capitalizing on sarbanes- oxley compliance to build supply
TRANSCRIPT
A Back-to-Basics Approachto Internal Control and Supply
Chain Transaction Integrity
Capitalizing on Sarbanes-Oxley Compliance to Build
Supply Chain Advantage
Table of ContentsPage No.
Introduction: Broken Chains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2
The Sarbanes-Oxley Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
Supply Chain Advantage and Sarbanes-Oxley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
Phase One: Defining and Linking Supply Chain Infrastructure Elements to
Financial Reporting Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6
Phase Two: Documenting and Assessing Critical Supply Chain Processes . . . . . . . . . . . . .10
Phases Three and Four: Control-Enabled Advantage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
Taking Advantage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Sarbanes-Oxley: Compliance Deadlines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
About Protiviti Inc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
About APICS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
2 •
Introduction: Broken Chains
Executives rely on internal controls to provide a reasonable level of assurance that supply chain processes andfinancial transactions function as designed. The following scenarios demonstrate how the failure of supplychain “operational controls” can strain an organization’s ability to produce reliable and fairly presented finan-cial statements.
Scenario 1 – Company ABC is an industrial goods manufacturer that has undergone mergers andredesigns several times over the past five years. Various cultures, systems and processes wereintegrated quickly in the interest of getting the newly formed company operational. Employees wereprovided minimal training on systems, policies and procedures. The limited understanding of systemfunctionality created manual “work-arounds” that ultimately diminished faith in the integrity of theas-designed procure-to-pay process and the data supporting that process. Little trust in data integritycombined with poorly defined responsibilities and controls caused the company to experienceunreliable demand forecasts, chaotic scheduling, persistent parts shortages and expedited orders.These orders often circumvented receiving/inspection and, at times, were delivered directly to theproduction floor uninspected. Material requisition paperwork often lagged the physical transaction oreven failed to exist. Downstream production faced quality issues driven by the lack of inspectioncontrols. Parts shortages increased pilferage by employees from job order to job order and createdlarger than anticipated variances. Inventory controls were lax and balances throughout the chain wereinaccurately stated. Furthermore, vendors were inappropriately overpaid or paid multiple times,payables were not recorded, and warranty reserves and customer returns were understated. Ultimately,on-time delivery and customer satisfaction were negatively impacted.
Scenario 2 – Company XYZ is a middle-market, high-tech electronics manufacturer that spends 65 percent of its resources on materials, 20 percent on labor and the remainder on SG&A. Themanufacturing processes are considered make-to-stock, and 80 percent of the components andassemblies used on various products are common. The company had decided recently to release a newproduct whose quality and reliability were still yet to be fully determined, taking a risk in order to getthe product to market quickly. An aggressive sales and marketing team worked overtime to bring theproducts to market, and soon demand outpaced supply. Furthermore, the organization made little useof demand planning or enterprisewide collaborative planning practices. Operations, evaluated on theirability to meet on-time-delivery metrics, lacked effective utilization, efficiency, scrap-rate and yieldmetrics. The product performed fairly well in the market and received favorable attention despitequality problems. In an effort to maintain customer loyalty, sales personnel pulled favors for their
3 •
clients by swapping out finished goods with previously sold damaged goods. In some instances, salespersonnel offered self-determined pricing concessions resulting in increased sales allowances. Overallproduct-quality performance was not tracked accurately, returns were not measured, and cycle countswere rarely performed for finished goods and assemblies. Transaction paperwork was often lacking forreturned goods. As a result, sales and margins were overstated, reported inventory balances wereinaccurate, warranty reserves were inadequate, and customer satisfaction was ultimately diminished.Like a self-fulfilling prophecy, if the company gets hit with reduced demand and high returns as aresult of quality issues, management must confront the reality of excess inventory, warranty issues andcustomer returns. It is at times like these when management is often under pressure to perform.
These scenarios demonstrate the effect of internal control failures on operations. They also show howorganizations become strained to produce accurate financial reports when transaction integrity suffers. Inthese examples, poor inventory transaction controls led to:
• Inaccurate inventory balances (raw materials, work in process, finished goods, etc.)
