Internal Control Systems
One year to go
How fit are Swiss companies?
Survey (November 2007)
Contents
Introduction
Executive summary
How do risk assessment and scoping interlink?
How are internal controls effectively identified, documented and implemented?
Why is internal control effectiveness testing important for internal reporting on the ICS?
What about the people factor?
The way forward
Your contacts at PricewaterhouseCoopers
Introduction

The amendments to the Swiss Code of Obligations designed to strengthen Internal Control Systems (ICS) over financial reporting became effective on 1 January 2008. While the quality of financial reporting and the public's trust in the financial information provided by companies will significantly improve following implementation, the required changes have imposed a substantial burden of time and resources on companies in Switzerland. To prepare for the December 2008 compliance deadline, companies will have to cover considerable ground to ensure that the appropriate controls are documented and in place.

Many companies in Switzerland wish to deploy a sustainable, efficient and value-adding compliance process and are now looking for insights into how to do so. Senior managers are intent on reducing the cost of compliance and delivering real benefits from this process.

PricewaterhouseCoopers is supporting Swiss companies with projects and knowledge-based activities to help them tackle this challenge. Most recently, in November 2007, it held half-day interactive workshops across Switzerland. The main goal of these workshops was to ensure that ICS project leaders fully understood the requirements and implications of designing and implementing an efficient and effective ICS, as well as to address their main challenges and concerns. In addition, we wanted to assess their state of readiness to meet the requirements of Section 728a in conjunction with Section 716 of the Swiss Code of Obligations (CO).

With one year to the compliance deadline, we wanted to find out whether companies felt confident with the concepts raised by the amendments to the Act that came into force on 1 January 2008 and how sure they are of becoming compliant during 2008. During these workshops, we used a survey tool to increase the learning effect and enhance the exchange of experience between participants.
The findings and recommendations detailed in this document are the opinions expressed by more than 100 ICS project team leaders who participated in these workshops. Based on its practical experience with ICS projects for many companies, PwC believes these results are representative of the current situation for most Swiss companies. PwC would like to express its sincere thanks to the participants for sharing their knowledge and experience.

Rainer van Alphen
Leader Internal Control Services
November 2007
Executive summary

The large majority of ICS project team leaders at Swiss companies are confident of becoming compliant with the requirements for an ICS by the end of 2008. However, potentially the largest danger is that the costs and efforts incurred to achieve year one compliance will have to be repeated in the future unless steps are taken now to address a number of key challenges.

Overall, the responses obtained were upbeat. An overwhelming majority of 91% of Swiss ICS project leaders who participated said they felt comfortable with the concepts of an ICS, their ICS initiative was well established and they would be compliant with 728a CO by the end of 2008.

70% of the enterprises represented named the Chief Financial Officer as the sponsor and person with overall responsibility for their ICS initiative. Risk management or internal audit was reported to be in charge at around 9% of companies represented. Less than 5% had appointed an ICS officer to take overall responsibility for their entire ICS efforts.

64% of those polled indicated that their ICS initiative covered more than just financial accounting and reporting. Instead, it appeared that most enterprises were taking advantage of the new requirements to address further operational issues, such as business risks and process inefficiencies.

There was also a clear concurrence among more than 70% that there were benefits to be gained from adopting a risk-based approach and concentrating on (direct) company level controls as well as on automation and prevention when designing and implementing an ICS.

A substantial portion (more than one third of respondents) believed that there were advantages in determining the quality of their ICS through targeted testing to serve as a basis for reporting to Senior Management and Boards of Directors.
Some 85% of Swiss ICS leaders surveyed explained that their organisation had goal-directed internal reporting on ICS matters covering the effectiveness, traceability and efficiency of internal controls as well as the reliability of business processes, controls awareness and integration with risk management.

Why not look beyond year one?

The intense focus on the deadline might prevent businesses from treating Sections 716 and 728 of the Swiss Code of Obligations projects as milestones on the way to the larger goal of sustainable compliance. The legislation
ought to be seen as an opportunity to investigate operational processes, which often form the basis of reliable financial reporting, and to review them with a view to eliminating process inefficiencies. The ICS initiative should be seen as more than a standalone project with limited or no integration with other controls and compliance activities. Instead, companies should be integrating it with other efforts such as process improvement and risk management.

How do companies get the most out of technology?

