Sarbanes-Oxley and Your Supply Chain: Is SOX the “compelling event” many of us have been waiting for in the SCM community???

Scott R. Sykes, Senior Principal, SAP, Charlotte, NC

Agenda
• Context
• Challenges / Opportunities
• Insights and Suggested Actions
• Q & A

Context: SOX touches every corner of the enterprise

The business process and information technology implications of the Sarbanes-Oxley Act of 2002 have been characterized as replacing Adam Smith’s “Invisible Hand” with Uncle Sam’s “Index Finger…”

Our Call to Action: How can we turn an unpleasant reality into a force for good and opportunity?

“You there, in the Executive Suite… Take off your clothes.”
“If you’re going to be naked… you better be buff!”

Context: Scandals accelerated a process already underway

While it is true that the financial shenanigans of Enron, WorldCom (and others) served as visible catalysts for what ultimately became known as “SOX,” the reality is that there was a subcurrent in the business sector already building with respect to openness, clarity and better reporting.

The Punchline: SOX is an SCM “Gotcha”

The challenges that Sarbanes-Oxley presents to our executive leadership teams create a moment of opportunity to bring additional C-Suite attention and focus to supply chain management.

• Connecting the dots from SCM back to SOX Compliance puts SCM on the C-Suite Agenda … let’s be bold and play that card… SCM Professionals are going to get sucked into the SOX Projects sooner or later anyway!
• Meeting the compliance requirements for controls and documentation places Supply Chain Processes and SCM Information Technology applications squarely in the center of this discussion.

If you’ve had an SCM IT project sitting on the back-burner due to business case challenges, or resource constraint limitations, now is the time to dust off that recommendation report and re-submit your proposal.

Context: The Supply Chain “Gotchas” in SOX

The language that the Congress could settle upon to quickly get the legislation to the President’s Desk was unfortunately open-ended and vague, causing “ripple effects” in the business community that are still undulating today, 24 months after the laws went into effect.

“…to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes…”

Vague?

Section / Requirements
• 301: Establish procedures for confidential, anonymous complaints
• 302: The CEO and CFO must certify financial reports
• 401: Financial reports must contain adjustments found by auditors
• 404: Report on the adequacy of internal controls

Extends legislation beyond attestation to the numbers to also include a sign-off on the control systems that fed those financial reports.

“…the nature and characteristics of a company’s use of information technology in its information system affect the company’s internal control over financial reporting.”
Public Co. Accounting Oversight Board (Auditing Standard 2003-017), October 2003

The SCM Implication: Section 404, coupled with the adopted auditing standards, places SCM processes squarely in the SOX crosshairs.

Context: The Supply Chain “Gotchas” in SOX

The Congressional ambiguity of the initial legislation has created an extremely “noisy” software industry environment, a confused SCM environment, and an extremely conservative auditing environment.

Auditing Environment
The rapid death of Arthur Andersen after the Enron case has created an extremely conservative compliance environment. As one compliance officer was recently quoted, “No external auditor wants to take the starring role in Enron II.”

Software Environment
• “SOX compliance in a box”
• “SOX in 90 days”
• “Free SOX with your next upgrade…”

SCM Environment
• What if my Asian supplier doesn’t use systems to track their production, packaging, and shipping processes?
• What do you mean I have to pre-pay my production capacity buys in Asia so that Finance has visibility to future obligations?
• What if I don’t know which carriers handle each leg of a global multi-modal shipment?
• We chose to outsource that process so we wouldn’t have to document and manage the processes! Now I have to do what? With what resources? By when? Huh?

Supply Chain Complexity combined with the tightening regulatory environment will play “Gotcha” on Somebody…

“A typical cross-border shipment…changes hands more than ten times, involves completing and filing about 35 documents, interfacing with about 25 parties, and being in compliance with over 600 regulations and 500 trade agreements that are constantly changing.”
Source: ARC Advisory Group: “Linking Supply Chain Security with Sarbanes-Oxley and the Bottom Line” (2004-August)

Challenges: The Cost of Compliance & the Software Landscape

The numbers vary significantly depending upon a few key variables (# facilities, # ERP instances, # of trading partners, # SKUs, etc.), but the key take-away is that irrespective of where you reside, or what industry sector you compete in … this is going to be costly, and resource intensive.

-- Cost Elements --
• Staffing increases
• Consulting fees
• Audit fees
• Legal fees
• Director fees
• Insurance premiums
• Incremental Technology Infrastructure
• Incremental Applications investment
• On-going incremental due diligence costs

-- Software “Suspects” --
• “Niche” Players by the 100’s

Cost of SOX Compliance ~ $1M for every $1B in revenue
Source: Financial Executives International Research

Challenges: The Cost of Compliance & the Software Landscape

The analysis and literature on this topic points to the existing financials companies being the “safest bets” for developing and deploying SOX Compliance applications. For firms with heterogeneous landscapes, the jury is still out on whether a “forced consolidation” and standardization is in the offing … or if a “third alternative” will prevail (e.g., a separate data warehouse solution).

Strengths / Challenges
• Suite of Apps (SCM written to integrate to Financials)
• Scalable Infrastructure
• Compliance Apps Developed for new SAP Product Release (Netweaver Platform) -- requiring customers to do an upgrade to use applications
• Suite of Apps (SCM written to integrate to Financials)
• Scalable Infrastructure
• Prerequisite for an Oracle Database.
• More Money than God
• Windows and .Net Platform Positions
• Minuscule Business Applications presence for Public Co. Financials and SCM Operations
• No applications of their own
• Platform Independent
• Trusted Advisor role to clients
• Financial stability of start-up firms
• Business risk assessment of auditors assigning “bad grades” to clients with un-familiar software application brands.
• Price and Speed to Market
• No “legacy” footprint to contend with in developing a “clean sheet of paper” compliance application

“Niche” Players by the 100’s

Opportunities: SAP Management of Internal Controls

SCM Plays Here.

