Sarbanes-Oxley: Is It Good for Your Supply Chain?
By Mark Barratt, Matthew Savidge, and Ruth Barratt -- Supply Chain Management Review, 11/1/2006
The Sarbanes-Oxley Act (SOX), enacted July 30, 2002 and now administered by the Securities and Exchange Commission (SEC), is the most sweeping securities legislation in recent history. The act was introduced to close the gap between ownership (by shareholders) of publicly listed companies and control of such companies (by boards of directors and executive management teams) as well as to restore investor confidence following the widely publicized Enron, WorldCom, and Tyco cases.
Since its enactment, SOX has elicited a mixed response from the business community, suggesting that while the act's intention is well-meant, the practical realities of compliance are causing a great deal of pain. With these concerns comes the question of whether SOX, in its current form and interpretation, actually benefits the publicly held corporations that must comply with its provisions.
Compliance can be expensive. The SEC estimated the original cost of compliance to be $90,000 per filing a year. However, companies are reporting that the actual cost of compliance is now in the region of $1 million for every $1 billion in company revenue. And these are external costs alone! In fact, a study commissioned by the Big 4 accounting firms and performed by CRA International in the spring of 2006 found that the total cost (internal costs, external costs, and audit fees) is in excess of $8.5 million for larger public corporations.
Early on, most of the attention centered on the financial and accounting requirements of SOX. More recently, the focus has turned toward the related supply chain issues—and in particular the impact of Sections 401 and 404. These provisions of the act require publicly held corporations to disclose and document their business processes and evaluate internal controls related to financial reporting. They place a significant onus on a corporation's day-to-day supply chain operations, both at a broad and a very tactical level. Yet at the same time, these provisions afford supply chain executives an opportunity to take a proactive role in their company's corporate governance activities. Put another way, these managers have a chance to turn a compliance chore into a value-added activity for the business.
This article reviews the main elements and implications of SOX for publicly held corporations in terms of their day-to-day operations and supply management activities. We then discuss what is required to comply with the act, offering a series of practical steps as guidance. We end by suggesting a number of areas in which the SOX compliance process may actually benefit a corporation by improving the performance of its day-to-day operations and supply chain activities.
A Supply Chain Take on SOX
From a supply chain perspective, companies need to be aware of these sections of the act:
• Sections 301, 409, and 906, which are all primarily intended to restore investor confidence.
• Sections 401, 302, and 404, which relate to the disclosure and documentation of internal controls and business processes.
This article focuses in particular on Sections 401 and 404 as well as on the “real-time” disclosure elements of Section 409 as discussed below. (The accompanying sidebar gives more information on these six sections of the act.) We begin by reviewing the requirements to record off-balance sheet transactions; the documentation of business processes and internal controls; and the need to report material changes. This is followed by an examination of those aspects of day-to-day supply chain processes that are affected by SOX.
Recording Off-Balance Sheet Transactions
SOX requires corporations to have transparency in their financial reports. Any deals and agreements must be visible; moreover, any deals and agreements that call for a financial obligation must be disclosed and accounted for. For more on the specifics of this requirement, see the full explanation of Section 401 (j), Off-Balance Sheet Transactions, in the accompanying sidebar. In that definition, the “issuer” refers to your organization, while the “unconsolidated entities or other persons” refers to your organization's suppliers, service providers, or customers.
From a supply chain perspective such off-balance sheet transactions include guarantee contracts and retained or contingent interests in assets transferred to an unconsolidated entity. These include long-term volume purchase contracts for goods, services, or manufacturing capacity but exclude short-term contracts. Note, however, that service contracts with ocean carriers are guarantee contracts and, therefore, are included regardless of the time frame. Characteristics of such service contracts are that they are legally enforceable, of short duration (usually one year or less), and are “take-or-pay” based on fixed commitments for volume. They also contain penalties for any failure to meet the commitment.
Section 401 (j)'s requirements also affect vendor-managed inventory (VMI) or similar arrangements where there is a retained or contingent interest in terms of ownership or payment. Such arrangements are commonplace in supply chains as corporations look to hedge risk by getting suppliers to manage their inventory. The corporation pays for such inventory only when it is sold at their retail outlets, thereby placing assets off the balance sheet. Under SOX, organizations must report any such unused inventory from a VMI arrangement. Supply chain managers must be certain to inform the accounting and reporting staff of these agreement details so that they can be properly evaluated in light of reporting requirements.
Documentation of Business Processes and Internal Controls
Section 404 has probably received the most attention from the business media. This section requires publicly listed corporations to document their business processes and the internal controls that ensure the accuracy of financial information generated from these processes. Many early filers have struggled with exactly how to document this information. SOX requires only that the processes and controls that have an impact on financial reporting be documented and assessed. But whether or not a process “has an impact on” financial reporting can be—and is—interpreted differently by each company. It's also interpreted differently by the company's external auditors, who must render an opinion of their client's internal controls.
