More and more, enterprises are realizing the importance of adopting a holistic approach to their businesses from top down, and are beginning to harness an emerging strategic software category—governance, risk management, and compliance (GRC). To this end, their attention so far has been greatly focused on ensuring compliance with the US Sarbanes-Oxley Act (SOX). Chief financial officers (CFOs) and chief executive officers (CEOs) of publicly traded companies are now very much aware of the impact SOX has on their firms, as failure to comply with the law's strict standards and policies, even unknowingly, can essentially end the career of any executive, and often in a disgraceful manner. For a discussion on the relationship of SOX to other regulatory laws, see Thou Shalt Comply (and More, or Else).
Although the law included a number of new mandates, two sections have had clear implications for corporate information systems, while some are especially relevant to supply chain management (SCM). Namely, Section 404 (management assessment of internal controls) requires management to assess the effectiveness of its own internal controls and procedures for financial reporting each year. Section 409 (real time disclosure) requires companies to disclose material changes in their financial conditions or operations on a rapid and current basis. Section 404, which requires audit of internal controls, has made executives reexamine and sometimes replace operational systems that are not well integrated with their financial systems.
Section 401a (off-balance-sheet obligations disclosure) is an addition to the Securities Act of 1934. Section 401a requires disclosure of "material off-balance-sheet transactions, arrangements, obligations (including contingent obligations), and other relationships of the issuer [that is, the company itself, an issuer of securities] with other entities or persons" if these arrangements may have a current or future material effect on the firm's financial condition, operations, and so on.
This particularly affects service contracts, such as those typically written with ocean carriers and vendor managed inventory (VMI) arrangements undertaken to hedge risk and move assets off the balance sheet. Increasingly, businesses that adopt VMI practices to reduce current inventory assets may include some form of penalty clause in their contracts for failure to use materials or early cancellation of agreements, and Section 401a clearly requires time-phased listings of these potential obligations. Also, market conditions might change and cause firms to cancel long-term purchase agreements with suppliers, with cancellation penalties or restocking charges as a result. SOX requires enterprises to outline the precise details of these potential charges and penalties. Along similar lines, companies must report and document any early termination or cancellation fees in any lease agreements or letters of intent (which are sometimes used to aid with delivery schedules and manufacturing lead times for critical items).
While Section 401a has limited applicability to some supply chain contracts, Section 404 is broadly relevant to many SCM processes, including outsourcing arrangements. Outsourcing of processes and transactions comes under both Sections 401 and 404, whereby off-balance-sheet agreements with suppliers need to be reported (401) and subjected to effective internal controls (404). SOX is more demanding in this regard than traditional auditing standards. For instance, Section 404 directs the US Securities and Exchange Commission (SEC) to prescribe rules that require annual reports to include an internal control report. This internal control report must contain two elements: 1) it must state management's responsibility for establishing and maintaining controls (including policies, procedures, and processes) for financial reporting, and 2) it must contain an assessment of the effectiveness of these controls and procedures.
If the supply chain is to be truly controlled to the level required by SOX, then there must be a well-structured process that runs across multiple functions, and not merely a series of transactions pretending to be a process. CEOs will thus look to all leaders corporate-wide, including the SCM managers, to take a proactive and collaborative role in corporate governance, since everyone has to realize that passing audits is only one step to the improvement of corporate governance, and that auditors will never understand areas of the supply chain the same way SCM professionals do (and vice versa).
Firms that move aggressively in the direction mandated by Section 404 might even have a chance to improve the management of their supply chains (that is, achieve supply chain excellence), and to gain a competitive advantage on their rivals. This is particularly true given that other disclosure requirements (those instituted in the European Union [EU], for instance) can also support a more efficient and credible, competitive environment for businesses and their supply chains.
