Sarbanes-Oxley Compliance Drives Need for Collaborative Management

Timely Compliance with Sarbanes-Oxley Sections 302, 404 and 409

By Mark A. Stephens & Aaron R. Runk, Visum Solutions, Inc.

Confidential E-Paper


Post on 24-Jul-2020



© 2004 Visum Solutions, Inc. All Rights Reserved.


Introduction

After a string of corporate failures (see Enron, et al.), the US Legislature passed the most sweeping financial reporting rules and regulations ever enacted, the Sarbanes-Oxley (SOX) Act, in July 2002. In summary, the intention of the Act is to help restore public trust in US business and corporate reporting. SOX requires public organizations (market capitalization of $75 M +) to more actively report their current financial status.

Much of SOX deals with requirements for public accounting firms, detailing how they must expand their current reporting procedures for firms they are auditing. However, there are also a handful of sections that have specific requirements organizations must act upon. These sections, in general, require target organizations to dynamically maintain and display business process and performance information.

How can your organization build up compliance with these complex new financial reporting rules? And, more importantly, how can your organization get this capability in place in time? Three major sections of SOX (302, 404 and 409) must be supported with technology, both to enable the capturing of complex business financial information and to speed the implementation to comply with the required enactment dates.

In order to support SOX requirements by the deadline, avoiding any possible penalties and/or criminal prosecution, we propose using a Collaborative Management Suite (CMS) and your business financial reporting expertise. We will accomplish this by using QPR Software’s Collaborative Management Software (ProcessGuide, ScoreCard, and Web Portal).

Further, using QPR’s Collaborative Management Software will enable your organization to more effectively document and communicate process and performance information in general, greatly enhancing the organization’s strategic effectiveness.

“Anybody who thinks that we’re going to come back anytime soon and amend the act just simply hasn’t followed the history of the Congress.”

Congressman John Oxley

Business Effects

A recent survey of Fortune 1000 companies by AMR Research found that:

• Fortune 1000 companies have earmarked more than $2.5B this year in Sarbanes-Oxley Act investigation and initial compliance-related work

• 85% of companies predict that SOX will require changes in IT and application infrastructure that support the business

• 79% are unsure what implications the act will have for their company

• 61% expect business process change will be required

• Importantly, many forward-thinking CIOs view Sarbanes-Oxley compliance as the “compelling event” to kick-start specific system and process improvement initiatives long stalled because of other IT spending priorities, thoughts that are reminiscent of the ERP craze Y2K kicked off in the 1990s

Collaborative Management Software?

A combination of process and business performance reporting, initiative and action management, document sharing, feedback management, and alerting which Gartner has termed “Collaborative Management Software”.

Timelines and Penalties

Although the required enactment dates for SOX have slipped a bit, it looks like the legislature is ready to start enforcing these rules. Current estimates are that much of SOX must be recognized and reported by June 15, 2004. In our estimation, most public companies are nowhere near being prepared to report this information.

Penalties as documented in SOX are severe for organizations not complying with the new reporting rules, including the filing of fraud and obstruction of justice charges against all named officers of the offending organization. SOX has criminal penalties for those who destroy records, commit securities fraud and fail to report fraud, whereas it also provides protection for the whistleblowers.


SOX and Technology

While the overall SOX act is very convoluted and complex, there are some specific calls for action by target companies, and in turn opportunities for technology to help support that action. There are two overall themes that would be well supported with technology: business process mapping and strategic theme reporting. These two themes are reflected in the following three Sections of SOX:

Section 302 – Financial Reports

Title III – Corporate Responsibility - Section 302 – Financial Reports - states in part:

“[the signing officers] have designed such internal controls to insure that material information relating to the issuer […] is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared”

In other words, organizations must document the design and methodology of their financial reporting process. Given the potential complexity of this process, with financial and other information streaming from multiple sources, this requirement calls for the use of a powerful business process modeling (BPM) software tool. This BPM tool must allow multiple users to design and maintain the model, communicate the model to interested parties inside and outside the organization, and maintain this model in a repository for future review.

25% of survey respondents say the Sarbanes-Oxley law is “very confusing,” according to an April 2003 Parsons Group survey.

What about Multinational Corporations?

The Act governs not only all the publicly traded firms that list their stock on any US-based financial exchange, but also any firm, irrespective of their place of origin as long as they trade their stocks in the United States.

Part of our Collaborative Management Suite includes QPR ProcessGuide, an interactive software solution that commits people to processes. ProcessGuide is a powerful, easy-to-use, web-enabled tool that helps organizations realize the benefit of process and knowledge management.

[Figure: Financial Control Process View. Labels: Daily Process Controls; Period Process Controls; Reporting Procedures Process]

With QPR ProcessGuide, you have the ability to create multi-level process maps that can accommodate even the most complex financial processes and make them understandable to everyone inside and outside of your organization. Attach documents to process steps, collaborate online, and even do dynamic simulation of your processes. The versatility of QPR ProcessGuide makes for a powerful tool that will help you in your quest for SOX compliance.

Section 404 – Management Assessment and Reporting of Internal Controls

Title IV – Enhanced Financial Disclosures – Section 404 – Management Assessment of Internal Controls – states in part:

“[Each annual report shall contain an internal control report, which shall] contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure [of the organization]”

Simply put, companies must document their internal control structure, and communicate this internal control structure as part of their annual report. Internal control structures have been further defined and documented in various frameworks, including the popular COSO framework (see inset).

Once again, the QPR Collaborative Management Software easily supports this requirement by seamlessly integrating QPR ProcessGuide and QPR ScoreCard. QPR ScoreCard is a completely versatile, web-enabled software solution for automating any strategic performance management system. By integrating these two powerful tools into one portal, we are able to complete the Collaborative Management Suite and manage internal controls using the COSO framework.

