Sarbanes Section 404 Readiness Building a Sustainable Internal Control Assessment Process

Methodology Plan the Project Make Key Scope Decisions Assess Your Control Environment Build a Controls Repository Perform Initial and Ongoing Tests Monitor Make Key Scope Decisions Plan the Project Assess Your Control Environment Make Key Scope Decisions Build a Controls Repository Perform Initial and Ongoing Tests Monitor Make key sope decisions consists of: Project planning, prioritize, map key components

Planning - Start with the End in Mind Consider a process that will support both Section 302 and 404 certifications Key Activities: Perform an informal assessment of your current state Decentralized vs. centralized operations Existing control conditions Support from the top? Form a Steering Committee Gain Audit Committee/Board support Questions to Consider: What are the education and training needs of your company? Will a self-assessment process be successful in your environment? What technology will support your recurring internal control assessments?

Key Scoping Decisions Project Approach: Prioritize Activities: SWAT Team or Delegated Responsibility? Resources, Internal and/or External Phased approach or simultaneous coverage? Define Deliverables Cost and Timetable Prioritize Activities: Defining “Materiality” or “key business processes” Assess current stage of control reliability Identify and inventory relevant risks

Defining Critical Business Processes Material financial statement line item or large $ spend Business Process Yes No Critical to achievement of major goals and objectives of the business Yes Key Business Process ! No Process not selected for review Relates specifically to compliance or disclosure under GAAP, SEC, or laws The focus of the Auditing Services project was the identification and documentation of existing control activities and gaps within the AWS baseline internal control structure. Baseline controls represent the bare minimum set of procedures required for an effective internal control system. The baseline control activities identified by this project should not be considered an all inclusive list of controls. Additional control activities may be warranted to improve the effectiveness and efficiency of a given business process. The methodology outlined below was applied to select the key business processes to be reviewed in this project. The same methodology was applied to identify baseline control activities and gaps within the key business processes. Yes No No Critical to achievement of financial control assertions Yes

Build Controls Repository Define key control objectives Map existing control activities against control objectives Conclude – Is control objective satisfied? Flowcharts, process maps or process descriptions – tying the pieces together Do flowcharts, process maps or process descriptions exist? Are they required?

Controls Repository Work may be required at the individual business process or sub-process level Control objectives identification is a Critical step for auditor buy-in Control activities – integrating both manual and automated/application controls in documentation exercise

Agenda 1:00 - 1:10 Introduction & Overview of Annual Certification of Controls - Dave Richards 1:10 - 1:17 Methodology - Sheryl Hildebrand 1:17 - 1:24 Testing the Controls - Gary McGuire 1:24 - 1:30 FDIC Certification Experience - Brian Szabo 1:30 - 1:45 External Auditor Attestation - Gary Stauffer 1:45 - 1:50 Break 1:50 - 2:25 Questions & Answers - Panel 2:25 - 2:30 Concluding Remarks - Dave Richards