A typical question with regard to this requirement is, “Does a company need to assess the processes at their third-party logistics provider (3PL), or does it just need to assess the process in place to record invoices from their logistics provider?” Management is responsible for making this determination. In practice, however, the company's external auditors also have to concur with the decision.
Reporting Material Changes
Supply chain managers must be aware of the effects of Sections 409 and 302 on their outsourcing activities. The outsourcing of goods and services is a fundamental make-or-buy procurement decision. Supply chain organizations are held responsible for ensuring that those decisions are sound, that vendor relationships are stable, and that all contracts are executed as agreed.
If the provider of the outsourced service experiences a supply disruption, the corporation must identify and mitigate the related risk of disruption not only for themselves but also for their suppliers and service providers. Consider the impact of the shutdown of the West Coast ports in 2002, an event that seriously disrupted inventory replenishment and flows across the country. This led to lost revenues for many organizations because product arrived at the stores too late in the selling season. A similar situation could unfold in the event of a terrorist attack that disrupts supply chain channels. SOX requires organizations to consider the impact of a supply chain disruption on their inventory management programs and develop contingency plans and processes (and controls) to mitigate the risks. Although the act does not mandate specific controls for preventing or detecting supply disruptions, it does require that mechanisms be in place to identify and disclose such disruptions.
Some experts have suggested that supply chain managers and their corporate executives (CEO and CFO) should proactively collaborate to implement a corporate governance scheme. The belief is that this would help ensure that the corporation's supply chain organizations are SOX compliant. This makes sense on several levels. As written in Section 302 of the act, CEOs and CFOs need to certify all financial statements. Yet more and more corporate executives are requiring their supply chain executives and managers to attest to the fact that their processes are SOX compliant. This practice is known as “cascading certification.” Under this approach, CEOs and CFOs, prior to signing the financial statements, ask their direct reports to sign a certification of compliance. These executives, in turn, ask their direct reports to sign a similar certification, and so on.
Day-to-Day Supply Chain Activities Affected by SOX
An interesting paradox has developed around SOX with regard to the supply chain. While the act's requirements have implications for many supply chain activities, the act itself does not tell corporations exactly how to comply with the requirements. To illustrate, SOX does not determine, or clearly define, what is a “material event” or “action” or “material change” that will have an effect on the organization. Instead, it leaves those definitions up to the individual corporation. In fact, the SEC has recognized that this lack of clear definition or guidance has created challenges for companies and has issued a request for public comment on second-year SOX experiences. Specifically, the agency has asked if further direction on this matter would be helpful. This raises the question of how SOX affects supply chain executives and managers and their daily activities.
We have identified a number of supply chain areas in which these impacts will be felt. They can be broadly categorized as supply chain processes, outsourcing and procurement, and inventory management including logistics. (See also Exhibit 1.)
Supply Chain Processes
Compliance with the SOX requirements implies the need for supply chain process visibility that spans the length of the supply chain, incorporating suppliers, service providers, and customers. Further, all those involved with the products and services passing through the supply chain should have that visibility. The supply chain leaders in the organization should be the champions of such process visibility.
Achieving real visibility into supply chain processes, however, can be a tough task. In many cases, what appears to be a single process may, in reality, be a series of smaller independent processes among your organization and your suppliers and customers. When this is the case, process synchronization becomes very difficult. Without tight synchronization, the internal controls for such processes are likely to be deficient from a SOX perspective. Note that the mandate to comply with SOX does not prevent companies from tailoring processes to support their customer's individual needs. But it does require them to develop appropriate controls for each of these customer-specific processes.
Visibility is critical if companies are to manage these complex supply chain processes within the SOX framework. So in this sense, the act gives technology providers a perfect opening to promote their supply chain visibility software. But achieving true visibility means more than simply buying a solution. It also requires having the right processes and controls. Once the company has these in place, technology can then help them manage and maintain visibility—while providing some economies of scale. In short, supply chain visibility is more than just knowing what is stocked at the warehouses and distribution centers. It also means knowing what is happening across the entire supply chain—from procurement of raw materials to delivery of products to final customers—and having the capability to track the location of all inventories and assets across it.
Outsourcing and Procurement
As the scope and scale of outsourcing expands, Sections 401 and 404 of the act assume additional relevance. Section 401 requires the organization to identify, define, and report off-balance-sheet agreements and transactions. Section 404 calls for adequate internal controls and safeguards by the provider of the outsourced services. SOX is much more stringent on outsourced service providers regarding their internal controls than the Statement of Auditing Standards No. 70 (SAS70) reviews, which have not historically focused on financial reporting internal controls. (SAS70 is an internationally recognized auditing standard of a company's control activities.) Since the enactment of SOX, companies are having SAS70 reviews performed specifically to provide comfort to their customers regarding financial reporting controls (as per Section 404 of the act).
