Executive Briefings

Is Your Supply Chain Ready for Sarbanes-Oxley?

It's a mistake to see the financial information reporting and documentation requirements of the act as the responsibility solely of either the CFO or the IT department. Sarbanes has many implications for supply-chain management.

Can any action born out of anger be productive?

If anything was birthed from outrage and frustration, it was what has come to be known as the Sarbanes-Oxley Act. However, its technical name, the Public Company Accounting Reform and Investor Protection Act of 2002, is more telling, hinting as it does at what needs to be reformed, who needs protection and what is now in the federal government's cross-hairs - publicly traded companies. All this because Sens. Paul Sarbanes and Michael Oxley, one from each major political party, acted on the anger surrounding the fraud scandals of Enron, WorldCom and others.

At its core, the Sarbanes-Oxley Act - or SOA, SarBox, or just plain Sarbanes - is about making sure that there are internal controls in every public enterprise that govern and document the information that winds up in financial statements. SOA also imposes a real-time reporting requirement in some instances, but like much legislation Sarbanes is fuzzy on the guidance it provides. So it is unclear just how real time real time is. One thing is clear, however. The onus of accurate public disclosure of financial information is on the CEOs and CFOs of public companies. They now have to personally sign off on audits, stating that the information is accurate. False declarations can merit jail time. That alone ensures that 'C' level managers are making sure that subordinates who pass information up the company food chain know what they are doing.

Can the anger that followed major corporate scandals produce anything good for business? Surprisingly, the answer is yes, according to interviews with experts and executives in consulting, technology development and research. They say the strictures of Sarbanes can only improve a company's business processes and supply-chain management.

Nevertheless, time is growing short. The first deadline for SarBox compliance is June 15, 2004. That's bearing down on many companies like a freight train. Will their supply chains be ready?
No, says Paul Matthews, vice president of supply-chain practice of the Americas at Cap Gemini Ernst & Young. "Clients that I deal with are so far behind with regard to their understanding and implementing," he says. "I get the feeling that when the deadline hits, there will be many companies in the Fortune 500 that will have underestimated what Sarbanes means to them."

That sentiment is common among consultants and others trying to prepare clients for the legislation's impact. Often the problem stems from the old "silos" mentality that has bedeviled management for years. Whose responsibility is SOA? Is it a finance department issue? Is it something for the IT people? The experts say it's everybody's baby, and Sarbanes certainly has a supply-chain management perspective to it.

"Very few traditional supply-chain executives really think about the financial area," Matthews says. For them, "it's very much on inventory balances, it's about on-time delivery, it's on procurement benefits, but rolling that up to the financial impact - there just isn't a true understanding of that."

He says it's no longer enough to know that your transportation management system is aligned with your warehouse management system. The act imposes an obligation on supply-chain managers to understand the financial implications of everything they do.

Accounting for Risk
Procurement exemplifies what Matthews is getting at. "At the end of the year, companies that buy a lot of material will be cutting deals and issuing contracts. And the traditional way of doing things is negotiating the deal for next year, and that deal could be anything from committing to a volume, some type of performance clause, some type of tiered pricing, or whatever, in the contract. Pre-Sarbanes, that was a fairly easy process: The procurement individual would negotiate the deal and project that next year there would be, maybe, a 15 percent saving on cost of goods based on these contracts. Well that's no longer acceptable. Because what's got to be reported is what are the risks and what are the actual implications of that contract over the life of it."

"Very few traditional supply-chain execs really think about the financial area."
- Paul Matthews of Cap Gemini Ernst & Young

He noted that a client recently tried to follow a common but unacceptable practice of reporting at end of year an immediate $1m upfront cash payment on a contract for a committed volume next year. But payment is not all that has to be reported now, Matthews says. "It's also putting the risk factor on what that $1m is for - this committed volume to this supplier for the next 12 months. That changes the whole contracting process with the supplier. The chief procurement officer has to go back and do an extensive analysis of not just the rebates, but the risks associated with the tier pricing as well as the volume commitments that have been made. What happens, for example, in second quarter [2004] if they have not reached those volume requirements?"

