For fiscal years ending on or after November 15, 2004, publicly-held companies with a public float in excess of $75 million (accelerated filers) are required by the Sarbanes-Oxley (SOX) Act to issue an annual report (signed by management and attested to by external auditors) assessing the effectiveness of internal control over financial reporting and stating management's responsibility for establishing and maintaining adequate internal controls. Smaller companies have until July 15 of this year to comply with this portion of the act, known as Section 404. Under Section 409 of the act, all publicly-held companies must also be able to disclose, on a rapid and current basis, material changes in their financial condition or operations.
With initial projects already completed at many manufacturing companies, or reaching a crescendo at others, we thought it an opportune time to provide SOX-compliance advice from leading consultants and corporate managers. (A list of SOX-related resources accompanies this article.)
1) SOX is more than financial disclosure. To fully comply, companies must audit all relevant processes from the plant floor through the back office. "If there's a significant event at an operation -- some kind of disaster that's going to have a prolonged, significant impact on the company -- it's something that the company needs to be able to show it can monitor and control under Sarbanes-Oxley," Jorge Milo, industrial manufacturing leader for PricewaterhouseCoopers, told Managing Automation last year.
2) Know your company culture -- and its appetite for risk. According to BearingPoint, companies are either "avoiders" or "innovators" in their approach to SOX compliance. Avoiders (the majority) seek to minimize exposure by addressing only specific SOX mandates such as Section 404. They do this through targeted remediation and a focus on critical control deficiencies. Innovators, on the other hand, are looking to extend remediation efforts to enable continual process improvement and long-term compliance. They seek to use SOX to drive incremental value for the finance department; in other words, "to rethink processes and metrics to turn the finance function on its head," says BearingPoint's Anita Tilley, managing director and global Sarbanes-Oxley solution lead. "The interesting part of the story going forward, whether you're an innovator or avoider, is that everyone has to figure out how to make the SOX eco-system sustainable over time," she notes. "Brute force used in 2004 is not sustainable; that's why a partnership between IT and finance is invaluable."
3) Closely monitor regulatory activity. For instance, European companies with manufacturing or other physical presences in the U.S. have appealed to the Securities & Exchange Commission for relief. They want to defer Section 404 compliance until calendar 2006. Some companies have also asked for a clearer definition of the "small company" classification. Expect the creation of a special task force and a ruling on this in the next four to six months, says Glen Conway, a vice president at Visage Solutions LLC (Raleigh, NC), an operations and risk management consulting company. Don't expect any major changes, however, BearingPoint's Tilley advises. "Keep moving forward as if there aren't going to be any changes."
4) Build on initial success -- and think broadly. To meet stringent deadlines, many manufacturing companies quickly documented processes from design and engineering through purchasing, production, inventory and distribution management using off-the-shelf tools like Excel and Visio. These tools provided reasonable visibility into business processes and helped to jump-start the documentation exercise, which made initial audits possible. But, in many cases, these were stop-gap efforts.
Companies that bolted on a compliance framework may find that such an approach is inherently inefficient. Going forward, companies need to automate data collection and aggregation so that compliance evidence is produced as a by-product of how they operate, Conway says. "At some point, some good automation tools will emerge to help organizations capture data, test it and help with assessment," PwC's Milo adds. Outside-the-box thinking can also show how SOX compliance can lead to operational improvements down the road. For instance, documenting security and access control for critical information and manufacturing systems led to a reexamination of resource utilization at Pemstar Inc. (Rochester, MN). "Instituting more management controls, like tracking which users are accessing ERP, is a good thing that is not necessarily SOX mandated, but is good to know," points out Christopher Towns, director of IT implementations. Adds BearingPoint's Tilley: "By leveraging SOX, finance organizations have something to use to catch up on things that should have been done for the last 10 years."
5) Have an expert third party conduct an upfront audit. Most companies lack the legal and accounting expertise to know how to tackle SOX compliance initiatives. If you aren't too deep into the process, consider having a third party go through your shop to separate what is necessary from what is merely nice to have before making any major decisions. "If I was to start over, I would get an auditing firm to come in and do an audit up front and find out things that ... we didn't have to do," Pemstar's Towns says. "None of us are in Congress, and not too many of us are lawyers." While SOX compliance work yielded necessary and useful documentation and flow charts that led to the institution of useful controls, the company at times went overboard in making sure it not only met but exceeded SOX requirements. "There wasn't anything we regretted doing, just that we regretted having to do them to get ready for the audit," he recalls.
6) Be flexible -- and be willing to adjust priorities. SOX will affect IT and business process work already under consideration or underway. "If you have five things on your plate, SOX projects will become among the top two or three," Towns says. Manufacturers must rethink how important these projects are compared with SOX -- and then draw a line in the sand. "You need to be totally honest. There are some things you wanted to do and can't, and other things that may never have been approved without having SOX, and here's your chance," he says. To juggle priorities, Towns suggests hiring outside contractors to free up internal resources for mission-critical work. "It may cost more with consultants, but that's life," he says. Tilley suggests applying tools from the COSO framework (The Committee of Sponsoring Organizations of the Treadway Commission) to help assess where your company is materially exposed (see resources page).
7) Realize that regulatory compliance is a never-ending process. Internal knowledge transfer is critical. Once a SOX compliance framework is in place, apply the key project management lessons to the next regulatory endeavor, such as RoHS reporting of hazardous materials. Remember: SOX compliance is all about building a risk-control matrix that covers all material exposure points, BearingPoint's Tilley says. "No one gets everything the first time," she points out. "You must figure out where you are most exposed and put your finger in the dyke." For instance, many companies paid lip service to Section 409's requirement of real-time disclosure while focusing primarily on Section 404. "They need to get the essence of what management needs to look at on a daily, weekly, monthly and yearly basis that will drive out the data needed to have ... forward visibility." Most companies dealt with SOX compliance as a new project. As companies enter the home stretch and move on to year two and beyond, they need to look at ways of making SOX compliance part of their regular operations and not a project off to the side. One thing to consider, PwC's Milo says, is to find ways to push responsibility for testing and updating the documentation out to the business process owners.
8) SOX compliance is no different from any other project. IT people know how to manage projects, but history has shown that they must work closely with business units to succeed. Make sure IT has the CFO's buy-in and that all department heads realize the cross-disciplinary contributions needed to meet SOX compliance successfully. Understand that finance may not have all the tools -- or data -- at its disposal to carry off an exercise of cross-enterprise proportions. "Finance often gets short shrift when companies prioritize IT spend," Tilley states. "It's not sexy, but talk about forward visibility takes a great deal of forward strategic thinking to get there."