SOX and ERP
SOX
In the United States, a spate of high-profile corporate failures has shaken investor confidence
and placed corporate fraud and accounting abuses center stage before the public and the
government. The legislative response to these events was the rapid passage of the Sarbanes-
Oxley Act of 2002 (the Act), which transformed the landscape of financial reporting and
corporate responsibility virtually overnight. Its central themes are:
• Transparency of disclosure
• Integrity of operations
• Financial accountability for accurate reporting
The driving purpose of this legislation is to demand corporate responsibility and accountability
from corporations and their executives to all stakeholders in order to re-establish investor
confidence. This legislative initiative is intended to address some of the questionable accounting
practices that have underpinned the recent deluge of corporate scandals.
Bringing organizations into compliance with new demands for corporate governance is having
immediate and long-term effects, not the least of which is the cost of compliance. Numerous
studies have gauged the cost of complying with Sarbanes-Oxley. A recent analysis in CFO
Magazine puts the cost for public corporations in the billions, with first-year cost per company
averaging half a million dollars. These costs reflect both the initial expense of retaining more
legal and accounting personnel to meet the greater demands of the new requirements, and the
ongoing burden of keeping compliance current as changes occur over time.
While the preponderance of Sarbanes-Oxley's provisions address the financial and reporting
practices undertaken by publicly traded concerns, other provisions of the Act address more
general operating concerns such as corporate transparency and employee ethics. These
standards will likely affect private companies as well, both directly and indirectly. Directly, the
implicit threat of heightened sanctions may become explicit for private companies through
government investigation and enforcement. Indirectly, public opinion and changing corporate
culture may dictate that the higher standards set by Sarbanes-Oxley be met voluntarily.
Much of the discussion of Sarbanes-Oxley has centered on its immediate impact on accounting
practices, financial reporting, and corporate governance. However, the impact of the Act goes
to the heart of corporate operations by directly mandating how companies must retain, control,
manage, and utilize their information assets. This process requires a top-down approach,
demanding constant oversight from those executives responsible for compliance. Under the Act,
companies must routinely report on compliance and identify any problems or aberrations found
with their compliance procedures.
Internal Controls
The concept of internal controls is at the heart of Sarbanes-Oxley and has a direct bearing on
information and records management. While this concept is well understood in the public
accounting domain, it is less familiar to those in information and records management. As the
global demand for corporate governance continues to increase, corporate executives must
ensure that their information and records management personnel become thoroughly familiar
with the concept of internal controls, as it:
• Has a direct bearing on records management and reporting within the enterprise
• Provides a link between accounting, corporate governance, and records/information
management.
The SEC's definition of internal controls makes this scope apparent: "The term 'internal control'
over financial reporting is defined as a process designed by, or under the supervision of, the
company's senior executives and effected by the company's board of directors, management,
and other personnel to provide reasonable assurance regarding the reliability of financial
reporting and the preparation of financial statements for external purposes in accordance with
generally accepted accounting principles (GAAP), and includes those policies and procedures
that:
1. Pertain to the maintenance of records that in reasonable detail accurately and fairly
reflect the transactions and dispositions of the assets of the issuer
2. Provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with GAAP, and that receipts and
expenditures of the issuer are being made only in accordance with authorizations of
management and directors of the issuer
3. Provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the issuer's assets that could have a material effect on
the financial statements."
In response to the legislation, manufacturers must ensure that their processes for managing
business records support Sarbanes-Oxley compliance needs. Information and records
management practices must be designed, implemented, enforced, and audited to ensure that
they sustain the organization's need for reliable financial information. They must also give
executives confidence that the information they are certifying, as required by law, is accurate,
truthful, and can be substantiated by the company's business records and record-keeping
processes.
There are four particular Sarbanes-Oxley sections with relevance to ERP application systems
and their associated processes:
In addition, there are accelerated SEC report filing requirements that dictate rapid corporate
consolidation and close processes.
