK to
• Strike side deals
• Recognize revenue prematurely
• Conceal possible conflicts of interest
• Look the other way

13
How to Implement in Small Companies

• The key in SOX for all small companies is the
  evaluation of internal controls and paramount in
  determining this is to be realistic about what
  controls are in place.
• Do not create a control environment or rather
  control points that may be lofty! Audits of these
  controls will hold you to these lofty control
  aspirations.
• Just because they exist in larger companies, do
  not try to rationalize that you should also have
  them.
• DO NOT MAKE IT HARDER THEN IT NEEDS TO BE!!!

14
For Example

• The internal control documentation for a small
  bio-pharmaceutical RD company
• Its market cap exceed 75 million as of June 30,
  2006
• required them to adhere to SARBOX as of their
  next year-end.
• With the guidance of a consultant and the
  fervor of management, the internal controls were
  designed to include very lofty items.
• As the review proceeded, it was determined that
  these were just that LOFTY!
• A rewrite of many of these controls ensued
  resulting in additional expense preparing to
  comply with SOX requirements.

15
Internal Controls Defined

• The Committee of Sponsoring Organization of the
  Treadwell Commission (COSO) defined Internal
  Controls in a broad fashion that can be described
  as a process or set of processes designed to
  address operating efficiencies and effectiveness
  and reliability of financial reporting and
  compliance with laws and regulations.

16
Not Just a Compliance Approach

• COSO Internal Control Framework approaches the
  subject from a management perspective.
• A control framework relates, generally, to how
  extensively the organization addresses the
  controls over risks.

17
Internal Control Framework

• Key concepts of the COSO Internal Control
  framework
• Control Environment Sets the tone of the
  organization influencing the control
  consciousness of its people.
• Risk Assessment Identifying and analyzing
  relevant risks.
• Control Activities Policies and procedures
• Information and Communication Systems Support
  identifying, capturing and exchange of
  information that allows people to carryout their
  responsibilities.
• Monitoring - The process that assesses the
  quality of internal performance over time.

18
Why SARBOX?

• Ken Lay (Enron) (deceased)
• Bernie Ebbers (WorldCom)
• 25 years
• 13,140,000 minutes,
• nights and weekends included,
• no roaming
• Arthur Anderson

19
Contract Management Responsibilities

• Contracts require a signature
• The company should be asking Who can sign for
  what?
• Management needs to know exactly what
  encumbrances or commitments it has outstanding,
  as well as what revenue it will be generating
  based on its active contracts.

20
Contract Management Job Descriptions

• Responsibilities must be clearly defined
• Signature authority sometimes follows positions
  rather than individuals
• Clear lines of authority improve communication
  flows
• Defines ownership of business processes
• Improves performance of temporary fill-ins and
  replacements
• Avoids rubber stamp signatures

21
Duties and Responsibilities

• The key tenet here is whether duties overlap
  causing a risk that the individual can create a
  false entry to offset a true entry. Obviously,
  the most recognized fraud would involve cash.
  However, contracting would have its own set of
  risks, for example, the approval of a contract
  with a fictitious contractor to provide services.

22
Signature Authority Delegations

• Each contract should be executed with the
  appropriate signature authority.
• Good business sense would ensure that only
  authorized or approved personnel can bind or
  encumber the organization by affixing their
  signature to a contract. This allows for
  controlling the original contract and any
  subsequent modifications and in general
  controlling your business.

23
Contract Management of Suppliers

• The extended enterprise can involve companies
  that do not maintain the same controls
• The extended enterprise may include companies
  that must be relied on for the 404 certifications
• Contract Managers ensure that these contracts
  provide the data and audit assurance that is
  required.

24
Contract Management Concerns re Financial Systems

• The central record keeping of organization, (esp.
  the financial system), causes SARBOX concerns to
  auditors and management.
• Revenue The impact of un-invoiced items due to
  improper recording of contracts
• Commitments The impact of unrecorded obligations
  and pending liabilities causing financial
  statements to under record liabilities.

25
Questions to Ask

• Where are contract records kept? Are they
  accessible?
• Can we track key data elements about our
  obligations?
• Effective expiration dates
• Revenue recognition terms and conditions
• Evergreen provisions
• Annual and total dollar values
• Effect of tiered pricing

26
More Questions to Ask

• How do we track and measure savings?
• Can we ensure full value for every dollar spent?
• Do our legacy systems give us accurate data?
• Can we identify all external supplier
  commitments?
• Are they part of our compliance system?
• Is the statement of work clear?
• Can we assess penalties if our compliance is
  affected by their actions?

27
Automated Systems

• Most companies will utilize some sort of
  automated system to record their contracts,
  usually not the financial system.
• The integration or lack of integration into the
  financial records will be under scrutiny with
  SARBOX.
• If the contracts are deemed a high risk area,
  which in governmental contracting it would be,
  auditors will be concerned over access to that
  system, the controls over the system itself the
  security access to the system, the passwords,
  where data resides, the back-up of data, and
  obviously functionality (the actual recording of
  the transactions).

28
Tools to Aid Compliance

• Effective policies and procedures
• Clarity in contract documents
• Internal audits
• Formal risk assessments
• Compliance matrices
• Training
• Timely contract closeout
• Effective record retention

29
What about Non-Publics or Non-Profits?

• The SARBOX standards have become the floor
  so-called best practices
• The only audits you can get in some cases is a
  full SARBOX audit
• This increases the costs to those to whom it was
  not supposed to apply
• Some states are passing Mini-SARBOX
• Some provisions apply anyway!

30
What Provisions Apply to ALL Businesses?

• Record retention
• Whistleblower protection

31
Criminal Aspects

• Knowing/Willful False Certification
• Securities Fraud
• Alteration of Corporate Documents
• Retaliation Against Whistleblowers
• Obstruction of Justice

32
Any Benefits?

• Some companies have used SARBOX to improve other
  systems
• Record keeping
• Employee records
• ISO 9000, Six Sigma, other quality programs
• Standardized processes
• Strict SARBOX compliance can help mitigate
  penalties under Sentencing Guidelines

33
MySpace Sites

• Official NCMA Group
• http//groups.myspace.com/officialncma
• Government Contracting Professionals
• http//groups.myspace.com/governmentcontractingpro
  fessionals
• My Site(!)
• http//www.myspace.com/GovernmentContractsGuru

34
Questions?

• www.Ask-Tom-Reid.com
• www.certifiedKsolutions.com
• www.governmentcontractingsolutions.com/blog
• www.govcon-solutions.com