When Congress adopted the Sarbanes-Oxley Act following a rash of corporate accounting scandals—most notably the Enron fiasco—the idea was simple enough: hold senior executives accountable for the accuracy of their corporate financial statements. The law, which over time has become widely known as SOX, requires senior executives at publicly traded companies to sign off on their financial statements. It also mandates that those executives and their auditors evaluate the effectiveness of their financial controls.
What few realized at the outset was that assuring that information was accurate and controls were tight would require them to dive deep into the inner workings of their business, that is, into the depths of their supply chain operations. That includes distribution, inventory, purchasing, international operations and even the operations and financial controls of key outsourcing partners.
Though Sarbanes-Oxley was passed in 2002, supply chain professionals are only now beginning to feel the impact."The reality is that folks inside larger organizations that have contact with the supply chain or distribution seem to be just now getting touched heavily with SOX compliance issues," says Ross Harris, a trained accountant and executive vice president of international freight payment company AIMS Logistics, who spoke about SOX at the Council of Supply Chain Management Professionals' annual conference last fall.
SOX threads run deep
The implications for logistics and supply chain managers extend far beyond just preparing some new reports for senior management. Writing last year in a Council of Supply Chain Management Professionals newsletter, Scott Sykes, principal of supply chain solutions for SAP America, offered this stark assessment of the risks of non-compliance: "SOX compliance is so important that failure to get it right puts our colleagues and our bosses at risk of going to prison."
Sykes added that C-level executives have realized the "inescapability of addressing supply chain visibility and control concerns in the SOX compliance process." The reason is simple enough, he explained: aggregated corporate numbers are only as good as the operational numbers used in their tallying. As a result, many CEOs and CFOs are demanding that the managers responsible for those numbers sign off themselves on the numbers' accuracy and the quality of the financial controls. In theory, that would push responsibility all the way back through the organization to a DC manager overseeing how inbound and outbound shipments are handled on the books.
Bill Steele, a principal with Deloitte Consulting LLP, described the effects of the law at a seminar held during the joint annual meetings of the National Industrial Transportation League, Intermodal Association of North America, and Transportation Intermediaries Association in Anaheim, Calif., last fall. The law affects the entire supply chain, he said. "It requires improving the transparency, accuracy, and timeliness of information, and showing the reliability of information at every step."
In October, the ARC Advisory Group published the results of research it had conducted among executives who attended the Logistics and Supply Chain Forum conference in May. The report, Risky Business: The Growing Importance of Supply Chain Risk Management, noted that Section 404, the section of the law that requires management to evaluate the effectiveness of internal controls, was having a particular impact on supply chain professionals. The ARC publication reported that many of the executives at the forum had noted that auditors were zeroing in on control points—access to internal systems, and how they were used. That potentially will have a direct impact on DC operations, among others. Steve Banker, the ARC researcher who prepared the report, wrote, "In the supply chain area, determining control points leads to questions such as: How is a 'shipment' defined? How robust are your receiving processes and how do they affect accounts payable? Are your bills of lading kept in a locked place?"
No doubt about IT
Any examination of controls and processes will inevitably lead to scrutiny of a company's information systems. Harris confirms that the major focus of auditors looking at supply chain controls is on IT. "They want to know how information is flowing into the general ledger—anything that touches that system: inventory, work in process. If you're using contract manufacturing or outsourcing, when does title pass back and forth?"
As Sykes sees it, the inherent interconnectivity of IT systems virtually assures that nothing will be exempt from the auditors' scrutiny. In his analysis for CSCMP, Sykes wrote that an October 2003 standard proposed by the Public Company Accounting Oversight Board, the industry watchdog set up by Sarbanes-Oxley, had linked the use of information technology with internal financial controls. "In laymen's terms, this accounting board issued a Section 404 'gotcha' for those of us who utilized IT systems to run our businesses," he wrote. "As a result of SOX, public companies now must document and secure all business processes related to financial results ... What this means is that essentially all business processes relate to financial results." (The emphasis is Sykes'.)
Moreover, the focus on controls means that simply having accurate information is not enough. "SOX has changed the game," Steele told the Anaheim audience. "You have to test the entire process with a focus on whether a material error could occur. It is not just about the numbers, but the process."
Operations that historically have had tight internal processes may have little to worry about. "[C]ompanies found the audit process to be less intrusive if they had an Internal Audit department or Quality department with a strong history of risk analysis, process documentation, and control," Banker wrote in the ARC research report.
But what about those who are just now getting around to evaluating their processes? Sykes offers this advice: Focus first on order-to-cash and procure-to-pay processes because they are directly tied to major financial flows—booking revenues and receivables and commitments to pay vendors.
The technologies involved in those processes include just about everything under distribution and logistics' purview. Sykes would include order management, inventory management, logistics execution (including warehousing and transportation), supply chain event management, supply chain collaboration and visibility, international trade management, procurement and contract management systems. And he believes many companies do not have a good understanding of the technology and systems used to monitor, control, and document their processes.