Section 302
Mandates CEO and CFO personal certification of financial statements and filings including:
Section 404
Requires annual filing of an internal control evaluation report, wherein companies are required
to document their existing controls that have a bearing on financial reporting, test them for
effectiveness, and report gaps and deficiencies. This requires the establishment and
maintenance of enterprise internal controls and procedures that conform to an identified
acceptable standard internal control framework for financial reporting (for example, COSO
Framework). The report statement must subsequently be attested to by the company's external
auditor.
Section 409
Mandates real-time disclosure to the public of information on a "rapid and current basis" of
material changes (events) to the firm's financial condition or operations.
Section 906
Mandates CEO and CFO personal certification that the 10-Ks, 10-Qs, and annual reports, as
well as all periodic reports containing financial information, fully comply with Sarbanes-Oxley
and the Securities Exchange Act of 1934 and present an accurate representation of the firm's
financial condition. This section adds criminal penalties for certifying officers.
The scope of this discussion, as it pertains to Sarbanes-Oxley, is for the most part the Act's
relationship to, and its support by, ERP-related software applications. Therefore, the primary
Sarbanes-Oxley component initiatives that will be focused upon surround the following
issues, as derived from the relevant sections above:
Many specific and implied procedural, process, and system requirements lie behind the SOX
sections indicated above; these are explored further in the following discussions.
In parallel, the certification and disclosure compliance process appears to be following a
pattern such as the one below as technology advancements, enhancements and
implementations are rolled out.
Applicable Regions
USA and all associated global operations
Applicable Corporations
Sarbanes-Oxley compliance is required of all companies whose securities are publicly traded on
a regulated market under the jurisdiction of the U.S. Securities and Exchange Commission. It is
anticipated that the requirements will be extended to privately held companies in the near
future, including companies initiating an IPO, companies seeking investment from the private
investment community, and companies seeking bank credit facilities.
Internal Control Over Financial Reporting
Sarbanes-Oxley Section 404 compliance concerning Internal Control over Financial Reporting is
a source of great concern and confusion to many organizations at all business unit levels. What
does Internal Control mean? How is it achieved? Where does internal control over financial
reporting start and where does it end? Here we will look at a perspective on internal control,
particularly as it pertains to ERP-related applications.
The COSO Framework for Internal Control Evaluation diagram depicts a three-dimensional
perspective on the assessment of a corporation's compliance.
The COSO committee is comprised of a cross section of voluntary business leaders. The
participants sought to develop a conceptually sound framework providing integrated principles,
common terminology and practical implementation guidance to support entities' programs to
develop or benchmark their enterprise risk management processes. The objective of the
Framework was to improve the quality of financial reporting through business ethics, effective
internal control, and general corporate governance. The COSO Framework has been recognized
by the SEC as a suitable and acceptable industry standard by which to assess organizations'
Internal Control compliance. Accordingly, the majority of corporations have adopted this
framework as the basis for their compliance with SOX Section 404.
The Framework diagram presented is directly predicated on the COSO developed standard
definition of what "Internal Control" is for the purposes of evaluation:
Acknowledging the generic and broad nature of the stated definition, this particular definition
implies the following:
Internal Control is geared to the achievement of objectives in one or more separate but
overlapping categories.
It should be noted that, whether the COSO framework or an alternative guideline is used, the
actual application of an internal control framework is entirely unique to each corporation with
regard to size, revenue and workforce, industry sector, culture, global extension, and so on. No
two business entities will apply Enterprise Risk Management in the same manner. Capabilities
and needs differ dramatically, and one company's application of the enterprise risk
management framework will often look different from another's.
Technology-Enabled Accountability
Robust internal control over financial public reporting and disclosure involves IT hardware and
software systems which capture, calculate, process, manipulate, post, and store financial and
non-financial data. A host of standard and emerging software applications and tools contribute
to an organization's sound internal control for financial reporting compliance. The challenge is
to select the best mix of solutions among Enterprise Suites and Best-of-Breed applications.