• Reduced faith in system data
• Ad hoc and “just-in-case” purchasing and shop-floor ordering
• Rushed deliveries
• Poor manufacturing yields
• Reduced product quality and increased returns
• Sales allowances and credits from an operating perspective
• Understated reserves for financial reporting purposes
Skepticism about the accuracy of financial and operational data produced an environment in which ad hocand “at-will” supply chain transaction integrity became the cultural and acceptable norm. Operational heroicsbecame a substitute for controlled, predictable performance. The need for such heroics was created by thelack of trust in the formal system, which in turn created an environment where cutting corners became a wayof life. Integrity in financial reporting suffered because financial reports were created by the accumulation ofpotentially inaccurate transactions in this “corner-cutting” culture.
As we will present and discuss in the following pages, the Sarbanes-Oxley Act of 2002, and specificallySection 404 of the Act, compels executives to adopt a back-to-basics approach to understanding and priori-tizing infrastructure elements according to their material impact on the company’s financial statements. Inaddition, the process of this approach toward infrastructure elements facilitates a supply chain executive’sability to implement and maintain both the basic and critical processes as well as transaction disciplines andthe related internal controls. This, in turn, enables high-performance initiatives, networks and systems, allleading to increased competitiveness.
Protiviti Inc.May 2003
The Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOA), which became law on July 30, 2002, and the subsequent U.S. Securities andExchange Commission (SEC) release (issued August 29, 2002) require officers of public companies to certifyvarious representations regarding the fairness of financial statements and the effectiveness of disclosurecontrols and procedures. Sections 302 and 906 of SOA were intended to lay a foundation to help restoreinvestor confidence in the integrity of financial and other reports issued by public companies. Building onthat foundation, Section 404 of SOA requires management to file an internal control report with its annualreport (10-K). The internal control report must articulate management’s responsibilities to establish andmaintain adequate internal controls over financial reporting at year end and management’s conclusion on theeffectiveness of these internal controls. To that end, the SEC is requiring organizations to establish a soundinternal control structure and to manage and monitor that structure proactively.
In the scenarios cited in the introduction, the lack of financial and operational controls reduced management’sability to report and control operational performance. Furthermore, the scenarios show how transaction anddata integrity – and the poor fundamentals driving the planning, scheduling, production control and materialscontrol processes – increased skepticism about the accuracy and reliability of financial reporting. Thesebusinesses lost their competitive advantage due to management’s inability to retain control and the ineffi-cient, unpredictable and chaotic nature of the supply chain processes.
To evaluate the company’s internal controls, management needs criteria. Such criteria are provided by aframework such as the Committee of Sponsoring Organizations (COSO) Internal Control – IntegratedFramework introduced in the early 1990s. That framework includes the following control objectives:
• Efficiency and effectiveness of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
The interdependency among these control objectives drives the collaborative relationship between operationsand finance, including but not limited to their transactions, controls and outputs. As the scenarios detailedearlier demonstrate, strong operational controls support and help create strong financial controls. Conversely,ineffective supply chain operations not only drive inefficiencies but also increase the likelihood of financialmisstatement. It is critical for operations executives to understand this relationship and appreciate their rolesin helping their organizations comply with the public and financial reporting provisions of SOA.
Note: See Page 14 for a review of the Sarbanes-Oxley compliance deadlines as they pertain to supply chain management.
4 •
5 •
Supply Chain Advantage and Sarbanes-OxleyA Back-to-Basics Approach to Internal Control and Supply Chain Transaction Integrity
Becoming an agile and efficient organization is no longer just a strategic advantage; it is a requirement tosurvive in business today. The industrial world has turned to advanced technologies as well as highly complexsupply chain solutions while streamlining processes and reducing waste in an effort to maintain a competitiveedge. Oftentimes, however, such performance improvement initiatives are implemented without firstaddressing the basics of control and integrity in processes and other infrastructure components. This isaccomplished through dedication to disciplined process management, goals and controls, and clear andaccountable ownership.
