Sarbanes-Oxley: A Business Blessing in Disguise

Even if your company is not required by law to comply with Sarbanes-Oxley, it's a great business yardstick to employ in uncovering and improving upon your Enterprise Resource Planning (ERP) system's flat sides. In today's fast-paced business environment, it's valuable to note that being aware of weaknesses inside your organization is every bit as important as knowing its strengths.

By the very essence of the Sarbox initiative in this country, there is keen insight for businesses showing that while exploiting strengths may get companies ahead, knowing weaknesses will keep them out of trouble.

Initiating Sarbox compliance can provide a significant barometer, because the heart of what Sarbox is about focuses on establishing good business practices and ensuring proper controls are in place to highlight potential issues. Even with firms as small as 100 people, having the proper business controls in place allows a company to know where its weak spots reside. A company may not choose to act on an exposed ERP flat side immediately, but having it illuminated gives it the opportunity to monitor the situation and offers a decided advantage in making better decisions moving forward.

Often, small to medium companies truly are not aware of what their Enterprise Resource Planning (ERP) systems can do, or conversely they have a false sense of security that their ERP is structured to prove Sarbox compliance. An ERP system may tout workflow, for instance, but the information isn't recorded for posterity, or the company actually couldn't produce proof of compliance. It's less of an issue with today's improved software, as improved architecture makes for easier tracking, but it nevertheless is still an issue to consider.

Sometimes small to medium businesses believe they are too small to be concerned with the types of controls that Sarbox compliance can bring forth. They are apprehensive that staff may consider such controls as "mistrust." As IT departments are so intricately entwined in almost every company, for example, an internal controls assessment can automatically become an IT audit as well. In truth, having well-thought-out internal controls is simply good business practice for any company, regardless of size.

Sarbox and ERP: the Dynamic Duo

Overall, it's compelling for an organization to understand that forcing business awareness through its ERP, and using a Sarbox audit as an achievement standard, can provide any business a multitude of benefits.

Let's explore the issues at hand in determining the flat sides of an ERP system.

First, a firm needs to determine whether or not its system retains a history of areas such as approvals, master record changes and significant financial inputs. From this history, a company will be able to detect unusual business patterns and investigate any potential problems. Secondly, companies should evaluate their data storage methodology, asking such questions as: Can records be deleted? How secure is the data? How many people can access the data, and of those that have access, how many have a real business imperative to do so?

Finally, a company should assess its mechanisms for alerts, which could include everything from a portal dashboard eloquently pushing out an alert to the ability to deftly pull needed information from control reports. In other words, how easy is it for that company to detect irregular business patterns?

The critical point to consider here is that if the raw data isn't trapped, it's irrelevant to try and analyze it.

Details and Benefits

Another question quickly becomes apparent. Should a company make certain it has the tools in place for Sarbox compliance, or check first to make sure the ERP permits the processes needed for compliance? All the tools can be in place, but if the ERP system doesn't permit the needed processes, it is useless to pursue.

A rule of thumb for determining where your organization stands in this arena is to start by seriously understanding your data storage architecture. Make sure that the way the data is stored is going to support the required compliance. Ask: "Will my system retain information and make it accessible?"

Accessibility is primary. One of the biggest Sarbox faux pas that causes companies to fail audits is accessibility, meaning a person's role in the company not aligning with their ability to access data. To avoid this pitfall, an internal controls audit is highly recommended.

Again, the Sarbox audit can more than fill the bill whether or not compliance is the end goal. A Sarbox audit provides a very thorough framework to test against issues such as:

  • Proper approvals of financial input
  • Confirmation that master records are created or changed in the appropriate manner
  • Validation that staff ERP access is synonymous with roles in the organization
  • Approval responsibilities reside at the appropriate level in the organization

Once testing is complete and it's understood where the ERP flat sides exist, it's a good idea to repeat the audit on an annual basis. Whether Sarbox compliance is or is not "required," companies will want the assurance that there is status quo, or to learn whether things have developed that need exploration, attention or change. It's similar to having the electric company come to a private home to do an audit that tells owners where they are losing heat or air conditioning and gives a report explaining that if certain actions are or are not taken, the cause and effect will be A, B or C.

In the end, rather than consider Sarbox an unpleasant business challenge that was borne out of the governmental effort to keep companies "honest," it would be better viewed as the business boost it actually is. Sarbox audits can help any company of any size maximize their ERP systems. The process can illuminate how an ERP can streamline processes for efficiency and profitability, and provide an immediate ROI on the ERP investment by making it work to capacity.

About the Author

Debbie Preacher leads the ERP Practice at BST Global, a Tampa, FL-based organization that delivers value-added portal- and Web-based business solutions to professional services organizations throughout the world. She has more than 16 years extensive experience with ERP systems, accounting technology, professional services automation software and the development of comprehensive client support services.

About BST Global

BST Global offers their clients a broad range of services related to enterprise solutions, business processes and performance enhancement, and strategic technology planning. Whether you are just beginning a business system implementation, refining your existing business processes or attempting to measure and increase performance, BST Global can help you manage and achieve your goals.