1 sarbanes-oxley section 404 june 29, 2005. 2 sox 404 background 3 sox 404 goals 4 sox 404...


Upload: everett-dennis

Post on 18-Dec-2015



Sarbanes-Oxley Section 404

June 29, 2005


Table of Contents

SOX 404 Background

SOX 404 Goals

SOX 404 Requirements

SOX 404 Assertions

SOX 404 Compliance

COSO – Internal Controls

COSO – Internal Controls Framework

Why Do You Really Care About SOX 404?

Things You Can Do


SOX 404 Background

Due to the scandals in corporate financial reporting, Congress enacted the Sarbanes-Oxley Act (“SOX”) in 2002. The Securities and Exchange Commission oversees compliance with the Act by publicly traded companies. The Public Company Accounting Oversight Board (“PCAOB”) drives the compliance.

SOX Section 404 rules require each annual report to contain an internal control report which shall state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and contain an assessment of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Filing due dates:

• Fiscal years ended on or after November 15, 2004 for accelerated filers (i.e., market capitalization in excess of $75mm)

• Fiscal years ended on or after July 15, 2006 for non-accelerated filers.


SOX 404 Goals

The goals of a SOX 404 program are to ensure that enterprise internal controls are of such quality that there will be:

• no material weaknesses that must be reported at the registrant level by either management or the external auditor;

• no significant deficiencies that must be reported at the registrant level by either management or the external auditor to the Audit Committee of the Board of Directors; and

• no material misstatements of the company’s financial statements.


SOX 404 Requirements

Client management must:

Document and test the internal controls over financial reporting

Issue an annual assertion on the effectiveness of internal control over financial reporting

External Auditors must:

Determine nature, timing, and extent of testing

Review work performed by management

Perform some independent tests of controls

Attest and report on:

• Management’s 404 assertion process

• Design and effectiveness of internal controls


SOX 404 Overview - Assertions

In order to make the assertion, the client must:

Document and evaluate the design of controls

Evaluate the operating effectiveness of significant controls

Identify significant deficiencies or material weaknesses

Document the results of the evaluation

Communicate findings (e.g., significant deficiencies and material weaknesses) to the independent auditor

Note: Absence of sufficient evidence to support the Company’s assessment may constitute a significant deficiency that results in a report qualification by the external auditors.


SOX 404 Compliance


COSO – Internal Controls

COSO provides the PCAOB’s accepted basis for establishing internal control systems and determining their effectiveness.

Stands for “Committee of Sponsoring Organizations”

Originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (aka “The Treadway Commission”)

The sponsoring organizations include:

• American Institute of Certified Public Accountants (AICPA)

• The Institute of Internal Auditors (IIA)

• Financial Executives International (FEI)

• Institute of Management Accountants (IMA)

• American Accounting Association (AAA)

Published two documents and one pending:

• 1992 – Internal Controls – Integrated Framework

• Mid 90’s – Internal Control on Derivative Issues

• Early 2004 – Enterprise Risk Management Framework


COSO - Internal Control Framework

• The control conscience of an organization. The “tone at the top”

• The evaluation of internal and external factors that impact an organization’s performance

• The policies and procedures that help ensure that actions identified to manage risk are executed and timely

• The process which ensures that relevant information is identified and communicated in a timely manner

• The process to determine whether internal control is adequately designed, executed, effective and adaptive

[Figure: COSO framework diagram, labeled “Components” and “Objectives”]


Why Do You Really Care About SOX 404?

Non-profit (country clubs) and non-publicly traded (hotels) companies are not required to comply with SOX 404 requirements.

Reasons to care:

• Board members, who are responsible for the establishment and maintenance of good corporate governance – ALL

• Financing sources (banks and investors) want assurance that the financial statements are not misrepresented – ALL

• Owners want assurance that the financial statements are not misrepresented – Hotels

• Risk of membership loss due to fraudulent practices disclosed to the public – Country Clubs

• If acquired by a publicly traded company, SOX 404 compliance is required – Hotels


Things You Can Do

Steps to take to enhance your internal controls:

• Establish an audit committee to provide financial reporting and internal control expertise, along with oversight on such matters

• Establish a “Whistle-Blower” policy to provide the means and safeguards to those who identify fraudulent practices

• Assess the risk associated with the processes that make up your organization (e.g., sales/revenue, cash, accounts receivable, fixed assets, accounts payable, payroll, etc.)

• For high-risk areas and processes, ask yourself “What Could Go Wrong?” and address the answers to the question (e.g., segregation of duties)
