Improving Operational Performance through Sarbanes-Oxley Act (SOX)

SOX
In the United States, a spate of high-profile corporate failures has shaken investor confidence
and placed corporate fraud and accounting abuses center stage before the public and the
government. The legislative response to these events was the rapid passage of the Sarbanes-
Oxley Act of 2002 (the Act), which transformed the landscape of financial reporting and
corporate responsibility virtually overnight.

The effect of this development is an unparalleled worldwide emphasis on corporate governance,
which every corporate executive is now mandated to oversee directly. Corporate governance,
broadly defined, is operating a business in compliance with all applicable government and
agency laws and regulations.

The Sarbanes-Oxley Act is a push towards achieving:

• Transparency of disclosure
• Integrity of operations
• Financial accountability for accurate reporting

The driving purpose of this legislation is to demand corporate responsibility and accountability
from corporations and their executives to all stakeholders in order to re-establish investor
confidence. This legislative initiative is intended to address some of the questionable accounting
practices that have underpinned the recent deluge of corporate scandals.

Bringing organizations into compliance with new demands for corporate governance is having
immediate and long-term effects, not the least of which is the cost of compliance. Numerous
studies have gauged the cost of complying with Sarbanes-Oxley. A recent analysis in CFO
Magazine puts the cost for public corporations in the billions, with first-year cost per company
averaging half a million dollars. These costs reflect both the initial expense of retaining more
legal and accounting personnel to meet the greater demands of the new requirements, and the
ongoing burden of keeping compliance current as changes occur over time.

The Implications for Manufacturers

Sarbanes-Oxley compliance is required of all publicly traded companies on a regulated market
under the jurisdiction of the U.S. Securities and Exchange Commission (SEC). It is applicable to all
U.S.-based corporations and their associated global operations.

While the preponderance of Sarbanes-Oxley's provisions address the financial and reporting
practices undertaken by publicly traded concerns, other provisions of the Act address more
general operating concerns such as corporate transparency and employee ethics. These
standards will likely affect private companies as well, both directly and indirectly. Directly, the
implicit threat of heightened sanctions may become explicit for private companies through
government investigation and enforcement. Indirectly, public opinion and changing corporate
culture may dictate that the higher standards set by Sarbanes-Oxley be met voluntarily.

Much of the discussion of Sarbanes-Oxley has centered on its immediate impact on accounting
practices, financial reporting, and corporate governance. However, the impact of the Act goes
to the heart of corporate operations by directly mandating how companies must retain, control,
manage, and utilize their information assets. This process requires a top-down approach,
demanding constant oversight from those executives responsible for compliance. Under the Act,
companies must routinely report on compliance and identify any problems or aberrations found
with their compliance procedures.

Internal Controls
The concept of internal controls is at the heart of Sarbanes-Oxley, having a direct bearing on
information and records management. While this concept is well understood in the public
accounting domain, it is less familiar to those in information and records management. As the
global demand for corporate governance continues to increase, corporate executives must
ensure that their information and records management personnel become intimate with the
concept of internal controls, as it:

• Has a direct bearing on records management and reporting within the enterprise
• Provides a link between accounting, corporate governance, and records/information
management.

The SEC's definition of internal controls makes this scope apparent: "The term 'internal control'
over financial reporting is defined as a process designed by, or under the supervision of, the
company's senior executives and effected by the company's board of directors, management,
and other personnel to provide reasonable assurance regarding the reliability of financial
reporting and the preparation of financial statements for external purposes in accordance with
generally accepted accounting principles (GAAP), and includes those policies and procedures
that:

1. Pertain to the maintenance of records that in reasonable detail accurately and fairly
reflect the transactions and dispositions of the assets of the issuer
2. Provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with GAAP, and that receipts and
expenditures of the issuer are being made only in accordance with authorizations of
management and directors of the issuer
3. Provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the issuer’s assets that could have a material effect on
the financial statements.

In response to the legislation, manufacturers must ensure that their process in managing
business records supports Sarbanes-Oxley compliance needs. Information and records
management practices must be designed, implemented, enforced, and audited to ensure that
they sustain the organization's need for reliable financial information. They must also provide
executives confidence that the information they are certifying, as required by law, is accurate,
truthful, and can be substantiated by the company's business records and record keeping
processes.

