The Sarbanes-Oxley Act of 2002: Essential Provisions Impacting Board of Directors, Audit Committees and Management

Welcome from FEI Phil Livingston President Financial Executives International

Welcome from Grant Thornton Ed Nusbaum Chief Executive Officer Grant Thornton

Welcome to today's program Mike Starr Managing Partner, Assurance and Advisory Services

Group check What is your role in your company? board of director member executive leadership (CEO, president, CFO) audit committee member management other

Today's agenda Overview of the Act Refresher on board of director and audit committee issues Possible actions for board of directors and audit committees Refresher on management issues Possible actions for management CEO and CFO certifications Questions and wrap up

Karin French Bill Graham Today's presenters Karin French Partner, National Director of SEC Relations Bill Graham Partner, National Director of Practice Review

Overview of Sarbanes-Oxley Act of 2002 the Sarbanes-Oxley Act of 2002 (the “Act”) signed into law on July 30th 2002 some provisions effective July 30th 2002; others await SEC rule making law includes sweeping legislation on corporate and accounting reform, improved financial disclosure and enhanced penalties for securities fraud response to recent corporate scandals involving Enron, WorldCom and others

Overview of Sarbanes-Oxley Act of 2002 Provides clarity and certainty on a number of highly debated issues by: establishing new responsibilities for the board of directors, audit committees and management establishing several new public-company reporting requirements establishing the Public Company Accounting Oversight Board (the "Oversight Board"), an independent, full-time board for capital market participants oversight by the SEC

Overview of Sarbanes-Oxley Act of 2002 Provides clarity and certainty on a number of highly debated issues by (Cont.): defining “non-audit” services public accounting firms may not provide to clients strengthening penalties for corporate fraud requiring rules to address analyst conflicts of interest significantly increasing the responsibilities and budget of the SEC Act is subject to interpretation by the rule-making processes of the SEC and the Oversight Board issues by (cont.):

Today's agenda Overview of the Act Refresher on board of director and audit committee issues Possible actions for board of directors and audit committees Refresher on management issues Possible actions for management CEO and CFO certifications Questions and wrap up

Impact on the Board of Directors and Management an Audit Committee of independent Board members is necessary as a condition of listing securities on national exchanges (§301) if the issuer does not have an Audit Committee, the entire Board is deemed the Audit Committee Act prohibits directors (and executive officers) securities transactions during any "pension fund blackout period" (§306)

Impact on the Board of Directors and Management directors (and executive officers) are not permitted to enter into or renew loans from the issuer or through any subsidiary (§402) Act prohibits a director (or executive officer) from taking any action to fraudulently influence, coerce, manipulate or mislead the Auditor "for the purpose of rendering such financial statements materially misleading" (§303) Act provides for enhanced protection against corporate “whistleblowers” ( 806)

Impact on the Board of Directors and Management A director (or executive officer) may: be prohibited from acting as a director (officer) if the SEC deems the individual "demonstrates unfitness" (§305 and §1105) be required to repay bonuses, incentive and/or equity-based compensation, or profits from the sale of company stock during the 12-month period following the issuance of a non-compliant filing (§304) need to report certain director's and officer's securities transactions within two business days (§403)

Impact on the Board of Directors and Management federal courts authorized to grant any equitable relief to investors as a result of action brought by the SEC for violating the securities laws (§305) it is illegal for the Auditor to perform any audit service if the CEO, CFO, Chief Accounting Officer, Controller or any person in an equivalent position has been employed by the issuer's Auditor and participated in the audit of that issuer during the 1-year period preceding the audit (§206)

Impact on Audit Committees Audit Committee must be comprised of "independent" Board members (§301) "independent" means the member has not accepted any consulting, advisory, or other compensatory fee from the issuer or is an affiliated person of the issuer or any subsidiary thereof

Impact on Audit Committees Audit Committee must be comprised of "independent" Board members (§301) (cont.) issuer must disclose whether at least one member is a "financial expert" and if not, why not (§407) SEC proposed rules on October 22, 2002 defines “financial expert” requires disclosure of number and name of directors deemed financial experts and whether “independent” disclosures required in annual reports

Impact on Audit Committees is directly responsible for the appointment, compensation and oversight of the Auditor including resolution of disagreements the Auditor reports directly to the Audit Committee is directly responsible for pre-approving all audit and permitted non-audit services (unless the non-audit service is de minimus) may engage outside counsel or other advisors