The risks don't stop there. Procurement is an area where many companies think their processes and strategies differentiate them from the competition. That certainly is the case in retailing, says Matthews. And the CPO he mentioned is "extremely nervous" about having to disclose information around the contract that he views as competitively advantageous. Being too open with that information is clearly risky in his view.

While top management needs to have a firm understanding of SarBox requirements, how far down in the enterprise must the word be spread? The consensus seems to be that anyone who has any type of budget control needs to understand the financial reporting and documentation requirements of the act.

While Matthews wouldn't drill down to the factory floor necessarily, he finds that the lower levels are going to be the largest influencers of what he calls the "aha's" - or problems. "So often deals are cut by the transportation manager where he commits to routings between A to B, he commits to less-than-truckloads, to warehouse space, he might even go out to 3PLs, and that then becomes an even bigger issue. I think it actually goes further down in the organization than most have thought. Most of the influencing of Sarbanes happens at a lower level than at a higher level."

None of this can sound very new to anyone in the supply-chain world, and most analysts and consultants acknowledge that. Seamless integration within and outside an organization, and information sharing aren't hot-off-the-press announcements. What's radical, some experts say, is the actual enforcement of these concepts that SOA brings.

It's one thing to talk about visibility across the value chain, it's another to actually have it. But Sarbanes mandates management of all the disparate groups - design, production, procurement, logistics, sales and marketing - to be much more by the numbers. Heavily, accurately documented numbers. That will require greater, more timely cooperation across all the divisions of an enterprise, or all companies under a single corporate entity.

Contract Management
Production penalties in contracts, and the contracts themselves, may change because of the reporting requirements of Sarbanes-Oxley, Matthews says. For example, breaches of performance contracts in the automotive industry traditionally were handled at what he refers to as the "relationship-type" level. Performance failures that could shut down an assembly line technically could have carried penalties in excess of the value of a multimillion-dollar contract. Historically, they weren't enforced, he says.

"Today, under Sarbanes, the auto maker has to report that as well as the supplier. So I think you're going to see wakeup calls in the industry where some of the traditional acceptable contractual language that has been out there is no longer acceptable. The automaker will not find anybody that could possibly agree to that kind of contract because on the flip side they will have to report that liability on their financial statement. And as soon as that's reported you can imagine the implications.

"The key point I would make is that contract management as it is known today is going to radically change over the next 12 months once the true understanding of Sarbanes hits home."

One of the understandings executives may come to have is that SOA can give them greater control over their supply chain, says Carol Ptak, vice president of manufacturing and distribution industries at PeopleSoft. She refers to a "magic triangle" with three legs to success - one for vision and one each for technology and business transformation. "To really have a holistic solution for Sarbanes-Oxley, you really have to have all three of those. Now, am I really doing Sarbanes-Oxley just to keep myself out of trouble with the government, or am I really going to have control of my business - which, oh by the way, results in Sarbanes-Oxley compliance? There are two different ways of looking at it."

When the business practice transformation is aligned with vision (aided perhaps by technology) enterprise control comes about. "And when a company has that kind of control over their supply chain," Ptak says, "Sarbanes-Oxley is really the result, not the cause."

Timing really isn't everything, she says. Many who started years in advance of Y2K still found themselves pushing that deadline. Picking the right tools for compliance and internal control is what is important. And that's true regardless of the nature of the company.

It helps to be on top of your business processes. In manufacturing, for instance, "the more in control your business process is, the easier it is to install the technology that controls that. Now, if your internal control processes are in poor shape, you're going to have a bigger problem."

Prudent companies already should have replaced legacy systems with systems with inherent controls, such as the capability to do accelerated filing. Unfortunately, many companies, especially in manufacturing, are too cumbersome to meet reporting deadlines.

"They have these systems scattered all over the place, and you have to do the consolidations and the closeouts and the management of all that," says Ptak.