Fine-tuning supply chain processes in lieu of, or in conjunction with, the implementation of advanced supplychain initiatives can result in significantly improved and predictable process performance and transactionintegrity. This attention to excellence in “the basics” first emerged several decades ago with the manufac-turing industry’s adoption of Class A MRP-II. Achieving Class A MRP-II demanded that the organizationachieve the highest standards of performance in all levels of planning, scheduling, execution and control.Furthermore, Class A MRP-II drove organizations to utilize a full set of integrated measures and controlsin areas such as:
• Customer service
• Sales and operations plan performance
• Sales forecasting/planning performance
• Master schedule performance
• Shop-floor control performance
• Supplier delivery performance
• BOM accuracy
• Inventory accuracy
• Routing accuracy
The Class A approach had an extremely positive impact on management’s ability to drive operational per-formance, further implement strategic measures, and have confidence in transaction integrity and financialreports. Leading organizations went on to apply TQM/JIT, Lean and other techniques to drive even greaterperformance and flexibility. Over time, however, many organizations have lost sight of the critical basicbuilding blocks such as integrated business planning, sales and operations planning, sales forecasting, andmaster production scheduling processes. Fundamental controls also have been impacted, including purchaseorder transaction controls, receiving/inspection controls, inventory and shop floor controls, and materialrequisition transaction controls, among others.
Supply chain executives need not become experts in financial disclosure controls or in SOA. However, it isvaluable to understand how supply chain leadership can contribute to the design and operation of pertinentoperational and financial controls while also driving excellence in planning, scheduling, execution and opera-tional controls. Effective financial and operational controls design can strengthen the foundations, whichenhance supply chain effectiveness and improve transaction integrity. Although Section 404 of SOA focuseson internal controls over financial reporting, the fundamental approach to achieving compliance has acomplementary impact on supply chain infrastructure design, transaction integrity and reporting measures,both in a financial and operational nature.
6 •
High-performance organizations rely on extensive information systems, complex networks and multilevelprocesses to support enterprise resource planning (ERP) implementation, vertical integration and collaborativeplanning. Each requires the basic building blocks of operations infrastructure and transaction integrity. TheSection 404 SOA compliance approach drives an organization to document and understand the linkage of itsinfrastructure components and reporting elements, and to assign ownership, accountability and responsibilitysuch that ongoing assurance is given as to their high performance. For supply chain-related processes, thissuggested approach begins by defining and linking six supply chain components, documenting and assessingcritical supply chain processes, designing and implementing controls, and reporting on the final state.
Phase One: Defining and Linking Supply Chain Infrastructure Elements toFinancial Reporting Elements
This multi-phased approach begins by establishing a practical model of an organization’s supply chain infra-structure. At the highest level, the six components of infrastructure are:
• Business strategies and policies
• Business processes
• Organization and people
• Management reports
• Models and methodologies
• Systems and data
“DEFINING AND LINKING SUPPLY CHAIN INFRASTRUCTURE ELEMENTS TO FINANCIAL REPORTING ELEMENTS”
PHASE ONE: Assess current state and identify relevant processes
Financial reporting requirementsEntity-level controlsRelevant processes
“DOCUMENTING AND ASSESSING CRITICAL SUPPLY CHAIN PROCESSES”
PHASE TWO: Document, design and evaluate critical processes and controls
Process risksControl designs
Control operations
PHASE THREE: Design solution for control gaps“CONTROL-
ENABLED
ADVANTAGE”PHASE FOUR: Implement solution for control gaps
“FUTURE STATE”
Report
Not discussed
7 •
Although these six infrastructure components are critical to supply chain strategic and tactical operations, theorganization’s focus should be on business processes, as the majority of a supply chain’s financial and operationaltransactions occur within them. Within the context of this paper, the systems and data component is consideredto be an enabler business process (as are other components) and maintained as a separate and distinct component.Automated and nonautomated transactions and controls are therefore to be considered part of business processes.Phases Two through Four of this approach should incorporate this distinction to facilitate the design andmonitoring of automated and nonautomated transactions and controls into processes. Building controls intoprocesses is preferable practice to building them onto processes.
The output of supply chain financial and operational transactions is referred to, respectively, as “financialreporting elements” and “supply chain reporting elements.” The identification of both financial and supplychain reporting elements by business process enables executives to prioritize transactions based on thesignificance of their impact on the organization. For instance, inventory transactions have a more directimpact on an organization’s financial statements than purchase requisition approvals.
