ISACA Greater Kansas City Chapter Control Rationalization: Taking Action September 14, 2006

Agenda
• Introductions
• Getting to Know You
• Control Rationalization Overview
• General Computer Control (GCC) Challenges
• GCC Control Rationalization Overview
• Control Risk-Rating
• Control Design
• Risk-Based Testing
• Cost Analysis
• Working with your External Auditors
• Leveraging Company Level Controls & Automation
• Roadmap and Wrap-Up
Copyright © 2004 Deloitte Development LLC. All rights reserved.

Polling Question: What industry do you work in?
1. Financial Services
2. Manufacturing
3. Technology, Media, and Telecom
4. Entertainment
5. Consumer Business
6. Energy & Utilities
7. Transportation
8. Health Care & Life Sciences
9. Public Sector
10. Other

Polling Question: What is your position?
1. Internal Audit / IT Audit
2. Finance & Accounting
3. Information Technology
4. Sarbanes-Oxley Group
5. Other

Polling Question: Does your organization comply with Sarbanes-Oxley or perform testing of controls?
1. Yes
2. No
3. Don’t Know / No Answer

Polling Question: Do you feel your organization has too many key controls (business process and/or IT) that are tested?
1. Yes
2. No
3. Don’t Know / No Answer

Polling Question: Do you feel that you spend too much of your time focusing on non-critical controls?
1. Yes
2. No
3. Don’t Know / No Answer

Polling Question: Who is driving interest in control rationalization in your organization?
1. Internal Audit / IT Audit
2. Audit Committee / Executive Management
3. External Auditor
4. Sarbanes-Oxley Group
5. Business Units / IT
6. All of the above
7. None of the above
8. I’m just here for the CPE and lunch

Control Rationalization - Overview
Each topic is listed with the activities planned for it and the intended outcomes.
• Control Rationalization Overview
  – Activities: define updated approach; discuss impact to company
  – Outcomes: understand Control Rationalization concepts; how to apply to company
• Control Risk-Rating
  – Activities: discuss approach; risk-rate control objectives
  – Outcomes: examples of applying risk-rating; process to apply
• Risk-Based Testing
  – Activities: define approach; discuss process and impact to company; determine impact on risk-rated controls
  – Outcomes: impact on test approach based on risk-rating; examples of applying to company controls
• Cost Analysis
  – Activities: define cost analysis approach; review modeling of cost savings
  – Outcomes: modeling approach to cost savings
• Company Level Controls
  – Activities: define CLCs and BMCs and process-focused controls; identify CLCs that are relevant to company
  – Outcomes: how to identify and use CLCs
• Control Automation
  – Activities: discuss short and long term impact
  – Outcomes: understand benefits of leveraging automation
• Roadmap
  – Activities: define roadmap approach; discuss next steps; wrap up
  – Outcomes: next steps to apply Control Rationalization to company’s control program

Control Rationalization Overview

What is Control Rationalization?
Control Rationalization is a top-down, risk-based approach to implement a lean and balanced control program.
[Figure: the mix of Strategic Controls and Routine / Transactional Controls before and after rationalization]

Recent Regulatory Guidance
PCAOB Top-Down Approach, with the Control Rationalization response to each step:
1. Identify and evaluate design of company-level controls. Response: pinpoint Company Level Controls that effectively mitigate location/account risks.
2. Identify significant accounts and disclosures. Response: consider qualitative risk factors (e.g., susceptibility of loss due to errors or fraud), not just quantitative significance.
3. Identify relevant assertions for each significant account. Response: direct level of effort based on risks related to relevant assertions.
4. Link significant accounts to significant processes and major classes of transactions. Response: risk-rate major classes of transactions to appropriately focus efforts.
5. Identify the points at which errors or fraud could occur in the process. Response: confirm that relevant financial reporting risks (including fraud and GCCs) are identified, and risk-rate control objectives.
6. Identify controls to test that prevent or detect errors or fraud on a timely basis. Response: rationalize controls and develop appropriate test plans.
7. Clearly link individual controls with the significant accounts and assertions to which they relate. Response: verify that design of ICFR addresses relevant risks.

Company-Level Controls (“CLCs”)
What are Company-Level Controls (CLCs)?
Controls that have a pervasive impact on financial reporting either because they 1) are a component of the organization’s overall governance practices; or 2) address specific control objectives/risks within the organization’s business processes.
Why do we care about CLCs?
– Pervasive impact on transactional processing
– Critical to operational performance
– Often performed by senior management and/or specialized staff (i.e. the Accounting department)
– More efficient to test
  • Lower frequency of operation
  • Often centralized
Why can’t we rely on CLCs, and eliminate all the other controls?
– Detective in nature
– Almost always manual
– PCAOB expressly prohibits auditors from relying on CLCs (AS 2, paragraph 54)

General Computer Control (GCC) Challenges

Polling Question: How would you describe the relationship and correlation of business process and IT controls in your organization?
1. Not integrated / operating in silos
2. Somewhat integrated
3. Highly integrated
4. Don’t Know / No Answer

Under Pressure: General Computer Control Challenges
• Chief Information Officers, IT Compliance Directors and IT Audit Directors often find that IT-related Sarbanes-Oxley costs exceed expectations
• Unfortunately, despite continued good faith efforts in Year 2, early evidence from 2005 proxy statements suggests that companies continue to identify weaknesses in controls related to IT
  – In effect, many efforts are not working to build a sustainable compliance program regarding general computer controls
• And yet, there’s a continued focus on containing IT costs associated with Sarbanes-Oxley
Companies seeking to manage costs without jeopardizing compliance should evaluate Control Rationalization as the likely first step.

Under Pressure: What’s the problem with general computer controls?
The following factors appear to remain at play at some companies:
• Companies are not linking the IT risk assessment to a top-down business risk assessment, resulting in over-scoping of IT assets (i.e., applications, databases, etc.)
• Companies are treating all general computer controls equally, even though the inherent risk of IT processes, transactions, controls, and technologies may vary
• Companies are not applying IT control frameworks in a manner that leverages IT-related company level controls
• Companies are still applying a short-term mindset versus a long-term strategy to address flaws in control design, and to drive continuous improvement
• Where cost savings were realized in Year 2, companies are failing to reinvest some of those savings in higher risk areas

Challenges and Opportunities
Solution: Companies should adopt a risk-based control rationalization approach to address current and future compliance challenges.
Definition - Control Rationalization: Control rationalization is the continuous process of designing the most effective and efficient controls to address financial reporting risks.
Guiding Principles
• Management should have an informed understanding of the organization’s financial reporting risks in order to drive control rationalization efforts.
• Management should explicitly apply a top-down, risk-based scoping approach as a foundational first step toward control rationalization.
• Control rationalization is a multi-year, continuous effort, which should be integrated into the company’s operations.
• Control rationalization can result in immediate benefits; however, more significant cost savings can be achieved by adopting a long-term strategic approach to sustained compliance.

Key Principles: Rationalizing General Computer Controls
• Although a direct linkage to a company’s overall risk assessment in many cases may not be possible, risk-rate GCC categories and control objectives in a manner that gives greater consideration to those areas or control objectives that more directly promote reliability and integrity of financial-related processing, and segregation of duties
• Apply a risk-rating approach towards GCC categories and control objectives to promote appropriate deployment of compliance efforts
• Where GCCs are considered reliable, place a higher reliance on IT-related company level controls (e.g., setting of consistent policy procedures for GCC areas, effective monitoring), particularly for lower risk areas
• Take advantage of opportunities to focus on removing secondary or redundant controls from testing if an effective higher-level control can be identified
• Consider testing GCC processes before performing detailed tests related to IT configurations for lower risk areas
• Be sure to prioritize controls addressing multiple risks

GCC Control Rationalization Overview

Apply Top-Down Risk-Based Scoping & Rationalize GCC Controls
General Computer Control Rationalization
1. Perform IT risk assessment (identify relevant applications, platforms): relevance to financial reporting objectives and risk-rating of associated major classes of transactions. Out of scope: remove non-relevant IT applications and platforms.
2. Evaluate GCC areas & confirm relevance and risk-rating of GCC control objectives. Out of scope: remove non-relevant control objectives.
3. Evaluate GCCs for effective and efficient testing*. Out of scope: remove unnecessary controls from testing scope.
4. Develop risk-based testing approach for GCCs (re-designed testing approach).
What remains in scope is the lean and balanced set of controls.
*Efficiency Evaluation Criteria
• Remove secondary or redundant controls
• Consider testing GCC processes before performing detailed tests related to IT configurations (e.g., test process for granting access before password settings)
• Prioritize controls addressing multiple risks

Control Risk-Rating

What is a Risk-Rating?
• A risk-rating process evaluates the risk of a material control weakness based on the magnitude and likelihood of misstatement (inherent risk)
• Risk-rating impacts:
  – Identification of significant accounts and processes
  – Nature, timing and extent of control testing
  – Reliance by external auditor on management’s work
• Sample risk-rating classification:
  – High
  – Medium
  – Low
  – Remote (typically scoped out of testing)
• Risk-rating is typically applied at the control activity or control objective level, although it can also be applied at the account, process and transaction levels

Rationalize controls and redesign test plans
Input from Phase 1: significant accounts, relevant assertions, major classes of transactions.
1. Identify and risk-rate Control Objectives (COs). Out-of-scope COs leave the process here.
2. Leverage process-specific CLCs; consider removing related PLCs from testing scope. Note: CLCs often do not have sufficient precision. If so, consider enhancing CLCs.
3. Identify PLCs that fully address multiple COs; consider removing redundant PLCs from testing scope. Note: in some cases two controls, which by themselves only partially meet the control objective, can in combination fully meet the objective.
   Identify PLCs that fully address single COs; consider removing ineffective PLCs from testing scope.
   Within these PLCs, prioritize automated controls; consider removing redundant manual PLCs based on risk-rating. Note: in high-risk areas, consider retaining redundant controls.
Output: the set of controls to be tested (PLCs, CLCs, automated, manual), followed by a re-designed testing approach (develop risk-based testing approach).
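The selection sequence above, written out as an added Python example (not code from the deck or from Deloitte): it scopes out Remote objectives, relies on precise process-specific CLCs, prefers PLCs that cover several objectives and automated over manual, drops ineffective and redundant PLCs, and retains redundancy only where a High-rated objective is involved; it then rolls up testing hours per risk category the way the deck’s cost-analysis model does. The control inventory, field names, ids and hour rates are constructed for the example and are hypothetical.

```python
from dataclasses import dataclass

# Hypothetical control inventory record; field names are this example's, not the deck's.
@dataclass(frozen=True)
class Control:
    cid: str
    kind: str                 # "CLC" (company-level) or "PLC" (process-level)
    objectives: frozenset     # control objectives (COs) the control fully addresses
    automated: bool = False
    effective: bool = True    # known design/operating effectiveness
    precise: bool = True      # CLCs only: precise enough to rely on for a CO

RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Remote": 0}

def highest_risk(control, co_risk):
    """Risk category that drives how a control is tested: its highest-rated CO."""
    return max((co_risk[co] for co in control.objectives if co in co_risk),
               key=RISK_ORDER.get, default="Remote")

def rationalize(controls, co_risk):
    """Return (to_test, removed); removed maps control id -> reason it left scope.

    Decision order follows the slide: scope out COs rated Remote, lean on
    precise process-specific CLCs, then take PLCs covering the most COs first
    (automated before manual), dropping ineffective and redundant PLCs, except
    that redundancy is retained where a CO the control addresses is rated High."""
    in_scope = {co for co, rating in co_risk.items() if rating != "Remote"}
    to_test, removed, covered = [], {}, set()

    for c in controls:                      # step 2: process-specific CLCs
        if c.kind != "CLC":
            continue
        cos = c.objectives & in_scope
        if not cos:
            removed[c.cid] = "addresses only scoped-out (Remote) objectives"
            continue
        to_test.append(c)
        if c.precise:                       # imprecise CLCs are tested but not
            covered |= cos                  # relied on (slide note: enhance them)

    plcs = sorted((c for c in controls if c.kind == "PLC"),
                  key=lambda c: (-len(c.objectives & in_scope), not c.automated, c.cid))
    for c in plcs:                          # step 3: process-level controls
        cos = c.objectives & in_scope
        if not cos:
            removed[c.cid] = "addresses only scoped-out (Remote) objectives"
        elif not c.effective:
            removed[c.cid] = "ineffective: remediate rather than test"
        elif cos - covered:                 # covers a CO nothing selected so far covers
            to_test.append(c)
            covered |= cos
        elif any(co_risk[co] == "High" for co in cos):
            to_test.append(c)               # high-risk area: keep the redundant control
        else:
            removed[c.cid] = "redundant: objectives already covered by a tested control"
    return to_test, removed

def estimate_hours(controls, co_risk, avg_hours):
    """Roll up testing effort by risk category (the deck's cost-analysis model)."""
    by_category, total = {}, 0
    for c in controls:
        cat = highest_risk(c, co_risk)
        by_category[cat] = by_category.get(cat, 0) + 1
        total += avg_hours[cat]
    return total, by_category

# Constructed sample inventory: change-management and access COs, in the spirit of the GCC slides.
CO_RISK = {"CO1": "High", "CO2": "Medium", "CO3": "Low", "CO4": "Remote"}
CONTROLS = [
    Control("CL01", "CLC", frozenset({"CO1"}), precise=False),   # SDLC policy, too broad
    Control("CL03", "CLC", frozenset({"CO2"})),                  # quarterly access review
    Control("PL01", "PLC", frozenset({"CO1"})),                  # manual change approval
    Control("PL02", "PLC", frozenset({"CO1"}), automated=True),  # tool-enforced release gate
    Control("PL03", "PLC", frozenset({"CO2"})),                  # ticketed access approval
    Control("PL04", "PLC", frozenset({"CO3"}), automated=True),  # scheduler failure alerts
    Control("PL05", "PLC", frozenset({"CO3"})),                  # manual batch log review
    Control("PL06", "PLC", frozenset({"CO4"})),                  # Remote-rated CO only
    Control("PL07", "PLC", frozenset({"CO2", "CO3"}), effective=False),
]
AVG_HOURS = {"High": 10, "Medium": 6, "Low": 3, "Remote": 0}     # constructed rates
FLAT_HOURS = dict.fromkeys(AVG_HOURS, 9.5)                       # "test everything" baseline

if __name__ == "__main__":
    to_test, removed = rationalize(CONTROLS, CO_RISK)
    before, _ = estimate_hours(CONTROLS, CO_RISK, FLAT_HOURS)
    after, by_cat = estimate_hours(to_test, CO_RISK, AVG_HOURS)
    print("test:", [c.cid for c in to_test], by_cat)
    for cid, why in removed.items():
        print(f"drop {cid}: {why}")
    print(f"hours {before:.1f} -> {after:.1f} ({1 - after / before:.0%} saved)")
```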

Risk Based Approach for GCCs: Risk rate GCC areas
The illustration below depicts a sample company’s IT risk prioritization for general computer control categories. COSO defines general computer controls as, “Policies and procedures that help ensure the continued, proper operation of computer information systems… They include controls over data center operations, system software acquisition and maintenance, access security, and application system development and maintenance.”
Illustrative purposes only. For each General Computer Control Category: risk evaluation considerations (examples of qualitative factors), risk ranking, and example procedures.
• Application System Development & Maintenance: high volume of changes; application dependencies. Risk ranking H. Test all three levels.
• Information Security: high employee turnover; complex architecture and processes. Risk ranking H. Test all three levels.
• Information Systems Operations: mature monitoring; automated tools. Risk ranking M. Test predominantly IT company level and process level controls.
• Systems Software Support: homogenous environment; automated tools. Risk ranking L. Test predominantly IT company level controls.
NOTE: This illustrates a simplistic risk assessment for IT; consideration should be given to additional qualitative factors relevant to a company’s environment. Also, only selected GCC areas have been included in the example.

Risk Based Approach for GCCs: Rationalize controls
After risk-rating general computer control objectives, specific control activities can be analyzed to further rationalize the testing approach.
Control Objective #1 – Controls provide reasonable assurance that application changes are appropriately implemented and function consistent with management’s intentions.
• CL01 – The company uses a formalized system development methodology to guide all aspects of application development. (COBIT PO 11.5)
• CL02 – An IT Steering Committee reviews and approves all major changes to the information systems environment. (COBIT PO 4.1)
• CL03 – A project management and quality assurance office tracks and monitors all activity associated with significant changes to applications and infrastructure. (COBIT PO 11.4)
• CL04 – The IT organization structure provides for appropriate segregation of duties. (COBIT PO 4.10)
• PL01 – Information requirements for changes to applications are reviewed and approved by management. (COBIT AI 1.1)
• PL02 – A risk analysis is performed that considers the impact of planned changes on financial reporting processes. (COBIT AI 1.8)
For this example, the three controls shown in bold on the original slide will be assessed, which represents a 50% reduction in testing. The rationale given for the controls left out of testing:
– The organization’s SDLC has not changed in the fiscal year; accordingly, this control will not be evaluated.
– These two controls are redundant in nature; accordingly, only one control will be evaluated.
– This control activity is redundant in nature since test results are approved by users at a point later in the SDLC process; accordingly, this control will not be evaluated.

Risk rate control objectives for applicable assertions
Why risk rate Control Objectives (COs)?
• Provides foundation for risk based test plan and control rationalization efforts
• Assists in prioritizing remediation efforts, and making the concluding process more efficient
• Assists in confirming the risk rating of the major classes of transactions and subsequent work planning efforts
Extending the risk assessment to the control objectives provides the foundation for varying the nature, timing and extent of control testing.
[Figure: Control Objective Assessment Grid, plotting numbered control objectives by Magnitude of Potential Error (Low to High) against Likelihood of Potential Error (Low to High)]
The approach
a) Understand the flow of transactions. Identify the points within the process where risks of financial misstatement could occur
b) List control objectives based on the relevant assertions identified in Phase 1 step 3
c) Risk rate (using magnitude and likelihood of potential error) the individual control objectives within the major classes of transactions (MCOT). COs related to low risk rated MCOTs can be classified as low. COs related to high risk MCOTs are more likely to be rated high. However, MCOTs with a high risk rating may have individual COs that are risk rated M or L.

Example Risk-Ranked Heat Map
[Figure: example heat map of risk-ranked control objectives]

Exercise: Risk-rate the control risks below
Financial Reporting: General Computer Controls
Control: Access to test and production environments is appropriately restricted and segregated.
For each risk factor (inherent risk), assign a rating and record the rationale (example):
• Susceptibility of loss or misstatement due to fraud
• Account and reporting complexities
• Subjectivity of account affected by process
• Frequency of transactions processed through the account or process
• Volatility of transactions (unpredictability, instability)
• Nature of the process (automated vs. manual)
• Changes from the prior period in process or supporting technology characteristics
• Final Rating

Control Design

Polling Question: How many controls (business process and IT) does your organization have in place that are considered for testing?
1. Over 1,000
2. 750 – 999
3. 500 – 749
4. 250 – 499
5. Under 249
6. Don’t Know / No Answer

Polling Question: Do you feel your organization has duplicative, or non-unique, controls?
1. Yes
2. No
3. Don’t Know / No Answer

Standardizing Control Design – Best Practices
• Develop a standard set of risks to evaluate across LOBs
  – Align to assertions
• Tailor standard risk set to the LOB
  – Include specific risks and omit irrelevant risks
  – Include rationale for additions and omissions
• Develop model control activities to link to each standard risk
  – Provides a consistent starting point for control documentation
  – Generic in nature; must be tailored to the LOB
• Document control points in high-level process flows
  – Identify areas where controls should be strengthened
  – Improves method for selecting key controls

Risk-Based Testing

Implementing a risk-based test plan
Once management has designed appropriate controls to address financial reporting risks, it has the additional opportunity to reduce costs by designing risk-based test plans. Risk-based test plans vary the nature, extent and timing of testing based on risk.
Management’s testing approach (example), by classification of risk:
• High
  – Nature: testing of both PLCs and process-specific CLCs
  – Evidence: re-performance; extensive inquiry; expanded scope of testing
  – Timing: test closer to year-end with roll-forward testing (as necessary)
  – Extent: greater number of sample selections
  – Performed by: competent and objective resources (e.g., internal audit) with focused oversight (deploy best resources to riskier areas)
  – Auditor impact: may place limited or no reliance on management’s testing
• Medium
  – Nature: increased testing of process-specific CLCs and reduced testing of PLCs
  – Evidence: inquiry with documentation; some re-performance
  – Timing: any time with basic roll-forward testing; consider benchmarking application controls
  – Extent: medium number of sample selections
  – Auditor impact: may rely on a certain amount of management’s testing (if objective & competent)
• Low
  – Nature: primary focus on testing CLCs; minimized testing of PLCs
  – Evidence: inquiry with observation
  – Timing: any time; minimize roll-forward testing; consider benchmarking application controls
  – Extent: minimum number of sample selections
  – Performed by: competent and objective resources (e.g., self-assessment) with high-level oversight
  – Auditor impact: may place significant reliance on management’s testing (if objective & competent)

Cost Analysis

Testing: Cost Analysis*
Based on any potential changes to testing effort based on risk-ratings, an organization can assess the impact on management’s testing resources. A standard framework can be used to measure resource requirements for the risk-based testing program, and provide comparisons to current testing costs.
*Note: the example below is included solely for illustrative purposes and does not imply in any way that these or any other savings are likely or possible. The framework relates only to management’s testing, not auditor testing.
Risk-Based Approach, by risk-rating category (number of control activities / avg hrs per control / total time spent):
• High: 800 / 10 hrs / 8,000 hrs
• Medium: 500 / 6 hrs / 3,000 hrs
• Low: 400 / 3 hrs / 1,200 hrs
• Total: 1,700 / 7 hrs / 12,200 hrs
Original Approach: 9.5 hrs per control / 15,300 hrs
Impact (Savings): (20%)

Working with your External Auditors

Working with your External Auditors
Develop rapport with external auditors on concepts that lead to more efficient and effective compliance. Concepts include:
• Role that likelihood of errors and error magnitude should play in scoping decisions for SOX framework testing.
• Scoping of compliance testing should be risk-based.

External Auditor’s CR Considerations
• Auditor’s use of management’s work
  – Depends on nature of control
  – Depends on objectivity and competence of the person who tested it
• Focus on risk associated with a particular control or area
• Overriding consideration is obtaining principal evidence
• Self assessment “trade-off”: auditor may need to do more testing to gain assurance

Leveraging CLCs & Automation

How Can CLCs Be Applied to CR?
Certain CLCs, termed process-specific CLCs, may be leveraged to further rationalize the control framework.
What are Company Level Controls (CLCs)?
The PCAOB describes company-level controls as those that are associated with the control environment, centralized processing, period end financial reporting, monitoring results of operations, etc. As such, they may reside at the entity level and at the process level.
In the Control Rationalization approach, CLCs that are effective in achieving process-level control objectives are referred to as process-specific CLCs.
To be effective in addressing process-level control objectives, process-specific CLCs possess the following characteristics:
• Relevance: addresses process level risk
• Frequency: operates with enough regularity to enable timely detection of errors or fraud
• Precision: operates at a sufficiently precise level of detail to adequately address risk of misstatement (e.g., precise enough to detect at least “greater than inconsequential” errors in financial reporting. A detective control designed to detect a “material misstatement” is not precise enough to reduce the likelihood of material misstatement to remote)
Note: Effectiveness of system-dependent CLCs relies on an underlying set of strong general computer controls (GCCs) and application controls.

Leveraging CLCs
Identify the Process Level Control Activities that are adequately covered by the CLCs. Assuming that the CLCs satisfy the criteria of precision, specificity, frequency, etc., they can be used to reduce the extent of reliance placed on related PLCs. The CLCs that address control objectives with a high degree of precision can be used to reduce or eliminate related PLCs from the scope of management’s internal control assessment.
Company level controls (Perform Business Performance Review)
1. EL01 – Actual orders are compared to a predictive model by, for example, seasonality, product line, customer, and region (RE 826).
2. EL02 – Sales are compared to forecast and for pricing against orders by, for example, seasonality, product line, customer, and region (RE 826).
3. EL03 – Activity, including sell-through and returns, are tracked by customer (by retail outlet) and flagged if outside expected ranges (RE 509/612).
4. EL04 – A review of the aging analysis of all customer accounts (and by segmentation) is performed (RE 614).
Possible process level controls covered by CLCs
1. PL03 – Invoices are approved based on comparison to priced order and shipping source documents (RE 834).
2. PL05 – Customers enter and/or cancel orders automatically using EDI protocols (RE 807).
3. PL12 – Signed delivery notes are received for all shipments made. The sequence of signed delivery notes is accounted for (IM 201).
4. PL16 – Order cancellation data is matched to the original order (RE 825)(RE 801).
5. PL18 – List prices of composed products are automatically calculated based on the list prices of components of such products (IM 256).
6. PL20 – Invoice and credit note data is edited and validated; identified errors are corrected promptly (RE 202).

How Can Automation be Applied to CR?
Companies should consider enabling functionality in existing IT applications and/or implementing new technology to minimize reliance on people-based controls (requires a strong general computer controls foundation).
Impact on control testing
• More reliable
• Can potentially decrease cost of testing:
  – Extent: much less extensive; typically requires a lesser number of sample items (because likelihood of an exception is low)
  – Timing: ‘benchmark’ certain application controls so that testing frequency can be reduced (e.g. every 3rd year)
  – Nature: more efficient to conduct testing
• Lower cost to perform the control (compared to manual)
Areas to consider for adding new technology
• Manage segregation of duties conflicts
• User access provisioning
• Transaction-level controls monitoring
• System change management
• Fraud detection programs
• Automation of controls

Roadmap

Example Roadmap
Phases: Control Rationalization Workshop; CR Pilot; Top-Down Scoping; Control Rationalization (Line of Business/Cycle 1, Line of Business/Cycle 2).
CR Pilot
• Pilot effort for a single business area
• Benchmarking of key controls, recommendations to streamline
• Perform management testing to validate operating effectiveness
Top-Down Scoping
• Top-down scoping across divisions, geographies, offices, etc.
• Prioritize major areas for rationalization based on risk and savings opportunities

Wrap-Up
• What we covered today:
  – Control Rationalization concepts
  – Applying a risk-based approach
  – Risk-based testing
  – Leveraging CLCs and automation
  – Cost analysis model
  – High-level roadmap
• Closing Remarks

Presenters
Rex Johnson, CISA, PMP, Senior Manager, Deloitte & Touche LLP, Audit & Enterprise Risk Services, 816.802.7733, rejohnson@deloitte.com
Devin Amato, CISA, CIA, Manager, Deloitte & Touche LLP, Audit & Enterprise Risk Services, 816.802.7255, damato@deloitte.com

About Deloitte
Deloitte, one of the nation’s leading professional services firms, provides audit, tax, consulting, and financial advisory services through nearly 30,000 people in more than 80 U.S. cities. Known as an employer of choice for innovative human resources programs, the firm is dedicated to helping its clients and its people excel. “Deloitte” refers to the associated partnerships of Deloitte & Touche USA LLP (Deloitte & Touche LLP and Deloitte Consulting LLP) and subsidiaries. Deloitte is the U.S. member firm of Deloitte Touche Tohmatsu. For more information, please visit Deloitte’s Web site at www.deloitte.com/us.
Deloitte Touche Tohmatsu is an organization of member firms devoted to excellence in providing professional services and advice. We are focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, our member firms, including their affiliates, deliver services in four professional areas: audit, tax, consulting, and financial advisory services. Our member firms serve more than one-half of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies.
Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such, neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte,” “Deloitte & Touche,” “Deloitte Touche Tohmatsu,” or other, related names. The services described herein are provided by the member firms and not by the Deloitte Touche Tohmatsu Verein. For regulatory and other reasons, certain member firms do not provide services in all four professional areas listed above.