Copyright©2004 Cathy Cakebread Oracle Receivables and Sarbanes-Oxley Cathy Cakebread - Consultant Northern California OAUG July 2004

Copyright©2004 Cathy Cakebread Agenda What Is Sarbanes-Oxley? Who Is Impacted? Which Are the Main Sections That Impact Us? How are Your Internal Controls? Assess Risks and Controls Document Policies and Procedures Close and Reconcile the Period Control Revenue Recognition Sarbanes-Oxley Links

Copyright©2004 Cathy Cakebread Sarbanes-Oxley Act Public Company Accounting Reform and Investor Protection Act of Enacted by Congress – Signed July 2002 Major Concepts: Executive Accountability CEO and CFO Certify Accuracy of Financial Reports Document and Audit Internal Controls and Procedures Document Risks and Mediation Real Time Disclosure of ‘Material Events’ Proper Retention of Records

Copyright©2004 Cathy Cakebread Who Is Impacted? Organizations Publicly Traded Candidate for Merger or IPO International Company with Stock Traded in US Basically - Everyone Personal Responsibility CEO, CFO, President, Board? CIO? Internal Impact Finance, IT, Manufacturing, Sales … Whole Company!

Copyright©2004 Cathy Cakebread Section 302 – Corporate Responsibility for Financial Reports CFO, CEO Certify Financial Report Accuracy Document and Disclose Internal Controls and Procedures Identify Deficiencies, Weaknesses and Potential Fraud with Remedies

Copyright©2004 Cathy Cakebread Section Management Assessment of Internal Controls Establish and Maintain Proper Internal Controls and Procedures Assess Effectiveness of Internal Controls Insure That Company Transactions Are Properly Reported and Controlled Utilize a Controls Based Approach Perform Periodic Review of Controls

Copyright©2004 Cathy Cakebread How Are Your Internal Controls? Do you Have Proper Separation of Duties? Take advantage of Custom Responsibilities and Functional Security Have You Documented Your Processes, Policies, Procedures? Up to Date? Actually Used? What Controls Are in Place? Your Close Procedures Invoice Forms Cash Handling… Do You Use Spreadsheets for Critical Reporting?

Copyright©2004 Cathy Cakebread And… How Confident are You of the Accuracy of Your Data? Do You Control Manipulation of Your Data (e.g., By IT) Are You Using Approvals? For Adjustments? For Credit Memos? Are Your Customizations Still Controlled?

Copyright©2004 Cathy Cakebread Assess Risks and Controls Think About and Document How Someone Could Cheat Using the System? How Do You Prevent It? How Do You Know When It Happens (If It Can’t Be Prevented?) What Are You Doing to ‘Get Around’ the System and it’s Controls?

Copyright©2004 Cathy Cakebread User Controls Do You Utilize Unique Usernames and Passwords? Have You Defined Appropriate Limited Access? Frequent Review Of Responsibilities Define View Only Access As Needed Who Has Update Capabilities? Controls to Restrict Based on Need Watch Out For Customers and Who Can Perform Which Tasks Do You Check Record History? Who and When for Adds and Updates

Copyright©2004 Cathy Cakebread IT Controls Have You Controlled Data Correction? You May Have No Choice – Then How Controlled? Do You Avoid Shared Usernames and Passwords? – User and Database Do You Restrict Access to Data? View Only Limit What Can Be Viewed Update Strictly Controlled If Changes are Made, Document What, Why, How, When, and By Whom Include Patches and Upgrades

Copyright©2004 Cathy Cakebread Identify ‘Major Events’ How Do You Define These? How Will You Know When They Occur? How Will You Inform Your Executives? Who? When? How? Examples: Loss or Bankruptcy of Major Customer Major Payment Is Late Invoice/Order Over $X Major Write-offs Sales Expected to be Below Projection Major Project is Behind Schedule

Copyright©2004 Cathy Cakebread Document Policies and Procedures Document Policies Review and Document Procedures/Processes Utilizing Best Practices Identify Risks and Controls For Each Procedure What Are They? How to Avoid Risks? How Will You Know When Exceptions Occur? Actual Use of Policies and Procedures Validate Effectiveness Internally Auditors

Copyright©2004 Cathy Cakebread Key Processes Customer Maintenance Who Can Add, Change, Inactivate? Who Controls Credit Limits? Who Can Change Names? What Are Your Controls for Adding New Customers? Addresses? Inactivating? Invoices/Debit Memos/Credit Memos Do You Use Separation of Duties? Are the Actual Forms Locked up? Have All Interfaced Items Made It? How do You Know? Who is Responsible?