"Where it gets worse is with the real-time disclosure issue. Now think about that from a supply-chain perspective. How many companies do you know that have integration from their supply-chain planning through to the financial implications of a breach? Sarbanes-Oxley has really brought the focus back to sales and operations planning. Because if you think about it, it's where I can find the three parts of my firm: my sales plan, so I know what's going on on the revenue side; my operations ability to execute; and then the financial implication of the previous two.

"If I get a glitch in my supply chain, what's the implication? Do I have another way through my network to be able to work around it? Or am I just stopped dead?"

Actionable Information
Regardless of where a company is in its preparations for SOA, it should quickly make its financial reporting more real-time. "What is the role of financial management? Is it to close the books each month, or is it to provide actionable information for the business to be effective? I mean the world has passed from just providing monthly or quarterly or annual reports to providing real-time feedback to the business to point out that you're going off the road or out of your lane. This isn't just for the financial side. This is information for the operational side as well."

She says PeopleSoft's financials can save companies almost a $1m for every billion in revenue, and says Hackett Group research backs that claim up. In any event, in her view, solid internal operational controls are what's needed. "If you have that, then Sarbanes-Oxley is not a big issue."

Kai Trepte says forecasting and planning technology can greatly aid in helping companies substantiate the projections and risks that have to be reported under the act.

"We've been getting people up to speed on what planning and forecasting is and what its impact is on the supply chain," says Trepte, cofounder of John Galt Solutions and vice president of sales. "Another side effect that comes out of that is, now that you have a picture of the future, that needs to be tied in and integrated with all of your forward revenue projections and into reporting all the major events that are part of SOA.

"Originally, people tended to look at a forecast as their best guess at the future. Now they are thinking here are all the things that we need to document [under SOA] because it's no longer just a matter of growing 3 percent. It's now - 'we're going to grow 3 percent, here's the method we used, here are the people who participated, here is the approach we used, and here are the major assumptions.' Now they can give people the transparency of numbers and the certainty that they aren't just plucking numbers out of the air."

As C-level officers have to start signing off on forecasts, they must know that due diligence went into a plan and that there is a paper trail. Historically, plans might have taken into account effects on unit volume, but that isn't sufficient now, Trepte says. "They need to say what is the impact from a revenue perspective. You know - one product is becoming more popular and another is becoming less popular, what does that do to our margin? Those things were taken into account informally, but now they are taken into account in a much more formal way."

Trepte says he is surprised to see so many large enterprises - "$400m companies, in some cases" - with no forecasting and planning technology to help them. But he acknowledges that technology is only part of the solution. Educating lower-level managers about the financial repercussions of certain actions is crucial. He cites sales promotions and taking down production facilities as examples. "They have to understand what are the major actions that would contribute to the profit and loss of the company. And in our part of the world, what effect their actions have on the plan, on what's going to be produced, or on what's going to be sold."

Supply-chain Managers
Consultants have a role to play here, he says, particularly in helping to establish patterns of behavior that lead to consistent documentation.

Supply-chain managers are key players in his view because they are "holders of foundation-level information that talks about what's going to happen in future. They are the people most in contact with events taking place, and it's the supply chain that looks at the most cost-effective way to deal with situations." As a consequence, they have a heavy responsibility in helping companies with SOA reporting issues.

In one sense, it's not too late to prepare for Sarbanes - because it's never going away. "The important thing to remember is the deadline is June 15, 2004, but it doesn't stop there," says Mitch Dwight, product manager at IFS. "If you look at a normal audit report, there is a standard statement in there that says the auditors have investigated and they attest to the fact that the numbers are correct. There's likely to be a paragraph added to that that says they have investigated the internal controls and they have attested to their validity and the documentation provided. So every year [under SOA] you're going to have to prove that you have maintained those controls, so this is going to be an ongoing process."

Audits won't solely be about internal controls, she says, but about the security of a company's reporting and documentation systems. An external audit must identify the validity of a system - that there are no breaches in the controls or security process.

