Imagine you’re an operations engineer for a large, publicly owned company. While reviewing some routine maintenance work at your plant, done the prior week by an external contractor, you discover that the contractor inadvertently switched certain security controls and, as a result, your plant has been releasing excess environmental emissions. Unfortunately, your plant now faces some significant fines because of these emissions. What would you do?
If this scenario occurred a decade ago, besides taking immediate steps to correct the contractor’s error, you’d also have alerted the proper authorities within your company. You’d likely still take these same steps today, but with an added degree of urgency and financial importance, due to the Sarbanes-Oxley (SOX) Act of 2002.
According to SOX, publicly owned companies are required to make sure that all parts of their operations have documented processes in place to track and report any significant material event that occurs. In the scenario presented above, no matter the cause or reason for the environmental error, if your company potentially faces a large fine that could adversely affect its finances, it must publicly divulge that information.
SOX was created to prevent accounting scandals such as those that have dominated the news in recent years. It requires the CEOs and boards of publicly owned companies to be far more accountable and responsible for the timeliness and accuracy of the financial information that they provide to regulators and investors. SOX also outlines and clarifies the relationship that’s expected between companies and their external accounting counsel.
From the standpoint of financial accuracy and disclosure, publicly owned companies have significantly heeded the terms of SOX. AMR Research Inc., a Boston-based industry advisory firm, estimates that companies spent $6.1 billion on SOX requirements in 2005. However, these efforts have been concentrated at the level of financial reporting. Organizations often overlook the need to extend the compliance focus to trace the complete source of their financial data back to their roots within the manufacturing environment.
From a plant-floor perspective, manufacturers have only begun to scratch the surface of what they could—or should—be doing to fully comply with SOX. Companies are linking their plant-floor automation systems to enterprise-level business systems, creating an environment where the traditional information technology (IT) and manufacturing worlds coincide. With the emergence of IT-class technologies on the plant floor, many manufacturers already have, or can readily implement, the means to automatically populate their financial reporting systems with such vital plant-floor data as raw-material consumption, yield, production counts and scrap. They now have the means to document and certify their operational data as readily as they can attest to their financial processes.
According to several recent rulings and interpretations by the Securities and Exchange Commission and other federal agencies charged with enforcing SOX, that’s exactly what companies should be doing: recording and archiving any manufacturing-related operational data that affect company finances. Without tracing the complete lineage of financial source data, it’s impossible to ensure that the information is fully accurate and immutable. With this relatively new emphasis on tracking operational processes, companies are finding that the scope of SOX is far wider than when the act became law. Manufacturers must now rethink how production information is managed, secured and transferred.
Congress put some serious consequential teeth into SOX to make sure that companies and their employees would comply. But organizations that view SOX as simply a regulatory hassle are missing out on realizing its other potential benefits.
Even nonpublic companies that adopt SOX-related financial and operational practices can take advantage of more reliable and complete financial data, better-informed corporate decision making, fraud deterrence, safety improvements and reduced exposure to litigation. In fact, many publicly owned companies already require their primary suppliers, both public and nonpublic companies, to implement SOX standards within their organizations.
Litigation reduction was particularly important to a beverage company that had recently tightened its SOX compliance practices. A maintenance engineer at this publicly traded company introduced “forces” into a controller to override a troublesome sensor on a reject line of a conveyor. Thinking that this only affected the scrap line and not the main production line, the engineer didn’t document the change and waited for replacement parts to arrive. Several days later, the problem was corrected and the forces removed. What the employee didn’t realize was that the controller automatically reported scrap to the enterprise resource planning (ERP) level as a component of a production yield calculation. For several days, the company’s financials incorrectly showed an unusual increase in production efficiency.
The sections of SOX most relevant to manufacturing organizations are 401(a), 404 and 409, which generally describe management’s responsibilities for internal controls over financial reporting. A summary of each follows.
• Section 401(a): Disclosures in periodic reports; disclosures required. This section requires that each financial report be prepared in accordance with generally accepted accounting principles and “reflect all material correcting adjustments… that have been identified by a registered accounting firm….” Additionally, it states that each annual and quarterly financial report shall “disclose all material off-balance-sheet transactions” and “other relationships” that may have a material current or future effect on the financial condition of the issuer.