Section 404 of SOA drives an organization to define its infrastructure, including its business processes andthe related reporting elements. The following graphic illustrates the first step of that effort.
SUPPLY CHAIN INFRASTRUCTURE
Business
Strategies
and
Policies
Business
Processes*
Organization
and People
Management
Reports
Models and
Methodologies
Systems
and Data
Supply chainmission, vision,goals and objectives
Channels andcustomers
Process goalsand strategies
Information andIT strategy
Organization
Business processes donot achieve strategy
People are unable toadequately perform
the necessaryprocesses
Current reports donot provide
information foreffective
management
Management’smethodologies do notadequately analyzerelevant information
Business systeminformation is not
available for analysisand reporting
Plan
Source
Produce
Store
Transport
Sell
Return
Skills and competencies
Training anddevelopment
Roles andresponsibility
Organizationdesign
Corporate culture
Revenue performance
Fulfillment
Time to market
Product cost
Supplier performance
Plan vs. actual
Efficiency
Forecast accuracy
Customer intelligence andforecasting
Capability analysis (ATP, CTP, etc.)
Capacity planning
Order promising
Network andwarehouse modeling
CAD
ERP
RCCP
APS
Strategic sourcing
eProcurement
DRP
WMS/TMS
Data integrity
* The seven business processes identified are adapted from the SCC SCOR Model.
8 •
For the purposes of linking financial reporting elements and supply chain reporting elements to transactions,the business processes component is further divided into the following sub-processes:
• Plan – Sales and operations planning, sales planning and forecasting, production planning,manufacturing resource planning (MRP-II), distribution requirements planning (DRP), and rough-cutcapacity planning and capacity requirements planning (RCCP & CRP)
• Source – Strategic procurement/sourcing, contract, category and supplier management, tacticalprocurement, and material control
• Produce – Manufacturing, conversion and production activity control
• Store – Inventory management and control, warehousing, and shipping
• Transport – Logistics/distribution
• Sell – Order fulfillment, order administration and customer relationship management (CRM)
• Return – Product returns
As demonstrated in the scenarios cited in the introduction, the effects of internal control failures strain anorganization to produce accurate financial reports. The above business processes (plan, source, produce,store, transport, sell and return) create hundreds – if not thousands – of financial transactions every day. Ifthey are not properly controlled, the cumulative effect can be material to an understanding of operationalperformance as well as competitive position and advantage. Ultimately, financial reporting is affected.
The following table lists the supply chain transactions occurring within the above business processes as wellas the financial and operational elements impacted as a result of supply chain transactions.
9 •
FINANCIAL REPORTING
ELEMENTS
(BALANCE SHEET)
• Raw materials • Accounts payable• Cash and debt
• Property andequipment (net)
• Accounts payable• Cash and debt
• Raw materials • Work in process • Accounts payable • Accrued expenses• Wages payable• Cash
• Raw materials • Work in process • Finished goods • Accounts payable• Accrued expenses• Wages payable • Cash
• Work in process • Finished goods • Accounts payable• Wages payable• Cash
• Accounts receivable (net)
• Finished goods • Warranty reserves• Commissions
payable• Cash
• Accounts receivable (net)
• Inventory reserves• Accounts payable• Warranty reserves• Commissions
payable• Cash
SUPPLY CHAIN
TRANSACTIONS
Raw materialspurchased
Purchase ofequipment,direct and indirectmaterial, and services
Products are manufactured or raw materials are converted
Raw materials, work in process, or finished goods arestored
Goods are transported
Products or servicesare sold
Sold goods arereturned
SUPPLY CHAIN
BUSINESS PROCESS
Plan
Source
Produce
Store
Transport
Sell
Return
FINANCIAL REPORTING
ELEMENTS
(INCOME STATEMENT)
• Cost of sales
• Depreciation • Taxes
• Cost of sales • Wages • Utilities
• Cost of sales • Wages • Utilities
• Cost of sales • Wages
• Net revenues• Cost of sales • Selling expenses• Marketing expenses• Commissions
• Net revenues
SUPPLY CHAIN REPORTING
ELEMENTS
(SOME EXAMPLES)
• Supplier deliveryperformance
• Cost and quality• Planned deliveries
• Supplier deliveryperformance
• Cost and quality • Planned deliveries
• On-time delivery• Quality and cost• Routing accuracy • Production plan
performance• Production schedule
performance• Scrap rate• WIP levels• Planned production
• Inventory accuracy• Queue, buffer and safety
stock levels• Inventory turnover• Scrap rate
• On-time delivery• Quality and cost• Scrap rate
• Sales plan performance• Customer service• Forecast accuracy• Percent sales order
changes• Order entry accuracy
• Quality and customer service
• Planned returns
ACTIVITY LEVEL
10 •
To further demonstrate how supply chain transactions impact financial reporting elements and supply chainreporting elements, consider the following:
• Poor inventory transaction control (“paperwork”) leads to inaccurate inventory balances, reducesfaith in operations and financial systems data, encourages ad hoc “just-in-case” purchases and rushdeliveries, expedites shop orders (which may lead to poor manufacturing yields), reduces productquality, and increases sales allowances and credits. Financial reporting result: understated reserves.