She says that IFS brings 3,600 business models already predefined within its IFS Applications software that customers can tailor to their own internal business processes.

John Hagerty, vice president of research at AMR Research, says documentation is where many companies may fall down. While they have been working toward compliance in spirit by instituting what they believe is an appropriate internal management control structure, they may not be able to prove that.

Consultants can help with that, but a balance must be struck, he says. "You know, if everyone documented everything that they do, that's a good exercise in general, but the idea behind Sarbanes-Oxley is to document processes that contribute to reporting, so therefore you want to start isolating what are the important ones. Number two, you want to make sure you don't go overboard because if this is looked at as a total documentation effort for the whole company - you could be doing it forever."

"With Sarbanes, when you're done, you're not done. It just keeps on going."
- John Hagerty of AMR Research

Some clients are taking the "short-term/long-term" approach to internal controls, he said. "Year One would be to document and understand what they need to do, and Year Two would be to make it sustainable and repeatable. "One of the things about Sarbanes that is different from other initiatives is that when you're done, you're not done. It just keeps on going, it's a quarterly and annual exercise from this point forward.

"Unlike Y2K - whether it worked or didn't work - this is a requirement for ongoing management control and documentation, and it will not go away. So forward-looking companies are looking to build this as repeatable processes."

Complicating matters are the unknowns, such as the real-time reporting requirements of Section 409 of the act, which has yet to receive the kind of specificity that the legislation requires of those it governs.

Hagerty acknowledges that there is money to be made by IT consultants and technology vendors, but says firms stand to gain from the improvements that the act mandates.

"There seems to be two major schools of thought when people talk about Sarbanes. No. 1 is, 'what do I have to do to comply?' The second is, 'this is giving me the opportunity to be able to really review my processes and controls to then either standardize them across the firm for less variability or potentially change them to have less exposure to areas of risk."

Still, there is cost involved, and it can be considerable, especially for diverse environments with different companies, polices and procedures operating under one corporate umbrella. The more decentralized the environment, the greater its complexity in terms of management structure and business systems, the more it will cost to comply with the act.

Hagerty has predicted for some time that the greatest expense will come from retaining advisors and consultants and not from outlays on technology.

In any event, it is important to remember that SarBox is not solely a financial matter. The act may start off with looking at key accounts, but it goes further: an audit will scrutinize the cost of goods sold, procurement practices, inventory, raw materials and finished goods, among other things.

"In the end, a lot of things in the operational side of the supply chain will be subject to a lot of scrutiny under Sarbanes," Hagerty says.

Is this any different from what prudent CEOs and CFOs always demanded to keep a lid on costs? Yes, because the reporting and documentation requirements are stricter. But Hagerty sees the upside: "This allows you to review yet again how you do certain things and if you discover there are any gaps in control you can make those changes."

On the Hook
Still, there is the personal aspect that can't be denied. Most companies have already documented their processes, but that was pre-Sarbanes, says Seamus Moran, director of financial applications development at Oracle.

"Now you've got to take [the audit] home, evaluate the risks and certify that you've addressed them. You are now on the hook. That's what Sarbanes-Oxley did for you."

Repeatability is key, because companies have to show their controls and documentation every time they file with the SEC. "That's where people like us come in." Moran says. "We make it repeatable. We put what you've done, in terms of reviewing everything, into a database so you can maintain it, you can update, you can view it as you go."

For one thing, Oracle's Internal Control Manager is designed to break your purchasing processes into subcomponents and evaluate them for risks, Moran says. He notes that tech is only part of the solution to compliance. "The larger part of it is the way in which you've reengineered your business." Echoing Hagerty, he says, "The simpler you make your business, the easier it is to become compliant."

From June 15, 2004, and on, public companies will have no choice about getting their supply chains Sarbanes-compliant. What management can do is either get angry - or see the mandates in a positive light. Hagerty seems to opt for the latter. "People look at this one of two ways - one is the cost of doing business and the other is the ability to get leverage for business improvements in place. It's trying to wring as much value out of the money you have to spend for overall corporate benefit.