Control requires visibility across the process (from ordering components to delivering finished goods and services to customers), and information technology (IT) may be a necessary aid to achieving this total visibility. Yet IT alone is not sufficient to constitute SOX-level control. Meaning, the mere tracking of inventory cannot substitute for efficiency and effectiveness in all SCM activities. For example, with regards to inventory management and inventory write-offs, most enterprises still have the responsibility of controlling inventory and fixed assets. However, SOX implications would now instill the requirement that inventory values are correctly stated, whereby CFOs can no longer "defer" inventory write-downs to avoid write-off losses on quarterly income statements. In other words, SOX demands more accurate and timely accounting to ensure that the material is physically present, its condition is correctly stated, and inventory values are accurately recorded within the accounting system.
As for material transfers and poor inventory accuracy, most enterprises still have the responsibility for material control activities. In the past and all too often, material transfers and inventory transactions would not be processed in a timely manner, thereby creating a true inventory that is "out of kilter" with the expected-on-records situation. SOX, however, states that all movements of inventory or fixed assets must now be recorded in a timely fashion. In other words, all movements will have a definitive financial impact on the company, and the recording of accurate financial information is the foundation of SOX.
Further, an accounts payable (AP) system that does not systematically match purchase orders (POs) and receipts to vendor invoices prior to payment might be vulnerable to fraud, or even to a situation where someone creates fictitious employees or suppliers to then "pay" them, and pocket the money himself or herself. Traditionally, SCM departments within enterprises (for example, engineering departments) have accommodated "internal customers" to "sanitize" so-called "after the fact purchase order" commitments. Under SOX regulations, however, if policies and procedures specifically outline requisitioning and procurement authorities, and if these clearly state that SCM departments are not authorized to issue confirming commitments, then such actions by SCM departments would be an apparent SOX violation. The "charge" would be failure to adhere to internal controls with regards to commitment of company funds and in accordance with company policies and procedures.
All this accentuates the importance of instituting the so-called segregation-of-duties (SOD) for possible conflict-of-interest practices in the procure-to-pay processes, which include receiving, order placement, invoice processing, and establishing vendor (supplier) master data and setups. Section 404 is all about ensuring that companies have adequate approval processes and procedures in place to preempt fraud or theft, as well as making sure what controls and testing are performed to guarantee that these safeguards are working.
Other examples of good SOD practices are to not allow an engineering manager to both select and pay suppliers, because some of these suppliers could, for instance, be family members or best buddies of the manager. Software developers should not perform quality testing on their own applications. Also, an invoicing system that is not integrated with shipping might allow a manager to improperly recognize revenue that has not yet been earned. Many enterprises now also use numerous contemporary tools, such as procurement cards, e-procurement applications, and blanket order releases, to either assist or monitor execution of company expenditures. The aim of SOX is to ensure that businesses institute adequate controls to monitor expenditures and commitments to make certain that company assets are safeguarded and policies are complied with.
An SAS 70 Type II Report may also need to be included within the outsourcing proposal request. For those not familiar with the report, SAS 70 is an auditing standard designed by the American Institute of Certified Public Accountants (AICPA) to enable an independent auditor to evaluate and issue an opinion on a service organization's controls. The service auditor's report contains the auditor's opinion, a description of the controls placed in operation, and a description of the auditor's tests of operating effectiveness (if the report is a Type II).
The audit report can be shared with the service organization's customers (user organizations) and their respective auditors. The service organization is responsible for describing its control objectives and control activities that would be of interest to user organizations and their respective auditors. In other words, the report allows each outsource provider to have a single assessment account, and precludes the need for them to have each client review their processes on an individual basis. It is a mechanism for outsource providers to demonstrate the sufficiency of their controls design and to verify that their controls are operating effectively.
The problem of SOX reporting is particularly acute for firms with multiple operating units and decentralized systems. This is because in recent years, many enterprises have grown both organically and through acquisitions, and thus, accurately reporting on these business units requires a significant number of "manual" accounting processes and adjustments. Such companies will either need to adopt a common financial reporting system, perhaps integrate multiple systems with a financial reporting layer at the corporate level, or implement a performance management solution to provide near real-time analytics (see Financial Reporting, Planning, and Budgeting As Necessary Pieces of EPM).