Sarbanes-Oxley Act of 2002 Purpose and Scope

In 2001, the United States monumentally adopted a sweeping body of reform legislation - the
U.S. Public Company Accounting Reform and Investor Protection Act of 2002, known as the
Sarbanes-Oxley Act of 2002. Sarbanes-Oxley initiated a host of compliance and procedural
requirements. In an effort to reduce fraud and conflicts of interest, the SEC sought to demand
corporate responsibility and accountability from corporate executives to all stakeholders in
order to increase financial transparency and re-establish investor confidence. The legislation is
intended to address some of the questionable accounting practices that underpinned the recent
corporate scandals, thereby reducing fraud and failures in corporate reporting. The Act's
legislative requirements directly affect auditor firms, boards of directors, corporate executives,
and Wall Street analysts - their makeup, relationships and responsibilities.

Enterprise Applications-Related Section Compliance Requirements

In general, the Act requires public (and, in the future, private) corporations to validate the
accuracy and integrity of their financial management and reporting.

There are four particular Sarbanes-Oxley sections with relevance to ERP application systems
and their associated processes:

• Section 302 - CEO/CFO certification with internal controls evaluation
• Section 404 - Disclosure and auditor attestation of internal business process controls
• Section 409 - Rapid disclosure of material changes in financial condition or operations
• Section 906 - CEO/CFO certification of integrity of financial statements (criminal
provision)

In addition, there are accelerated SEC report filing requirements dictating rapid corporate
consolidation and close processes.

Section 302
Mandates CEO and CFO personal certification of financial statements and filings including:

• Testifying to personal review and responsibility
• Verification that statements contain no false information, and assurance of no fraud
• Validation of compliance design, with an assessment of the effectiveness of the disclosed
controls (in place) and disclosure of any weaknesses to auditors and the audit
committee

Section 404
Requires annual filing of an internal control evaluation report, wherein companies are required
to document their existing controls that have a bearing on financial reporting, test them for
effectiveness, and report gaps and deficiencies. This requires the establishment and
maintenance of enterprise internal controls and procedures that conform to an identified
acceptable standard internal control framework for financial reporting (for example, COSO
Framework). The report statement must subsequently be attested to by the company's external
auditor.

Section 409
Mandates real-time disclosure to the public of information on a "rapid and current basis" of
material changes (events) to the firm's financial condition or operations.

Section 906
Mandates CEO and CFO personal certification ensuring that the 10-Ks, 10-Qs, and annual
reports, as well as all periodic reports containing financial information, fully comply with
Sarbanes-Oxley and the Securities Exchange Act of 1934 and accurately represent the firm's
financial condition. This section adds criminal penalties for the certifying officers.

The scope of this discussion, as it pertains to Sarbanes-Oxley, is for the most part the Act's
relationship to, and the support it receives from, ERP-related software applications. Therefore,
the primary Sarbanes-Oxley component initiatives that will be focused upon surround the
following issues, as derived from the relevant sections above:

• Corporate accountability for financial reporting
• Disclosure and attestation of internal controls and processes for financial reporting
• Accelerated reporting deadlines — shorter period close requirements
• Identification and disclosure of "material events"
• Executive personal liability for accuracy of all figures

Many specific and implied procedural, process, and system requirements lie behind the SOX
sections indicated above; these are explored further in the following discussions.

Compliance Program Implementation Phases

The internal control compliance process demanded by Sarbanes-Oxley's Section 404
encompasses four basic phases, which in general hold the following stages for an organization:

Phase I Discovery / Documentation

Phase II Gap Analysis / Attestation

Phase III Design / Remedial Action

Phase IV Monitor / Continuous Improvement

In parallel fashion, the certification and disclosure compliance process appears to follow a
pattern such as the one below as technology advancements, enhancements and implementations
are rolled out.

Phase I Manual check of numbers

Phase II Define, improve, and standardize processes

Phase III Real-time reporting and constant awareness

Applicable Regions
USA and all associated global operations

Applicable Corporations
Sarbanes-Oxley compliance is required of all publicly traded securities on a regulated market
under the jurisdiction of the U.S. Securities and Exchange Commission. It is anticipated that the
requirements will be extended to privately held companies in the near future, including
companies initiating an IPO, companies seeking investment from the private investment
community, and companies seeking bank credit facilities.

Internal Control Over Financial Reporting
Sarbanes-Oxley Section 404 compliance concerning internal control over financial reporting is
of great concern and confusion to many organizations at all business unit levels. What does
internal control mean? How is it achieved? Where does internal control over financial reporting
start and where does it end? Here we will look at a perspective on internal control, particularly
as it pertains to ERP-related applications.