The effort required to ensure that outside providers have adequate internal controls will vary by provider. Some of the larger 3PLs, for example, are well known to already have strong internal controls in place. So controls verification may not be a major issue when dealing with them. Further, the issuance of a clean SAS70 report related to Section 404 controls is a good indicator that the provider has solid controls in place. In all cases, however, companies need to consider the cost of assessing the controls at a service provider. So if a key vendor has not performed a SAS70 review or does not plan to do so, the customer company would incur additional costs by having their own personnel assess such controls at that vendor.
SOX has a significant impact on the company's procurement function as well. A key aim of Section 404 is to ensure controls over the authorization of transactions. Thus, purchase-order approvals become critical. Receiving cut-off is another critical issue. Receiving cut-off sets the time parameters by which goods are considered to be received within the enterprise or are in transit. Traditionally, if the auditors noted a discrepancy in receiving cut-off, they would propose an adjustment, which was then booked by the company's accountants. Now, should the auditors find a significant discrepancy, they will likely consider it an internal controls deficiency. Therefore, companies need to have appropriate mechanisms and visibility in place to ensure that in-transit items and received items are tracked and identified and that these items are properly accounted for based on the agreed-upon shipping terms.
Inventory Management
For most companies that produce a product, inventory is a major financial statement line item. It also drives the revenue line item and the cost-of-sales account. Not surprisingly then, inventory gets a lot of attention in most companies' Section 404 compliance efforts. Some of the issues to be addressed include authorization for inventory movements and releases and controls to protect inventory (including physical storage controls and security to prevent theft). Ownership of inventory is another issue that merits close attention. Accounting needs to know if the organization owns the inventory, which means it can be recorded as an asset. Similarly, accounting needs to know when inventory ownership is transferred so it can be recorded either as a gain or revenue. The timing of these transactions is critical to cut-off—for example, was the sale to be recorded in 2005 or 2006?
Inventory on consignment also must be adequately controlled. The company must ensure not only that the inventory is where the consignee says it is but also that the consignee has adequate controls in place for this inventory. Inventory reserves need to be closely monitored, too. This means making sure that reporting of excess and obsolete inventory is accurate and that this information gets to accounting. Controls in all of these areas should be strong, further reinforcing the need for both supply management people and company accountants to have enhanced visibility. To illustrate this point, a purchasing manager knowing the exact status of all incoming inventory is not enough. The accountants also need this information so that they can post the proper accruals.
Steps to Become SOX Compliant
Supply chain leaders and managers charged with compliance responsibilities need to identify areas of inherent financial-reporting risk within their business processes as well as opportunities for fraud. Risk areas include anything that could go wrong that would prevent the company from making certain assertions in their financial statements. This can sometimes get tricky as many supply chain managers are not intimately familiar with financial statements and financial-statement assertions. At the same time, accountants who are versed in financial assertions are not supply chain experts. The message here is that supply chain and accounting professionals within the organization need to work closely and collaboratively to identify areas of risk, poor internal controls, and any other weaknesses that could subvert compliance.
The following steps, depicted in Exhibit 2, summarize what a company needs to do to become SOX compliant:
- Establish a project team. The team should include process owners (financial controllers, plant managers, managers responsible for inventory management, and so forth). It is important that the team be multidisciplinary so that all of the potential knowledge gaps are filled.
- Identify relevant processes within the organization. Simple questions need to be addressed, such as: Which processes need to be documented and assessed? How deep into the processes do you go? To answer these kinds of questions, you need to determine which processes drive transactions in each financial-statement account. If the process drives large dollar amounts or drives large volumes of transactions, the process is generally included within the scope of Section 404.
- Document relevant processes. This involves the development of process maps and narratives, supported by risk and control matrices for the analysis and management of commonly related processes and procedures. These activities can often result in two or three unique sets of documentation being developed around the same process.
- Test and assess the effectiveness of controls. This step represents a significant annual investment in time and cost. However, such assessments help ensure that the controls continue to operate as designed, giving management assurance that things are working correctly. Overall, this step validates the accuracy of much reporting, including inventory reporting.
- Assess internal controls at business partners/third-party providers. To fully evaluate their overall control environment, companies need to carefully assess the controls in place at their external partners. A deficiency at a third-party logistics firm, for example, could automatically mean a deficiency for the company.