Impact Audit Committees Audit Committee (§301) (cont.) determines the appropriate level of funding of the Auditor and other advisors must establish procedures for the receipt, retention and treatment of complaints about accounting, internal control this includes a process for handling anonymous and confidential submissions by issuer employees

Possible Board of Director actions exercise mandate to define and maintain director independence conduct periodic self-evaluations of Board performance position the Audit Committee to succeed with qualified independent directors (considering exchange listing requirements and SEC proposed rules)

Possible Board of Director actions implement meaningful compliance program take a more conservative approach to accounting and reporting establish or increase focus on internal audit function improve accounting management

Possible Board of Director actions increase effectiveness of the independent audit audit committees should be asking probing questions increased CFO and audit committee communications between meetings increase independence of CFO function establish protocol for approval of audit, audit related, and permitted non-audit services

Possible Board of Director actions establish expectations with management with respect to their internal control attestation and supporting internal monitoring and documentation establish policies and infrastructure to support receipt, retention, and response to complaints about accounting, internal control, and auditing matters assess the need for the Board/Audit Committee to engage advisors

Possible Board of Director actions reassess compensation and other relationships with board members generally reassess meetings schedule in light of new responsibilities for the external audit and other relationships with the audit firm and the need to address new management certifications and assertions evaluate existing non-audit engagements and consider with management the options for prohibited services

Possible Board of Director actions evaluate options with respect to loans outstanding to Directors and Officers establish/evaluate a code of ethics for executive officers and senior financial officers SEC proposed rules on October 22, 2002 disclosures required in annual report code to be filed as an exhibit changes or waivers reported promptly in Form 8-K or on internet website

Group check How comfortable are are you with the Board of Directors taking appropriate actions? Very comfortable: already implemented several actions Comfortable: starting to implement actions Some what comfortable: begun to evaluate actions Not comfortable: have not considered any actions

Today's agenda Overview of the Act Refresher on board of director and audit committee issues Possible actions for board of directors and audit committees Refresher on management issues Possible actions for management CEO and CFO certifications Questions and wrap up

Management responsibilities Act provides for two new executive officer certifications first pursuant to SEC rules (to be enacted) under Sections 13a and 15d of the Securities Exchange Act of 1934 (the "Section 302" certification) second pursuant to an amendment of the United States Code according to the "White-Collar Crime Penalty Enhancement Act of 2002" (the "Section 906" certification)

Management responsibilities Internal Control Report - section 404 each annual report must include an internal control report containing management’s assessment of the effectiveness of the internal control structure and procedures for financial reporting of the company. The Auditor must attest to, and report on, the assessment made by management in the report SEC proposed implementation rules on October 22, 2002

Management responsibilities: Under section 302… CEO and CFO are required to prepare a statement for each annual and quarterly report certifying that the signing officer has reviewed the report based on their knowledge, the report does not contain any untrue statement of material fact or omit a material fact based on their knowledge, the financial statements and related financial information in the report fairly present, in all material respects, the financial position, results of operations and cash flows of the issuer for all periods presented

Management responsibilities: Under section 302… signing officers are responsible for establishing and maintaining “disclosure controls and procedures” designed disclosure controls and procedures to ensure that material information about the issuer and its consolidated subsidiaries is known by officers of the issuer and its subsidiaries during preparation of financial information have evaluated internal control operating effectiveness within 90 days prior to the report have presented their conclusions about the effectiveness of the disclosure controls and procedures

Management responsibilities: Under section 302… signing officers must disclose to the Auditor and the Audit Committee any fraud, whether material or not, involving management or other employees who have a significant role in the internal control structure all deficiencies in the design or operation of internal controls that would adversely impact the issuers ability to record, process, summarize and report financial information signing officers must indicate in the filing whether there were any significant changes in internal controls including any corrective actions taken

Proposed Changes: Sections 302 and 404 proposed amendment to Item 307 of Regulation S-K would require not only an annual internal control report, but also quarterly disclosures requiring management to evaluate effectiveness of design and operation of the internal controls and procedures for financial reporting, as well as its disclosure controls and procedures to be made as of the end of the period covered by the report