"I think if people look at the money they have to spend as something with potential benefits beyond just compliance, that's not a bad thing."

Can any action born out of anger be productive?

If anything was birthed from outrage and frustration, it was what has come to be known as the Sarbanes-Oxley Act. However, its technical name, the Public Company Accounting Reform and Investor Protection Act of 2002, is more telling, hinting as it does at what needs to be reformed, who needs protection and what is now in the federal government's cross-hairs - publicly traded companies. All this because Sens. Paul Sarbanes and Michael Oxley, one from each major political party, acted on the anger surrounding the fraud scandals of Enron, WorldCom and others.

At its core, the Sarbanes-Oxley Act - or SOA, SarBox, or just plain Sarbanes - is about making sure that there are internal controls in every public enterprise that govern and document the information that winds up in financial statements. SOA also imposes a real-time reporting requirement in some instances, but like much legislation Sarbanes is fuzzy on the guidance it provides. So it is unclear just how real time real time is. One thing is clear, however. The onus of accurate public disclosure of financial information is on the CEOs and CFOs of public companies. They now have to personally sign off on audits, stating that the information is accurate. False declarations can merit jail time. That alone ensures that 'C' level managers are making sure that subordinates who pass information up the company food chain know what they are doing.

Can the anger that followed major corporate scandals produce anything good for business? Surprisingly, the answer is yes, according to interviews with experts and executives in consulting, technology development and research. They say the strictures of Sarbanes can only improve a company's business processes and supply-chain management.

Nevertheless, time is growing short. The first deadline for SarBox compliance is June 15, 2004. That's bearing down on many companies like a freight train. Will their supply chains be ready?
No, says Paul Matthews, vice president of supply-chain practice of the Americas at Cap Gemini Ernst & Young. "Clients that I deal with are so far behind with regard to their understanding and implementing," he says. "I get the feeling that when the deadline hits, there will be many companies in the Fortune 500 that will have underestimated what Sarbanes means to them."

That sentiment is common among consultants and others trying to prepare clients for the legislation's impact. Often the problem stems from the old "silos" mentality that has bedeviled management for years. Whose responsibility is SOA? Is it a finance department issue? Is it something for the IT people? The experts say it's everybody's baby, and Sarbanes certainly has a supply-chain management perspective to it.

"Very few traditional supply-chain executives really think about the financial area," Matthews says. For them, "it's very much on inventory balances, it's about on-time delivery, it's on procurement benefits, but rolling that up to the financial impact - there just isn't a true understanding of that."

He says it's no longer enough to know that your transportation management system is aligned with your warehouse management system. The act imposes an obligation on supply-chain managers to understand the financial implications of everything they do.

Accounting for Risk
Procurement exemplifies what Matthews is getting at. "At the end of the year, companies that buy a lot of material will be cutting deals and issuing contracts. And the traditional way of doing things is negotiating the deal for next year, and that deal could be anything from committing to a volume, some type of performance clause, some type of tiered pricing, or whatever, in the contract. Pre-Sarbanes, that was a fairly easy process: The procurement individual would negotiate the deal and project that next year there would be, maybe, a 15 percent saving on cost of goods based on these contracts. Well that's no longer acceptable. Because what's got to be reported is what are the risks and what are the actual implications of that contract over the life of it."

"Very few traditional supply-chain execs really think about the financial area."
- Paul Matthews of Cap Gemini Ernst & Young

He noted that a client recently tried to follow a common but unacceptable practice of reporting at end of year an immediate $1m upfront cash payment on a contract for a committed volume next year. But payment is not all that has to be reported now, Matthews says. "It's also putting the risk factor on what that $1m is for - this committed volume to this supplier for the next 12 months. That changes the whole contracting process with the supplier. The chief procurement officer has to go back and do an extensive analysis of not just the rebates, but the risks associated with the tier pricing as well as the volume commitments that have been made. What happens, for example, in second quarter [2004] if they have not reached those volume requirements?"

