The Sarbanes–Oxley Act of 2002 affects the logistics and supply chain teams as well as your company's financial people. What will be your role in bringing your organization into compliance? What areas do you need to be concerned with? This article frames the tasks that you and your team are likely to perform as a result of the Act, and provides advice for getting started.
If you work in the United States, then you likely know about the Sarbanes–Oxley Act of 2002 (SOA). Congress passed this law to prevent the kind of accounting scandals and reporting problems brought on by the likes of Enron and WorldCom, and to rebuild public trust in companies. SOA applies to any company listed on a U.S. stock exchange, even if its headquarters are outside the country or it is a subsidiary of a non-U.S. company.
What you might not yet know is the effect the act will have on how you implement, configure, and manage your company's SAP-based supply chain. Your counterparts in finance have the primary responsibility for ensuring compliance, but portions of SOA clearly have great significance to the operations side. For example, certain types of events must be reported within a specific timeframe, and you must be able to document and verify operational processes that influence your company's financial standing. “SOA isn't just a finance problem,” says Lindsey Sodano, a research analyst who follows the Act for AMR Research. “It is far-reaching into the bowels of the company.”
Even if you believe that your supply chain system already performs the required tasks, it might not do so in a way that satisfies SOA. The act requires the ability to drill down to a transactional level, for instance, and it restricts who can manually handle the data. No matter how confident you are in your system's SOA readiness, the act demands that all companies must review and likely adjust how they carry out certain processes within their SAP supply chain systems. Complicating your task is the fact that Congress has yet to define all the requirements of SOA—most significantly, what constitutes an adequate control.
Note
Seventy-nine percent of Fortune 1000 business and IT managers are not sure what effect SOA will have on their companies, according to a survey conducted in May by CIO magazine and AMR Research. However, 85 percent of those surveyed expect major or moderate changes to their IT systems as a result of complying with SOA.
SOA and the Supply Chain
The Act's main goal is to increase the standards for financial accounting in terms of reporting and verifiability. You won't find the words “supply chain” in the Act, but anything that occurs within your company's supply chain that materially affects the financial standing of the company is held to the same standards. You must be able to document the process involved, report on the effect to the financials, and verify accuracy.
You can break down the areas to be concerned about on the operations side into four categories:
- Reporting
- Business process controls
- Document management
- Security
Reporting. Section 409 of SOA requires companies to report material changes in their financial condition “on a rapid and current basis.” Consequently, the U.S. Securities and Exchange Commission (SEC) has increased the number of so-called “trigger events” that must automatically be reported. Added events on the operations side include:
- Substantial changes in purchasing commitments
- Material assets acquired by suppliers on your company's behalf
- Minimum quantity guarantees to vendors
- Ending or reducing a significant business relationship with a customer
When any of these events occur, or facts about them that were previously filed with the SEC change, your company must file an 8-K form with the SEC. This form describes the nature of the event or change in event and makes a statement about the risk to the company's financial standing. Your supply chain system must be able to capture when these events occur, alert the appropriate people to them, and produce a report with the information required by the SEC.
The SEC has greatly accelerated the reporting process for these events; the 8-K form must be filed within two business days if the company issues an earnings release. This requires a great deal of automation; your system must track these events relative to projections. For example, the creation of a blanket purchase order over a certain amount might result in a liability. So might the release of a purchase requisition of a large amount, or the issuance of a blanket purchase order with a minimum amount.
Since your reports need to show how operations affect financials, your supply chain/logistics systems must be properly integrated with your financial system. Manual reconciliation of the two data sets will not fly by SOA standards.
Business process controls. The intent of SOA Section 404 is that all business transactions are properly recorded, authorized, and reported in an ERP system, supply chain included, and that the process control is not prone to error or manipulation. “People need confidence that internal controls meet the requirements of SOA,” says Randy Hayes, director of Central Michigan University's management consulting concentration on the master of business administration curriculum, “not only in finance, but also for operations processes — contracts, who signs contracts, who is aware of them, how you track contacts.” The business process manager must take the responsibility for implementing these controls, according to Hayes.
Those managers need to know where the relevant data is so that they can enable the appropriate drill-downs to prove that the controls are in place. This allows auditors or corporate management to see the original transactions, contracts, purchase orders, and so on. Any relevant offline processes, then, will present a problem, as they will be difficult or even impossible to verify to SOA standards. Offline processes will also be a barrier to meeting the faster reporting requirements.
As with reporting, the level of integration with your financial systems directly affects your ability to verify the accuracy of your data. Missing links between the operational and financial side might make it impossible to meet Section 404's standards, as it prevents auditors and management from tracing back to the transactional level.
Although Congress has not fully defined what is an acceptable internal control, auditors and consultants are advising companies to use the standards set forth by the Committee of Sponsoring Organizations (COSO) in 1992. The COSO standards cover both financial and operational processes.
Document management. The additional reporting requirements and controls imposed by SOA mean that operational managers need to know that the system is properly capturing and storing relevant records.
Records not currently captured and recorded by your SAP system need to be identified and brought into the system — vendor invoices, for example. “Usually, incoming invoices are passed around for the appropriate person to sign off on (a physical signature on a white spot on the invoice),” says Ali Sarraf, managing director of consultancy ICM America. “Then they are entered into the system, and [the paper copies are] filed somewhere or shredded.” Sarraf is seeing increased demand for workflow-based optical archiving where the invoice is scanned as soon as it comes in. The image is attached to a workflow item and travels to the appropriate approver.
Approval is performed online — after a check to see if a proper goods receipt was performed. The invoice is then recorded with a time stamp, which automatically completes the invoice verification process. The result is that the entire back end of the purchasing process is automated and electronically recorded in the system. All information is attached to the PO and readily available for reference.
Security. Some of the scariest wording of SOA is in Section 1102, which outlines the penalties for altering, hiding, destroying, or otherwise making documents unavailable to “official proceedings” or impairing their integrity. Anyone convicted of record tampering can face up to 20 years in prison. This means that setting up the proper authorizations for your operations processes is essential.
You can't assume that your current authorizations meet SOA standards. “With recent headcount reductions, one person might be doing the job of two or three people,” says AMR Research's Sodano. “That person might be authorizing transactions and doing steps that should be done by another person.”
An example of an unacceptable authorization would be the same person requisitioning a purchase and releasing the requisition, rather than an authorized buyer. “Typical segregation of duty issues are performing the invoice verification function (entering and approving vendor invoices) and also running the payment program (the payment program cuts checks or initiates wire transfers for already verified and due invoices),” says Sarraf.
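The two segregation-of-duty conflicts named above can be checked mechanically. The following is an added example, not part of the original article: the duty labels, user names, and document IDs are constructed for illustration and are not SAP authorization objects or transaction codes.

```python
from collections import defaultdict

# Conflicting duty pairs named in the article; the labels are made up.
CONFLICTS = [("create_requisition", "release_requisition"),
             ("verify_invoice", "run_payment_program")]

# Constructed sample data: duties each user is authorized for.
ASSIGNMENTS = {
    "alice": {"create_requisition", "release_requisition"},
    "bob": {"verify_invoice"},
    "carol": {"run_payment_program", "create_requisition"},
    "dave": {"verify_invoice", "run_payment_program"},
}

# Constructed activity log: (document id, duty performed, user).
ACTIVITY = [
    ("PR-1001", "create_requisition", "alice"),
    ("PR-1001", "release_requisition", "alice"),
    ("INV-2001", "verify_invoice", "bob"),
    ("INV-2001", "run_payment_program", "dave"),
    ("INV-2002", "verify_invoice", "dave"),
    ("INV-2002", "run_payment_program", "dave"),
]

def potential_conflicts(assignments):
    """Users whose authorizations alone cover both halves of a pair."""
    return sorted(
        (user, a, b)
        for user, duties in assignments.items()
        for a, b in CONFLICTS
        if a in duties and b in duties
    )

def actual_violations(activity):
    """Documents where one user really performed both conflicting steps."""
    done = defaultdict(lambda: defaultdict(set))  # doc -> duty -> users
    for doc, duty, user in activity:
        done[doc][duty].add(user)
    hits = []
    for doc, by_duty in done.items():
        for a, b in CONFLICTS:
            for user in by_duty[a] & by_duty[b]:
                hits.append((doc, user, a, b))
    return sorted(hits)

if __name__ == "__main__":
    print(potential_conflicts(ASSIGNMENTS))
    print(actual_violations(ACTIVITY))
```

The first check flags authorizations that would allow a violation; the second flags documents where one actually occurred, which is the evidence an auditor drilling down to the transactional level would look for.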
What You Can Do Now
Most companies have not progressed beyond the documentation phase of their SOA compliance initiatives — identifying aspects of their business processes and their ERP systems that will likely need to change. What follows are key questions that your SAP supply chain team should start answering now to assess your SOA worthiness:
What operational processes are partially online or not online? In other words, you need to map what's handled automatically in the system and what's handled manually. For the manually handled items, you need to decide if they are relevant to SOA. For those that are, it's time to start planning how to automate those manual processes within the SAP system.
You might also categorize the manual processes according to how difficult it will be to bring them online. “As companies deploy ERP, they tend to put the most repeatable parts in [the system],” says Torsten Weirich, executive vice president of Acorn Systems Inc. The more variable a process, the harder it is to automate, he says, so it is handled manually. Those variable processes will present the biggest challenge in terms of automation.
Are the currently used reports and reporting tools up to the task? Any SOA-relevant report that provides only a summarized view with no drill-down will have to be replaced. If the current reporting tool is not capable of this, then you should identify one that can handle SOA reporting. For example, you might consider SAP's Business Information Warehouse (BW) and Strategic Enterprise Management (SEM) applications, which not only can provide drill-down capability, but also have the potential to offer an auditor/management-friendly view of the data.
What new operational reports are needed, and is the system capable of producing them? For example, some of the “trigger events” mentioned earlier might currently be included as part of a larger report or not reported at all. Review your options for producing these reports and identify the people to whom they should go.
Your system might not capture all the data necessary for the new SOA reports, or the required data might be spread among different, unlinked systems. You need to learn where the data you need is stored in the system and identify access problems.
What bottlenecks might keep you from meeting the reporting deadlines? Automating the manual processes and sorting out the other reporting problems will go a long way to speeding the reporting process to SOA levels. However, you should look for other potential problem areas. For example, how soon is the relevant data currently being entered in the system?
How consistent is your company's SAP supply chain system from site to site? If your company has made acquisitions or has upgraded its systems in a haphazard manner, then your operational processes and systems might differ from one site to the next. This makes it harder to implement the kinds of controls that SOA requires. Instead of one process for, say, handling raw materials orders from factory to factory, you might have five, each of which requires its own controls. Different sites working on different versions of SAP supply chain management software — or software from different vendors — increase the likelihood of integration issues.
Who should be authorized to perform key business process tasks? Review your current authorization policies. In particular, pay close attention to tasks where documents can be manipulated or misdirected. Anyone who stands to directly gain from changing or deleting a document should not have the access to do so.
Who else in your organization should you be consulting with? Your counterparts in finance probably have experience with the kinds of controls you need to put in place for your operational processes. They also can help fill in the blanks on how operational data relates to the balance sheet. If your company uses a data warehousing application, work with the team supporting it to learn how you can use the data warehouse to meet your SOA goals.
How can you take advantage of SOA to gain more benefits from your SAP supply chain system? Some companies have decided to make lemonade from the lemons that SOA hands them. They are using the situation to make system improvements that increase efficiency and help improve ROI. For example, SOA requires reporting on certain material events that affect a company's financial performance. You can take this one step further and use your supply chain system to give you early warning that such an event might occur, possibly giving you the chance to take action and keep the event from happening.
SOA can also be a catalyst to fully implement supply chain functionality that you've wanted, or to fine-tune processes that aren't working to your satisfaction — even if they have little or no bearing on SOA compliance. SOA presents a golden opportunity to pitch management on other projects that you can piggyback on the main initiative.
One final piece of advice: Read the Act itself. It will have a profound effect on how your company conducts business and how you manage the areas for which you are responsible. See https://www.socompliance.com for details.
You may contact the author at michael.nadeau@wispubs.com.