Ethics and Sarbanes-Oxley:Strategies for Compliance

American Public Power Association

Business and Financial Conference

Alan Bailey, City Utilities of Springfield, MO

September 27, 2005

Portland, Oregon

About Springfield

• 3rd largest city in Missouri.

• Metro Area Population 250,000

• Missouri State University plus 3 private colleges– estimated temporary student population 30,000

• 2 Regional Medical Centers

• Light Manufacturing - 2 industrial parks

• Regional Retail and Financial Services.

About City Utilities Financial Data

(Amounts in $ Millions as of 9-30-04)

Total Assets $ 915

Net Capital Assets $ 702

Operating Revenue $ 288

Net Operating Income $ 8.7

Annual Payroll $ 61

About City Utilities Statistical Data

(as of 9-30-04)

Annual Electric Sales = 3.6 billion kWh

Generating and Purchased Power Capacity 987,300 kW

97,000 Electric Customers (86,000 Residential)

79,000 Gas Customers (71,000 Residential)

75,000 Water Customers (68,000 Residential)CU also operates public transportation and telecommunications

1,033 Employees

About City UtilitiesFinance Area Structure

Chief Financial Officer (1)Directors (2)

Administrators (2) Support Staff (3) Treasury Operations (1) Forecasting (3)

Business Unit Reporting (5) Risk Management and Security (5)

Financial Reporting (8) Financial Technology (2)Disbursements - AP and Payroll (12)

Finance Total (43)

Finance does not include IT - 55 employees

About City Utilities Board of Public Utilities

• City Council appoints 11-member board, staggered 3-year terms.

• Board members and immediate families must be independent of City and CU. Cannot serve more than 2 consecutive terms, Cannot be hired by CU for 1 year after term ends.

• (Section 301-3 Independence)

• Board elects 4 officers - one-year term– Chair, Vice-Chair,Secretary and Assistant Secretary.

• CU General Manager (CEO) reports to the Board

• Executive Committee reports to General Manager– CFO, COO, Chief Internal Auditor, General Counsel, Associate

General Managers (4)

About City UtilitiesBoard of Public Utilities

Demographics of Current Board Members: (11)• Architect - Architectural Firm Principal*• CPA - Retired CFO Regional Medical Center*• Insurance Agent*• Attorney• VP of Marketing - Regional Bank• CFO - International Stainless Tank Manufacturer• Missouri State University Educator• Regional Administrator - Social Security Administration*• Legal Counsel for Hotel/Real Estate Developer• Chief Operating Officer - Community Blood Bank• Advertising Executive

*2005 Audit Committee Member

The Annual AuditAudit Requirements:• Springfield City Charter requires annual audit. • CU Bond Ordinance requires CPA firm of national standing (Big-4)

Audit Contract:• 5 year audit contract (1 year contract with 4 one-year options to renew)• Changed from 4- to 5-year contract in 2005 to coincide with new rotation

requirements for audit partners.• (Section 203-Audit Partner Rotation)

Audit Contract Protocol:• Audit Committee selects firm from bids received by management.• Audit Committee recommends selected firm to Board.• Board approves selection, authorizes management to enter contract.• Effect: Audit Committee hires auditors. Board re-emphasized that

auditors are hired by and report to Audit Committee. • (Section 204-Auditor Reports to Audit Committee)

The Audit Committee • Four member committee

• Elected by Board for one-year term

• A “financial expert” is preferred, but not required. Currently one audit committee member is a CPA.

• (Section 407-Disclosure of Audit Committee Financial Expert)

• Audit committee hires auditor. Auditor reports directly to audit committee.

• (Section 301-2 Responsibilities relating to registered Public Accounting Firms)

• Committee Receives annual audited financial statements and report from auditors. Committee recommends audited financials for acceptance by Board of Public Utilities.

Internal Controls DocumentationSarbanes-Oxley requires annual management assessment of internal controls. Auditors for SEC filer attest to and report on management’s assessment.

– (Section 404 Management Assessment of Internal Controls)

CU Logic:• Audit programs encompass Sarbanes-Oxley. • Auditors must review management assessment of internal controls.• Auditors won’t have two sets of audit programs. (SEC and non-SEC)• How justify to auditors (ongoing) why Internal Controls are not important

enough for CU management to document and periodically review. Generally recommended approach:• Document detailed work instructions (desk procedures)• Write accounting procedures (the 5 Ws)• Write accounting policy (15 - 20 words) • Document internal controls (narrative text and flow charts).

Sarbanes-Oxley at CU The Big Audit Adjustment of 2002

• Calculation of liability for unpaid Sick and Vacation Leave understated by $2.2 million ($14.9 recorded liability should have been $17.1)

– Error was discovered by auditor’s entry level staff during final days of audit field work in mid-November

– Called back and re-issued all 9-02 financial statements– Ledgers reopened to record audit adjustment– Auditor reported finding to Audit Committee and Board of Public

Utilities (televised meeting)

The Big Audit Adjustment of 2002 Post-Trauma Analysis Team Findings

• The same basic, year-end manual format used since 1972 to calculate the balance of S&V.

• 27 sequential, manual calculations were required.

• The preparer calculated the individual items correctly, but excluded one from the calculated worksheet total.

• The reviewer did not verify calculations or re-foot the totals.

• The preparer had performed the calculations and prepared the year-end adjustment for 17 consecutive fiscal years.

The Big Audit Adjustment of 2002 Post-Trauma Analysis Team Findings

• On the surface, changes in policy during the year for accruing upper layer sick pay, and retirements of highly compensated employees, appeared to support the decrease in liability. Analytic review approach failed.