• Materials are sourced and inadvertently delivered directly to the production floor, bypassing receivingand quality inspection with no timely record made of the transaction. Financial reporting result:overstated liabilities and understated inventory.
• Finished goods are sold and are defective, sales and marketing personnel replace or swap out damagedgoods for finished goods of acceptable quality, and transactions are not documented. Financialreporting result: overstated inventory and understated warranty reserves.
The output of Phase One provides an organization with a matrix that links financial and operational reportingelements to supply chain transactions. The resulting correlation allows management to prioritize effort bymaterial impact so that resources can be allocated to documenting and assessing the more critical supplychain processes (as is done in Phases Two through Four). Furthermore, a clear picture of the supply chaininfrastructure provides executives with better visibility of those processes they need to monitor or fine-tunemost often in order to achieve sustained and predictable levels of performance and to remain competitive.
Phase Two: Documenting and Assessing Critical Supply Chain Processes
Process-flow documentation is nothing new to supply chain executives. Organizational quality and perform-ance improvement initiatives such as Six Sigma, MRP-II, Process Re-engineering and ISO9000 often beginwith cataloging, defining and understanding supply chain processes. Many organizations have used detailedprocess flows to map disparate systems, supply chain processes and logistic networks, and to trace informationflow through ever-evolving process and technological complexities. Unfortunately, while this approachallows processes and transactions to be defined and mapped, ownership of controls often is not established.As a result, risk and control profiles can evolve without effective monitoring and reporting. Consider thefollowing scenario:
Scenario 3 – Company 123 completed a Six Sigma procure-to-pay process review within the pastthree years. In doing so, a team of Six Sigma “black belts” documented processes for the purposes ofscoping and bounding performance improvement. Since that time, the organization has replaced itslegacy business system with a state-of-the-art ERP package. This drove many process changes andrelated changes in the control environment. System controls were designed by outside consultantswho implemented the system.
Eight months after the implementation (four months after the company’s December 31 year end), theinternal audit department performed a post-system implementation review and found more than $1million in duplicate payments. Upon further investigation, the lead internal auditor determined thatmanagement had not assigned ownership to key “prevent and detect” controls that otherwise wouldhave averted this situation. Unfortunately, Company 123 had already issued its annual report at thetime of this discovery. As a result, it had to disclose the internal control deficiency and evaluatewhether the required adjustments to their financials were material. Company management not onlywas embarrassed by these revelations but also was concerned over the impact of these developmentson its public reports and the reaction of shareholders.
11 •
In this example, Company 123 was shocked at its oversight and perplexed because its Six Sigma function andimplementation team had designed and documented the processes. What it did not recognize is that thisdocumentation was created for the purposes of scoping performance improvement, defining current andfuture state conditions, and mapping information flows. Company 123 did not catalog infrastructure elementsnor did it assign ownership for monitoring pertinent controls. Furthermore, it did not perform a risk assessmentto identify additional controls that would have mitigated potential transaction errors.
