“The Impact of Sarbanes Oxley,An Evolving Best Practice”

Ellen C. WolfSenior Vice President & Chief Financial OfficerAmerican Water

National Association of Regulatory Utility CommissionersCommittee on Water February 2008

2

American Water

Founded in 1886

Largest investor-owned water and wastewater utility in the United States

Serves approximately 16.2 million people

Operations in 32 states and Ontario, Canada

Approximately 7,000 employees

3

Agenda

SOX Benefits to Companies

Continuing Evolution of SOX

Initial SOX Compliance Experience

An Evolving Best Practice

Beyond SOX – Enterprise Risk Management

Controls Rationalization

Top Down Risk-Based Approach

4

Benefit of SOX Compliance

According to a survey entitled “Oversight Systems Financial Executive Report” conducted with 222 Corporate finance leaders:

– 74 percent said their company benefited from SOX

– 79 percent reported “significantly stronger” or “somewhat stronger” internal controls as a result of SOX

– 46 percent said SOX compliance benefits the company by ensuring accountability

– 75 percent said they would vote to keep Section 404 if they were members of Congress

5

Benefits of SOX Compliance

Positive influence on maintaining investor confidence (and long-term share price) through increased transparency and fewer surprises

– Investors are requiring successful risk management

– Rating agencies are increasingly focused on qualitative factors around risk management

More timely and reliable financial reporting

Improved overall control culture

Better business risk information for Audit Committees and Management

Enhancement of processes and the underlying control structure to drive operational effectiveness and cost efficiencies

Improved Corporate Governance Process

Back to the basics: strengthening foundational controls that had received less attention prior to SOX

Alignment of IT with the business

Elimination of outdated, redundant and ineffective processes and controls

Easier employee on-boarding process

6

SOX Benefits to Customers and Regulators

Enhances capital attraction at appropriate rates

– Avoids a risk penalty

Transparency

– Enhances regulatory and public confidence

More pro-active Board of Directors Oversight

Greater financial accountability

Attracts and improves quality of employees

7

Initial 404 Compliance Experience

Most companies faced various challenges around their initial SOX compliance exercise:

– Reliance to heavily on manual controls and under utilized IT potential

– Lack of a risk-based approach and performed repetitive, manual tasks

– Had disparate IT systems, making access to data very difficult

– Identified a very high number of key controls

• Detect and manual controls were, in many instances, prevalent

– Staffing issues

• Lack of sufficient resources

• Employees who lacked clear roles, responsibilities and goals

Sarbanes Oxley was key to companies rethinking many of these issues

8

An Evolving Best Practice

e f

f i

c i

e n

c y

c o s t

Top-Down Risk Assessment

& Scoping

Risk Based Testing & Evaluation

Optimization & Standardization

of Controls

Leveraging Monitoring Controls

Controls Automation& Continuous

Controls Monitoring

Risk Convergence-

Consistent Risk & Control

Framework

Coverage of Fraud Risk & Controls

Process & Controls

Improvement

strategic

operations

financial

compliance

i n v e s t m e n t

v a

l u

e Making the Business Better: Leverage 404 efforts to invest in a comprehensive control

environment, drive efficiency and create value to the company

9

Beyond SOX: Enterprise Risk Management

Evolution of Enterprise Risk Coverage as a “Best Practice”

– Coordinated approach to address strategic, financial, operational and compliance risks (leverage the SOX compliance documentation to extend risk assessment beyond financial reporting)

– Enhanced risk assessment process, which fully considers the business strategy, business drivers and initiatives

– Enhanced change management processes across the company

– Entity-level controls are leveraged

Risk Management as a Competency

– Embedded in the organization, its management processes and functions

– SOX compliance seen as an evolving process, not a project

– Achieved through a framework of activities to improve the management of an organization’s constantly evolving risk profile

10

Controls Rationalization

Rationalization: Removing controls that are not significant or are unnecessarily redundant

Optimization: Selecting controls that are more efficient to test than other controls which mitigate the same risk (e.g., automated vs. manual controls), leveraging strong entity-level controls to reduce the need to rely solely on transaction-level controls

Improvement: Modifying, re-designing or re-engineering a process and underlying control structure to drive operational efficiency and effectiveness

Objective: To create value and promote efficiency

11

Top Down Risk-Based Approach

Financial Statement Risk Assessment

Company-Level Controls

High Risk Accounts, Processes, and Locations

Pervasive Coverage

Materiality

All OtherAccounts and Locations

-Top-down approach begins by identifying, understanding, and evaluating the design of company-level (entity level) controls. Entity-level controls include:

-Controls within the control environment, such as tone at the top, organizational structure, commitment to competence, human resources policies and procedures;

-Management’s risk assessment process;

-Control to monitor other controls; and

-The period-end financial reporting process.

PCAOB – FAQ 38

12

In Closing

Benefits of SOX (beyond compliance)

– Capital attraction

– Improved processes and controls

– Stakeholder confidence

– Enhanced governance and culture

– More engaged and informed audit committees and Board of Directors

– Enhanced Customer Service

Continuing Evolution of SOX

– New SEC Management Guidance and PCAOB Auditing Standards

– The ability to leverage SOX efforts for Enterprise Risk Management and increased rigor over non-financial processes

Q&A