SOX and the supply chain

While the popular perception is that Sarbanes-Oxley (SOX) compliance is a necessary burden laden mainly on the shoulders of corporate financial officers, in fact there are distinct supply chain advantages that accompany the compliance process.

"SOX is far reaching and touches every component and function and division and branch within a company," says Les Stone, associate partner, Finance & Performance Management Service Line, with Accenture. As Stone views the controls sought by SOX, he observes, "It isn't anything new. The importance placed on internal controls was always there — both from a corporate standpoint as well as an auditor's perspective."

Some sections in the Sarbanes-Oxley Act of 2002 are quite clear in spelling out what is expected in reporting, how to reach conclusions and what consequences derive for failure to meet requirements. Stone points to Section 302, which deals with CEO and CFO signoffs; and Section 906, with penalties and rules around record retention and board audit committee responsibilities. He characterizes these sections as fairly black-and-white in their approach.

However, Section 404 presents an entirely different face — it requires the filingof an internal control report along with a company's annual report (10-K).

"Many people expected after regulations were postponed three times that the U.S. Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board (nicknamed "Peek-a-Boo") would come out with a definitive set of guidelines," Stone notes. "Many thought they would issue a holy grail , if you will, showing companies how to perform internal control compliance." That didn't happen.

The SEC did not issue what would have been a cookie-cutter approach to evaluating controls as required in Section 404, nor did it provide a checklist. Instead, it asks companies to define their own framework and then to explain that to the SEC. As it turns out, most companies use criteria issued in a 1990s framework by the Committee of Sponsoring Organizations (COSO) in its "Internal Control — Integrated Framework."

"Everyone is going down a path using COSO," says Stone, "but Peek-a-Boo suggests that you don't need to evaluate 100% of your controls, just your critical controls and those that are most likely to cause reporting irregularities. You are going to have different controls in different businesses — computers and banking, for example."

With so many differences from company to company — even within the same manufacturing sector — the process of complying with Section 404 is a factor in gaining a supply chain edge. Section 404 compliance necessitates a great deal of pre-work that has to happen in terms of documentation and evaluation against a framework like COSO.

"If people are only looking at Section 404 to comply with SOX," notes Stone, "they are missing a huge opportunity to gain a competitive advantage."

"Although Section 404 focuses on internal controls over financial reporting, the fundamental approach to achieving compliance has a complementary impact on supply chain infrastructure design, transaction integrity and reporting measures, both in financial and operational nature," states a white paper produced by educational society APICS and risk management consulting firm Protiviti.

To provide a framework for companies seeking to link financial and supply chain data in order to understand their status, APICS/Protiviti suggest that supply chain processes be broken down into seven activities — plan, source, produce, store, transport, sell and return (see Table 1). Then, they suggest companies adopt a four-phase program to achieve a competitive edge based on "well-documented, well-understood and well-controlled supply chain processes" (see Table 2).

Simply stated, in moving to meet the requirements of SOX, companies can turn to data gathering techniques (e.g., activity-based costing) and technology (e.g., enterprise resource planning). With accurate data available and a clear vision for all departments into internal controls, the means to achieve a true supply chain edge are at hand, as is the ability to meet the requirements of SOX.

One of the key aspects of SOX is that it refers to reporting transparency, which is more than just looking at numbers. It's understanding what's behind those numbers. When looking at gross margins, for example, companies need to focus on where there are material, labor, overhead and transportation cost variances. The question then becomes: What are we doing within our supply chain to address those variances?

Stone points out that from a vendor perspective within the supply chain, it's necessary to understand what's happening in the marketplace, i.e., what types of new programs vendors and suppliers are offering, or should be offering.

"I remember when it was common to push suppliers to put material on premises on consignment to be paid for it as it was used," he says. "Today people are looking at fill rates and lead times, and other aspects of the market — whether it's competitive information or understanding a company's markets and its segments. But within the supply chain, those are the things that must be managed."

There is a cautionary note to be heeded in approaching SOX compliance. If a company is not properly utilizing its cash, inventory, receivables and payables and is being "creative" in terms of establishing programs with its customers and suppliers, the company will eventually lose all the value it could have derived from the compliance effort.

As Stone notes, "As companies develop a map telling them where they want to go and execute against that map — as they understand what the key value drivers are and how to manage future value — they become the companies that are going to be better rewarded in the marketplace."

One of the keys, he says, is how a company takes SOX compliance and leverages that to allow it to gain a competitive advantage. "At the end of the day, it's just that simple."

Source: Protiviti/APICS