Also, while the first few years since SOX enactment have been devoted mostly to financial issues, in 2007 and beyond, the law's mandates will likely delve deeper into organizational structures and significantly touch SCM, human resources (HR), and IT departments. Even now, SOX requires disclosure of risks and strategies that will go into effect after such disruptive events as hurricanes, accidents, and threats or actual instances of terror, to mitigate their effects.
Although the law included a number of new mandates, two sections have had clear implications for corporate information systems, while some are especially relevant to supply chain management (SCM). Namely, Section 404 (management assessment of internal controls) requires management to assess the effectiveness of its own internal controls and procedures for financial reporting each year. Section 409 (real time disclosure) requires companies to disclose material changes in their financial conditions or operations on a rapid and current basis. Section 404, which requires audit of internal controls, has made executives reexamine and sometimes replace operational systems that are not well integrated with their financial systems.
Section 401a (off-balance-sheet obligations disclosure) is an addition to the Securities Act of 1934. Section 401a requires disclosure of "material off-balance-sheet transactions, arrangements, obligations (including contingent obligations), and other relationships of the issuer [that is, the company itself, an issuer of securities] with other entities or persons" if these arrangements may have a current or future material effect on the firm's financial condition, operations, and so on.
This particularly affects service contracts, such as those typically written with ocean carriers and vendor managed inventory (VMI) arrangements undertaken to hedge risk and move assets off the balance sheet. Increasingly, businesses that adopt VMI practices to reduce current inventory assets may include some form of penalty clause in their contracts for failure to use materials or early cancellation of agreements, and Section 401a clearly requires time-phased listings of these potential obligations. Also, market conditions might change and cause firms to cancel long-term purchase agreements with suppliers, with cancellation penalties or restocking charges as a result. SOX requires enterprises to outline the precise details of these potential charges and penalties. Along similar lines, companies must report and document any early termination or cancellation fees in any lease agreements or letters of intent (which are sometimes used to aid with delivery schedules and manufacturing lead times for critical items).
While Section 401a has limited applicability to some supply chain contracts, Section 404 is broadly relevant to many SCM processes, including outsourcing arrangements. Outsourcing of processes and transactions comes under both Sections 401 and 404, whereby off-balance-sheet agreements with suppliers need to be reported (401) and subjected to effective internal controls (404). SOX is more demanding in this regard than traditional auditing standards. For instance, Section 404 directs the US Securities and Exchange Commission (SEC) to prescribe rules that require annual reports to include an internal control report. This internal control report must contain two elements: 1) it must state management's responsibility for establishing and maintaining controls (including policies, procedures, and processes) for financial reporting, and 2) it must contain an assessment of the effectiveness of these controls and procedures.
If the supply chain is to be truly controlled to the level required by SOX, then there must be a well-structured process that runs across multiple functions, and not merely a series of transactions pretending to be a process. CEOs will thus look to all leaders corporate-wide, including the SCM managers, to take a proactive and collaborative role in corporate governance, since everyone has to realize that passing audits is only one step to the improvement of corporate governance, and that auditors will never understand areas of the supply chain the same way SCM professionals do (and vice versa).
Firms that move aggressively in the direction mandated by Section 404 might even have a chance to improve the management of their supply chains (that is, achieve supply chain excellence), and to gain a competitive advantage on their rivals. This is particularly true given that other disclosure requirements (those instituted in the European Union [EU], for instance) can also support a more efficient and credible, competitive environment for businesses and their supply chains.
Control requires visibility across the process (from ordering components to delivering finished goods and services to customers), and information technology (IT) may be a necessary aid to achieving this total visibility. Yet IT alone is not sufficient to constitute SOX-level control. Meaning, the mere tracking of inventory cannot substitute for efficiency and effectiveness in all SCM activities. For example, with regards to inventory management and inventory write-offs, most enterprises still have the responsibility of controlling inventory and fixed assets. However, SOX implications would now instill the requirement that inventory values are correctly stated, whereby CFOs can no longer "defer" inventory write-downs to avoid write-off losses on quarterly income statements. In other words, SOX demands more accurate and timely accounting to ensure that the material is physically present, its condition is correctly stated, and inventory values are accurately recorded within the accounting system.
