The Sarbanes – Oxley Act What it Means to You November 2004 David Kaufman

2 Acquis Background Company Type: Private management consulting firm Founded in 1998; profitable since inception; headquarters in New York City Client Profile: Main focus on Global Fortune 1000; core industries served include Pharmaceutical, High-Tech, Financial Services, Travel, Government Examples of Collective Client Experience: Pfizer, Bank of Tokyo- Mitsubishi, Cadbury, National Semiconductor, Mitsubishi International, NYC Government, Interpublic Group, AstraZeneca Staff Background: 90% of consultants have worked on European and North American initiatives, primarily in the travel area

3 Quick Facts In 2003, corporations, conventions, and associations spent $44.7 Billion on meetings and conferences… Meetings & Conventions Magazine, 2004 Report …yet 68% of corporations have no standard process to control this cost American Express Global T&E Expense Management Study

4 What is Sarbanes-Oxley? Enacted in 2002 to increase corporate responsibility and accounting standards Requires CFO / CEO signoff on financial statements Companies must also attest to internal controls in place Congressional Act Named after Senator Paul Sarbanes and Congressman Michael Oxley Sen. Paul Sarbanes Rep. Michael Oxley

5 Sarbanes – Oxley: Also Known As We asked 100 people (including Paul Sarbanes and Michael Oxley) : What is Sarbanes – Oxley also known as?

6 SOX Applies to Which Companies? Publicly traded companies in the US Non-US public multinational companies engaging in business in the US Voluntary compliance for private firms but seen as “Best Practice”

7 Section 404 Compliance Dates Original 6/15/2004 New 11/15/2004 Original 4/15/2005 New 7/15/2005 Accelerated FilerA U.S. company with market capitalization over $75 million that has filed at least one annual report with the SEC Fiscal Year ending on or after: Compliance dates have been extended Accelerated FilersNon-Accelerated Filers

8 Key Elements of SOX Section RequirementFrequency 302 CFO / CEO certify completeness and accuracy of statements. Identify control weaknesses and changes to internal controls. Quarterly Annual 404 (a) Provide a report that demonstrates appropriate internal controls and control effectiveness. Annual 404 (b) Registered external auditors must attest to controls report. Annual 409 Rapid disclosure of changes in financial conditions or operations. Ad-Hoc 404 (a) Provide a report that demonstrates appropriate internal controls and control effectiveness. Annual 404 (b) Registered external auditors must attest to controls report. Annual

9 Three Key Controls Authorization - Controls to confirm the appropriate approvals of expenditures Safeguarding assets - Controls to prevent theft, fraud, waste, and abuse Financial reporting - Controls to ensure the appropriate reporting of expenses

10 Why is SOX Important to Planners? Affects almost every aspect of the meeting planning process RFP Site Selection Planning / organization Meeting objectives Executive approvals Budgets Locations RFPs / Site selection criteria Standard contracts / Negotiations Preferred suppliers Payment methods Marketing Announcements Registration strategy Travel arrangements Event management Miscellaneous Expenses Invoice payments Account reconciliation Financial reporting Attendee evaluation surveys ROI calculation On-site Activities Post Meeting

11 What Should Planners Look At? Interactions with travel agencies and event management suppliers Contracts, commitments, financial liabilities, and operational risks Current controls on manual processes Allocation of costs to the correct budgets Current use of technology Safety of attendees Extravagant meetings

12 What is Extravagant? Roman themed party where guests are greeted by chariots and gladiators Events held in a Sardinian resort where rooms start at $1200 a night Flying Jimmy Buffett and his band to an island at a cost of $250,000 A 7-day event including partying, jet skiing, sailing, golfing, and feasting for 75 guests Charging half the costs of the party to the company $2.1MM birthday party for the former Tyco CEO’s wife

13 Case Study One Can Susan make an exception and plan the event? Susan is planning the annual shareholders meeting Tyler, her cousin, manages sales for a major hotel Susan’s company has a strict event vendor selection policy and Tyler’s hotel is not a preferred vendor

14 General Approach Document end-to-end current processes Identify important, manual, and risk prone processes Evaluate existing controls Develop and execute strategy to remedy deficiencies Evaluate success and document risks

15 SOX Documentation Documentation of Processes Documentation of Controls Covers initiation, authorization, recording, processing, and reporting of transactions Identify process risks and demonstrate appropriate control activities and measures Process Flowcharts Policy Manuals Accounting Manuals Budget Guides Preventative / Detective Control Matrices If – Then Narratives Process Redesign Docs Are these current, complete, and readily available?

16 The COSO Framework Committee of Sponsoring Organization (COSO) has developed a framework for internal controls: Framework supported by the SEC and PCAOB Most popular framework in the United States Control Environment Control Activities Risk Assessment Monitoring Information & Communication

17 Types of Controls Less EffectiveMost Effective Complex / Multi-step Single control Post-event controls Data analytics Manual control Simple / Single-step Multiple controls Real-time controls Transaction monitoring Automated control What controls do you currently have in place?

18 The Use of Technology Enforce a consistent process for your meeting planning spend Automatically record a clear and comprehensive audit trail of all activities Provide evidence of compliance through built-in reports and notifications Increase planning and registration process efficiency

19 Technology Providers Meeting planning checklists Standardized RFPs Meetings-sourcing databases Attendee management Preferred supplier flags Company policy / best practices notification

20 Case Study Two Who is SOX compliant? Highly documented policy and process Extensive process controls on planning activities No formal preferred supplier policy Policies developed ad-hoc and not documented Robert Shelly Uses Excel spreadsheets to track meetings Manual RFP process Uses automated online RFP process Utilizes online resources to document planning steps

21 Opportunities Beyond SOX Building a true end-to-end process Integration with Travel programs Increased process efficiency with technology Improved vendor relationships Strategic sourcing opportunities

22 Review Survey We asked 100 auditors: What type of documentation in the meeting planning area will help ease your concerns?

23 David Kaufman Partner Acquis Consulting Group 299 Broadway, 12 th Floor New York, NY