June 10, 2003

ERNST & YOUNG

PT ERNST & YOUNG ADVISORY SERVICES

Sarbanes-Oxley 404 Workshop

Hotel Arya Duta

28 February – 2 March 2005

Introduction to Sarbanes-Oxley 2002

2

AGENDA

• Background

• Overview of Sarbanes-Oxley Act Section 404 Requirements

• Increased oversight by PCAOB and SEC

• Auditor Independence

• Corporate Responsibility

• Enhanced Financial Disclosures

• Penalty Enhancement and Increased Accountability

• Implications to management

• The role of internal audit

3

Background

• Historically, good corporate governance was not seen as a key to corporate sustainability, and the provision of financial information to the public was limited.

• However, these practices were judged inadequate following major high-profile corporate failures:

• WorldCom – improper accounting, including the treatment of expenses and significant loans to officers, amounting to $11 billion led to insolvency for the dotcom company.

• Enron – improper accounting practices led Enron to file for bankruptcy, and with it the largest accounting firm in the US – Arthur Andersen.

• Tyco International – improper accounting practices led to various restatements and recognition of an accounting-related charge, mainly due to corporate and managerial failure.

• Qwest Communications Int’l and others.

• The high-profile corporate failures, allegations of corporate fraud, and financial statement restatements led to the passing of the Sarbanes-Oxley Act by the US Congress, signed by the US President on 24 July 2002.

• Among the main objectives of the Act was to protect investors in publicly listed companies by improving the accuracy and reliability of corporate disclosures.

4

Corporate scandals are not unique to the US; on the contrary, they are pervasive around the world

• Parmalat, Italy (2003)

• Fraudulent accounting and corporate practices, through misrepresentation of assets and inflation of financial accounts amounting to $10 billion, led to insolvency and liquidation of the company.

• HIH, Australia (2001)

• The second largest insurance company in Australia collapsed in March 2001 with debts of around $3 billion US, leaving thousands with outstanding claims, due to executive indulgence and inappropriate corporate expenditures.

What about Indonesia in 2004?

• Bank Global – misrepresentation of the company’s assets and investment

• Bank Dagang Bali

• Bank Asiatic

6

To enforce public company requirements, SOA 2002 increases oversight by PCAOB and SEC

REQUIREMENTS

Section 101 & 102

• Requires all public accounting firms to register with, and supply information such as client names and fees charged to, the newly established Public Company Accounting Oversight Board

• Audit firms must pay annual fees to the Oversight Board to help subsidize Board expenses

Section 104

• Oversight Board shall conduct a continuing program of inspections to assess the degree of compliance of each registered public accounting firm with the Act

Section 108 & 109

• Issuers must pay annual fees, based upon market capitalization, to support the Board and FASB

Section 408

• Expanded SEC review of 10-K’s and 10-Q’s at least once every 3 years

Section 307

• Requires attorneys to report evidence of a material violation of securities law

BUSINESS IMPLICATIONS

• Audit firms must annually register, meet Oversight Board requirements, and could be investigated and/or disciplined by the Oversight Board

• Issuers and audit firms must help subsidize annual Oversight Board expenses

• Improve documentation process to expedite responses to SEC comments upon review

7

To enhance auditor independence, the Act prescribes various prohibited services for the external auditor of a company

REQUIREMENTS

Section 201

• Prohibits auditor from providing 9 specific non-audit services

Section 202

• Requires pre-approval by Audit Committee of all services by audit firm

Section 203

• Requires lead and concurring audit partner rotation every five years

Section 206

• Requires ‘cooling off’ period of one year before an employee of the audit firm who worked on the account can be hired as CEO, CFO, controller, or any like position held by an individual of the issuer

BUSINESS IMPLICATIONS

• Validate/ensure the auditor does not provide any of the 9 prohibited services

• Transition newly prohibited non-audit services such as internal audit outsourcing and financial IT system services