Phase Two requires organizations not only to understand and document transactions but also assign owner-ship for controls, and perform a concurrent assessment of process risks along with the design and operatingeffectiveness of process controls. As it pertains to a Section 404 compliance approach, documenting supplychain process steps and transactions in a sequential order helps to flush out potential risks and opportunitiesand to identify current controls and gaps. Furthermore, thorough documentation drives process ownershipsuch that necessary attention is given to the evolving process, risk and control environment.
Although not all infrastructure elements have a material impact on the financial statements (as noted in PhaseOne), it is necessary to understand exactly how information flows are controlled through these processes andare represented fairly in performance goals, metrics and reports (whether financial or operational in nature).Developing a Process Classification Scheme (PCS)1, in addition to creating process-flow diagrams andcataloging infrastructure elements, can facilitate management’s efforts to assign process and control ownershipwith the greatest clarity.
1Process Classification Scheme (PCS) – Index of organization processes and sub-processes.
12 •
Phases Three and Four: Control-Enabled Advantage
A back-to-basics approach to the supply chain suggests process and transaction control should exist throughoutall automated and nonautomated business processes. These processes should be controlled so that their designand operation ensure the business operates in a way that will satisfy its goals. While ERP implementation,vertical integration and collaborative planning aid in the achievement of these goals, they also can introducemore complexity into supply chain processes. Furthermore, these activities may increase the number of financialtransactions and the quantity of necessary controls, and actually increase the need for accuracy and assurance.
Properly designed controls should consider that technology-driven supply chains could perform financial andoperational transactions at an increased rate. Additional ownership and monitoring should be provided toensure design and operating deficiencies do not exist. These types of deficiencies are defined as follows:
• Design deficiencies:
� A necessary control is missing, or
� An existing control is not properly designed, so that even when the control is operating as designedthe control objective is not always met.
• Operating deficiencies:
� A properly designed control is not operating as designed, or
� The person performing the control lacks the necessary authority or qualifications to perform thecontrol effectively.
The end goal of a Section 404 SOA compliance project is an annual internal control report that articulatesmanagement’s responsibilities to establish and maintain adequate internal controls over financial reporting,and management’s conclusion on the effectiveness of these internal controls.
One possible way to view financial reporting objectives is to borrow from the provisions of the ForeignCorrupt Practices Act, which states that such objectives require an organization’s internal accounting controlsto provide reasonable assurance that:
• Transactions are executed in accordance with management’s general and specific authorization.
• Transactions are recorded as necessary.
• Access to assets is permitted in accordance with management’s general or specific authorization.
• The recorded accountability for assets is compared with the existing assets at reasonable intervals, andappropriate actions were taken with respect to any difference.
Similar consideration should be given to these objectives when designing controls that govern supply chainprocesses and transactions. However, the cost of the control should not outweigh its benefit.
Taking Advantage
Implementing this four-phase methodology is not as daunting as one might think. The approach suggestedin this booklet to comply with Section 404 of SOA is not new. Most likely your supply chain processes andcontrols have been documented as a result of redesigns and changes relating to systems implementations,mergers and acquisitions, and quality and performance improvement initiatives. Existing documentation canbe leveraged, decreasing the time required to document, assess and improve your supply chain processes,transactions and controls.
The current focus on process and control documentation is being driven towards SEC reporting companies.However, organizations should not view this as a burden. Rather, the internal control reporting requirementis an asset. It offers an opportunity to revisit and redesign the organization’s infrastructure, and return to thebasics of supply chain and operations processes, transaction and controls integration, and data integrity. Notonly is this essential for SOA purposes, but it also creates the foundation for supply-and-demand planning,for scheduling, and for execution. The information used by executives and operations for decision makingand decision execution is entirely dependent on process and transaction controls.
Supply chain executives will agree that competitive advantage is about timing. The faster you act, the sooneryou achieve that advantage. However, the opposite also holds true – acting slowly will lead to a competitivedisadvantage in the marketplace. The following chart demonstrates the benefits of having achieved well-documented, well-understood and well-controlled supply chain processes.