As for material transfers and poor inventory accuracy, most enterprises still have the responsibility for material control activities. In the past and all too often, material transfers and inventory transactions would not be processed in a timely manner, thereby creating a true inventory that is "out of kilter" with the expected-on-records situation. SOX, however, states that all movements of inventory or fixed assets must now be recorded in a timely fashion. In other words, all movements will have a definitive financial impact on the company, and the recording of accurate financial information is the foundation of SOX.
Further, an accounts payable (AP) system that does not systematically match purchase orders (POs) and receipts to vendor invoices prior to payment might be vulnerable to fraud, or even to a situation where someone creates fictitious employees or suppliers to then "pay" them, and pocket the money himself or herself. Traditionally, SCM departments within enterprises (for example, engineering departments) have accommodated "internal customers" to "sanitize" so-called "after the fact purchase order" commitments. Under SOX regulations, however, if policies and procedures specifically outline requisitioning and procurement authorities, and if these clearly state that SCM departments are not authorized to issue confirming commitments, then such actions by SCM departments would be an apparent SOX violation. The "charge" would be failure to adhere to internal controls with regards to commitment of company funds and in accordance with company policies and procedures.
All this accentuates the importance of instituting the so-called segregation-of-duties (SOD) for possible conflict-of-interest practices in the procure-to-pay processes, which include receiving, order placement, invoice processing, and establishing vendor (supplier) master data and setups. Section 404 is all about ensuring that companies have adequate approval processes and procedures in place to preempt fraud or theft, as well as making sure what controls and testing are performed to guarantee that these safeguards are working.
Other examples of good SOD practices are to not allow an engineering manager to both select and pay suppliers, because some of these suppliers could, for instance, be family members or best buddies of the manager. Software developers should not perform quality testing on their own applications. Also, an invoicing system that is not integrated with shipping might allow a manager to improperly recognize revenue that has not yet been earned. Many enterprises now also use numerous contemporary tools, such as procurement cards, e-procurement applications, and blanket order releases, to either assist or monitor execution of company expenditures. The aim of SOX is to ensure that businesses institute adequate controls to monitor expenditures and commitments to make certain that company assets are safeguarded and policies are complied with.
An SAS 70 Type II Report may also need to be included within the outsourcing proposal request. For those not familiar with the report, SAS 70 is an auditing standard designed by the American Institute of Certified Public Accountants (AICPA) to enable an independent auditor to evaluate and issue an opinion on a service organization's controls. The service auditor's report contains the auditor's opinion, a description of the controls placed in operation, and a description of the auditor's tests of operating effectiveness (if the report is a Type II).
The audit report can be shared with the service organization's customers (user organizations) and their respective auditors. The service organization is responsible for describing its control objectives and control activities that would be of interest to user organizations and their respective auditors. In other words, the report allows each outsource provider to have a single assessment account, and precludes the need for them to have each client review their processes on an individual basis. It is a mechanism for outsource providers to demonstrate the sufficiency of their controls design and to verify that their controls are operating effectively.
The problem of SOX reporting is particularly acute for firms with multiple operating units and decentralized systems. This is because in recent years, many enterprises have grown both organically and through acquisitions, and thus, accurately reporting on these business units requires a significant number of "manual" accounting processes and adjustments. Such companies will either need to adopt a common financial reporting system, perhaps integrate multiple systems with a financial reporting layer at the corporate level, or implement a performance management solution to provide near real-time analytics (see Financial Reporting, Planning, and Budgeting As Necessary Pieces of EPM).
Also, while the first few years since SOX enactment have been devoted mostly to financial issues, in 2007 and beyond, the law's mandates will likely delve deeper into organizational structures and significantly touch SCM, human resources (HR), and IT departments. Even now, SOX requires disclosure of risks and strategies that will go into effect after such disruptive events as hurricanes, accidents, and threats or actual instances of terror, to mitigate their effects.
No comments:
Post a Comment