“The Impact of Sarbanes Oxley, An Evolving Best Practice”
Ellen C. Wolf
Senior Vice President & Chief Financial Officer
American Water
National Association of Regulatory Utility Commissioners
Committee on Water
February 2008
American Water
Founded in 1886
Largest investor-owned water and wastewater utility in the United States
Serves approximately 16.2 million people
Operations in 32 states and Ontario, Canada
Approximately 7,000 employees
Agenda
SOX Benefits to Companies
Continuing Evolution of SOX
Initial SOX Compliance Experience
An Evolving Best Practice
Beyond SOX – Enterprise Risk Management
Controls Rationalization
Top Down Risk-Based Approach
Benefit of SOX Compliance
According to a survey entitled “Oversight Systems Financial Executive Report”, conducted with 222 corporate finance leaders:
– 74 percent said their company benefited from SOX
– 79 percent reported “significantly stronger” or “somewhat stronger” internal controls as a result of SOX
– 46 percent said SOX compliance benefits the company by ensuring accountability
– 75 percent said they would vote to keep Section 404 if they were members of Congress
Benefits of SOX Compliance
Positive influence on maintaining investor confidence (and long-term share price) through increased transparency and fewer surprises
– Investors are requiring successful risk management
– Rating agencies are increasingly focused on qualitative factors around risk management
More timely and reliable financial reporting
Improved overall control culture
Better business risk information for Audit Committees and Management
Enhancement of processes and the underlying control structure to drive operational effectiveness and cost efficiencies
Improved Corporate Governance Process
Back to the basics: strengthening foundational controls that had received less attention prior to SOX
Alignment of IT with the business
Elimination of outdated, redundant and ineffective processes and controls
Easier employee on-boarding process
SOX Benefits to Customers and Regulators
Enhances capital attraction at appropriate rates
– Avoids a risk penalty
Transparency
– Enhances regulatory and public confidence
More pro-active Board of Directors Oversight
Greater financial accountability
Attracts and improves quality of employees
Initial 404 Compliance Experience
Most companies faced various challenges around their initial SOX compliance exercise:
– Relied too heavily on manual controls and underutilized IT potential
– Lacked a risk-based approach and performed repetitive, manual tasks
– Had disparate IT systems, making access to data very difficult
– Identified a very high number of key controls
• Detect and manual controls were, in many instances, prevalent
– Staffing issues
• Lack of sufficient resources
• Employees who lacked clear roles, responsibilities and goals
Sarbanes Oxley was key to companies rethinking many of these issues
An Evolving Best Practice
[Figure: diagram with the labels “efficiency”, “cost”, “investment” and “value”, and the risk categories strategic, operations, financial and compliance. Elements shown:]
– Top-Down Risk Assessment & Scoping
– Risk Based Testing & Evaluation
– Optimization & Standardization of Controls
– Leveraging Monitoring Controls
– Controls Automation & Continuous Controls Monitoring
– Risk Convergence: Consistent Risk & Control Framework
– Coverage of Fraud Risk & Controls
– Process & Controls Improvement
Making the Business Better: Leverage 404 efforts to invest in a comprehensive control environment, drive efficiency and create value to the company
Beyond SOX: Enterprise Risk Management
Evolution of Enterprise Risk Coverage as a “Best Practice”
– Coordinated approach to address strategic, financial, operational and compliance risks (leverage the SOX compliance documentation to extend risk assessment beyond financial reporting)
– Enhanced risk assessment process, which fully considers the business strategy, business drivers and initiatives
– Enhanced change management processes across the company
– Entity-level controls are leveraged
Risk Management as a Competency
– Embedded in the organization, its management processes and functions
– SOX compliance seen as an evolving process, not a project
– Achieved through a framework of activities to improve the management of an organization’s constantly evolving risk profile
Controls Rationalization
Rationalization: Removing controls that are not significant or are unnecessarily redundant
Optimization: Selecting controls that are more efficient to test than other controls which mitigate the same risk (e.g., automated vs. manual controls), leveraging strong entity-level controls to reduce the need to rely solely on transaction-level controls
Improvement: Modifying, re-designing or re-engineering a process and underlying control structure to drive operational efficiency and effectiveness
Objective: To create value and promote efficiency
Top Down Risk-Based Approach
Financial Statement Risk Assessment
Company-Level Controls
High Risk Accounts, Processes, and Locations
Pervasive Coverage
Materiality
All Other Accounts and Locations
– Top-down approach begins by identifying, understanding, and evaluating the design of company-level (entity-level) controls. Entity-level controls include:
• Controls within the control environment, such as tone at the top, organizational structure, commitment to competence, human resources policies and procedures;
• Management’s risk assessment process;
• Controls to monitor other controls; and
• The period-end financial reporting process.
PCAOB – FAQ 38
In Closing
Benefits of SOX (beyond compliance)
– Capital attraction
– Improved processes and controls
– Stakeholder confidence
– Enhanced governance and culture
– More engaged and informed audit committees and Board of Directors
– Enhanced Customer Service
Continuing Evolution of SOX
– New SEC Management Guidance and PCAOB Auditing Standards
– The ability to leverage SOX efforts for Enterprise Risk Management and increased rigor over non-financial processes
Q&A