13 •
Phase One:
Defining and linking
elements
Phase Two:
Documenting and
assessing critical
supply chain
processes
Phases Three and
Four:
Control-enabled
advantage
Report
Phase One:
Prioritization of objectives and resources for improvement
initiatives; recognition of processes have a significant effect on an
organization’s financials
Phase Two:
Clear depiction of supply chain network, understanding
information flows, assigning ownership of processes and
controls, benchmarking processes and controls against the
Capability Maturity Model and industry best practice, evaluating
design and operating effectiveness
Phases Three and Four:
Understand the organization’s resiliency and capacity to change
given its current resources and systems; focus on improving
performance, increasing management confidence in running the
business, improving reliance on business information systems,
reducing costs, strengthening control, increasing quality
Report:
Documented baseline increases in an organization’s agility and
ability to react to changing strategic and tactical needs
Supply Chain
Competitive
Benefits
Sarbanes-Oxley: Compliance Deadlines
The final SOA Section 404 rules were adopted by the SEC on May 27, 2003. If your company is listed andmust comply with the accelerated filling requirements, you will need to comply with the new rules by yourfiscal year ending on or after June 15, 2004. For example, calendar-year reporting companies will berequired to file their first internal control report, including the attestation by the external auditor, by March1, 2005 (60 days after year end). Other companies, such as small business and foreign issuers, must be incompliance by their fiscal years ending on or after April 15, 2005. By deferring the originally proposedeffective date, the SEC intended to provide companies more time to do a better job.
Your company will want to complete Phases One and Two this year at least to conclude the evaluation ofdesign effectiveness, so that design deficiencies in internal control over financial reporting can be addressedtimely before the end of the year through completion of Phases Three and Four. During the following year,management should focus on validating operating effectiveness and on understanding and managing theeffects of change. While companies may choose to stay the course and “early adopt” by issuing an internalcontrol report in their 10-Ks filed for this year (which also requires completion of the evaluation of operatingeffectiveness), other companies may choose to take advantage of the additional time given them by the SECand spread the effort over two years. In either case, management will want to position their companies tosend a positive message to shareholders, analysts and others about their commitment to reliable and fairfinancial reporting.
14 •
About Protiviti Inc.
Protiviti is the leading provider of truly independent internal audit and business and technology risk consultingservices. We help clients identify, measure and manage operational and technology-related risks they facewithin their industries and throughout their systems and processes. And we offer a full spectrum of internalaudit services, technologies and skills for business risk management and the continual transformation ofinternal audit functions.
About Protiviti’s Supply Chain Risk Consulting Practice
As a risk consulting firm, Protiviti helps companies reduce and improve the management of supply chain risk.Risks inherent in supply chain processes span areas such as purchasing leverage, supplier performance, contractcompliance, customer dissatisfaction, excess and obsolete inventory, idle production capacity, supply continuityinterruption, delivery performance and quality, product development performance, supplier innovation, out-sourcing risk, process inefficiency risks, global sourcing, and employee/third party fraud risk, among manyothers. Protiviti develops and implements supply chain solutions that help our clients identify, measure andmonitor risks, and improve supply chain performance.
Our scope of services encompasses the entire supply chain, including the planning, sourcing, production,storage and transporting of goods. Our portfolio of services includes assessments, benchmarking, strategydevelopment, re-engineering, Lean, optimization/modeling, project management, implementation, anddata/spend analysis.
Protiviti consultants have considerable supply chain and operations leadership credentials in industry man-agement and in consulting. Our professionals have advanced degrees and many certifications, includingCPA, CPIM, CIRM, CPM, PMP, CIA, CISA, CPEA and CSE.
For more information, please visit our website at www.protiviti.com, or contact Philip O’Keeffe or JonRydberg with Protiviti’s Supply Chain Risk Consulting Practice.
Philip O’Keeffe Jon RydbergDirector Senior ManagerProtiviti Inc. Protiviti Inc.(312) 476.6393 (213) [email protected] [email protected]
About APICS
APICS is an educational society founded in 1957 to provide production and inventory management professionalsand their companies with education and certification. For more than 40 years, APICS has been setting thestandard as the recognized global leader and premier provider of education and information. APICS providesongoing learning opportunities to nearly 60,000 individuals from 20,000 companies worldwide, enablingmembers, enterprises and individuals to add value to their business performance. Visit www.apics.org to learnmore about APICS.
15 •