The risks don't stop there. Procurement is an area where many companies think their processes and strategies differentiate them from the competition. That certainly is the case in retailing, says Matthews. And the CPO he mentioned is "extremely nervous" about having to disclose information around the contract that he views as competitively advantageous. Being too open with that information is clearly risky in his view.

While top management needs to have a firm understanding of SarBox requirements, how far down in the enterprise must the word be spread? The consensus seems to be that anyone who has any type of budget control needs to understand the financial reporting and documentation requirements of the act.

While Matthews wouldn't drill down to the factory floor necessarily, he finds that the lower levels are going to be the largest influencers of what he calls the "aha's" - or problems. "So often deals are cut by the transportation manager where he commits to routings between A to B, he commits to less-than-truckloads, to warehouse space, he might even go out to 3PLs, and that then becomes an even bigger issue. I think it actually goes further down in the organization than most have thought. Most of the influencing of Sarbanes happens at a lower level than at a higher level."

None of this can sound very new to anyone in the supply-chain world, and most analysts and consultants acknowledge that. Seamless integration within and outside an organization, and information sharing aren't hot-off-the-press announcements. What's radical, some experts say, is the actual enforcement of these concepts that SOA brings.

It's one thing to talk about visibility across the value chain, it's another to actually have it. But Sarbanes mandates management of all the disparate groups - design, production, procurement, logistics, sales and marketing - to be much more by the numbers. Heavily, accurately documented numbers. That will require greater, more timely cooperation across all the divisions of an enterprise, or all companies under a single corporate entity.

Contract Management
Production penalties in contracts, and the contracts themselves, may change because of the reporting requirements of Sarbanes-Oxley, Matthews says. For example, breaches of performance contracts in the automotive industry traditionally were handled at what he refers to as the "relationship-type" level. Performance failures that could shut down an assembly line technically could have carried penalties in excess of the value of a multimillion-dollar contract. Historically, they weren't enforced, he says.

"Today, under Sarbanes, the auto maker has to report that as well as the supplier. So I think you're going to see wakeup calls in the industry where some of the traditional acceptable contractual language that has been out there is no longer acceptable. The automaker will not find anybody that could possibly agree to that kind of contract because on the flip side they will have to report that liability on their financial statement. And as soon as that's reported you can imagine the implications.

"The key point I would make is that contract management as it is known today is going to radically change over the next 12 months once the true understanding of Sarbanes hits home."

One of the understandings executives may come to have is that SOA can give them greater control over their supply chain, says Carol Ptak, vice president of manufacturing and distribution industries at PeopleSoft. She refers to a "magic triangle" with three legs to success - one for vision and one each for technology and business transformation. "To really have a holistic solution for Sarbanes-Oxley, you really have to have all three of those. Now, am I really doing Sarbanes-Oxley just to keep myself out of trouble with the government, or am I really going to have control of my business - which, oh by the way, results in Sarbanes-Oxley compliance? There are two different ways of looking at it."

When the business practice transformation is aligned with vision (aided perhaps by technology) enterprise control comes about. "And when a company has that kind of control over their supply chain," Ptak says, "Sarbanes-Oxley is really the result, not the cause."

Timing really isn't everything, she says. Many who started years in advance of Y2K still found themselves pushing that deadline. Picking the right tools for compliance and internal control is what is important. And that's true regardless of the nature of the company.

It helps to be on top of your business processes. In manufacturing, for instance, "the more in control your business process is, the easier it is to install the technology that controls that. Now, if your internal control processes are in poor shape, you're going to have a bigger problem."

Prudent companies already should have replaced legacy systems with systems with inherent controls, such as the capability to do accelerated filing. Unfortunately, many companies, especially in manufacturing, are too cumbersome to meet reporting deadlines.

"They have these systems scattered all over the place, and you have to do the consolidations and the closeouts and the management of all that," says Ptak.