COSO

Monitoring

• Assessment of a control system’s performance over time

• Combination of ongoing and separate evaluation

• Management and supervisory activities

• Internal audit activities

Control Activities

• Policies/procedures that ensure management directives are carried out

• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties

Information and Communication

• Pertinent information identified, captured and communicated in a timely manner

• Access to internally and externally generated information

• Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action

Control Environment

• Sets tone of organization influencing control consciousness of its people

• Factors include integrity, ethical values, competence, authority, and responsibility

• Foundation for all other components of control

Risk Assessment

• Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives forming the basis for determining control activities


Collaborative Management and COSO

Monitoring – Using the QPR Collaborative Management Software you are able to monitor your processes at every level. With the ability to assign metrics to process steps and “drill down” to monitor performance, you will always know how your processes are performing and when to make necessary adjustments.

Information & Communication – Using the QPR Portal as a repository for important documents allows for on-demand information that can be accessed internally or externally in a timely manner.

Control Activities – Policies and procedures can be built in and published at every step in your processes, along with a documented verification process.

Control Environment – Because QPR’s Collaborative Management Software is a real-time environment, all information is available to people in your organization on-demand in an understandable framework.

Risk Assessment – With the tool’s capability to do dynamic simulation of processes, you have the ability to assess the risks associated with achieving your objectives.

Section 409 – Real Time Issuer Disclosures

Title IV – Enhanced Financial Disclosures – Section 409 – Real Time Issuer Disclosures – states in part:

“Each issuer reporting … shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations”

The key elements in this phrase are the disclosures of material financial change and the requirement to disclose this information on a rapid and current basis. We interpret this as meaning information must be disclosed as soon as it is discovered, not just as part of a standard financial or annual report. This means your organization must (1) have access to material financial information, and (2) be able to disclose this information on a rapid and current basis.

As amazing as it seems, it has been our experience that many organizations really have no idea how they are performing financially or strategically in real-time. They have not taken the time to identify critical strategic elements in their organization, nor have they built them into an automated system for constant review. Instead, most companies rely on paper systems to track and report this information, often many months after the fact. This approach is simply not acceptable, nor supportive of SOX requirements.

QPR Collaborative Management Software uses an intuitive web-based interface to communicate real-time critical financial and strategic information. Financial scorecards can be constructed with measures that aid target-setting and performance measurement in areas critical to financial performance and SOX compliance. Because of the flexibility and simplicity of maintaining multiple “scorecards” in QPR ScoreCard, you are able to customize the application specifically for monitoring section 409 metrics and disclose them in real-time. The performance management concept built around “scorecards” supports planning and implementation by federating the actions of all parts of an organization around a common understanding of its financial goals and requirements.

[Figure: Financial Analysis View]

[Figure: Financial Scorecard View]


Briefing Booklet

Using the Briefing Booklet feature of the QPR Collaborative Management Software enhances the capability of an organization to monitor its critical metrics and processes. These dynamic Briefing Booklets are reported in real-time or can be scheduled and published on regular intervals — making them ideal for internal viewing and analysis or for external disclosure. Furthermore, it is possible to set up e-mail alerts to notify users immediately when a metric changes, enters certain parameters, or if values are missing. This idea of “Push Technology” ensures that SOX initiatives and requirements will not be overlooked.

Technology

QPR Collaborative Management Software includes: QPR ScoreCard, a robust performance management tool, QPR ProcessGuide, an easy to use multi-level process mapping and management tool, and QPR Web Portal, an easy to use and customize web portal.

QPR ScoreCard users can view real-time strategy maps, hierarchical and analysis scorecards, as well as individual measures. Users can also collaborate by writing comments, creating action plans, lessons, and/or attaching documents.

QPR ProcessGuide is a comprehensive process mapping tool that allows users to create multi-level process maps with the ability to attach documents and metrics to process steps, run dynamic simulations, and collaborate by writing comments, action plans, and lessons. By seamlessly integrating QPR ScoreCard and QPR ProcessGuide into one convenient portal, QPR has created the most powerful collaborative management application on the market today.

Easy to use: QPR ScoreCard and QPR ProcessGuide can have an unrestricted number of simultaneous users in dispersed locations. This means that users can view changes in a model immediately. User rights can be individually set and defined.

Web-enabled: QPR ScoreCard and QPR ProcessGuide are completely web-enabled software that supports information deployment via a browser and can therefore be used as an enterprise-wide system.

Conclusion

Sarbanes-Oxley is no longer a future possibility, but is now a current reality. If your organization falls into the target for SOX, then you probably already know the enforcement dates and penalties for non-compliance.

There are three SOX sections that require your organization to map business processes and communicate financial performance. These requirements must be supported with technology (not just consulting) that allows for the automation of business process information and the communication of near-real-time financial changes.

QPR Collaborative Management Software is the perfect set of software tools to support these requirements, with process mapping and performance visualization capabilities built into a single end-user interface. With our suite, not only can you comply with SOX requirements, but you can also map and communicate your entire strategic direction, supporting your organization’s future by helping communicate strategic effectiveness now and in the future.

“As CFOs prepare to meet these new regulations, many will look to technology solutions to support an overall financial compliance strategy.”

Henry Morris, Group VP for Applications & Information Access at IDC, “Sarbanes-Oxley: A Catalyst for a New Category of Analytic Applications?”, April 2003


VISUM SOLUTIONS, INC.

5001 American Boulevard West, Suite 655

Bloomington, MN 55437

tel: 952.835.4131

fax: 952.835.5412

[email protected]

www.visumsolutions.com

“Many firms will utilize the Sarbanes-Oxley Act as a means of improving business efficiency, going beyond what is merely required to comply”

META Group Inc.