Title: Breakout Session
2. Sarbanes Oxley Internal Controls: Strong Contract Management Disciplines Required for 404 Certification
- Breakout Session 1005
- Tom Reid, Chief Problem Solver, Certified Contracting Solutions, LLC
- www.certifiedcontractingsolutions.com
- Date: April 24, 2007
- Time: 1:40 - 2:40
3. What is SARBOX?
- Sarbanes-Oxley (SARBOX) was enacted into law 7/30/2002 (signed by President Bush)
- Applies to issuers, as defined by the Securities Exchange Act of 1934
4. Why SARBOX?
- Ken Lay (Enron) (deceased)
- Bernie Ebbers (WorldCom)
- 25 years
- 13,140,000 minutes,
- nights and weekends included,
- no roaming
- Arthur Andersen
5. Why SARBOX?
- Desire for legislative action
- Designed to restore investor confidence
- Hold corporate America more accountable
6. Comprehensive Law
- Title I: Public Company Accounting Oversight Board
- Title II: Auditor Independence
- Title III: Corporate Responsibility
- Title IV: Enhanced Financial Disclosures
- Title V: Analyst Conflicts of Interest
- Title VI: Commission Resources and Authority
7. Comprehensive Law
- Title VII: Studies and Reports
- Title VIII: Corporate and Criminal Fraud Accountability
- Title IX: White Collar Crime Penalty Enhancements
- Title X: Corporate Tax Returns
- Title XI: Corporate Fraud Accountability
8. Intended Effect?
- To tighten accounting procedures
- Improve board oversight for public firms
- At least one member must be financially literate
9. Cost of Compliance
- 20 Billion since enactment (FY end 2006)
- Estimated 1.2 trillion loss in stock market value
- More than 8 in 10 CFOs say benefit does not outweigh cost
- Financial community judgment still outstanding
10. What Does Section 404 Require?
- Document internal controls
- Test internal controls
- Verified by independent auditors
- Certified to PERSONALLY by CEO & CFO
- Knowing or Willful Failure to portray true conditions is a crime (section 906)
11. A Proper Control Environment
- Encompasses the attitudes and values of directors and executives
- Degree to which they recognize the importance of
- Method
- Transparency
- Care in creation and execution of company policies and procedures
12. First Line of Defense
- A proper control environment provides the first line of defense
- Controls themselves become second line
- Makes people understand that it is NOT OK to
- Strike side deals
- Recognize revenue prematurely
- Conceal possible conflicts of interest
- Look the other way
13. How to Implement in Small Companies
- The key in SOX for all small companies is the evaluation of internal controls, and paramount in determining this is to be realistic about what controls are in place.
- Do not create a control environment, or rather control points, that may be lofty! Audits of these controls will hold you to these lofty control aspirations.
- Just because they exist in larger companies, do not try to rationalize that you should also have them.
- DO NOT MAKE IT HARDER THAN IT NEEDS TO BE!!!
14. For Example
- The internal control documentation for a small bio-pharmaceutical R&D company
- Its market cap exceeded 75 million as of June 30, 2006
- required them to adhere to SARBOX as of their next year-end.
- With the guidance of a consultant and the fervor of management, the internal controls were designed to include very lofty items.
- As the review proceeded, it was determined that these were just that: LOFTY!
- A rewrite of many of these controls ensued, resulting in additional expense preparing to comply with SOX requirements.
15. Internal Controls Defined
- The Committee of Sponsoring Organizations of the
Treadway Commission (COSO) defined Internal
Controls in a broad fashion that can be described
as a process or set of processes designed to
address operating efficiencies and effectiveness
and reliability of financial reporting and
compliance with laws and regulations.
16. Not Just a Compliance Approach
- COSO Internal Control Framework approaches the subject from a management perspective.
- A control framework relates, generally, to how extensively the organization addresses the controls over risks.
17. Internal Control Framework
- Key concepts of the COSO Internal Control framework
- Control Environment: Sets the tone of the organization influencing the control consciousness of its people.
- Risk Assessment: Identifying and analyzing relevant risks.
- Control Activities: Policies and procedures
- Information and Communication Systems: Support identifying, capturing and exchange of information that allows people to carry out their responsibilities.
- Monitoring: The process that assesses the quality of internal performance over time.