"Where it gets worse is with the real-time disclosure issue. Now think about that from a supply-chain perspective. How many companies do you know that have integration from their supply-chain planning through to the financial implications of a breach? Sarbanes-Oxley has really brought the focus back to sales and operations planning. Because if you think about it, it's where I can find the three parts of my firm: my sales plan, so I know what's going on on the revenue side; my operations ability to execute; and then the financial implication of the previous two.

"If I get a glitch in my supply chain, what's the implication? Do I have another way through my network to be able to work around it? Or am I just stopped dead?"

Actionable Information
Regardless of where a company is in its preparations for SOA, it should quickly make its financial reporting more real-time. "What is the role of financial management? Is it to close the books each month, or is it to provide actionable information for the business to be effective? I mean the world has passed from just providing monthly or quarterly or annual reports to providing real-time feedback to the business to point out that you're going off the road or out of your lane. This isn't just for the financial side. This is information for the operational side as well."

She says PeopleSoft's financials can save companies almost a $1m for every billion in revenue, and says Hackett Group research backs that claim up. In any event, in her view, solid internal operational controls are what's needed. "If you have that, then Sarbanes-Oxley is not a big issue."

Kai Trepte says forecasting and planning technology can greatly aid in helping companies substantiate the projections and risks that have to be reported under the act.

"We've been getting people up to speed on what planning and forecasting is and what its impact is on the supply chain," says Trepte, cofounder of John Galt Solutions and vice president of sales. "Another side effect that comes out of that is, now that you have a picture of the future, that needs to be tied in and integrated with all of your forward revenue projections and into reporting all the major events that are part of SOA.

"Originally, people tended to look at a forecast as their best guess at the future. Now they are thinking here are all the things that we need to document [under SOA] because it's no longer just a matter of growing 3 percent. It's now - 'we're going to grow 3 percent, here's the method we used, here are the people who participated, here is the approach we used, and here are the major assumptions.' Now they can give people the transparency of numbers and the certainty that they aren't just plucking numbers out of the air."

As C-level officers have to start signing off on forecasts, they must know that due diligence went into a plan and that there is a paper trail. Historically, plans might have taken into account effects on unit volume, but that isn't sufficient now, Trepte says. "They need to say what is the impact from a revenue perspective. You know - one product is becoming more popular and another is becoming less popular, what does that do to our margin? Those things were taken into account informally, but now they are taken into account in a much more formal way."

Trepte says he is surprised to see so many large enterprises - "$400m companies, in some cases" - with no forecasting and planning technology to help them. But he acknowledges that technology is only part of the solution. Educating lower-level managers about the financial repercussions of certain actions is crucial. He cites sales promotions and taking down production facilities as examples. "They have to understand what are the major actions that would contribute to the profit and loss of the company. And in our part of the world, what effect their actions have on the plan, on what's going to be produced, or on what's going to be sold."

Supply-chain Managers
Consultants have a role to play here, he says, particularly in helping to establish patterns of behavior that lead to consistent documentation.

Supply-chain managers are key players in his view because they are "holders of foundation-level information that talks about what's going to happen in future. They are the people most in contact with events taking place, and it's the supply chain that looks at the most cost-effective way to deal with situations." As a consequence, they have a heavy responsibility in helping companies with SOA reporting issues.

In one sense, it's not too late to prepare for Sarbanes - because it's never going away. "The important thing to remember is the deadline is June 15, 2004, but it doesn't stop there," says Mitch Dwight, product manager at IFS. "If you look at a normal audit report, there is a standard statement in there that says the auditors have investigated and they attest to the fact that the numbers are correct. There's likely to be a paragraph added to that that says they have investigated the internal controls and they have attested to their validity and the documentation provided. So every year [under SOA] you're going to have to prove that you have maintained those controls, so this is going to be an ongoing process."

Audits won't solely be about internal controls, she says, but about the security of a company's reporting and documentation systems. An external audit must identify the validity of a system - that there are no breaches in the controls or security process.

She says that IFS brings 3,600 business models already predefined within its IFS Applications software that customers can tailor to their own internal business processes.

