Seminar in Accounting & SocietySOX – Section 404April 23, 2008

2

Seminar in Accounting & SocietySOX Section 404 – April 23, 2008

• Rick Andrews

Partner

KPMG

• Dana Plonka

Director, Internal Audit

Sigma-Aldrich Corp.

3

Agenda

• Introductions/Background

• Overview – What is Sarbanes-Oxley?- SOX 302 & 404

- Management’s Certifications

• Impact of SOX – An Internal Perspective

• Costs & Benefits of SOX

• Impact of AS5

• Questions

4

About Sigma-Aldrich

• $2B global Life Science Company

• Publicly traded on NADAQ as SIAL

• Develops, purchases, produces & sells biochemical and organic chemical products for use in scientific research, biotechnology, pharmaceutical development, the diagnosis of disease, and as key components in pharmaceutical and other technology manufacturing

• 7,900 employees in 36 countries

• Over 130,000 products

• 64% of Sales outside the US

5

About KPMG

• KPMG LLP is a provider of audit, tax and advisory services

• KPMG LLP is #1 in the St. Louis market auditing 42% of St. Louis’ Top 50 Public Companies

• KPMG LLP is the U.S. member firm of the KPMG international network with a presence in ~ 150 countries

• KPMG has been recognized as a great place to work by Fortune, Working Mother, the Human Rights Campaign, Business Week, The Women’s Alliance, the Black Collegian, DiversityInc and others

• KPMG LLP consists of 22,000 partners and staff across the U.S. The St. Louis office is supported by approximately 250 employees serving in the capacity of client support delivery or client service support functions

6

What is Sarbanes-

Oxley? What is SOX 302?

What is SOX 404?

What is AS5?

7

SOX 302 at Sigma-Aldrich

• Quarterly disclosure controls and procedures implemented in 2002

• Robust certification process includes 130 managers worldwide

• Extensive questionnaire addresses multiple areas and implies personal responsibility

• Disclosure Committee reviews all responses to determine actions

• Certifying Officers (CEO & CFO) and external auditors receive unedited, complete reports

8

SOX 404 at Sigma-Aldrich

• Implemented web-based software to manage internal control documentation, assessments and testing in 2003

• Control documentation required for all Sigma-Aldrich sites; updated annually by Business Process Owners at sites

• SOX 404 testing performed by Internal Audit on behalf of management

• Deficiencies reported to sites, management, KPMG, Audit Committee

9

Management’s Certifications

The CEO and CFO must personally certify to the:

• Accuracy of financial statements

• Adequacy & effectiveness of disclosure controls and procedures

• Adequacy & effectiveness of internal controls over financial reporting

• Completeness of all disclosures that materially impact the financial statements or relate to frauds involving management with a significant role in internal controls over financial reporting

10

SOX at Sigma-Aldrich

SOX 404 & 302 had a significant impact on:- Board of Directors’ responsibilities

- Management’s responsibilities

- Internal Audit Department resources and responsibilities

- Costs of compliance

11

Impact on Board of Directors

• Increased liability & responsibility for Audit Committee members

• Qualifications for Audit Committee members more stringent (“financial expert” requirement)

• Director, Internal Audit reports directly to the Chairman of the Audit Committee

• Whistleblower Policy implemented with reports to the Audit Committee Chair

12

Impact on Board of Directors

As a result, the Audit Committee has:

• Increased focus on internal controls & audit results

• Demanded swift remediation of internal control weaknesses

• Supported the addition of Internal Audit resources to support compliance efforts

• Initiated discussion over business risk management strategies across the organization

13

Impact on Management

• Certifying officers (CEO & CFO) are personally liable for undisclosed issues and significant financial misstatements

Potential for large $$ penalties and prison sentences

• Increased accountability to Board with respect to maintaining internal controls and SOX compliance processes

14

Impact on Management

As a result, Management has:

• Increased focus on internal controls & audit results

• Demanded swift remediation of internal control weaknesses

• Placed reliance on transparency of quarterly disclosure certification process

• Continued to set a strong “Tone at the Top” with respect to establishment and adherence to policies & controls

15

Impact on Internal Audit

General:

• SOX compliance role & responsibilities Vary by Company May drive strategy &/or perform SOX 404 testing May perform evaluation of quarterly disclosure controls &

procedures

• Balance of work shifted to routine detail tests

• Stature of audit profession raised

• Bubble of demand for auditors

• Increased salaries

16

Impact on Internal Audit

At Sigma-Aldrich:

• Significant resource drain in Years 1 & 2 of compliance

• Risk of turnover due to “less challenging” compliance work

• Department expanded by 33% to support SOX compliance

• Increased leverage for control weakness remediation

• Increased level of control documentation to support our work

17

Sigma-Aldrich SOX Timeline

2003SOX 404

Compliance Startup

2008•5th year of compliance•IA time remains at 25%

2007•4th year of compliance•AS5 released•25% of IA time

2006•Re-engineered our approach•Reduced # of controls tested •by 45%•40% of IA time

2005•2nd year of compliance•70% of IA time

2004•1st year of compliance•Addition of 2 Sr. Auditors•90% of IA time

2002SOX 302

Certification Process

18

Cost of SOX 404Dollars:

• Costs of compliance $1M - $1.2M annually for Years 1 & 2

• 60% of cost related to internal resources

• After reengineering and AS5, reduced annual cost to $650K and 30% internal resource cost

Other Costs:

• Internal resources diverted from more value-added activities

• After reengineering, able to strike balance with resources

19

Benefits of SOX 404 & 302

• Increased knowledge of internal controls throughout the organization

• Ownership of internal controls embedded within the organization

• More rapid remediation of significant control deficiencies

• Increased transparency over events that may impact the financial statements and disclosures (SOX 302)

20

Impact of AS5

General, from Management’s perspective:

• External audit no longer opines on management’s approach to forming their opinion on internal controls over financial reporting

• Scales are balancing with more focus on a risk-based approach

• Management has increased flexibility in developing its compliance plan

21

Impact of AS5

At Sigma-Aldrich:

• Significant resource reductions achieved via reengineering project undertaken in 2006 in anticipation of AS5

• Internal Audit efforts rebalanced with only 25% of resources devoted to SOX compliance vs. 70% in Year One

22

Agenda

• Introductions/Background

• Overview – What is Sarbanes-Oxley?

• Impact of SOX – An Internal Perspective

• Costs & Benefits of SOX

• Impact of AS5

• Questions

23

Questions???