You probably know that the Sarbanes-Oxley Act (SOA)
of 2002 will have a significant impact on the accounting
and reporting processes of companies listed on US
stock exchanges. You have probably started bringing
your company into compliance. The question is: Are
you approaching your SOA compliance initiative with
the right assumptions?
Some companies have begun their
SOA compliance projects with too limited a scope
and a presumption that many of their key processes
are SOA-ready. While the Act’s focus is on
financial statements and practices, meeting
its requirements demands that you look beyond your
financial processes into the operational side of
your business. This article presents an overview
of the four key areas where your compliance efforts
will be concentrated: internal controls, timeliness
of reporting, financial transparency, and authorizations.
Section 404 of the Act requires companies to provide an “internal
control report” that not only assesses the company’s control
structure and procedures, but also contains a statement of management’s
responsibility for the integrity of those controls. This means that companies
must first document their controls and then verify that they are not subject
to error or manipulation.
Controls need to be in place across your
business. For instance, you need to be able to show that the data for
an order placed into your SAP R/3 Sales and Distribution (SD) module remains
consistent as it moves to the SAP Financial (FI) module and then on into
SAP Business Information Warehouse (BW). The more complicated your system
landscape, the more complicated it will be to implement controls.
Let’s take an example. A global
company has grown significantly over the last few years through acquisition.
It has several divisions and dozens of sites, most of which are running
their own SAP R/3 system, but not all are on the same release. For a worst-case
scenario, assume that this company has not yet forced its divisions to
standardize their key business processes. Without consolidation of these
systems and processes, this global company will have to implement controls
for each site and then figure out how to reconcile all this data in a
manner that satisfies the SOA requirements.
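The consistency check described above (an order's data staying the same as it moves from SD to FI and on into BW) is, in control terms, a reconciliation at every hand-off. The following is an added example, not code from the article or from SAP: it compares constructed snapshots of the same documents at each hop and reports every break, together with control totals an auditor can tie out. The record layout, field names, and the three data sets are assumptions made for the example, not SAP's real table structures.

```python
"""Reconciliation control for a multi-hop data flow (added example).

Checks that the amounts on constructed SD order records still match after
they have been posted to FI and loaded into BW, and reports every break.
"""
from decimal import Decimal

# Constructed snapshots of the same business data at each hop.  In a real
# landscape these would be extracts from the three systems; here they are
# inline so the control can run offline.  Field names are assumptions.
SD_ORDERS = [
    {"doc": "4500001", "net_value": Decimal("1200.00")},
    {"doc": "4500002", "net_value": Decimal("850.50")},
    {"doc": "4500003", "net_value": Decimal("99.99")},
]
FI_DOCS = [
    {"doc": "4500001", "net_value": Decimal("1200.00")},
    {"doc": "4500002", "net_value": Decimal("805.50")},  # digits transposed on a manual hand-off
    {"doc": "4500003", "net_value": Decimal("99.99")},
]
BW_ROWS = [
    {"doc": "4500001", "net_value": Decimal("1200.00")},
    {"doc": "4500002", "net_value": Decimal("805.50")},
    # 4500003 never arrived in BW (e.g. dropped by a filter in a transfer rule)
]


def index_by(records, key):
    """Index records by a key; a duplicate key is itself a control break."""
    idx = {}
    for rec in records:
        if rec[key] in idx:
            raise ValueError(f"duplicate key {rec[key]!r}")
        idx[rec[key]] = rec
    return idx


def reconcile(source, target, key="doc", field="net_value", hop=""):
    """Return a list of breaks between one hop and the next; empty means in balance."""
    src, tgt = index_by(source, key), index_by(target, key)
    breaks = []
    for k in sorted(src.keys() | tgt.keys()):
        if k not in tgt:
            breaks.append({"hop": hop, "doc": k, "issue": "missing_in_target"})
        elif k not in src:
            breaks.append({"hop": hop, "doc": k, "issue": "unexpected_in_target"})
        elif src[k][field] != tgt[k][field]:
            breaks.append({"hop": hop, "doc": k, "issue": "value_mismatch",
                           "source": src[k][field], "target": tgt[k][field]})
    return breaks


def control_totals(records, field="net_value"):
    """Record count and amount total, the figures an auditor ties out between systems."""
    return (len(records), sum((r[field] for r in records), Decimal("0")))


def reconcile_pipeline():
    """Run the control over every hop; return all breaks plus per-system control totals."""
    breaks = (reconcile(SD_ORDERS, FI_DOCS, hop="SD->FI")
              + reconcile(FI_DOCS, BW_ROWS, hop="FI->BW"))
    totals = {"SD": control_totals(SD_ORDERS),
              "FI": control_totals(FI_DOCS),
              "BW": control_totals(BW_ROWS)}
    return breaks, totals


if __name__ == "__main__":
    found, totals = reconcile_pipeline()
    for name, (count, total) in totals.items():
        print(f"{name}: {count} docs, total {total}")
    for b in found:
        print(b)
```

Run against the constructed data, the control isolates the two breaks to the hop where they occurred (a changed amount between SD and FI, a missing document between FI and BW), which is exactly what the auditor wants to see documented: not only that the final figure is off, but at which hand-off it went off.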
Just because your core financial reports have
served you well over the years, it doesn’t mean that you can
adequately document and verify their integrity to SOA standards or
produce them as quickly as the SOA demands. In fact, you might find
that some of your reports aren’t even accurate.
The trick to instituting SOA-compliant
controls is to automate the processes within your systems wherever possible.
Any manual handling of the data leaves that data open to change, whether
deliberate or accidental. The more manual handoffs of data, the more likely
it is you will raise a red flag with an auditor. Using flat files to transfer
data from one system to another (say, loading BW using an Excel spreadsheet)
would also be considered a questionable practice. Any custom code such
as a user exit, Business Add-in (BAdI), or update or transfer rule must
be documented to show that it does not alter data and undermine its integrity.
Likewise, you must be able to document where enhanced Business Content
or a custom Z-table gets its data.
What kinds of controls will satisfy the
SOA requirements? The US Congress has yet to define them. In the meantime,
most businesses are using standards set forth by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO). The document “COSO
Enterprise Risk Management Framework” is available at www.coso.org.
Any material changes in a company’s financial condition or operations
must be reported “on a rapid and current basis,” according
to Section 409 of the Act. No specific timeframes are given, but the US
Securities and Exchange Commission (SEC) has proposed rule changes for
financial reporting in response to the SOA (see www.sec.gov/rules/proposed/33-8106.htm).
This would require certain companies to file Form 10-K
and Form 10-Q more quickly, and all companies must file the 8-K form within
two business days following a “trigger event.” The SEC proposal
goes on to add new trigger events, including completion of an acquisition
or disposition of assets; a direct or contingent financial obligation
that is material to the company, such as a default; or exit activities,
including material write-offs and restructuring charges.
Trigger events often originate on the
operations side — a significant change in a minimum quantity guarantee
to a vendor or a large customer purchase order might require filing an
8-K form. It may be important, then, that your SAP system can capture
these events in time to produce the needed reports.
Companies might face several barriers
to preparing these reports within the SEC’s timeframes. Weak integration
with legacy systems might make it hard to reduce the time needed to produce
the reports. You also make it harder on yourself if you must gather data
from many different instances of SAP systems, each on a different release.
As you approach your compliance activities, ask yourself if consolidation
of instances will help produce reports faster, or make it easier to implement
internal controls and achieve financial transparency. According to a survey
conducted in May 2003 by CIO magazine and AMR Research, 65% of Fortune
1000 business and IT managers are considering consolidation of their ERP
instances in response to the SOA.
The intent of the SOA is to create a higher
standard for financial accounting and reporting in the wake of a series
of high-profile corporate scandals. The Act applies not only to publicly
traded US-based companies, but also to US subsidiaries of companies
outside the United States.
Business Solution Architects Group
Call Upon This SAP Group of Trusted Advisors to Accelerate
Your Compliance Activities
SAP offers businesses worldwide strategic consulting services
in corporate governance and other key challenges now facing CFOs.
The Business Solution Architects Group is on the
cutting edge of strategic initiatives for finance organizations.
With this group comes the full power of SAP development, an expansive
view of compliance activities, and the preeminent thought-leaders
in finance, business, and analytic infrastructure and processes.
For more details, contact Ines Luther at firstname.lastname@example.org.
The ability to drill down from a report to the source documents allows
auditors, management, and outside directors to more easily confirm the
integrity of those reports. Here again, breaks in the automation of your
financial and operational processes will make this difficult, as you can
go back only to the point of the last manual handoff. Similarly, a fragmented
ERP system presents a problem if the source documents aren’t directly
accessible to the reporting application.
Beware of custom reports, too, if the
data in them might end up in a key financial statement. It’s not
uncommon for a company to use a custom report over time, only to find
out that it provides inaccurate data, usually due to a coding error or
data inconsistencies between two systems, say, a DataSource and BW. Even
if the custom report is accurate, it might prove difficult to provide
drill-down to source data. If you can replace a custom report with one
of SAP’s many standard reports, you are safer in terms of SOA compliance.
Without proper security authorizations, it will be almost impossible to
institute effective controls. You need to ensure that individuals do not
have more access to a process than they should. For example, the person
placing a purchase order should not also be the one to approve it. Such
overlapping authorizations have become more common as companies reduce headcount
and the remaining employees take on more responsibilities.
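The purchase-order rule above is a segregation-of-duties (SoD) control, and it needs checking in two places: statically, over the roles users actually hold, and at the moment of approval. The following is an added example written for this article, not SAP code: it flags users whose combined roles let them both place and approve a purchase order (or both maintain a vendor and pay it), and refuses an approval by the order's creator. The role names, activities, rule set and user list are all constructed; real SAP authorizations are defined at the authorization-object level, and this example works on a simplified role-to-activity view of them.

```python
"""Segregation-of-duties checks over authorization data (added example).

Static check: which users hold two activities that must be kept apart?
Transactional check: may this approver approve this order?
"""

# Constructed role -> business activities it grants (not SAP-delivered roles).
ROLE_ACTIVITIES = {
    "Z_PURCHASER": {"create_purchase_order", "display_purchase_order"},
    "Z_PO_APPROVER": {"approve_purchase_order", "display_purchase_order"},
    "Z_VENDOR_MASTER": {"maintain_vendor_master"},
    "Z_AP_CLERK": {"post_vendor_payment"},
    "Z_AUDITOR": {"display_purchase_order", "display_vendor_master"},
}

# Activity pairs one person must not hold together (constructed rule set).
SOD_RULES = {
    "PO_CREATE_APPROVE": ("create_purchase_order", "approve_purchase_order"),
    "VENDOR_MASTER_PAYMENT": ("maintain_vendor_master", "post_vendor_payment"),
}

# Constructed user -> assigned roles, as they might look after duties were merged.
USER_ROLES = {
    "alice": {"Z_PURCHASER"},
    "bob": {"Z_PO_APPROVER"},
    "carol": {"Z_PURCHASER", "Z_PO_APPROVER"},   # can place and approve her own POs
    "dave": {"Z_VENDOR_MASTER", "Z_AP_CLERK"},     # can create a vendor and pay it
    "erin": {"Z_AUDITOR"},
}


def effective_activities(user, user_roles=USER_ROLES, role_activities=ROLE_ACTIVITIES):
    """Union of the activities granted by all of a user's roles."""
    acts = set()
    for role in user_roles.get(user, ()):
        acts |= role_activities.get(role, set())
    return acts


def sod_conflicts(user_roles=USER_ROLES, rules=SOD_RULES):
    """Return {user: [rule_id, ...]} for every user whose roles violate an SoD rule."""
    findings = {}
    for user in sorted(user_roles):
        acts = effective_activities(user, user_roles)
        hits = [rid for rid, (a, b) in rules.items() if a in acts and b in acts]
        if hits:
            findings[user] = hits
    return findings


def approve_purchase_order(order, approver, user_roles=USER_ROLES):
    """Transactional check: approver must hold the activity and must not be the creator."""
    if "approve_purchase_order" not in effective_activities(approver, user_roles):
        return (False, "approver lacks approve_purchase_order")
    if approver == order["created_by"]:
        return (False, "creator may not approve own order")
    return (True, "approved")


if __name__ == "__main__":
    for user, rules in sod_conflicts().items():
        print(f"{user}: violates {', '.join(rules)}")
    print(approve_purchase_order({"doc": "4500002", "created_by": "carol"}, "carol"))
```

The static report is what you hand to the auditor and review whenever roles change; the transactional check is the control that still holds on the day a single user ends up with both roles, because conflicts accumulate quietly when headcount shrinks and nobody re-runs the report.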
Keep in mind that Section 1102 of the
SOA contains severe penalties for anyone convicted of record tampering,
including fines and prison sentences of up to 20 years. Proper authorization
profiles within your SAP systems will minimize the opportunity for tampering
and increase accountability.
SOA Compliance Will Be Positive for Your Company
If compliance leads you to consolidate, fewer system instances mean lower maintenance overhead.
The ability to trace data from the final report back to source documents
improves the visibility of your business for key managers as well as the
auditors. Effective internal controls and business performance management
systems can cut down on costly mistakes, and faster reporting allows you
to react to market changes more quickly.
Don’t think of your SOA-compliance
initiative as just some onerous task foisted upon you by government. It
is an opportunity for positive change in your key business processes,
and it will be an ongoing dimension of your business.