To begin with, the following diagram depicts a three-dimensional perspective providing a
framework for the assessment or evaluation of a corporation's internal control environment or
Risk Management Program. This particular framework was developed by the Committee of
Sponsoring Organizations of the Treadway Commission, or COSO.

[Figure: The COSO Framework for Internal Control Evaluation diagram depicts a three-dimensional
perspective in the assessment of a corporation's compliance]

The committee is comprised of a cross section of volunteer business leaders. The participants
sought to develop a conceptually sound framework providing integrated principles, common
terminology and practical implementation guidance to support entities' programs to develop or
benchmark their enterprise risk management processes. The objective of the Framework was to
improve the quality of financial reporting through business ethics, effective internal control,
and general corporate governance. The COSO Framework has been recognized by the SEC as a
suitable and acceptable industry standard by which to assess organizations in their internal
control compliance. Accordingly, the majority of corporations have adopted this framework as
the basis for their compliance with SOX Section 404.

The Framework diagram presented is directly predicated on the COSO-developed standard
definition of what "Internal Control" is for the purposes of evaluation:

A process, effected by an entity's board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the
following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Acknowledging the generic and broad nature of the stated definition, this particular definition
implies the following:

• Internal Control is a process. It is a means to an end, not an end in itself.
• Internal Control is effected by people. It's not merely policy manuals and forms, but
people at every level of an organization.
• Internal Control can be expected to provide only reasonable assurance, not absolute
assurance, to an entity's management and board.
• Internal Control is geared to the achievement of objectives in one or more separate but
overlapping categories.

It should be noted, concerning the use of an internal control framework, whether the COSO
framework or an alternative guideline, that the actual application of the framework is
entirely unique to each particular corporation with regard to size, revenue and workforce,
industry sector, culture, global extension, etc. No two business entities will apply enterprise
risk management in the same manner. Capabilities and needs differ dramatically, and one
company's application of the enterprise risk management framework will often look different
from another's.

Additionally, enterprise risk management is a dynamic process: a continuous task of
establishing, monitoring, taking remedial action on, or changing internal controls, policies and
procedures to meet ever-changing economic and industry landscapes or environments.

Compliance Support with Software Applications and Tools

"Sarbanes-Oxley does not regulate technology; however, using technology effectively can
reduce the cost, time and risk of an enterprise's compliance activities" - Gartner 2003

"Although Sarbanes-Oxley doesn't directly regulate information technology, IT is the backbone
of the financial processes that the law regulates." — Gartner 2003

Technology-Enabled Accountability

Robust internal control over public financial reporting and disclosure involves IT hardware and
software systems which capture, calculate, process, manipulate, post, and store financial and
non-financial data. A host of standard and emerging software applications and tools contribute
to an organization's sound internal control for financial reporting compliance. The challenge is
to select the best mix of solutions among enterprise suites and best-of-breed applications:

• ERP applications (manufacturing, distribution, accounting...)
• Best-of-breed financial (consolidations, revenue management...)
• Business Process Management
• Business Performance Management - Analytics/BI
• Document and Records Management
• Risk and Reporting
• Compliance Management
• Basic IT system infrastructure - Security
• Basic IT system infrastructure - Collaboration (e-mail, storage and tracking)
• Auditor Tools

Software Compliance Assistance and Enterprise Corporate Responsibility

An ERP (or any other) application or system can presumably provide the automated process
controls and tools that enable an enterprise to achieve compliance with reporting and disclosure
regulations. However, an application/system does not make an enterprise compliant, and an
application/system is not "compliant" in and of itself.

The extent to which a software application aids or contributes to corporate governance
compliance is based entirely on how well and to what depth a given application is set up,
implemented, utilized, and monitored. A complete compliance program includes the balanced
combination of people, processes, and technology working together.

What Role do ERP Applications Play in Corporate Governance Compliance?

There is heated and ongoing debate within the IT, financial and analyst professional
communities as to the role of ERP systems in Sarbanes-Oxley compliance - along with
conflicting published survey results. To many, the Sarbanes-Oxley Act does not appear to have
much to do with ERP systems. However, others believe the Act has everything to do with ERP
systems and the IT groups that run them. ERP systems enable a company to gather and control
all financial information centrally; they are all about recording, reporting, and rolling up all the
financial data. As indicated above, ERP systems work with a landscape of software tools and
applications to provide full technology-driven compliance support.