Companies should be taking full advantage of automation, utilising both their existing in-house systems and dedicated ICS tools to assist with compliance. There is huge potential in the field of business critical systems where process controls can be automated (almost 30% of respondents had less than 30% of their controls automated and almost 50% did not know how many controls were automated), inherently providing for greater control efficiency; such controls are often preventive in nature, thus ensuring early effectiveness in end-to-end processing of information.

Why not challenge the status quo?

Insights from ICS projects should be used as a powerful catalyst for change. The real rewards now are not just attaining compliance but cost savings, improved control and tangible business benefits through a process of controls optimisation, resulting in having the right controls at the right cost for an organisation.

In the section "The way forward", following the detailed survey findings and analysis, we offer some thoughts on how best-in-class organisations are addressing these challenges.
How do risk assessment and scoping interlink?

The aim of Section 728a CO is to establish an ICS which, as explicitly stated by the Swiss Federal Council (Bundesrat), is aimed at bookkeeping and financial reporting. In other words, Section 728a CO does not focus on operational or compliance processes. Pursuant to this Section, an effective (and efficient) ICS is intended to prevent material misstatements in annual financial statements. Such misstatements can arise when material internal and external risks (e.g. in business operations [i.e. markets, services, products], forms of financing, business and IT processes, etc.) to which an enterprise is subject are not detected and controlled on a timely basis. Risks in reporting and operations can, as a rule, be managed by way of controls.

Following a thorough risk assessment process, the next logical step in any top-down ICS project would be to determine the scope of entities and processes relevant for an effective controls framework. Of those surveyed, 63% acknowledged that a top-down, risk-based approach is not only acceptable but also a pragmatic starting point when it comes to systematically performing the risk assessment and ultimately scoping for their future ICS. 55% assessed risks by evaluating both the impact and likelihood of a risk materialising and leading to a potential misstatement in their financial statements. 47% of ICS project team leaders also stated that the financial statement items within the scope of the ICS were determined by materiality (which is impacted by risk) and that underlying relevant processes were, in turn, determined by the significant financial statement items selected.

A number of ICS project team leaders indicated that they would scope their ICS project intuitively. While in a large number of cases this method will result in an ICS of appropriate scope, we suggest ensuring that the thought processes are properly documented.
However, to ensure that the scope of the ICS does not unintentionally exceed what is necessary for the organisation, we suggest calibrating the scoping slightly more finely on the basis of quantitative and qualitative measures.
How are internal controls effectively identified, documented and implemented?

To efficiently determine what control structures should be designed and put in place, we recommend the concept of direct and precise controls at the entity level, overlaying process and business activities. Effective controls at the entity level potentially require fewer controls at the process levels. However, as business is conducted through business processes, these also need to be supported by effective controls at process level to ensure the orderly processing of transactions. With modern business systems there is great potential for automating controls, and preventive measures can be installed at the beginning of transaction processing.

70% of respondents acknowledged that they are already realising or planning to realise synergies by starting to define solid top level management controls as opposed to concentrating on controls at the process level first. 73% of ICS project team leaders stated that when eventually identifying controls on process levels, they would seek to achieve a fine balance between preventive and detective as well as manual and automated controls. However, most agreed they still had quite a long way to go before they had implemented a qualitative and efficient balance of controls.

Depending on the size of company represented, the need for and the benefits of using an ICS Management Tool varied considerably. Beyond a certain company size, however, the advantages of using a tool were not questioned. Dedicated ICS Management Tools have functions for graphically depicting process flows, recording and performing risk assessments, supporting the mapping and documenting of processes, risks and controls and, probably most importantly, supporting consistent (dashboard) reporting on ICS to the Management and Board of Directors. Companies in Switzerland have already realised a number of benefits as a result of using such tools.
Among other things, they have been able to streamline the change management process (processes and controls), manage the remediation of issues and control weaknesses, reduce the redundant holding of data, and facilitate version controlling. Almost 65% of company representatives felt that either no dedicated tool for documenting and managing internal controls was required or stated that they had not planned for the use of such a tool. We propose companies define their own criteria for managing a sustainable system of internal controls and investigate the market to establish whether dedicated tools exist that can meet these requirements.
Why is internal control effectiveness testing important for internal reporting on the ICS?

The following diagram illustrates how the quality and operative effectiveness of internal controls typically deteriorate over time where there is no regular testing of such controls. Conversely, where regular and continuous assessment takes place, the quality of controls is often maintained in the bandwidth defined by the Board of Directors.

While 35% of ICS project leaders stated that they had already tested and/or planned to test internal controls for effectiveness, about one quarter did not know whether they would embark on an internal self-testing programme.

