how to make your sox process sustainable & cost-effective

1

6th Sustaining Sarbanes-Oxley Compliance Conference

San Francisco, CA

May 3 - 4, 2006

Optimizing Key Controls

Ron Stefani

Buckeye Technologies Inc.

2

Agenda◆Buckeye◆SOX Universe◆Key SOX Metrics for Years 1 & 2◆Rationalize Number of Key Controls◆Risk & Control Matrix Redundancy◆Unnecessary Assertion Coverage◆Automate Key Controls◆Summary◆Q&A

4

Buckeye Overview

◆ World leader in value-added cellulose-based specialty products– 2005 Net Sales of $712.8 million

– 2005 Adjusted EBITDA of $122.7 million

Nonwoven Specialty Fibers Materials Fluff Pulp Chemical Cellulose Customized Fibers

32% 18% 32% 18%

Wipes

Femcare

Baby DiapersTire Cord

LCD Screens Food Casings

Ethers(Thickeners)

Filters

CurrencyPapers

Table Top

5

Nonwovens Sites

Corporate Headquarters

Cotton Cellulose

Converting

Wood Cellulose

Intl. Sales Office

Brazil

Germany

SwitzerlandFlorida

North CarolinaTennessee

Canada / BC

◆ 67% of sales outside US

◆ 86% of sales denominated in US$

◆ 71% of products produced in US

North America42%

South America4% Other

6%

Asia10%

Europe38%

Based on fiscal 2005 net sales

Global Presence

6

Industry Ranking

Products / Applications

#1Specialty Cotton Papers

#1Filters

#1Film for Liquid Crystal Display (LCD)

#1Rayon Industrial Cord

#1Food Casings

#1High Purity Cotton Ethers (Thickeners)Chemical Cellulose

CustomizedFibers

Source: LMC International, Lockwood-Post, Nonwovens World and Company Estimates

#1Airlaid NonwovensNonwoven Materials

Market Leader in Attractive Niches

7

◆ Focus on technically demanding niche markets

◆ Develop and commercialize proprietary product innovations

◆ Strengthen long-term alliances with customers

◆ Provide our products at an attractive value

◆ Significantly reduce debt

Business Strategy

8

SOX UNIVERSE

9

◆9 Plants

◆7 Sales Offices

◆1 Corporate Office

◆52 Legal Entities

◆Operations in 9 Countries

◆3 ERP Systems

SOX Universe

10

SOX METRICS YEARS 1 & 2

11

SOX Metrics Years 1 & 2

Significant Items Year 2 Year 1

Accounts 19 30

Processes 28 61

Disclosures 7 8

SAS 70s 5 8

Total 59 107

12


Year 2 Year 1

External Costs(does not include external auditor costs and

internal resources)

$.5 million $2.0 million

F&A Key Controls 318 814

IS Key Controls 397 1,117

Total 715 1,931

13


Year 2 Year 1Assertions 6 6

F&A Risks (WCGW)

240 240

IS Risks (WCGW)(COBiT Based)

33 84

F&A RACMS(Risk & Control Matrix)

11 11

IS RACMS 3 3

14


Assessment Levels

Year 2 Year 1

1(comprehensive)

4 6

2(specific)

3 1

3(internal control review)

2 3

4(excluded)

4 2

15

RATIONALIZE NUMBER of KEY CONTROLS

16

◆In year 2 we reduced the number

of controls by 63% or 1,216

◆We did not reduce the number of

F&A risks

◆How did we accomplish this?

Rationalize Number of Key Controls

17

◆ Established objective of reducing costs and sustaining compliance

◆ Used guidance from PCAOB Staff Q&A dated May 16, 2005

◆ Involved external auditor in the entire process and sought alignment on all changes

◆ Improved our risk assessment knowledge and process

◆ Leveraged knowledge obtained in year 1


18

◆ Involved Key F&A managers in identifying key controls company-wide

◆ Standardized key controls

◆ Using the COSO model we focused on Risk Assessment, Control Environment and Monitoring

◆ Key controls centered around– Entity level controls

– Backstop controls

– Account reconciliations

– Segregation of duties

– Delegation of authority

– Unusual journal entries


19

◆ Most Significant Processes– Financial Statement Close– Financial Statement Presentation– Disclosures

◆ Key Learnings and Events

– Quality and robust risk assessment (RA) is key

to success and must be done first

– RA helps you decide on significant entities,

accounts, processes, controls, assertions, etc.


20

◆ Key Learnings and Events (continued)

– You must have alignment with your outside auditor – they have their own risk model

– Work to align your risk assessment with the outside auditor and resolve differences – in the end you can’t be too different

– Involve key managers throughout the process

– Continue to drive process down into the organization – line management

– Simplify and Simplify More


21

RISK & CONTROL MATRIX REDUNDANCY

22

◆ Number of risks driven by the number of significant accounts and assertions

◆ Identify significant accounts and assertions from RA

◆ Describe risks so they address multiple significant assertions

◆ Standardize risks company-wide by major processes i.e., compensation, financial close, accounts receivable and revenue

Risk & Control Matrix Redundancy

23

◆ Limit one key control per risk

◆ Focus only on key controls, eliminate operational

controls

◆ Resist the natural tendency to assign a majority of

accounts, processes and assertions as significant

Risk & Control Matrix Redundancy

24

UNNECESSARY ASSERTION COVERAGE

25

◆ Describe a risk so that it addresses multiple

assertions

◆ An assertion that does not present a meaningful

risk of misstatement should not be tested

◆ Standardize assertions and risks company-wide

by significant accounts & processes

Unnecessary Assertion Coverage

26

AUTOMATE KEY CONTROLS

27

◆ Three or Two Way Match

PO-Invoice-Receiver or PO-Receiver

◆ Cash Receipt Applications to Accounts

Receivable

◆ Work with your external auditor on benchmarking

automated key controls

Automate Key Controls

28

SUMMARY

29

◆ Risk Assessment is the key to reducing controls,

complexity and cost of compliance

◆ Must have a solid working relationship with your

outside auditor that is built on trust and openness

◆ Involve F&A and IT employees in the SOX

process

Summary

30

◆ Drive compliance responsibility down into the

organization

◆ Never stop improving and refining your process

◆ Implement “Lean Enterprise” into your compliance

process - use Value Stream Mapping and

technology to reduce costs and complexity

Summary

31

QUESTIONS

how to make your sox process sustainable & cost-effective

Documents