• Establish pre-approval process for all services by audit firm

• Review audit partner rotation plans and any potential hires from audit firm

8

In the area of corporate responsibility, the Act seeks to strengthen corporate governance

REQUIREMENTS

Section 204

• Increase communications between auditor and Audit Committee on critical accounting policies and practices, alternative accounting treatments and other required communications with management

Section 301

• Makes Audit Committee directly responsible for the selection and oversight of auditors

• Limits Audit Committee membership to independent directors

• Requires procedures for complaints from whistleblowers and others

• Requires company to provide Audit Committee with funding for auditors and other advisors as Audit Committee deems necessary

Section 402

• Prohibits future loans to officers and directors

Section 407

• Company must disclose whether it has a financial expert on the Audit Committee

BUSINESS IMPLICATIONS

• Reassess the composition of Audit Committee

• Ensure Audit Committee members are independent and include at least one ‘financial expert’

• Ensure that existing loans to officers and directors are not modified or extended, ensure that future loans qualify under recognized exceptions

• Develop a process for Audit Committee to oversee appointment and oversight of auditors and to receive alternative accounting treatment

9

Enhanced financial disclosures are required by the Act to improve public company reporting

REQUIREMENTS

Section 302

• Management certifies that: The filing reflects in all material respects the company’s financial position. The effectiveness of internal controls has been evaluated.

Section 401

• SEC to issue rules to enhance disclosures of off-balance sheet transactions and pro forma financial information

Section 404

• SEC to issue rules to require annual management report, and auditor attestation, on effectiveness of internal controls and procedures for financial reporting

Section 409

• SEC to issue rules for ‘real time’ disclosure of material changes in financial conditions or operations, including accelerated periodic reporting

BUSINESS IMPLICATIONS

• Consider changes, improvements, or additions to current disclosure procedures

• Implement process for certifying and assessing internal controls, preparing management report, and completing external auditor’s examination of internal controls

• Strong recommendation to develop disclosure committee and have process for identifying items where disclosure is necessary

• Identify and track all off-balance sheet transactions and pro forma financial information

10

Enhanced accountability, supported by broadened penalties, is also introduced to improve public trust

REQUIREMENTS

Section 303

• Makes it unlawful for any director/officer or others acting at their direction to fraudulently influence, coerce, manipulate or mislead any independent auditor

Section 403

• Requires accelerated reporting of trades by insiders

Section 406

• Requires companies to disclose whether they have a code of ethics as well as any changes in or waiver from such codes

Section 806

• Makes it unlawful to retaliate against ‘whistleblowers’

Section 304

• Requires CEO and CFO to forfeit bonuses received or profits realized on the sale of securities in the 12 months following a financial report that is later restated due to material non-compliance of the Act

Section 906

• Increased criminal penalties for CEO/CFO who certifies the filing in bad faith

BUSINESS IMPLICATIONS

• Upgrade/develop code of conduct, process for insider trading and other ethical conduct matters

• Maintain process to ensure reporting of insider transactions within 2 business days

• Establish process for ‘whistle blower’ program

• Criminal provisions are now effective for inaccurate certifications, destroying documents or obstructing investigations

• CEO and CFO must disgorge profits from securities sales after restatements due to misconduct

12

Among the SOA requirements, meeting the requirement of Section 404 represents a significant challenge for management

Section 404

The Commission shall prescribe rules requiring each annual report required by SEC to contain an internal control report, which shall—

(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

Restoring investor confidence in the integrity of public reporting

Section 302 & 906

13

Section 302

• Requires CEO and CFO to certify quarterly and annually the effectiveness of their disclosure controls and procedures which include financial reporting controls

• Effective for periods ending after August 29, 2002

Section 906

• Increased criminal penalties for CEO/CFO who certifies the filing in bad faith

Section 404

• Requires the company to document and evaluate the effectiveness of internal controls and procedures for financial reporting

• Requires external auditor to attest to management’s assertions in the annual report