An ERP (or any other) application or system can presumably provide the automated process
controls and tools that enable an enterprise to achieve compliance with reporting and disclosure
regulations. However, an application/system does not make an enterprise compliant, and an
application/system is not "compliant" in and of itself.
There is heated and ongoing debate within the IT, financial and analyst professional
communities as to the role of ERP systems in Sarbanes-Oxley compliance, along with
conflicting published survey results. To many, the Sarbanes-Oxley Act does not appear to have
much to do with ERP systems. However, others believe the Act has everything to do with ERP
systems and the IT groups that run them. ERP systems enable a company to gather and control
all financial information centrally; they are all about recording, reporting, and rolling up all the
financial data. As indicated above, ERP systems work with a landscape of software tools and
applications to provide full technology-driven compliance support.
It has been duly noted that Sarbanes-Oxley, as well as the SEC's implementation of rules
related to the Act, threatens to spread far beyond the finance and accounting organizations and
activities, spilling over into operations reporting as well. It had been thought that the provisions
of Sarbanes-Oxley only concerned corporate finance, independent auditing, and equity research.
However, Sarbanes-Oxley also covers such disparate corporate functions as information
technology, human resources, compensation, environmental compliance, shop floor, and
warehousing. All these areas, and a host of others, directly affect company performance and
the resulting financial reporting.
As in any evaluation of software applications and tools, it makes sense to assess ERP
applications in the context of supporting or satisfying the critical internal control components of
the COSO framework, as this provides a method of assessing their control features and
functions with regard to all processes which affect financial reporting.
Following are some highlights and implications of the individual management activity
components in which an ERP system may play a role.
Control Activities
• Policies and procedures that help ensure management’s risk responses are carried out at
all levels and in all functions in an organization
• Prevention and detection
• Manual, computer, and management
• Typed by specified control objectives, such as ensuring completeness and accuracy of
data
• Include approvals, authorizations, verifications, reconciliations, reviews of operating
performance, security of assets and segregation of duties.
Information and Communication
• Pertinent information is identified, captured and communicated in a form and time frame
that enable people to carry out their responsibilities.
• Managing enterprise risks and making informed decisions relative to objectives.
• Effective communication occurs flowing down, across and up the organization.
• All personnel understand their own role in enterprise risk management and how
individual activities relate to the work of others. They must have a means of
communicating significant information upstream.
Monitoring
Therefore, using the various defined component dimensions of the standard COSO
Framework, as shown above, we can begin to see an outline of ERP-related features and
functions that support a sound Internal Control environment for internal reporting across all
business units of an enterprise:
• System/application security
• Process security
• Information Security—validation, completeness, integrity, authorization
• Communication Security—documents, collaboration
• Process Automation and Maps—enterprise consistent standards
• Process Workflow—authorizations and approvals
• Enterprise Operations Visibility—inventory, credit, performance
• Data error detection, validation, auditing
• Continuous Process/Controls Monitoring—manufacturing, distribution, administration
• Continuous Enterprise Scorecard analysis—KPIs, strategic objectives
• Optimized Close Process—sign-off, consolidation, reconciliation, speed, visibility
• Event / Exception Alerts—initiate remedial action and disclosure
Financial Reporting Internal Control Related — Ensuring the accuracy and reliability of:
Conclusion
The Sarbanes-Oxley Act of 2002 provides excellent and invaluable opportunities for public and
private corporations to make significant improvements to their overall operational performance
and financial results. Thus, the enterprise's overall value to its shareholders will increase as a
result of the corporate governance regulatory compliance initiatives.
Glossary
The following abbreviations are commonly used in Corporate Governance publications:
EC European Commission
EU European Union
Recompiled by:
Ramesh Natarajan, Finance (Systems) Analyst, Dubai