Approach Sarbanes-Oxley Compliance with the Right Assumptions

by Hans-Dieter Scheuermann | SAPinsider

October 1, 2003

by Hans-Dieter Scheuermann, Senior Vice President, Business Solution Architects Group, SAP AG. SAPinsider, 2003 (Volume 4), October (Issue 4)

You probably know that the Sarbanes-Oxley Act (SOA) of 2002 will have a significant impact on the accounting and reporting processes of companies listed on US stock exchanges. You have probably started bringing your company into compliance. The question is: Are you approaching your SOA compliance initiative with the right assumptions?

Some companies have begun their SOA compliance projects with too limited a scope and a presumption that many of their key processes are SOA-ready. While the Act’s focus is on a company’s financial statements and practices, meeting its requirements demands that you look beyond your financial processes into the operational side of your business. This article presents an overview of the four key areas where your compliance efforts will be concentrated: internal controls, timeliness of reporting, financial transparency, and authorizations.

Internal Controls
Section 404 of the Act requires companies to provide an “internal control report” that not only assesses the company’s control structure and procedures, but also contains a statement of management’s responsibility for the integrity of those controls. This means that companies must first document their controls and then verify that they are not subject to error or manipulation.

Controls need to be in place across your business. For instance, you need to be able to show that the data for an order placed into your SAP R/3 Sales and Distribution (SD) module remains consistent as it moves to the SAP Financial (FI) module and then on into SAP Business Information Warehouse (BW). The more complicated your system landscape, the more complicated it will be to implement controls.

Let’s take an example. A global company has grown significantly over the last few years through acquisition. It has several divisions and dozens of sites, most of which are running their own SAP R/3 system, but not all are on the same release. For a worst-case scenario, assume that this company has not yet forced its divisions to standardize its key business processes. Without consolidation of these systems and processes, this global company will have to implement controls for each site and then figure out how to reconcile all this data in a manner that satisfies the SOA requirements.

Just because your core financial reports have served you well over the years, it doesn’t mean that you can adequately document and verify their integrity to SOA standards or produce them as quickly as the SOA demands. In fact, you might find that some of your reports aren’t even accurate.

The trick to instituting SOA-compliant controls is to automate the processes within your systems wherever possible. Any manual handling of the data leaves that data open to change, whether deliberate or accidental. The more manual handoffs of data, the more likely it is you will raise a red flag with an auditor. Using flat files to transfer data from one system to another (say, loading BW using an Excel spreadsheet) would also be considered a questionable practice. Any custom code such as a user exit, Business Add-in (BAdI), or update or transfer rule must be documented to show that it does not alter data and undermine its integrity. Likewise, you must be able to document where enhanced Business Content or a custom Z-table gets its data.
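As an added illustration of the consistency control described above (not code from the article or from SAP), the following reconciliation compares a sales order's value as it appears in SD, FI and BW and reports every break. The three extracts are constructed sample data, and the order and document numbers are assumptions:

```python
"""Cross-module reconciliation control: verify that each SD order's value
survives unchanged into FI and BW. The extracts below are constructed sample
data, not output of any SAP system."""
from decimal import Decimal
from collections import defaultdict

# Constructed extracts keyed by SD order number (a real control would read
# these from the respective tables or InfoProviders).
SD_ORDERS = {"4500001": Decimal("1200.00"), "4500002": Decimal("85.50"),
             "4500003": Decimal("310.00")}
FI_DOCUMENTS = [  # (FI document no., originating SD order, posted amount)
    ("190000010", "4500001", Decimal("1200.00")),
    ("190000011", "4500002", Decimal("85.50")),
    ("190000012", "4500003", Decimal("301.00")),  # digits transposed by a manual handoff
    ("190000013", "4500099", Decimal("40.00")),   # posting with no SD origin
]
BW_ROWS = [("4500001", Decimal("1200.00")), ("4500002", Decimal("85.50"))]  # 4500003 never loaded

def reconcile(sd, fi, bw):
    """Return a sorted list of (order, finding) tuples; an empty list means
    the control passed for every order."""
    fi_totals = defaultdict(Decimal)
    for _doc, order, amount in fi:
        fi_totals[order] += amount
    bw_totals = defaultdict(Decimal)
    for order, amount in bw:
        bw_totals[order] += amount
    findings = []
    for order, value in sd.items():
        if order not in fi_totals:
            findings.append((order, "missing in FI"))
        elif fi_totals[order] != value:
            findings.append((order, f"FI total {fi_totals[order]} != SD {value}"))
        if order not in bw_totals:
            findings.append((order, "missing in BW"))
        elif bw_totals[order] != value:
            findings.append((order, f"BW total {bw_totals[order]} != SD {value}"))
    # Downstream records that no SD order explains are also a control break.
    for order in set(fi_totals) | set(bw_totals):
        if order not in sd:
            findings.append((order, "downstream record with no SD order"))
    return sorted(findings)

if __name__ == "__main__":
    for order, finding in reconcile(SD_ORDERS, FI_DOCUMENTS, BW_ROWS):
        print(order, finding)
```

Each finding is one item an auditor would expect the control report to surface; a scheduled run that stores the (ideally empty) result is the evidence that the control operated.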

What kinds of controls will satisfy the SOA requirements? The US Congress has yet to define them. In the meantime, most businesses are using standards set forth by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The document “COSO Enterprise Risk Management Framework” is available at

Timeliness of Reporting
Any material changes in a company’s financial condition or operations must be reported “on a rapid and current basis,” according to Section 409 of the Act. No specific timeframes are given, but the US Securities and Exchange Commission (SEC) has proposed rule changes for financial reporting in response to the SOA (see 33-8106.htm). This would require certain companies to file Form 10-K and Form 10-Q more quickly, and all companies must file the 8-K form within two business days following a “trigger event.” The SEC proposal goes on to add new trigger events, including completion of an acquisition or disposition of assets; a direct or contingent financial obligation that is material to the company, such as a default; or exit activities, including material write-offs and restructuring charges.

Trigger events often originate on the operations side — a significant change in a minimum quantity guarantee to a vendor or a large customer purchase order might require filing an 8-K form. It may be important, then, that your SAP system can capture these events in time to produce the needed reports.

Companies might face several barriers to preparing these reports within the SEC’s timeframes. Weak integration with legacy systems might make it hard to reduce the time needed to produce the reports. You also make it harder on yourself if you must gather data from many different instances of SAP systems, each on a different release. As you approach your compliance activities, ask yourself if consolidation of instances will help produce reports faster, or make it easier to implement internal controls and achieve financial transparency. According to a survey conducted in May 2003 by CIO magazine and AMR Research, 65% of Fortune 1000 business and IT managers are considering consolidation of their ERP instances in response to the SOA.

The intent of the SOA is to create a higher standard for financial accounting and reporting in the wake of a series of high-profile corporate scandals. The Act applies not only to publicly traded US-based companies, but also to US subsidiaries of companies outside the United States.

Business Solution Architects Group

Call Upon This SAP Group of Trusted Advisors to Accelerate Your Compliance Activities

SAP offers businesses worldwide strategic consulting services in corporate governance and other key challenges now facing CFOs. The Business Solution Architects Group is on the cutting edge of strategic initiatives for finance organizations. With this group comes the full power of SAP development, an expansive view of compliance activities, and the preeminent thought-leaders in finance, business, and analytic infrastructure and processes.

For more details, contact Ines Luther at

Financial Transparency
The ability to drill down from a report to the source documents allows auditors, management, and outside directors to more easily confirm the integrity of those reports. Here again, breaks in the automation of your financial and operational processes will make this difficult, as you can go back only to the point of the last manual handoff. Similarly, a fragmented ERP system presents a problem if the source documents aren’t directly accessible to the reporting application.

Beware of custom reports, too, if the data in them might end up in a key financial statement. It’s not uncommon for a company to use a custom report over time, only to find out that it provides inaccurate data, usually due to a coding error or data inconsistencies between two systems, say, a DataSource and BW. Even if the custom report is accurate, it might prove difficult to provide drill-down to source data. If you can replace a custom report with one of SAP’s many standard reports, you are safer in terms of SOA compliance.

Authorizations
Without proper security authorizations, it will be almost impossible to institute effective controls. You need to ensure that individuals do not have more access to a process than they should. For example, the person placing a purchase order should not also be the one to approve it. Such overlapping authorizations have become more common as companies reduce headcounts and remaining employees take on more responsibilities.

Keep in mind that Section 1102 of the SOA contains severe penalties for anyone convicted of record tampering, including fines and prison sentences of up to 20 years. Proper authorization profiles within your SAP systems will minimize the opportunity for tampering and increase accountability.
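The purchase-order example above is a segregation-of-duties rule. As an added illustration (not code from the article and not SAP's authorization model), the check below computes each user's effective activities from the roles assigned to them and flags anyone holding both sides of a conflicting pair; the role names, activity labels and users are constructed:

```python
"""Segregation-of-duties check over role assignments. Roles, activities and
users below are constructed for illustration; this is not an SAP
authorization-object model."""

# Conflicting activity pairs (constructed): no single person should hold both.
SOD_RULES = [
    ("PO_CREATE", "PO_APPROVE"),         # raise and approve a purchase order
    ("VENDOR_MAINTAIN", "PAYMENT_RUN"),  # create a vendor and pay it
]

# Constructed role -> activities granted; a role may bundle several.
ROLES = {
    "Z_PURCHASER":  {"PO_CREATE", "PO_DISPLAY"},
    "Z_PURCH_MGR":  {"PO_APPROVE", "PO_DISPLAY"},
    "Z_AP_CLERK":   {"PAYMENT_RUN"},
    "Z_MASTERDATA": {"VENDOR_MAINTAIN"},
}

# Constructed user -> assigned roles.
USERS = {
    "akumar": {"Z_PURCHASER"},
    "bmeier": {"Z_PURCHASER", "Z_PURCH_MGR"},   # inherited a departed colleague's role
    "cdiaz":  {"Z_AP_CLERK", "Z_MASTERDATA"},
    "dlee":   {"Z_PURCH_MGR"},
}

def effective_activities(user_roles, roles):
    """Union of the activities granted by every role the user holds."""
    acts = set()
    for role in user_roles:
        acts |= roles.get(role, set())
    return acts

def sod_violations(users, roles, rules):
    """Return {user: [(activity_a, activity_b), ...]} for users who hold both
    sides of any rule; users without a conflict are omitted."""
    findings = {}
    for user, user_roles in users.items():
        acts = effective_activities(user_roles, roles)
        hits = [rule for rule in rules if rule[0] in acts and rule[1] in acts]
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    for user, hits in sod_violations(USERS, ROLES, SOD_RULES).items():
        for a, b in hits:
            print(f"{user}: holds both {a} and {b}")
```

Because conflicts arise from the combination of roles rather than any single role, the check has to be rerun whenever role assignments change, not only when a role is designed.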

SOA Compliance Will Be Positive for Your Company

With SOA compliance, fewer system instances mean lower maintenance overhead. The ability to trace data from the final report back to source documents improves the visibility of your business for key managers as well as the auditors. Effective internal controls and business performance management systems can cut down on costly mistakes, and faster reporting allows you to react to market changes more quickly.

Don’t think of your SOA-compliance initiative as just some onerous task foisted upon you by government. It is an opportunity for positive change in your key business processes, and it will be an ongoing dimension of your business.