Copyright©2004 Cathy Cakebread Corrections Credit Memos What Controls Do You Have? Who Can Create Credit Memos? What is Your Monitoring Mechanism? Especially if Over $x Adjustments Do You Really Use Limits? And Varying Levels of Limits? Check For Multiple Adjustments on Single Item?

Copyright©2004 Cathy Cakebread Receipts Payments Received Utilize External Lockbox? Control Cash Received in House? Handling of Non-AR Cash? Credit Card Processing Prevent Fraud? Pre-Authorize? Protect Customer’s Credit Card Information? How do You Deal with ‘Stuck’ Items?

Copyright©2004 Cathy Cakebread Visibility Collections Restrictions on Who Can See What? On What Collectors Can Do? Reporting of Doubtful Accounts and Bankruptcies? Disputes? Reporting Who Can View Key Reports? Who Can Run Key Reports?

Copyright©2004 Cathy Cakebread Close Process Make Faster and More Efficient Insure Proper Controls in Place Perform Reconciliation with Aging Verify Reconciliation with GL Create Month End Packet Retain as Needed See for Close Checklist and Paper on Improving Close Processwww.cathycakebread.com

Copyright©2004 Cathy Cakebread Control Revenue Recognition SAB 101 – SEC – Staff Accounting Bulletin SOP 97, 98 – AICPA – Statement of Position Hot Topic! Lots of Scrutiny and Visibility!

Copyright©2004 Cathy Cakebread Key Concepts Persuasive Evidence of an Arrangement Exists, Delivery Has Occurred or Services Have Been Rendered, The Seller’s Price to the Buyer Is Fixed or Determinable, And Collectibility Is Reasonably Assured

Copyright©2004 Cathy Cakebread Sensitive Areas Deferred Revenue Maintenance/Support/Subscriptions/Service Items Where Acceptance Is Required Where You Can’t Start Recognition Until Another Event Occurs And Sales of Future Items Arrangements (Related Sales) Standard Terms and Exceptions Return/Refund Policies

Copyright©2004 Cathy Cakebread Revenue Recognition Questions to Ask Do You Have Items Where Revenue Can’t Be Recognized Upon Shipment? Does the Person Entering the Order Know When the Revenue Should Be Recognized? When Do You Know? How? What Determines When Revenue May Be Recognized? Do You Have Standard Payment Terms? Do You Ever Have Exceptions?

Copyright©2004 Cathy Cakebread And Do You Have a Return Policy? E.G., Full Money Back in 30 Days? Do You Use ‘Arrangements’ With Your Customers (Where the Revenue for One Invoice May Not Be Recognized Until the Subsequent Items Ship)? How Do You Deal With the Revenue for Invoices Where You Don’t Expect to Receive Payment?

Copyright©2004 Cathy Cakebread And Do You Use Standard Pricing? How Do You Deal With Variable Pricing and Revenue Recognition? How Do You Handle Discounts With Bundled Products? Do You Sell ‘Beta Products’? Or ‘Future’ Products How Does This Process Impact Your Reporting of Cost of Goods Sold?

Copyright©2004 Cathy Cakebread Conclusion This Is a Positive Thing! Potential Results: Better Run Department (Best Practices) Detailed User Documentation and Training Materials Confidence With Accuracy of Data Assurance That Proper Controls Are in Place Risks Are Mitigated

Copyright©2004 Cathy Cakebread Links for Sarbanes-Oxley The Actual Act – in a PDF American Institute of Certified Public Accountants Securities Exchange Commission FAQs Price Waterhouse Coopers Site on Sarbanes Oxley CF30074D66C Nice Synopsis With Effective Dates direct.com/cfopublic.nsf/vContent/MSRA-5QJQ6C?open

Copyright©2004 Cathy Cakebread Contact Information Cathy Cakebread (650) AR List Server