Sarbanes Section 404 Readiness Building a Sustainable Internal

Sarbanes Section 404 Readiness Building a Sustainable Internal Control Assessment Process

Methodology Plan the Project Assess Your Make Key Control Scope Environment Decisions Perform Build a Initial Controls and Ongoing Repository Tests 1. Plan the Project 2. Assess Your Control Environment 3. 4. Make Key Scope Decisions Build a Controls Repository 5. 6. Perform Initial and Ongoing Tests Monitor

Planning - Start with the End in Mind Consider a process that will support both Section 302 and 404 certifications Key Activities: • Perform an informal assessment of your current state – Decentralized vs. centralized operations – Existing control conditions – Support from the top? • Form a Steering Committee • Gain Audit Committee/Board support Questions to Consider: • What are the education and training needs of your company? • Will a self-assessment process be successful in your environment? • What technology will support your recurring internal control assessments?

Key Scoping Decisions • Project Approach: – – – SWAT Team or Delegated Responsibility? Resources, Internal and/or External Phased approach or simultaneous coverage? Define Deliverables Cost and Timetable • Prioritize Activities: – Defining “Materiality” or “key business processes” – Assess current stage of control reliability – Identify and inventory relevant risks

Defining Critical Business Processes Business Process Material financial statement line item or large $ spend Yes No Critical to achievement of major goals and objectives of the business Yes Key Business Process ! No Process not selected for review Relates specifically to compliance or disclosure under GAAP, SEC, or laws Yes No No Critical to achievement of financial control assertions Yes

Build Controls Repository • Define key control objectives • Map existing control activities against control objectives • Conclude – Is control objective satisfied? • Flowcharts, process maps or process descriptions – tying the pieces together

Controls Repository • Work may be required at the individual business process or sub-process level • Control objectives identification is a Critical step for auditor buy-in • Control activities – integrating both manual and automated/application controls in documentation exercise

Agenda 1: 00 - 1: 10 Introduction & Overview of Annual Certification of Controls - Dave Richards 1: 10 - 1: 17 Methodology - Sheryl Hildebrand 1: 17 - 1: 24 Testing the Controls - Gary Mc. Guire 1: 24 - 1: 30 FDIC Certification Experience - Brian Szabo 1: 30 - 1: 45 External Auditor Attestation - Gary Stauffer 1: 45 - 1: 50 Break 1: 50 - 2: 25 Questions & Answers - Panel 2: 25 - 2: 30 Concluding Remarks - Dave Richards