Sarbanes-Oxley Act Compliance in Purchasing

By managing compliance across all aspects of the supply management process, CPOs can not only sleep easy but also feel confident that they are positively impacting corporate profitability through effective management and control. But what is driving compliance up the management agenda? Why, in detail, is the Sarbanes-Oxley Act (SOX) important to purchasing professionals, and what exactly are the opportunities?

Compliance moving up the management agenda

In the wake of recent corporate fraud examples, such as that discovered at Enron, the capital markets are demanding greater security, transparency and legal responsibility from finance for increased shareholder protection. This, in turn, has led to the need for increased visibility and control as well as improved forecasting accuracy and timeliness of reporting. To support this, many governments have introduced legislation to compel companies to adhere to good business practice and compliance. Whilst uncertainty exists about what is required, how it will be enforced and what penalties will be levied, it is widely acknowledged that, if it is executed correctly, compliance can lead to better business practices, improved performance and higher credit ratings.
SOX is just one of a number of regulatory acts that have been passed in recent years. Other examples include the International Financial Reporting Standards (IFRS), which determine how Europe’s leading listed companies are required to report their financial statements as of 2005. Others include Gramm-Leach-Bliley, which controls the sale of personal financial information, and the USA Patriot Act, which vests the US Treasury Department with regulatory powers to combat corruption of US financial institutions for foreign money laundering purposes. However, it is SOX which draws most interest, as it applies not only to US companies but also to non-US companies who list in the US or who have suppliers in the US.
SOX is not only about financial controls; importantly, it places accountability at the highest levels of the company. It primarily covers the areas of corporate governance, financial reporting, executive conduct and internal controls. However, Section 404, which deals with internal controls, is of most importance to purchasing, because in this section the executive management is obliged to

  • document internal controls,
  • assess the effectiveness of internal controls and
  • prepare a report on internal controls.

For the purchasing organization it is imperative that all transaction and process controls are implemented across all business processes – manual or automatic.

SOX and its opportunities for purchasing

There are essentially two approaches to compliance. The first is simply to go through the motions to address compliance. An example of this approach is when a company collates all contracts in a database repository to “tick the box”. What is missing, though, is any control on the contracts or even the ability to manage them in this so-called compliant state. A more proactive approach, on the other hand, is to review all controls and business processes to ensure not only compliance but also process optimization.

It is the latter approach that many leading companies are adopting and which is delivering results. One example is the ability to take negotiated savings from an E-Auction automatically into a contract management system which, in turn, updates the E-Procurement tool. This will ensure that the notional savings identified during the sourcing process are taken to the bottom line. Not only is the process fully automated, but the integrity of the information is maintained and is reportable.

Further SOX-related opportunities

The requirements of Section 404 – to establish, document and certify internal processes – open the door for other opportunities. On the one hand, purchasing people are forced to automate offline processes to ensure compliance with company controls and spending guidelines and to establish mechanisms to prevent fraud. The requirements are not limited to traditional financial systems; purchasing has to support all end-to-end processes. On the other hand, this gives the opportunity to extend processes to include category-specific requirements and the full contract management lifecycle. Second, the requirements drive spend analysis for complete visibility. Last but not least, it leads to the opportunity of full invoice management to obtain 100 percent compliance.

How SAP helps to support SOX compliance

SAP solutions are designed with many built-in controls that, when used properly, provide most of the features and functionality needed to aid the CEO and CFO certification of the data processing internal controls. Specifically, SAP offers modules such as Management of Internal Controls, Enhanced Audit tools and “Whistle-Blowing” functionality to assist with SOX compliance. In the purchasing arena it is the underlying control features of mySAP Supplier Relationship Management (mySAP SRM) that provide the key areas of support.

  • Inherent Controls are delivered with SAP and embedded in the system logic – they do not need to be designed into the system. The document principle, for example, provides document-level audit capabilities to ensure that every single posting can be tracked to its source.
  • Configurable Controls are set up automatically at the time of installation. A good example is workflow, which provides automated routing and escalation of key information with alert capabilities. This helps ensure the “right work is brought in the right sequence at the right time to the right people”.
  • Reporting Controls are created through standard or ad-hoc reports, for example to review changes to master data.
  • Security Controls are guaranteed with user access and role-based usage depending upon status to ensure controls for approvals and delegation.

Additionally, specific functionality within the Strategic Sourcing capabilities of mySAP SRM (comprising Negotiation and Contract Management) can assist companies in their compliance efforts under Sarbanes-Oxley and other regulatory legislation.

A trend beyond compliance

In a recent set of research results, a strong message emerged regarding the exploitation of compliance projects to drive additional value for purchasing. An AMR Research study found that many firms want to leverage the potential synergy between SOX compliance work and downstream IT projects. It also highlighted that many are reprioritizing their project portfolios to support SOX compliance and get maximum benefits out of their investments. Another leading research company, Forrester Research, found in a study across 20 companies that compliance with Sarbanes-Oxley is a catalyst for smart CFOs to build proactive controls into processes like contract compliance. It went on to say that the CIO’s role is to build a technology infrastructure to enable process improvement with tools like an electronic controls library, workflow, and inline analytics applications. As a final validation of the proactive approach that many companies are taking, an SAP-sponsored customer council found that ten out of the ten companies represented intend to use Sarbanes-Oxley to expand beyond the prescribed control process.
To maximize the benefits of fully compliant processes, many customers are exploiting SAP’s “Packaged Solutions” and “Category Management”. As a starting point, these solutions can provide a structured approach using consistent methodology, standard software tools, and data analysis to support sourcing decision making. The objective is to establish standard procurement processes and apply them to sourcing strategy development and execution as well as to the transactional, operational processes.

SAP is setting the agenda for purchasing

There is no doubt that increased regulation is driving corporate governance, and therefore purchasing professionals must be aware of the implications for their business. Compliance needs are different for every company, but process control is key, and to exploit the opportunity fully many customers are looking beyond SOX. mySAP SRM provides the functionality to meet the requirements for purchasing compliance, and by exploiting SAP’s “Packaged Solutions” and “Category Management” customers are able to maximise the benefits beyond the legal minimum. mySAP SRM is a complete platform for purchasing which is fully integrated with all core business processes and systems to close the loop for supply management.

Roger Phillips