SARBANES-OXLEY AND SUPPLY CHAIN MANAGEMENT
By THOMAS CRAIG, President, LTD Management, www.ltdmgmt.com
What is Sarbanes-Oxley, and what does it have to do with supply chain management? Those are good questions. And the answers are: an act passed by Congress, and plenty.
CFOs and CEOs of publicly traded companies are very much aware of Sarbanes-Oxley (SOX). The Sarbanes-Oxley Act of 2002 grew from the corporate financial scandals of Enron and other companies. It was passed "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws". Corporate governance is the focus. The Securities and Exchange Commission is responsible for the Act and for corporate compliance with it.
First we need to establish the structure of two key provisions that impact supply chain management, Section 401 and, especially, Section 404.
Section 401, Disclosures In Periodic Reports, states:
(a) DISCLOSURES REQUIRED.-Section 13 of the Securities Exchange Act of 1934
(15 U.S.C. 78m) is amended by adding at the end the following:
(j) OFF-BALANCE SHEET TRANSACTIONS.-…that each annual and quarterly financial
report required to be filed with the Commission shall disclose all material
off-balance sheet transactions, arrangements, obligations (including contingent
obligations), and other relationships of the issuer with unconsolidated entities
or other persons, that may have a material current or future effect on financial
condition, changes in financial condition, results of operations, liquidity,
capital expenditures, capital resources, or significant components of revenues
or expenses.
For Management Discussion and Analysis (MD&A) for SOX, pertinent off-balance
sheet arrangements for supply chain executives include certain guarantee contracts
and retained or contingent interests in assets transferred to an unconsolidated
entity.
Volume purchase contracts for goods, service or manufacturing capacity are
the focus for supply chain management. Transport contracts are often short-term
vehicles that present favorable pricing in exchange for use on a best-effort basis,
with no firm commitments by the shipper. These would not be considered for disclosure.
However, service contracts with ocean carriers are guarantee contracts.
Service contracts are legally enforceable, take-or-pay contracts with fixed
volume commitments and penalties for failure to meet the commitment. These contracts
usually have a short-term duration, often one year. A service contract with a
commitment of 2000 containers and a $500 per container shortfall penalty begins
as a $1,000,000 obligation. The remaining questions for the corporation are whether
default on the contract guarantee is reasonably likely and what the material
effect and importance of the commitment are to the company's financial condition.
VMI (vendor managed inventory) or similar arrangements may be considered assets
where there are retained or contingent interests for Section 401 MD&A purposes.
These are often done to hedge risk and place assets off the balance sheet.
Section 404, Management Assessment of Internal Controls, states:
(a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual
report required by section 13 of the Securities Exchange Act of 1934 (15 U.S.C.
78m) to contain an internal control report, which shall--
(1) state the responsibility of management for establishing and maintaining
an adequate internal control structure and procedures for financial reporting;
and
(2) contain an assessment, as of the end of the most recent fiscal year of the
issuer, of the effectiveness of the internal control structure and procedures
of the issuer for financial reporting.
The recommended framework for the internal controls is that of the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. This framework has two parts.
The first involves three business objectives:
1) Effectiveness and efficiency of operations
2) Reliable financial reports
3) Compliance with laws and regulations
The second part involves eight interrelated components:
1) Internal control environment
2) Objective setting
3) Event identification
4) Risk assessment
5) Risk response
6) Control activities
7) Information and communication
8) Monitoring
Each business objective, coupled with the eight components, comprises the internal
control framework and process.
With that foundation, supply chain executives must participate and lead, especially
on the objective of effectiveness and efficiency of operations for their supply
chain, and must be able to document it for management to certify. Bringing the
complexity, operating dynamics and vagaries of a global supply chain into the
internal control structure can be a challenge.
Section 404 opens the opportunities for supply chain change. There are many
topics to be addressed with SOX controls. They include, but are not limited
to:
*Supply Chain Process. An effective supply chain process is horizontal
and crosses much of the company. Is there a process to manage the supply chain,
from suppliers through to customers' doors? Or is the "process" really
a series of transactions that appear to be a process but are not? A corollary
is whether a dominant silo has forced the process design in the organization,
or whether the process has been built to prop up a weak silo. With either, the
result is a flawed process, and whether it has the internal controls
needed for Sarbanes-Oxley could be suspect.
Meeting the specific needs of customers, tailoring to their respective requirements,
can run counter to possible efforts to standardize the process for control
simplification. SOX compliance does not demand standardization at the expense
of customers' requirements. Identifying and controlling the process is the need.
Information technology is important with SOX. Visibility across the supply
chain is very much needed. More is needed with visibility than knowing what
is stocked at warehouses. From purchase orders at suppliers through to delivery
orders for customers, companies need to see what is happening to their operations,
their inventories and other assets and to financial results.
However, firms should beware of viewing a software package as the quick-fix
panacea to Sarbanes-Oxley reporting and control requirements. Technology is
a tool, not an answer; it is a means to an end, not the end. Control goes beyond
tracking and similar approaches. Tracking data from inefficient processes could
be an exercise in garbage in, garbage out.
Technology without process is not internal control. Companies should assess
their supply chain, looking at gaps and also redundancies that can compromise
control. Inefficient processes should be identified and remedied.
*Outsourcing. Outsourced activities, both business process and transactions,
can be of interest for both Sections 401 and 404. For 401, the need is to identify,
define and report the off-balance sheet agreement. For Section 404, the need
is adequate internal controls and safeguards by the outsourcing service provider.
SOX is more stringent with outsourcing than is Statement on Auditing Standards
No. 70 as to the internal controls of the outsource provider. The need to develop
internal controls for external parties should be recognized. 3PLs and other outsource
logistics services, and their customers, should understand their revised responsibilities
to customers that are publicly traded companies subject to SOX.
*Disruption in Supply Chain Operation. Identifying and mitigating serious
disruptions in the supply chain operation is important. This involves supplier
and service provider performance and much more. Potential performance failures
should be identified. The shutdown of the West Coast ports in 2002 affected
supply chains by disrupting inventory replenishment and flow. Needed product
was sitting on vessels or backed up at overseas suppliers, unable to be shipped.
The impact was lost sales at Christmas and the need to then reduce prices to
sell late-arriving products.
Terrorist attacks are a serious threat. Attacks that originate through the
import supply chains would cause significant disruption to commerce and the
economy. Ports, ocean and/or air, could be closed for days, even weeks, after
an incident in efforts to identify and contain any other threats. Risk mitigation
may require more than using C-TPAT certified providers.
Supply chain assessment is needed to identify potential serious risks. Mitigation
is needed then to reduce the impact. These, in turn, could put pressure on JIT,
quick response, made-to-order and other inventory management programs.
Conclusion. The corporate financial scandals that created Sarbanes-Oxley and similar scandals in non-U.S. corporations eroded investor confidence and had serious economic impact. The conduct of business has changed. Supply chain executives have an opportunity here to assess their operations and make needed enhancements. All this can be done under the umbrella of SOX compliance.
The immediate and ongoing effects will be on contract management, supply
chain operations and more. Companies can gain operations improvements and competitive
advantage. Companies that are not subject to Sarbanes-Oxley should consider
that competitors will be making improvements and should act accordingly to assess,
improve and control their supply chain.