Process steps (diagram labels: Continuous Improvement, Management, Auditor):
• Scoping and Set-Up
• Document Processes & Controls
• Assess Control Design & Remediate Issues
• Test Operating Effectiveness
• Sign-Off, Prepare Certification / Internal Control Report
• Attest and Report

Roles:
• CEO / CFO
• Internal Control Manager
• Org. Unit Manager
• Process Group Owner(s) ~ Purchasing, Logistics, Customer Service
• Control Owner(s)
• Evaluator
• Tester
• Issue & Remediation Plan Owner
• Internal & External Auditor

An Example: Order-to-Cash is a primary SCM Business Process to be documented, controlled and managed for SOX Compliance

RFID Transported Intelligence is in this layer

What SAP is seeing in our business is more and more of our customers' concentration on complete business processes, such as order-to-cash. Such processes cut across business software applications and companies. As such, capturing, documenting, and controlling the macro process with accuracy and rigor is an essential part of becoming a best-in-class compliance management firm.

• Role-based portal views of the business process
• Secure access and controls
• Compliant and accurate record-keeping
• Multi-enterprise business processes
• Multi-lingual documentation requirements
• Multi-currency transaction flows

• Client-specific Custom Apps (e.g., Class II Narcotics Tracking)
• SAP Applications
• 3rd Party Applications
• Master Data Management
• Business Intelligence
• Exchange Infrastructure
• Enterprise Portal
• Auto ID Infrastructure (for RFID enabled business processes)

Source: Werner Brandt Presentation to Morgan Stanley Conference, 2004-11-18, Barcelona, Spain

To the extent that the financial outputs of the Order-to-Cash business process are not adequately captured, stored and controlled to the satisfaction of the legislation’s guidelines, the compliance project efforts in 2005 should be creating continuous improvement priorities for 2006, 07, and beyond. This will become a “corporate DNA” initiative going forward for leading companies.

Opportunities: Use SOX Catalyst to Establish a “Platform for Better Governance”

This project is not subject to the “value proposition and business case” discussions that many projects must succeed in … it is compulsory. As such, the opportunity exists to do more than “Simply stay out of jail,” but rather to use the budget and the focus to improve the operation of the business.

-- Representation of SAP Prescribed Scope for Best Practice Compliance --
• Stakeholders Board Disclosure Monitoring C-level Executives
• SAP and Partner Regulation Specific Composites
• SAP NetWeaver
  • People Integration: Compliance Executive Dashboard, Scorecards, Alerts
  • Information Integration: Knowledge Mgmt, Records Mgmt, Archiving, Reporting
  • Process Integration: Business Process Automation, Monitoring, Workflow
  • Security Mgmt
  • Auto ID Infrastructure
• CRM, SCM, PLM, SRM, 3rd Party Apps
• Regulatory Capabilities within ERP: FI, HR, QM, Mgmt Internal Controls, Operational Risk

Insights: Where are we now?

[Chart: Stakeholder Value vs. Business Performance]
• Strategic approach
  • Gain competitive advantage
  • Drive higher stakeholder trust
• Don’t just comply, achieve process improvements
• Just get it done approach

Insights: Be Proactive and Strategic for Long-Run Value Creation and Sustainable Process Improvement

[Chart: Cost of compliance vs. # of compliance projects, comparing the Tactical approach and the Long-run approach]

This project is not subject to the “value proposition and business case” discussions that many projects must succeed in … it is compulsory. As such, the opportunity exists to do more than “Simply stay out of jail,” but rather to use the budget and the focus to improve the operation of the business.

The case for a strategic investment approach:
• Gain process efficiencies
• Establish end-to-end supply chain process visibility and event documentation
• Bolster data accuracy
• Eliminate delays in reporting
• Lead with better insight
• Management credibility
• Increase corporate reputation
• Enhanced stock performance

“The benefits will come in the long haul, with greater credibility in the marketplace and higher stock price multiples.”
-- William H. Donaldson, Chairman, SEC, December, 04

Insights / Actions

We have in SOX a “burning platform” business issue that creates the opportunity to turn a complex problem into an innovation catalyst. Get your SCM Leaders engaged in the SOX process, and create the platform of capabilities to ensure your ability to stay in front of this new requirement.

SOX is Driving the Sense of Urgency

Many companies are working with SAP’s SOX solution.

[Diagram labels]
• Business Objectives (Control, Certification & Risk Management)
• Reporting Controls
• Configurable Controls
• Security Controls
• Inherent Controls
• Manual & Procedural Controls
• mySAP Business Suite
• SAP NetWeaver
• Technology
• People

“After attending the Sarbanes Oxley conference in Washington DC, I was thoroughly impressed on the thought and care SAP has put into developing the Management of Internal Controls (MIC) solution. ... In light of this, PG&E would like to become an early-adopter of the MIC tool”
-- Peter Tam, PG&E

Insights / Actions

For the SCM Organization, it is crucial that you take proactive steps in the SOX arena. If you do not do this project with Finance and IT, they will “do the project to you.” Either way, you’ll be involved… better to influence and shape the outcome to reflect your current and future SCM plans.

• Action Item #1: Do whatever it takes to pass the first test.
• Action Item #2: Identify and Prioritize the focus areas for improvement projects in 2005, 2006 and 2007
• Action Item #3: Secure a permanent seat at the SOX Table for the supply chain organization
• Action Item #4: Deploy your senior personnel for this effort.

Q & A

Note: The published article on which this presentation is based is available on my website: http://www.scottsykes.com/publications