How to Make Your SOX Process Sustainable & Cost-Effective
DESCRIPTION
With lean staffs and rapidly changing business conditions, continuous improvement never fades as a key ingredient of successful companies. This presentation is a case study with real-world examples of how to make your SOX process cost-effective and sustainable while strengthening your control environment.
TRANSCRIPT
1
6th Sustaining Sarbanes-Oxley Compliance Conference
San Francisco, CA
May 3 - 4, 2006
Optimizing Key Controls
Ron Stefani
Buckeye Technologies Inc.
2
Agenda
◆ Buckeye
◆ SOX Universe
◆ Key SOX Metrics for Years 1 & 2
◆ Rationalize Number of Key Controls
◆ Risk & Control Matrix Redundancy
◆ Unnecessary Assertion Coverage
◆ Automate Key Controls
◆ Summary
◆ Q&A
4
Buckeye Overview
◆ World leader in value-added cellulose-based specialty products
– 2005 Net Sales of $712.8 million
– 2005 Adjusted EBITDA of $122.7 million
[Figure: product segments and applications. Segment labels: Nonwoven Materials, Specialty Fibers, Fluff Pulp, Chemical Cellulose, Customized Fibers. Shares shown: 32%, 18%, 32%, 18%. Applications: Wipes, Femcare, Baby Diapers, Tire Cord, LCD Screens, Food Casings, Ethers (Thickeners), Filters, Currency Papers, Table Top.]
5
Global Presence
◆ 67% of sales outside US
◆ 86% of sales denominated in US$
◆ 71% of products produced in US
[Map legend: Nonwovens Sites, Corporate Headquarters, Cotton Cellulose, Converting, Wood Cellulose, Intl. Sales Office. Locations: Brazil, Germany, Switzerland, Florida, North Carolina, Tennessee, Canada / BC.]
Net sales by region (based on fiscal 2005 net sales):
North America    42%
Europe           38%
Asia             10%
Other             6%
South America     4%
6
Market Leader in Attractive Niches
Industry Ranking    Products / Applications
#1                  Specialty Cotton Papers
#1                  Filters
#1                  Film for Liquid Crystal Display (LCD)
#1                  Rayon Industrial Cord
#1                  Food Casings
#1                  High Purity Cotton Ethers (Thickeners)
#1                  Airlaid Nonwovens
Segments: Chemical Cellulose, Customized Fibers, Nonwoven Materials
Source: LMC International, Lockwood-Post, Nonwovens World and Company Estimates
7
Business Strategy
◆ Focus on technically demanding niche markets
◆ Develop and commercialize proprietary product innovations
◆ Strengthen long-term alliances with customers
◆ Provide our products at an attractive value
◆ Significantly reduce debt
8
SOX UNIVERSE
9
SOX Universe
◆ 9 Plants
◆ 7 Sales Offices
◆ 1 Corporate Office
◆ 52 Legal Entities
◆ Operations in 9 Countries
◆ 3 ERP Systems
10
SOX METRICS YEARS 1 & 2
11
SOX Metrics Years 1 & 2
Significant Items    Year 2    Year 1
Accounts             19        30
Processes            28        61
Disclosures          7         8
SAS 70s              5         8
Total                59        107
12
SOX Metrics Years 1 & 2
Item                 Year 2         Year 1
External Costs       $.5 million    $2.0 million
  (does not include external auditor costs and internal resources)
F&A Key Controls     318            814
IS Key Controls      397            1,117
Total                715            1,931
13
SOX Metrics Years 1 & 2
Item                                     Year 2    Year 1
Assertions                               6         6
F&A Risks (WCGW)                         240       240
IS Risks (WCGW) (COBiT Based)            33        84
F&A RACMS (Risk & Control Matrix)        11        11
IS RACMS                                 3         3
14
SOX Metrics Years 1 & 2
Assessment Levels              Year 2    Year 1
1 (comprehensive)              4         6
2 (specific)                   3         1
3 (internal control review)    2         3
4 (excluded)                   4         2
15
RATIONALIZE NUMBER of KEY CONTROLS
16
Rationalize Number of Key Controls
◆ In year 2 we reduced the number of controls by 63% or 1,216
◆ We did not reduce the number of F&A risks
◆ How did we accomplish this?
17
Rationalize Number of Key Controls
◆ Established objective of reducing costs and sustaining compliance
◆ Used guidance from PCAOB Staff Q&A dated May 16, 2005
◆ Involved external auditor in the entire process and sought alignment on all changes
◆ Improved our risk assessment knowledge and process
◆ Leveraged knowledge obtained in year 1
18
Rationalize Number of Key Controls
◆ Involved Key F&A managers in identifying key controls company-wide
◆ Standardized key controls
◆ Using the COSO model we focused on Risk Assessment, Control Environment and Monitoring
◆ Key controls centered around
– Entity level controls
– Backstop controls
– Account reconciliations
– Segregation of duties
– Delegation of authority
– Unusual journal entries
19
Rationalize Number of Key Controls
◆ Most Significant Processes
– Financial Statement Close
– Financial Statement Presentation
– Disclosures
◆ Key Learnings and Events
– Quality and robust risk assessment (RA) is key to success and must be done first
– RA helps you decide on significant entities, accounts, processes, controls, assertions, etc.
20
Rationalize Number of Key Controls
◆ Key Learnings and Events (continued)
– You must have alignment with your outside auditor – they have their own risk model
– Work to align your risk assessment with the outside auditor and resolve differences – in the end you can’t be too different
– Involve key managers throughout the process
– Continue to drive process down into the organization – line management
– Simplify and Simplify More
21
RISK & CONTROL MATRIX REDUNDANCY
22
Risk & Control Matrix Redundancy
◆ Number of risks driven by the number of significant accounts and assertions
◆ Identify significant accounts and assertions from RA
◆ Describe risks so they address multiple significant assertions
◆ Standardize risks company-wide by major processes i.e., compensation, financial close, accounts receivable and revenue
23
Risk & Control Matrix Redundancy
◆ Limit to one key control per risk
◆ Focus only on key controls, eliminate operational controls
◆ Resist the natural tendency to assign a majority of accounts, processes and assertions as significant
24
UNNECESSARY ASSERTION COVERAGE
25
Unnecessary Assertion Coverage
◆ Describe a risk so that it addresses multiple assertions
◆ An assertion that does not present a meaningful risk of misstatement should not be tested
◆ Standardize assertions and risks company-wide by significant accounts & processes
26
AUTOMATE KEY CONTROLS
27
Automate Key Controls
◆ Three or Two Way Match: PO-Invoice-Receiver or PO-Receiver
◆ Cash Receipt Applications to Accounts Receivable
◆ Work with your external auditor on benchmarking automated key controls
28
SUMMARY
29
Summary
◆ Risk Assessment is the key to reducing controls, complexity and cost of compliance
◆ Must have a solid working relationship with your outside auditor that is built on trust and openness
◆ Involve F&A and IT employees in the SOX process
30
Summary
◆ Drive compliance responsibility down into the organization
◆ Never stop improving and refining your process
◆ Implement “Lean Enterprise” into your compliance process - use Value Stream Mapping and technology to reduce costs and complexity
31
QUESTIONS