18. Why SARBOX?
- Ken Lay (Enron) (deceased)
- Bernie Ebbers (WorldCom)
- 25 years
- 13,140,000 minutes,
- nights and weekends included,
- no roaming
- Arthur Andersen
19. Contract Management Responsibilities
- Contracts require a signature
- The company should be asking: Who can sign for what?
- Management needs to know exactly what encumbrances or commitments it has outstanding, as well as what revenue it will be generating based on its active contracts.
20. Contract Management Job Descriptions
- Responsibilities must be clearly defined
- Signature authority sometimes follows positions rather than individuals
- Clear lines of authority improve communication flows
- Defines ownership of business processes
- Improves performance of temporary fill-ins and replacements
- Avoids rubber stamp signatures
21. Duties and Responsibilities
- The key tenet here is whether duties overlap
causing a risk that the individual can create a
false entry to offset a true entry. Obviously,
the most recognized fraud would involve cash.
However, contracting would have its own set of
risks, for example, the approval of a contract
with a fictitious contractor to provide services.
22. Signature Authority Delegations
- Each contract should be executed with the appropriate signature authority.
- Good business sense would ensure that only authorized or approved personnel can bind or encumber the organization by affixing their signature to a contract. This allows for controlling the original contract and any subsequent modifications and in general controlling your business.
23. Contract Management of Suppliers
- The extended enterprise can involve companies that do not maintain the same controls
- The extended enterprise may include companies that must be relied on for the 404 certifications
- Contract Managers ensure that these contracts provide the data and audit assurance that is required.
24. Contract Management Concerns re Financial Systems
- The central record keeping of the organization (esp. the financial system) causes SARBOX concerns for auditors and management.
- Revenue: The impact of un-invoiced items due to improper recording of contracts
- Commitments: The impact of unrecorded obligations and pending liabilities causing financial statements to under-record liabilities.
25. Questions to Ask
- Where are contract records kept? Are they accessible?
- Can we track key data elements about our obligations?
- Effective expiration dates
- Revenue recognition terms and conditions
- Evergreen provisions
- Annual and total dollar values
- Effect of tiered pricing
26. More Questions to Ask
- How do we track and measure savings?
- Can we ensure full value for every dollar spent?
- Do our legacy systems give us accurate data?
- Can we identify all external supplier commitments?
- Are they part of our compliance system?
- Is the statement of work clear?
- Can we assess penalties if our compliance is affected by their actions?
27. Automated Systems
- Most companies will utilize some sort of automated system to record their contracts, usually not the financial system.
- The integration or lack of integration into the financial records will be under scrutiny with SARBOX.
- If the contracts are deemed a high risk area, which in governmental contracting it would be, auditors will be concerned over access to that system, the controls over the system itself, the security access to the system, the passwords, where data resides, the back-up of data, and obviously functionality (the actual recording of the transactions).
28. Tools to Aid Compliance
- Effective policies and procedures
- Clarity in contract documents
- Internal audits
- Formal risk assessments
- Compliance matrices
- Training
- Timely contract closeout
- Effective record retention
29. What about Non-Publics or Non-Profits?
- The SARBOX standards have become the floor: so-called best practices
- The only audit you can get in some cases is a full SARBOX audit
- This increases the costs to those to whom it was not supposed to apply
- Some states are passing Mini-SARBOX
- Some provisions apply anyway!
30. What Provisions Apply to ALL Businesses?
- Record retention
- Whistleblower protection
31. Criminal Aspects
- Knowing/Willful False Certification
- Securities Fraud
- Alteration of Corporate Documents
- Retaliation Against Whistleblowers
- Obstruction of Justice
32. Any Benefits?
- Some companies have used SARBOX to improve other systems
- Record keeping
- Employee records
- ISO 9000, Six Sigma, other quality programs
- Standardized processes
- Strict SARBOX compliance can help mitigate penalties under Sentencing Guidelines
33. MySpace Sites
- Official NCMA Group
- http://groups.myspace.com/officialncma
- Government Contracting Professionals
- http://groups.myspace.com/governmentcontractingprofessionals
- My Site(!)
- http://www.myspace.com/GovernmentContractsGuru
34. Questions?
- www.Ask-Tom-Reid.com
- www.certifiedKsolutions.com
- www.governmentcontractingsolutions.com/blog
- www.govcon-solutions.com