John Hagerty, vice president of research at AMR Research, says documentation is where many companies may fall down. While they have been working toward compliance in spirit by instituting what they believe is an appropriate internal management control structure, they may not be able to prove that.

Consultants can help with that, but a balance must be struck, he says. "You know, if everyone documented everything that they do, that's a good exercise in general, but the idea behind Sarbanes-Oxley is to document processes that contribute to reporting, so therefore you want to start isolating what are the important ones. Number two, you want to make sure you don't go overboard because if this is looked at as a total documentation effort for the whole company - you could be doing it forever."

"With Sarbanes, when you're done, you're not done. It just keeps on going."
- John Hagerty of AMR Research

Some clients are taking the "short-term/long-term" approach to internal controls, he said. "Year One would be to document and understand what they need to do, and Year Two would be to make it sustainable and repeatable. "One of the things about Sarbanes that is different from other initiatives is that when you're done, you're not done. It just keeps on going, it's a quarterly and annual exercise from this point forward.

"Unlike Y2K - whether it worked or didn't work - this is a requirement for ongoing management control and documentation, and it will not go away. So forward-looking companies are looking to build this as repeatable processes."

Complicating matters are the unknowns, such as the real-time reporting requirements of Section 409 of the act, which has yet to receive the kind of specificity that the legislation requires of those it governs.

Hagerty acknowledges that there is money to be made by IT consultants and technology vendors, but says firms stand to gain from the improvements that the act mandates.

"There seems to be two major schools of thought when people talk about Sarbanes. No. 1 is, 'what do I have to do to comply?' The second is, 'this is giving me the opportunity to be able to really review my processes and controls to then either standardize them across the firm for less variability or potentially change them to have less exposure to areas of risk."

Still, there is cost involved, and it can be considerable, especially for diverse environments with different companies, polices and procedures operating under one corporate umbrella. The more decentralized the environment, the greater its complexity in terms of management structure and business systems, the more it will cost to comply with the act.

Hagerty has predicted for some time that the greatest expense will come from retaining advisors and consultants and not from outlays on technology.

In any event, it is important to remember that SarBox is not solely a financial matter. The act may start off with looking at key accounts, but it goes further: an audit will scrutinize the cost of goods sold, procurement practices, inventory, raw materials and finished goods, among other things.

"In the end, a lot of things in the operational side of the supply chain will be subject to a lot of scrutiny under Sarbanes," Hagerty says.

Is this any different from what prudent CEOs and CFOs always demanded to keep a lid on costs? Yes, because the reporting and documentation requirements are stricter. But Hagerty sees the upside: "This allows you to review yet again how you do certain things and if you discover there are any gaps in control you can make those changes."

On the Hook
Still, there is the personal aspect that can't be denied. Most companies have already documented their processes, but that was pre-Sarbanes, says Seamus Moran, director of financial applications development at Oracle.

"Now you've got to take [the audit] home, evaluate the risks and certify that you've addressed them. You are now on the hook. That's what Sarbanes-Oxley did for you."

Repeatability is key, because companies have to show their controls and documentation every time they file with the SEC. "That's where people like us come in." Moran says. "We make it repeatable. We put what you've done, in terms of reviewing everything, into a database so you can maintain it, you can update, you can view it as you go."

For one thing, Oracle's Internal Control Manager is designed to break your purchasing processes into subcomponents and evaluate them for risks, Moran says. He notes that tech is only part of the solution to compliance. "The larger part of it is the way in which you've reengineered your business." Echoing Hagerty, he says, "The simpler you make your business, the easier it is to become compliant."

From June 15, 2004, and on, public companies will have no choice about getting their supply chains Sarbanes-compliant. What management can do is either get angry - or see the mandates in a positive light. Hagerty seems to opt for the latter. "People look at this one of two ways - one is the cost of doing business and the other is the ability to get leverage for business improvements in place. It's trying to wring as much value out of the money you have to spend for overall corporate benefit.

"I think if people look at the money they have to spend as something with potential benefits beyond just compliance, that's not a bad thing."