Sisyphus and serendipity
The monumental task of meeting Sarbanes-Oxley will push companies toward truly integrated enterprise systems
By Angie Pantages, contributing editor -- Manufacturing Business Technology, 10/1/2003 12:00:00 AM MDT
A deep sigh of relief emanated from executive offices when the Securities and Exchange Commission (SEC) recently told public companies they had an additional nine months to file the new internal controls reports called for by the 2002 Sarbanes-Oxley Act.
Section 404 of Sarbanes-Oxley demands continuous improvement of all controls that ensure public companies are accurate in their financial reporting and diligent in preventing or detecting events that impact financial performance.
Given the new law, CEOs and CFOs will think twice before fudging the numbers. But the broad scope of the regulation also might profoundly impact information systems used in financial reporting, and perhaps even more significantly, how manufacturers' actually run their operations.
Originally, the information called for in Section 404 was to be available beginning September 15, in the annual reports of companies whose fiscal year ended on or after that date. Given the scope of work, the SEC moved the deadline to June 15, 2004.
"But this is no time to relax," cautions Scott Taub, deputy chief accountant of the SEC, in a recent speech. "The need to document existing internal controls, consider whether other controls should be added, and design and perform tests of controls indicates a lot of time is necessary [if management is] to be in a position to conclude as to the effectiveness of the company's internal controls over financial reporting."
Systems impact
"When all this legislation came out, it was old news for us. Controls have always been important; financial integrity has always been important," says Ted Naughton, vice president and controller with printer maker Zebra Technologies, Vernon Hills, Ill. "We've never had off-balance transactions; we've never played revenue recognition games. And we don't need whistleblower provisions to maintain our ethics or integrity."
Some companies, like Zebra, may be all set (see sidebar, Sarbanes-Oxley is old news), but others may be in a world of hurt when it comes to having the visibility into operations the regulation requires, whether because of too many stand-alone legacy systems, too many ERP or general ledger system instances, or simply just too much reliance on spreadsheets.
"There are two serious disconnects," says Kraig Haberer, director of financial products with enterprise systems vendor SAP. "One is architectural, having to do with integration of core transaction systems."
In June, Boston-based AMR Research, in a report titled Prioritizing IT Investments for Sarbanes-Oxley Compliance, indicated most public companies it surveyed planned IT changes as part of their efforts to comply. Of those, 65 percent planned ERP instance consolidation, with costs estimated as $10 million per $1 billion of company annual revenue.
Less-drastic solutions exist. "The real issue is data consolidation," says Haberer. "We've now made our Business Consolidations product OLAP-based, providing more power to take multiple data structures and merge them into a common financial reporting network."
The second disconnect for many companies, says Haberer, is that "they may not have a performance management system. These companies may have ERP but still lack analytical tools to do planning, reporting, and risk management."
Enterprise performance management is a term coined by AMR to denote the evolution of business applications from a focus on transactions to greater concern with decision support based on analysis of current and historical information. Perhaps serendipitously, "performance management" encapsulates many capabilities integral to Sarbanes-Oxley compliance. These may include establishing key performance metrics; event-based planning, improved visibility, and collaboration in real-time reporting; and business intelligence from financial analytics.
Another kind of enterprise business system that can help companies comply with Sarbanes-Oxley is business process management (BPM), used to model business processes and create workflows across heterogeneous systems.
Mike Malwitz is senior product manager for BPM solutions with Sunnyvale, Calif.-based financial applications vendor Hyperion Solutions. He says the strict accountability set by Section 302 of Sarbanes-Oxley, for example, requires that "I know all my people have signed off. That's called delegated certification. Newer software solutions include an audit trail that allows executives and auditors to see the names and the date/time stamp."
This increasing need to supplement financial numbers with context means another kind of business system, the content management system, also is being drawn into the Sarbanes-Oxley vortex. As a vendor, Hyperion, for example, is working with content management solutions provider Documentum, and its "corporate governance and compliance platform," which includes:
-
repositories for the most current version of relevant policies and procedures; financial disclosure data; and releases, speeches, and conference calls related to public disclosure;
-
dashboards that take performance or financial "snapshots," and report, communicate, and close 10Qs and 10Ks; and
-
digital workplaces for content development.
Out into the supply chain
All this might be child's play compared to the potential impact of Sarbanes-Oxley on how manufacturing operations are conducted.
Says Malwitz, "Each publicly traded company has to disclose on a rapid and current basis additional information concerning material changes in financial condition or—and this is key—in operations."
What is called an 8K report must be filed with the SEC within 48 hours of a "material" event. Right now, says Malwitz, it's required only for previously issued financial statements. "If in the year-end statement you said my revenue is "x," based on some assumptions or reserves that didn't pan out, there's a requirement to disclose that material event through restatement."
Things get hairy if what many people see as a real possibility actually comes to pass. Malwitz says the SEC may eventually require real-time disclosure of material events that affect the future. In other words, he says, "If you are having supply chain problems today that will impact next-quarter results, you'll have to file an 8K to that effect within 48 hours."
Whether this comes to pass or not remains to be seen. There is no doubt, however, that "CFO's in manufacturing are being asked for more detailed information about the physical supply chain: issues with suppliers, vendors holding inventory, and work-in-process," says Malwitz. "So part of the attestation on internal controls will be a solid viewpoint from the CFO regarding controls over the physical supply chain."
Thus, as should be clear by now, Sarbanes-Oxley is having a domino effect, from financials to operations, and even business basics.
"Ineffective supply chain operations not only drive inefficiencies, but also increase the likelihood of financial misstatement," asserts a report by APICS and internal controls consultant Protiviti, Menlo Park, Calif., titled Capitalizing on Sarbanes-Oxley Compliance to Build Supply Chain Advantage.
The report asserts that the law "compels executives to adopt a back-to-basics approach to understanding and prioritizing infrastructure elements according to their material impact on the company's financial statements."
For example, a make-to-stock electronics maker takes a chance, and in a rush to market releases a new product that hadn't been fully tested. Sales and marketing work overtime to promote and sell it. Demand outpaces supply, and quality problems arise. The sales department swaps out the damaged goods and offers price concessions. The returns aren't measured accurately, inventory balances are thus inaccurate, and warranty reserves prove inadequate. In short, "organizational heroics" end up compromising supply chain and financial integrity.
