Is Sarbanes-Oxley a burden or blessing?
The jury's still out. But for now, procurement professionals are using its requirements to drive process changes.
David Hannon -- Purchasing, 2/3/2005 7:00:00 AM
The procurement world is still trying to decide how they feel about Sarbanes-Oxley (SOX), most notably Section 404, the portion of SOX which makes corporate officers responsible for establishing "adequate internal control structures and procedures for financial reporting."
At first glance, many procurement professionals saw the new regulation as restrictive and cumbersome—and just another reason for the chief financial officer (CFO) to be breathing down their necks.
"[SOX] will definitely be a burden," said procurement consultant Deborah Wilson during PURCHASING magazine's Global Procurement Conference last fall. "It's a burden because it is really ambiguous [as to] what exactly corporations are going to be expected to do first of all, and second what is going to end up working. It's going to be hard in the beginning and in the short term it may be painful.
"But, over time it will create tremendous opportunity," says Wilson, "Probably five or 10 years down the road, people will say this was a really good thing."
Wilson, an e-procurement and supply chain consultant who has her own consulting firm in Dunbarton, N.H., says there are four key areas where procurement can help drive compliance with SOX and minimize risk.
First, procurement can help by automating the bidding process and creating records of how bids were awarded and to whom. Second, by documenting approval for purchases, procurement can create a clear audit trail for each transaction. Third, implementing tighter controls over processes for valuing assets on the books starts with procurement's valuing of such assets. Fourth, by having documented all spend clearly, procurement can make it much more difficult for post-procurement accounting problems or scandals where expenses are made to look like assets.
Not surprisingly, some of the more "enlightened" companies, as analyst Lora Cecere with Boston-based AMR Research terms them, are already using SOX as a reason to implement processes and controls across the company the procurement organization had advocated all along: a centralized spend database, e-procurement, contract management and spend analysis tools and processes which help ensure transactions are made by the right people for the right amount and reason.
"In some organizations, the chief purchasing officer (CPO) does not even have a clue what SOX is and what they need to do about it," reports AMR's Cecere. "In some organizations, the CFO is pushing SOX initiatives and the CPO is trying to figure out how the initiative impacts them. And in other organizations they are asking how they can help the CFO and see it as a chance to get the new technology they have wanted."
The majority of the resistance to SOX, say most experts, will likely come from buyers out in the field where products or services are being sourced in a decentralized fashion by people without vision into the big picture of the company's risk strategy. Those buyers may lose a supplier or face new restrictions under SOX without fully understanding the new processes put in place.
When it comes to SOX implementation, companies fall into one of three classifications, says Cecere.
Enlightened companies see it as a chance to improve processes and work with trading partners. Second-tier companies are in a muddle of tools and processes and are struggling with it. The procurement organizations in the bottom tier feel under attack and just want it to go away.
An awakening
While ERP systems will help companies comply with SOX, they are not the final answer, says Cecere. There is a definite need for technology to control sourcing and spend analysis and understand the risk of existing contracts and the risks of vendor-managed inventory in relation to SOX.
Indeed, Greg Crow, vice president of product management at supplier management specialist Austin-Tetra of Irving, Texas, says many CFOs have been confused about what procurement needs in order to manage spending within a company and that SOX has driven an awakening among C-levels that many analytic tools and ERP tools are designed around the general ledger and not around management of spend or contracts compliance.
"One of the key learnings is that ERP and extensions are not helping procurement [achieve] their goals," says Crow. "[SOX has shown] there is a need for technology to control sourcing and spend analysis and [help companies] understand the risk of existing contracts, the risks of vendor-managed inventory, and the need to look at technologies to help manage risk in relation to SOX. So, similar to Y2K, companies are going to use SOX as the driver to make investments in business case controls and applications they should have done all along."
Consultant Wilson says SOX may have come at the right time because procurement finally now has the tools to address some of the issues raised under SOX—and adds that if SOX had come around much sooner, it would have been a much bigger problem.
"Spend analysis does not help so much in preventing or catching fraud within procurement but in catching it happening elsewhere," Wilson says. "If you know that your company is spending $20 billion in a particular category, but your balance sheet and your income statements say something totally different, this is a major red flag."
SOX will also help companies address problems in two key areas: design deficiencies and operating deficiencies in the procurement control environments, said Karen Weinstein-Millson, director of corporate procurement for Boston Scientific Corp., a Natick, Mass.-based medical device maker.
As she pointed out during PURCHASING's Global Procurement Conference webcast, design deficiencies are where one or more controls are missing from the procurement process or system.
"An example of [a design deficiency] is a missing approval step from the purchase order or authorization matrix, or any existing controls are not properly designed, which eventually results in control objectives not being met, even though the system is operating as it was designed to," said Weinstein-Millson. "Operating deficiencies are when categories include properly designed controls not operating as they were originally designed. I would add that process and transaction controls must exist throughout all automated and manual business processes."
Now Playing:
Become World Class in Supply Management
04/01/2004Become World Class in Supply Management
03/18/2004
