
BEC 1 - Corporate Governance

Sarbanes Oxley Act of 2002 - impacts fin rpting requirements of public companies for expanded disclosures by corporations and specific representations required by officers of public companies that must accompany published financial statements.

TWO KEY COMPONENTS RELATED TO DISCLOSURES OF SARBANES OXLEY

Title III - Corporate Responsibility

1. Public Company Audit Committees - directly responsible for appointment, compensation and oversight of the public acct firm's work; auditors bypass managers and report to the committee; the committee resolves disputes between auditor and management.
   a. Committee members belong to the Board of Directors but are otherwise independent (can't accept compensation for consulting or advisory services) and must not be affiliated w the issuer (public company), i.e. can't influence financial decisions.
   b. Members establish procedures to accept reports of complaints regarding audits, accounting or internal controls (should be confidential, anonymous by the employees, and should accommodate receipt and retention of complaints, and how to address these complaints).
2. CEO or CFO corporate responsibility - sign certain representations on the annual or quarterly rpt saying they have reviewed it and the rpt does not contain false or omitted info and follows GAAP.
   a. Assumed responsibility for internal controls (COSO) (material info has been made available; evaluated for effectiveness within 90 days of rpt; and their conclusion as to the effectiveness of the internal controls based upon their evaluations).
   b. Assumed responsibility for disclosures to the auditors of all significant deficiencies regarding the design or operation of internal controls which may adversely affect financials / rpts, and any frauds that involve mgmt. or any employee w a significant role in IC.
   c. Any changes made to IC.
3. That there was no improper influence on the conduct of audits (fraudulently or by coercion).
4. Non-Compliance by CEO and CFO = surrender of compensation, including bonuses or incentives or gain on sale of securities.

Title IV - Enhanced financial disclosure

Internal Control -> More transparency

1. Disclosure in Periodic report (GAAP compliance) - identify all transactions or material auditor entries or off-balance sheet items; joint ventures; no false or omitted info.
2. Conflict of interest provision - no personal loans to directors or executive officers (publicly traded companies).
3. Disclosure of transactions involving mgmt. and principal stockholders.
4. Management assessment of Internal Control - mgmt. is responsible for an adequate IC structure and makes a conclusion regarding the effectiveness of the IC structure and procedures for financial rpting (auditor must attest to mgmt's assessment).
5. Certain Exemptions (Investment Co).
6. Code of Ethics for Senior Financial Officers (note this doesn't mention CEO) - disclose who the senior financial officers are who are subject to a code of ethics. Tone at the Top (honest and ethical conduct; full, fair, accurate and timely disclosures; and compliance with laws, rules, regulations).
7. Disclosure of Audit Committee Financial Expert - one member of the audit committee must be a financial expert that can serve as a resource for the audit committee.
   a. Expert qualifies through education, past experience as public acct, or financial officer.
   b. Knowledge of GAAP, internal control and audit committee functions.
   c. CPA does not automatically mean financial expert.
   d. BOD will regulate or evaluate the expertise for qualification.

Internal Controls

COSO - Committee of Sponsoring Organization (aka Treadway Committee) - independent. Created this Integrated Framework to assist organizations in developing a comprehensive assessment of internal control effectiveness.

CRIME - Key components of IC

Control Activities - Represents policies and procedures to implement IC
  • Risk Assessment Integration: should be designed to mitigate risk
  • Selection and Development - segregation of duties; use org chart
  • Policies and Procedures - periodic review
  • Information and Technology

Risk Assessment - Includes principles associated with mgmt's consideration of the risk of FS misstatement or fraud
  • Financial Reporting Risk: what might interrupt their ability to present their info in accordance with GAAP; consider its processes and personnel as well as info technology infrastructure in evaluating the risk
      o Approaches to apply principle: mgmt. maps its controls/procedures to each IC component (CRIME) to evaluate the likely effectiveness of those controls in achieving obj
  • Fraud Risk: incentives or pressures to commit fraud and the responsibility and accountability for fraud procedures; conduct fraud assessment and develop incident investigation processes

Information and Communication - Has to be timely and accurate
  • Identify, capture, process and distribute information supporting accomplishment of FS that are TIMELY, ACCURATE AND CURRENT

Monitoring - Are the internal controls effective, and report any deficiencies
  • Ongoing and separate evaluations; are they effective?

Environment (Control) - Tone at the Top - PHRASED
  • Philosophy and operating style of mgmt. are congruent w effective fin rpting
  • Human Resource policies and procedures in place that are fully compatible with eff. IC and rpting
  • Reporting (Financial) competencies - Co retains qualified personnel to handle fin rpting
  • Authority and Responsibility assigned to individuals within the org structure are appropriate to maintain eff. IC
  • Structure (Organization) - structure doesn't undermine the commitment to effective fin stmts and IC
  • Ethical Values (and Integrity) - high standards of integrity and ethics are adopted by top mgmt. and demonstrated thruout the org
  • Directors - BOD actively involved in their oversight responsibility related to both fin reporting and IC

ENTERPRISE RISK MGMT (ALSO BEC 5) - Issued by COSO

  • Process effected by BOD, mgmt. and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
  • ERM Framework encompasses the following themes
      o Aligning risk appetite and strategy
      o Enhancing risk response decisions
      o Reducing operational surprises and losses
      o Identifying and managing multiple and cross-enterprise risks
      o Seizing opportunities
      o Improving deployment of capital

Four categories of Objectives of the enterprise per ERM: SORC
      o Strategic - high level goals to achieve mission (increase shareholder value)
      o Operations - achievement of objectives through the effective and efficient use of resources (return on invested capital): am I efficiently using capital?
      o Reporting - achievement of reliable reporting (internally and externally)
      o Compliance - ensuring compliance with laws and regulations

Components of ERM - The criteria for evaluating the effectiveness of ERM - MEMORIZE: IS EAR AIM
      o Internal Environment = similar to Control Environment of IC; PHRASED C
          - Philosophy of risk mgmt. - shared beliefs and attitudes of mgmt. that impact the entire org are defined by risk mgmt. philosophy
          - Human Resource - commitment to hiring the most qualified ppl (min education and experience requirements, background checks) and demonstrate the commitment and promote individual and corporate responsibility
          - Risk Appetite - amount of risk an org will accept in pursuit of value; factored into balancing strategy w return
          - Assignment of authority and responsibility - the degree to which individuals are given appropriate authority to handle their responsibility and held accountable
          - Structure (organizational) - organization structure that makes sense and is logically organized
          - Ethical and integrity - adoption and demonstration of high ethical values by leadership
          - Directors - degree of involvement and appropriate oversight provided by BOD establishes an org-wide tone that recognizes authority and accountability
          - Commitment to Competence - mgmt's judicious specification of competency level for each job function establishes org-wide expectation of individual and corporate competence
      o Setting Objectives
      o Event Identification
      o Assessment of Risk
      o Risk Response
      o Activities (control)
      o Information and Communication
      o Monitoring - reporting deficiencies