It has been duly noted that Sarbanes-Oxley, as well as the SEC's implementation of rules
related to the Act, threatens to spread far beyond the finance and accounting organizations and
activities, spilling over into operations reporting as well. It had been thought that the provisions
of Sarbanes-Oxley concerned only corporate finance, independent auditing, and equity research.
However, Sarbanes-Oxley also covers such disparate corporate functions as information
technology, human resources, compensation, environmental compliance, shop floor, and
warehousing. All these areas - and a host of others - directly affect company performance and
the resulting financial reporting.

As in any evaluation of software applications and tools, it makes sense to assess ERP
applications in the context of supporting or satisfying the critical internal control components of
the COSO framework, as this provides a method of assessing their control features and functions
with regard to all processes which affect financial reporting.

Following are some highlights and implications of the individual management activity
components in which an ERP system may play a role.

Control Activities

• Policies and procedures that help ensure management's risk responses are carried out at
all levels and in all functions in an organization
• Prevention and detection
• Manual, computer, and management
• Categorized by specified control objectives, such as ensuring completeness and accuracy of
data
• Include approvals, authorizations, verifications, reconciliations, reviews of operating
performance, security of assets and segregation of duties.

Information and Communication

• Pertinent information is identified, captured and communicated in a form and time frame
that enable people to carry out their responsibilities.
• Managing enterprise risks and making informed decisions relative to objectives.
• Effective communication occurs flowing down, across and up the organization.
• All personnel understand their own role in enterprise risk management and how
individual activities relate to the work of others. They must have a means of
communicating significant information upstream.

Monitoring

• Separate and on-going management evaluations of established controls
• A process that assesses the presence and functioning of its components over time.
• Built into the normal, recurring operating activities of an entity.
• Performed on a real-time basis, reacts dynamically to changing conditions and is ingrained
in the entity.

Therefore, using the component dimensions of the standard COSO Framework defined above,
we can begin to see an outline of ERP-related features and functions that support a sound
internal control environment for internal reporting across all business units of an enterprise.

ERP-Related Features and Functions supporting an Internal Control Framework:

Operations Internal Control Related mechanisms — Obtaining efficiency and effectiveness in
meeting business objectives

• System/application security
• Process security
• Information Security—validation, completeness, integrity, authorization
• Communication Security—documents, collaboration
• Process Automation and Maps—enterprise consistent standards
• Process Workflow—authorizations and approvals
• Enterprise Operations Visibility—inventory, credit, performance
• Data error detection, validation, auditing
• Continuous Process/Controls Monitoring— manufacturing, distribution, administration
• Continuous Enterprise Scorecard analysis—KPIs, strategic objectives
• Optimized Close Process—sign-off, consolidation, reconciliation, speed, visibility
• Event / Exception Alerts—initiate remedial action and disclosure

Financial Reporting Internal Control Related — Ensuring the accuracy and reliability of:

• Enterprise Data Harmonization
• Disparate systems Business Unit Integration
• Enterprise Financial Results transmission — unit consolidations, XBRL, accelerated
• Rapid Audit — internal and external
• Business Unit Operations process/performance reporting monitoring
• Intermediary financial performance real-time monitoring
• Integration with non-financial Information
• Optimal business unit and segment analysis, reconciliation and reporting
• Secure collaboration and consolidation interfaces

Conclusion

The Sarbanes-Oxley Act of 2002 provides excellent and invaluable opportunities for public and
private corporations to make significant improvements to their overall operational performance
and financial results. Thus, the overall enterprise value to shareholders will increase as a
result of the corporate governance regulatory compliance initiatives.

Glossary

The following abbreviations are commonly used in corporate governance publications:

EEA European Economic Area

EC European Commission

EFRAG European Financial Reporting Advisory Group

EU European Union

FASB Financial Accounting Standards Board (US)

GAAP Generally Accepted Accounting Principle(s)

IAS International Accounting Standard(s)

IASC International Accounting Standards Committee

IASB International Accounting Standards Board

IFAC International Federation of Accountants

IFRS International Financial Reporting Standard(s)

IFRIC International Financial Reporting Interpretations Committee of the IASB

IOSCO International Organization of Securities Commissions

SEC Securities and Exchange Commission (US)

SIC Interpretation(s) issued by the Standing Interpretations Committee of the IASB

Recompiled by:
Ramesh Natarajan, Finance (Systems) Analyst, Dubai