ProCognis SOX 404 & COSO Implementation Presentation
July 2006
This presentation is intended to provide a demo of the implementation of the US SOX 404 law and the use of COSO.
© 2006, ProCognis, Inc. All Rights Reserved - http://www.procognis.com
SOX Implementation Background
- The Sarbanes-Oxley law (SOX) became law following a number of high-profile accounting scandals.
- SOX requires Management to Certify (SOX 302) and Assess (SOX 404) Internal Controls over Financial Reporting.
- Certification means that Management must take responsibility for the existence and effectiveness of their company's financial controls.
- Assessment means that Management must document and verify that the certified controls are effective.
- SOX is a law with many sections. Two of the most important sections (those that require specific action by companies) are Sections 302 and 404.
- The required deadline was staggered to allow companies time for implementation.
COSO Framework
- SOX requires selection of a framework; however, it does not mandate a specific framework.
- COSO is the most frequently used framework.
- COSO was developed to provide a framework to evaluate internal controls.
- COSO requires that management assess risks to the reliability of financial reporting.
- Control activities are then implemented to mitigate identified risks.
- The COSO framework was originally developed for FDICIA but is applicable to any controls environment assurance.
ProCognis SOX Tools & Methodology
- Developed specifically for SOX 404 compliance from customer input
- Based on the COSO framework
- Uses a Top-down, Risk-based approach
- Flexible and configurable to meet a variety of customer needs
SOX Steps to Compliance
- Planning: First steps to get you ready to begin the compliance process
- Documentation: Communicate the systems, cycles and risks along with mitigating controls to involved parties
- Evaluation & Remediation: Testing of actual controls and validating control effectiveness; Remediation will be required for controls that failed testing
- Reporting of Results: Communicate results of testing and begin planning for next compliance activities
SOX Planning Overview
Planning Key Items:
- Enter company information & identify systems
- Evaluate the overall control environment
- Map systems to financial statement assertions & edit and print the planning templates
- Gather necessary internal documentation and prepare staff for compliance
SOX Planning Details
- Company information is gathered and a scoring system is used to determine the appropriate testing level.
- The testing level may be overridden for specific tests.
- The testing level plus Risk-scoring allows the user to define a minimum level of testing for all risks/controls.
SOX Documentation Overview
- Obtain a basic understanding of each system & identify system steps (sometimes called cycles or processes)
- Consider inherent risks and evaluate their impact & determine if mitigating controls exist
SOX Documentation Detail
- Financial Statement Correlation is important to ensure that there are no gaps in coverage.
- Checkboxes are provided to correlate systems to Financial Controls.
- Financial Statement mapping is key to implementing the Top-down approach.
SOX Documentation of Systems
- Systems are defined to categorize the risks and associated controls.
- Systems have Steps (actions that are performed as a part of operation of the System).
- Each Step has risks and each risk should have one or more controls; starting with risks defines the Risk-based approach.
- The systems are tracked and the status of the testing is reported for each system.
SOX Evaluation/Testing Overview
- Design a test plan for each Risk/Control.
- Define the population and select a sample to test (the sample is created automatically to select items for testing).
- Software provides tools to select a statistically valid sample using a consistent methodology.
SOX Evaluation/Testing Risk-Scoring
- Risks may be Likely (high probability of occurring) or Significant (very material or damaging) or both.
- Risk-scoring allows a numerical scale to quantify the relative Likelihood and Significance of each Risk.
- High Likelihood & Significant risks are given a larger test sample size to improve confidence.
- Risks that are not likely or significant may use a smaller risk scoring to reduce unnecessary testing.
SOX Evaluation/Testing Details
- Documentation of test results is important to validate the conclusion.
- If a failure is found, the user must select the status of the testing procedure.
- If the test is considered a failure, remediation will be required.
- Software provides tools to automate the remediation and to track testing status.
SOX Remediation and Retest Details
- Remediation is a retest of a failed test procedure.
- Remediation will be tracked as a new test for the same risk/control.
- Software provides tools to track remediation testing status.
SOX Reporting Overview
- Use the final checklist to track progress.
- Evaluate remaining failures and determine if material weakness(es) exist.
- Based on results, select sample language for financial reports.
- Compile documentation and preserve testing details.
SOX Reporting Details
- The Final Checklist contains the key details that track compliance status and remaining tasks.
- Disclosure of Deficiencies and/or Material Weaknesses will result in additional testing and control re-design.
- Software helps track compliance to identify problem areas prior to disclosing weaknesses or deficiencies.
SOX Next Steps
- Following the procedure as defined in the Planning & Documentation phases, the compliance process will require Auditor sign-off and validation.
- After the Auditors have validated SOX compliance, planning will begin for the next year's efforts.
- Lessons learned will be preserved to save time in the future.
Conclusions
- SOX compliance is a lengthy and involved process.
- The end result is a simple conclusion based upon a vast amount of testing and validation of risks and controls by both Management and the Outside Auditor.
- Software can significantly improve the efficiency and quality of the compliance process and reduce unnecessary effort.
- Compliance will not be a single-year effort; the first year will require the most work, but the requirement to comply will not diminish.
- With good planning and implementation, the end result of compliance will be a higher level of confidence in the financial results.