Just sign here
Another section of the Sarbanes-Oxley law that no supply chain manager can ignore is Section 302, which requires corporate officers to verify the accuracy of financial statements. It is this section that has led many companies to implement a process of "cascading signatures," Banker says in the ARC report—processes that reach down to vice presidents, their direct reports and even further.
Harris explains that this is largely driven by executives' desire to cover themselves: "One of the big things in SOX is to get executives to swear that everything they write about the financials is correct. They say they can't monitor everything, that they rely upon their people. So they are pushing down to the next level and the next level, requiring you to certify your area. That way the CFO can point to those."
This has caused some consternation among senior managers and directors, Harris notes. "As these sub-certification programs roll out, everyone is getting a little antsy," he observes, most likely because they suspect there are weak points in their systems. "A good director of distribution already is going to know in his gut where there are control weaknesses," he says. "I give the example of returns. Very few people have good control of returns. They don't have the time and resources."
But it's no longer safe to let those weaknesses go unaddressed. SOX brings new pressure to bear on managers to let senior management know about any such issues, says Harris. "If you know you have a weakness," he warns, "you'd better come clean."
Similarly, distribution and logistics executives should be prepared to alert management to anything that threatens to snarl the supply chain. Another section of the law, Section 409, mandates that companies be able to identify significant events that could have a material effect on financial results—and then report that publicly within three days. Steele says events like port shutdowns or weather issues that affect shipping could well fall under that requirement.
Not public? It may not matter
Next on the agenda: a greater focus on third parties and international issues. Steele says, "In year one, it did not hit outsourced operations or foreign operations as hard as it could have. I expect a lot more of that beginning this year."
Because so many companies outsource many of their operations, the issue of third parties' financial controls is assuming greater importance. A particular area of emerging concern is what responsibilities businesses have to ensure that their third-party service providers have financial reporting controls in place to ensure the accuracy and reliability of numbers they provide, which roll up into those aggregated corporate numbers.
As Harris explains it, the law's intent here is clear: to prevent companies from wiggling out of the responsibility to ensure accuracy. "First and foremost, auditors want to make sure a company is not trying to subvert internal controls by outsourcing the function," he says. "You cannot say that it is not your responsibility. If you use [a third party], you have to understand the internal control structure of the outsourcer and know that it is working effectively."
As a result, even privately held third parties may find themselves drawn into the SOX compliance frenzy—particularly if their customers are publicly traded companies. Though the law may not demand compliance—Sarbanes-Oxley technically applies only to public companies—their customers may well demand SOX-compliant controls.
Many businesses ask their third-party partners to provide a form called an SAS (Statement of Auditing Standards) 70, Type II, which is essentially an auditor's report on the controls the company has in place and the effectiveness of those controls. "Many companies have approached this with a check-the-box mentality," Harris says. "That is nowhere near sufficient. If the company is doing a significant job, then you need to understand its control structure." For instance, he says, an SAS 70 may not address security practices, but that may be a crucial issue if the company is handling high-value goods.
Harris admits that it's not clear when an SAS 70, Type II might be required. That determination, he says, hinges on what constitutes a "significant" contribution by the outsourcing partner to the customer's financials. "It is not an objective standard," he says.
Then there's international business, and the complications global issues can produce. Suzanne Richer, executive director of Customs & Trade Solutions Inc. in New Jersey, a firm that helps customers with international documentation, offers this example. She says that documentation issues that can cause headaches with Customs could also come back to haunt people responsible for SOX compliance. "Sometimes, in the rush to get the freight out, the shipping document and the billing document don't match," she says. Whenever documents from different parts of the same transaction fail to match up, companies can face fines by Customs. And that sort of error could create SOX issues as well. "One of the core issues is when the exporter or importer generates documents from a system that is stand-alone," she says. "The program does not feed into the general systems. If there is a disconnect, you may not find it in the SOX review, but it could be picked up in a Customs audit."
Is it all worth it?
Have the shareholder protections promised by Sarbanes-Oxley been worth the pain and disruption? Executives who participated in the ARC study had mixed feelings. Some felt the law was too big a burden for too little benefit. Others complained that compliance efforts had diverted resources away from other business needs.
But a number also report that they have seen benefits. They cite better communication through the company about potential risks, increased recognition by senior management of supply chain issues, and better documentation of supply chain processes—not to mention the opportunity to have an outside auditor provide an objective evaluation of their processes.
And while some may gripe that SOX compliance has siphoned off money that might otherwise go toward new equipment or systems, others report the opposite. SOX, they say, actually helped them get approval to invest in new systems, as long as they contributed to compliance.
Plus, they say, fears of running afoul of SOX have prompted companies to halt practices like "stuffing the channel" near the end of a financial reporting period. In order to boost revenue numbers at the end of a fiscal quarter, Harris explains, "It was the practice in certain industries ... to load trailers and cite those goods as sales." But now, that kind of padding would be a clear violation of SOX. Most companies have ended that and similar practices, he says. "[B]ut ... if that's still being done, it's only a matter of time."
Harris says that some supply chain managers "have made lemonade from lemons. They know before they have a SOX compliance role where weaknesses are—and they are finally getting the resources to fix those things."
Gartner, Inc.