Goal-directed reporting depends on the concrete requirements specified, including the degree of controls maturity to be achieved. Matters of interest to the Management and Boards are typically:
- Risk environment, appetite and coverage
- Quality of enterprise-wide controls (e.g. control environment)
- Effective and efficient controls at the process level:
- Weaknesses and corrective measures that have been identified
- Costs and benefits
- Further need for optimisation.

The vast majority of respondents, 79%, confirmed that internal reporting to Senior Management and the Board of Directors covered areas ranging from the effectiveness, traceability and efficiency of internal controls to the reliability of business processes, controls awareness and integration with risk management.

[Figure: control quality plotted against time. Quality axis: Level 1 Not very reliable, Level 2 Informal, Level 3 Standardised, Level 4 Monitored, Level 5 Optimised. Curves are labelled A, B and C. Legend entries: ICS quality requirement defined by the Board; process with continuous assessment of control quality; sporadic checks (improvement process not integrated); normal deterioration in control quality over time.]
What about the people factor?

Probably the single most important factor for successful ICS projects is people. Manual controls and other monitoring functions are executed day-in, day-out by people. The sustainable and effective operation of internal controls depends on well trained employees who are fully aware of the need for internal controls and are conversant with the goals of their Board and Management in terms of the effective operation of the ICS. Training is paramount in running successful projects, and knowledge sharing and transfer are key to a sustainable system of internal controls.

Only some 25% of respondents stated that they had conducted training on matters relating to ICS and/or had a continuous training programme in place. A concerted effort should be made to transfer knowledge to educate the business about good internal control. Almost 75% of respondents said that internal training was not considered important and/or had not yet been planned. This could stand in the way of cost savings and the delivery of efficiencies going forward. To enable ICS projects to be executed more smoothly and efficiently, we recommend that ICS leaders promote this topic and ensure that it is addressed in a manner appropriate to their organisation.
The way forward

The survey findings reinforce the view that businesses have been taking a project-based approach to compliance. They also highlight tantalising opportunities to add value in the future by reducing the cost of compliance and enhancing finance function efficiency. Companies should be following the lead of best-in-class organisations by standing back and reviewing their financial reporting processes and controls environment with a view to ensuring that the costs and efforts associated with year one are not repeated.

Key areas to focus on are as follows:
- Gradually broadening the scope beyond the financial accounting and reporting functions by assessing business risks in operational processes, increasing process efficiencies and implementing business controls which mitigate those risks and ensure process stability and reliability.
- Removing the burden of unnecessary complexity by reducing the number of key controls, prioritising remediation efforts, eliminating duplication and automating processes and controls.

Enterprises that have embarked on programmes to centralise and standardise processes and controls typically realise the following benefits:
- Improved monitoring of business operations and clear organisation and ownership, roles and responsibilities
- Harmonised and integrated systems, processes and streamlined controls
- Robust controls environment with the focus on prevention and automation
- Improved data quality and data integrity, fewer errors and reduced fraud risk
- Robust and reliable financial reporting, also for decision making
- Trust in financial reporting
- Reduced cost through elimination of redundant and ineffective/inefficient controls
- High degree of assurance that no revenues are lost as a result of ineffective process activities
- Heightened awareness of controls and better co-operation between functions
- Integration with risk management.
- Standardising systems, processes and controls by undertaking a structured programme to support the implementation of a "one process and one set of controls" approach.
- Centralising key processes and controls by evaluating the business case for centralising or outsourcing key back office processes across the organisation to support a homogeneous control environment.
Your contacts at PricewaterhouseCoopers:

Leader Internal Control Services
Rainer van Alphen, Partner, Basel
Tel. 058 792 57 04, E-Mail: rainer.van.alphen@ch.pwc.com

for Banks
Martin Schmidt, Director, Zurich
Tel. 058 792 23 71, E-Mail: martin.w.schmidt@ch.pwc.com

for Industrial Enterprises
Cornelia Ritz Bossicard, Senior Manager, Zurich
Tel. 058 792 22 91, E-Mail: cornelia.ritz@ch.pwc.com
Dominique Perron, Senior Manager, Geneva
Tel. 058 792 94 48, E-Mail: dominique.perron@ch.pwc.com
Matthias Rist, Senior Manager, Basel
Tel. 058 792 58 23, E-Mail: matthias.rist@ch.pwc.com

for Insurances
Alex Hofmann, Manager, Zurich
Tel. 058 792 28 18, E-Mail: alex.hofmann@ch.pwc.com

© 2008 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.
www.pwc.ch/ics