Proposed Changes: Sections 302 and 404 What constitutes “Internal Controls and Procedures for Financial Reporting”? SEC has proposed to define the term consistent with the AICPA’s Codification of Statements on Auditing Standards (AU) Section 319 the proposed rule refers to the 1992 study conducted by COSO, which may be helpful for management in considering how to assess internal controls and procedures

Proposed Changes: Sections 302 and 404 Internal Controls and Procedures for Financial Reporting Vs. Disclosure Controls and Procedures the definition of internal controls and procedures is designed to ensure that the financial statements are prepared properly, while the disclosure controls and procedures are intended to ensure that the non-financial and other information in the reports is accurate, complete and timely disclosed SEC is proposing to change officer certifications by CEOs and CFOs to also cover internal controls and procedures for financial reporting

Management responsibilities: Under section 906… CEO and CFO required to certify that periodic report complies with the requirements of sections 13a and 15d of the Securities Exchange Act of 1934 (as revised by the Act) the information contained in the report fairly presents in all material respects, the financial condition and results of operations of the issuer penalties for willfully and knowingly violating these certifications are a fine of not more than $5,000,000 and/or up to 20 years in prison

Possible Management actions identify controls and procedures that management uses and relies upon to prepare SEC reports if the controls and procedures are not clearly documented, consider preparing more formal documentation of the systems, controls and processes consider the following in identifying existing controls or potential improvements in controls establish a disclosure committee adopt detailed procedures for closing the books, preparing the financial statements and footnotes, drafting reports, and concluding on accuracy and completeness

Possible Management actions consider the following (cont’d) utilize checklists for compliance with SEC disclosure requirements use of external professionals (legal counsel) to prepare or review SEC reports requiring internal certifications or representation letters from members of management consider engaging independent accountants to perform an evaluation of the design and operation of controls and to assist in formulating a remediation plan

Possible Management actions evaluate financial reporting: compliance with GAAP any need to record audit adjustments previously passed any need for additional disclosures about off-balance sheet transactions any need to revise/enhance disclosures of pro-forma information

Possible Management actions consider options and make recommendations to the Board of Directors/Audit Committee with respect to replacement of prohibited non-audit services currently provided by the external auditor loans outstanding to directors and officers policies and infrastructure to support receipt, retention, and response to complaints about accounting, internal control and auditing matters establish a process for timely reporting of director’s and officer’s securities transactions

Group check To what degree have you begun implementing management actions similar to those discussed? have not considered any actions begun to evaluate actions starting to implement actions implemented several actions

Today's agenda Overview of the Act Refresher on board of director and audit committee issues Possible actions for board of directors and audit committees Refresher on management issues Possible actions for management CEO and CFO certifications Questions and wrap up

CEO and CFO certifications What needs to be done? identify the controls and procedures beyond existing internal controls over financial reporting that ensure SEC reporting compliance consider scope and results of recent assessments of the design and operation of disclosure controls and procedures, including internal controls over financial reporting assess whether results of disclosure controls and procedures have been timely, accurate and complete

CEO and CFO certifications What needs to be done? assess whether financial statements and related disclosures are fairly presented determine whether there are any material deficiencies or material weaknesses in internal controls that should be reported to the audit committee know and understand existing GAAP and SEC disclosure requirements and make sure there is a process for communicating requirements to appropriate areas and individuals

CEO and CFO certifications What needs to be done? review existing procedures for closing the books and preparing the financial statements and footnotes, including flow of material information needed to prepare reports review company policy and procedures manuals consider “what could go wrong” in the preparation of the financial statements consider documenting the sources of, and controls over, non-financial information

CEO and CFO certifications What needs to be done? review draft of report to be filed review letters from auditors or recent internal audit reports relating to control deficiencies and determine if weaknesses have been corrected determine whether there have been recent significant changes in internal controls consider documenting process followed in preparing for certification

Questions and wrap up Contact information Dorsey Baskin dorsey.baskin@gt.com Gary Illiano gilliano@gt.com Sam Marcozzi smarcozzi@gt.com Doug Reynolds dreynolds@gt.com Mark Scoles mscoles@gt.com www.grantthornton.com

Thank you for attending today's program We're interested in your feedback, so please comment on the value of today's program. I found the program to be: 4) Very valuable: Helped shape my plans in response to S-O 3) Valuable: Good update, learned some new actions to take 2) Some what valuable: Food for thought 1) Not valuable: Did not learn any new information