Taking the necessary steps to create an effective SOX compliance program takes considerable time and effort. Is it worth all of it? Well, in addition to bringing the organization in compliance with the law, there are many supply chain-related benefits flowing from a comprehensive SOX program. Unfortunately, these have been downplayed, understated, or simply overlooked by critics of the act. For the most part, these benefits are longer-term in nature and can be difficult to measure. But, as we discuss below, they definitely do exist.
The level of the benefits obtained will, of course, depend on the effectiveness of the compliance efforts and the efficiency of the related processes. Those organizations that seek minimal compliance may be disappointed with the benefits derived. On the other hand, those that are very proactive and review all of their business processes together with all their operational and financial controls are likely to realize the greatest gain. Here's a recounting of some of the more significant benefits from effective SOX compliance:
• Supply chains are susceptible to risk of disruption from an ever-increasing list of sources. However, the SOX compliance process may lessen the likelihood of being hit with an unforeseen risk. The reason: The process encourages companies to consider such risks, which makes it more likely they will develop appropriate mitigation or contingency plans.
• Internal process visibility will lead to better decision making in terms of organizational optimization. Too many organizations have “pockets of darkness” that reduce the ability to optimize performance or support rapid response to changes in customer demand and the external operating environment. In addition to shining light on these “pockets,” internal visibility will reduce internal variability and increase certainty across the organization. Better visibility also helps senior management understand how their processes actually work. With this enhanced visibility, they can identify process redundancies and inefficiencies that, in turn, will point to cost-savings opportunities. Internal visibility also will help improve inventory accuracy as we discuss more fully below.
• By focusing more clearly on the business processes and internal controls of supply chain partners through enhanced external visibility, organizations will realize at least three major advantages: (1) better decision making in terms of supply chain optimization, (2) improved levels of external certainty, and (3) reduced external variability. In addition, well-controlled raw material and component suppliers should have fewer delivery errors, more accurate invoices, fewer invoice disputes, and fewer disruptions in their own processes—all of which adds to higher levels of service. Such a focus on the internal controls of supply chain partners, suppliers, and third-party service providers should result ultimately in a smoother flow of products across the supply chain.
• SOX will lead to improved inventory accuracy in terms of how much inventory is being held. And this, in turn, will facilitate better utilization of decision-support tools to forecast demand, plan production assortment, and replenish demand. As companies review their business processes, they may discover shortcomings with current inventory-related processes. Improved inventory accuracy is likely to lead to fewer stockouts and thereby improve customer service and potentially grow product revenues. Another benefit is that more accurate data can be shared with suppliers, leading to potentially improved supplier performance. This is particularly important in a supply chain environment that is becoming increasingly complex thanks to factors like outsourcing and globalization.
• Involving internal control experts in all aspects of the business and decision making typically also means that stronger controls will be built into any new processes. The result will be better processes and fewer problems in execution down the road. Although these benefits are difficult to measure, they are manifested in management needing to spend less time fixing problems and being able to spend more time on strategy development and execution.
• In a post-SOX world, enterprise resource planning (ERP) implementations now devote a significant amount of time to ensuring that adequate controls are incorporated in the system design. The need to document processes and their related internal controls should result in more accurate reporting from ERP systems in the future—and less “firefighting” to fix system controls.
So, is the Sarbanes-Oxley Act good for supply chains? To the extent that it gets organizations to focus on the question, “Have we got the right processes, and are they as effective as they could be?” it will be highly beneficial. Ensuring that the right processes are in place, together with the appropriate internal controls, is really nothing more than good business practice. Leading companies such as Dell and Johnson & Johnson already recognize that full process visibility, coupled with effective operational and financial controls, is key to their ability to meet demand in the most efficient and effective manner.
SOX also forces companies to confront an issue that has been overlooked for too long now—inventory accuracy. Small errors have a way of growing into bigger problems, impacting product availability, forecasting, and supply chain planning. A strong compliance program can help companies nip that problem in the bud.
The corporate financial scandals that created SOX and similar scandals outside of the United States eroded investor confidence and exacted a heavy toll on the economy. The conduct of business has changed. Supply chain executives have an opportunity now to assess their operations and make needed enhancements. All of this can be done under the umbrella of SOX compliance. Companies that are not subject to Sarbanes-Oxley should note that publicly held competitors will be making process and controls improvements—and should follow suit to stay competitive.
So back to the question of whether Sarbanes-Oxley is good for the supply chain. The answer is yes because the act of compliance, if properly executed, can help foster cross-functional coordination, more effective inventory management, and process improvement across the supply chain.
Author Information
Mark Barratt is an Assistant Professor of Supply Chain Management at Arizona State University. Matthew Savidge is the Senior Director of Internal Audit for COMSYS Information Technology Partners, Inc. Ruth Barratt is a Faculty Associate at W.P. Carey School of Business, Arizona State University.
