• Proposed rule – effective for fiscal year ends on or after April 15, 2005 for foreign private issuers (June 15, 2004 for domestic US SEC registrants and subsidiaries)

Section 302 and 906 present a basis to restore public trust, building on the foundation of Section 404 that requires management to file an internal control report

14

• Planning for Section 404 should begin today to provide ample time for the assessment and identify areas where corrective action is needed

• Need to agree to a common risk and controls framework – often, management, internal audit and the external auditor have different frameworks

• Misunderstanding that Section 404 is only a compliance exercise

Therefore, management needs to take action to start complying with Section 404 requirements

In Indonesia, only companies listed on US exchanges or subsidiaries of companies listed on US exchanges are required to comply.

However, there are strong indications that SOA pronouncements will be adopted by Indonesia.

Furthermore, increased governance and enhanced financial reporting can be obtained through the adoption of Section 404 methodology

16

The company’s internal audit function can play a pivotal role in the implementation of SOA 404 and 302

The recommended role for internal audit function in supporting the achievement of SOA 404 and 302 may include:

• Project oversight

• Consulting and project support

• Ongoing monitoring and testing

• Project audit

In addition, internal audit may also be engaged in various other services:

• as a source of consultants

• as a source of resources for documentation/testing

• as a source for Project Lead Manager

• as a source of training or information about controls

• as a certifier in the disclosure process

The key principle in internal audit’s involvement is for the IA function not to assume primary ownership over the SOA 404 certification process and not to be engaged in activities that may impair its independence or result in conflict of interest

17

Through the various implementation stages, IA may perform a project oversight role of the activities

• Participate on the project steering committee, providing advice and recommendations to the project team and monitoring the project and its direction

• Act as facilitator between external auditor and management

18

In a consulting and project support role, IA can offer a wealth of technical knowledge and expertise

• Provide existing internal audit documentation for processes under scope

• Advise on best practices – documentation standards, tools and test strategies

• Support management and process owner training on project and risk and control awareness

• Perform quality assurance review of process documentation and key controls prior to handoff to external auditors

19

In an ongoing monitoring and testing role, IA may be one of the key players in supporting management to meet the regulatory requirements of Sarbanes-Oxley

• Advise management regarding the design, scope, and frequency of tests to be performed.

• Independent assessor of management testing and assessment processes.

• Perform tests of management’s basis for assertions.

• Perform effectiveness testing (for highest reliance by external auditors)

• Aid in identifying control gaps and review management plans for correcting control gaps

• Perform follow-up reviews to ascertain whether control gaps have been adequately addressed

• Act as coordinator between management and the external auditor as to discussions of scope and testing plans.

• Participate in disclosure committee to ensure that results of ongoing internal audit activities and other examination activities, such as external regulatory examinations, are brought to the committee for disclosure consideration.

20

Through its traditional assurance role, IA can also perform project audit to increase stakeholders’ comfort on the company’s implementation of SOA 404

• Assist in ensuring that corporate initiatives are well managed and have a positive impact on an organization. Their assurance role supports senior management, the audit committee, the board of directors, and other stakeholders.

• Use a risk-based approach in planning the many possible activities regarding project audits. Audit best practices suggest internal auditors should be involved throughout a project’s life cycle, not just in post-implementation audits.

21

In other involvements, IA may play a value-added role in the 404 certification process as long as they do not impair independence and objectivity

• Source of consultants

• Recommend control to address risk

• Identify, evaluate and implement risk and control assessment methodology

• Source of resources for documentation and testing

• Document internal controls but not in a decision-making role

• Participate in the design and execution of tests for control effectiveness

• Source for lead project manager

• Perform project management administrative tasks such as monitoring progress of project, communicating project result, and monitoring adherence to project timetable

• Source of training and information about controls

• Provide training and/or information on internal control identification and assessment, risk assessment, and test plan development

• Certifier in disclosure process

• Provide certification or issue an opinion on financial controls (design and operating effectiveness) supported by adequate and appropriate audit evidence