• Other “sexier” high-profile issues were in process at year-end, including a software upgrade project. Preparer and reviewer of entry were performing in dual-roles.

• Other than notes and tick-mark explanations on the worksheet, no written procedures existed for the analysis and entry.

Quality Assurance Review of 2003

• In January 2003, CU General Manager called for a Quality Assurance Review to be completed by September 30, 2003.

• CFO established a Quality Assurance Review Committee (QARC)– Corporate Reporting Administrator (facilitator), Comptroller,

Director of Disbursements, Director of Financial Reporting and Administrator - Financial Reporting.

– Priority over everything for entire finance staff.– Committee to meet at least bi-weekly until project completed.

Quality Assurance Review of 2003

Initial QARC Planning Phase: (March 6-18, 2003)• Established 22-week project work plan

– 112 standard journal entries procedures to document and review – Organized work plan by functional area.– Initial target completion date 9-1-03

• Adopted a new “Journal Entry Standards” document – addressed referencing techniques, preparer and reviewer responsibilities,

supporting documentation requirements, order of assembly and archiving.– 90 minute training session for all finance staff.

• After one month, expanded scope of project to include procedures for general ledger reconciliations and PeopleSoft allocations (Revised target date 9-30-03)

Quality Assurance Review of 2003

April - September QARC met every two weeks:• Tuesday: Committee only - review draft of procedures.• Friday: committee met with functional area to review proposed changes

Written bi-weekly project status reports to CFO and GM.

All changes completed and implemented for October 2003 ledger. (start of fiscal year)

Final written report delivered to General Manager December 4, 2003.

Accounting Policies Project - 2004

• During the QARC project of 2003, the need for a centralized Accounting Policy Manual (APM) was identified.

• Assigned Corporate Reporting Administrator as facilitator, as follow-up project for QARC. To be completed by September 2004.

• Finance work-groups are responsible for documenting APM for their own area.

• Standardized Accounting Policy Template established.

• APM set up on shared drive.• (enables word search)

Accounting Policies Project - 2004

• To facilitate long-term maintenance of the manual, the structure uses generic functions instead of current work-group names. – (e.g. section titles are “Accounts Payable, Accounts Receivable-Customers,

instead of “Business Unit Reporting, Financial Reporting, Forecasting and Risk Management”)

• Starting point for APM was the summary of significant accounting policies in the audited financial statements.

• 61 accounting policies documented as of 9-04. Two added so far in fiscal 2005.

• First round of annual staff review and updates - Summer 2005

Internal Controls Documentation - 2004-5• Internal Control Charts were developed concurrently with Accounting Policy

Manual. Started with written process narrative (from external auditor)

• The first objective of documenting internal controls was to help identify additional accounting policies to document.

• Became a means of identifying and analyzing effectiveness of internal controls. • (Sarbanes Oxley Section 404 Management Assessment of Internal Controls)

Guidelines for CU Internal Control documentation:• Use Excel flow-chart functionality.• One excel workbook file = complete process, “cradle to grave”• Individual worksheet tabs = one function. Use connectors to link tabs. No more

than two pages when printed.• Design flow charts to print on a standard letter size page, in large enough font

to be read with the naked eye.

Where to Start?Recommended work approach (order of preparation):• Document detailed work instructions (desk procedures) CU -2003• Write accounting procedures (address the 5 Ws) 1 to 2 pages CU-2004• Write accounting policy (15 - 20 words) CU-2004• Document internal controls (text and flow charts). CU-2004-5A good starting point: Read Sarbanes-Oxley Act of 2002 (Almost a soap opera plot)

Comments: • Don’t confuse accounting procedures with accounting policy. If your policy

is more than 15-20 words, it’s probably documenting procedures instead of policy.

• After doing the first two steps, you should be able to write the accounting policy in 15 minutes or less.

• Flow charts are quick work when the work procedures have been documented and reviewed.

• Plan for frequent reviews (CU reviews annually) – (Section 404 Management Assessment of Internal Controls)

Sarbanes-Oxley Auditors or Consultants?

• 2003 CU Common Cost Study used another Big-4 firm as a consultant. (3 to 4 month project)

• When invited to bid on the CU audit contract in 2005 this same firm appeared to be more interested in consulting work.

• (Section 201 Services Outside the Scope of Practice of Auditors)

• There is a shrinking pool of CPA firms to provide consulting or audit services. – 6 firms were eligible for CU 2000 Audit Selection Process– Only 4 eligible firms in 2005– Big 4 firms have “released” some smaller audit clients– Consulting work still appears to be more profitable for CPA firms

Sarbanes-Oxley Ethics Issues - Early Training 2004

In-house Sarbanes-Oxley training, July 2004. CU Executive committee and all of finance staff.

• Summary of history and requirements of act. • All non-SEC issuers subject to document destruction and

whistleblower protection rules.• Discussed potential indirect effects (audit committee rules,

auditor independence requirements, internal controls reliance, ethics, etc.)

• Discussed concerns with “cascade effect” where state legislatures and local governments voluntarily adopt Sarbanes-Oxley.

Sarbanes-Oxley Next Steps

Ethics Training:• Company-wide ethics sessions, required. January 2006.

• (Section 406-Code of Ethics for Senior Financial Officers)

– Introduce new anonymous hotline, discuss purpose and structure.– Review CU Ethics policy. (Policy 4.16) – Employee signs that has read and understands policy.

Complaints Hotline:• CU to set up a 24-hour, independently-operated hotline to receive and log

anonymous complaints.• Complaints can be logged on-line or through 800 number. • Internal Auditor and Supervisor of Security receive reports.• Internal Auditor report annually to Audit Committee, ad hoc as necessary

• (Section 301-4 Complaints)