• Section 404: Management assessment of internal controls. This section requires the issuer to publish in its annual report an “internal control report” that states the scope and adequacy of its internal control structure and its procedures for financial reporting. It should also contain an assessment, at the end of the issuer’s fiscal year, of the effectiveness of the internal control structure and the issuer’s procedures for financial reporting. The issuer’s auditor must attest, within the same report, to the assessment made by the issuer’s management.
• Section 409: Real-time disclosure. According to this section, issuers are required to disclose to the public, on an urgent basis, any information on material changes in their financial condition or operations. These disclosures must be presented in terms that are easy to understand and supported by graphical presentations of trend and qualitative data.
To illustrate how section 409 of SOX might come into play, imagine if the forces on the reject line mentioned earlier weren’t detected or corrected for several weeks. As a potentially adverse financial event, the company would immediately need to publicly disclose this information to be SOX-compliant. Urgency is key.
Unfortunately, many manufacturers aren’t accustomed to controlling, quickly tracking, analyzing and reporting on operational events that may have a material effect on the company. Such factors as operational access and security, change-control failures, and business continuity and risk management measures could all potentially affect a company’s finances. Even events that occur daily or seemingly innocuous changes in procedures can have an effect. In a worst-case scenario, a company that can’t adequately identify and report on a failure within one of these factors would be unable to comply with SOX, and it would face significant repercussions.
Clearly, manufacturing organizations must begin thinking about ways to synchronize, streamline and secure their information between databases to be fully SOX-compliant. IT directors and plant management alike should have SOX-compliant policies and procedures in place, from the plant floor to ERP systems, to ensure that their production and business-level data are current and reliable.
But how and where should manufacturers begin? By finding answers to the following key questions:
• Does the control environment materially affect the company and/or report to the company’s financial system? This question, purposely broad, is the most obvious starting point for a company to consider. In most manufacturing organizations the answer is “yes,” although, perhaps, in ways they might not realize.
For instance, pursuing SOX compliance can help a company document security and access control to critical information and manufacturing systems. A company with a proprietary recipe or process would want to make certain that unauthorized employees can’t gain access to such information and use it in ways that could negatively affect the company. Being able to track which users are accessing which information and when can have a long-term benefit to an organization.
• Is the company able to extend the same controls, from an IT perspective, across all devices on the manufacturing floor, as well as to the ERP system? If not, how can data synchronicity be ensured? To determine the best answer, a company may wish to hire an external auditor or consultant, well-versed in automation data and SOX compliance, to assess the company’s ability to obtain and utilize its operational data.
Hiring an external auditor or consultant will likely prevent the company from making unnecessary moves and expenditures to become SOX-compliant. Most companies lack the knowledge and experience of what it takes to become SOX-compliant from an operational standpoint, and they also lack the staff time to devote to this effort. Would you want your control engineers to devote months to initiating SOX compliance? By conducting an audit before making any SOX-related purchasing decisions, you’ll be better able to prioritize your needs.
• Are the company’s employees prepared to follow through on SOX compliance? A company’s efforts to comply with SOX from an operational standpoint can’t begin and end with its IT, legal and accounting departments. To ensure success, all relevant employees, particularly on the shop floor, must be informed about SOX compliance.
By educating employees about the need for SOX compliance, not only are companies more apt to comply with this law, they will also be better able to keep the company’s efforts fresh and current. SOX compliance isn’t a one-time proposition but rather a continual process that should become part of the company’s ongoing operations.
• What tools are available to help manufacturers with SOX compliance? Plant-floor personnel are the front line of defense to help ensure SOX compliance. By enforcing appropriate reporting processes and using technology that aids compliance, manufacturing can help ensure the integrity and security of production information. To improve information-flow accuracy, it’s essential to bridge the gap between the factory floor and enterprise-level systems. Integrated control and information systems can help companies create that critical link across the factory floor and seamlessly share information with ERP systems.
In addition, by implementing change-management software, plant-floor personnel can help support a SOX-compliant organization. Change-management software secures individual access rights to assets, files and configuration tools based on predefined user roles and parameters. These allow only those individuals with the right skills to perform certain functions. It can also track changes to programs and processes to help management monitor system changes that cause downtime and create lax safety environments, and to identify product-quality issues to prevent scrap and waste. In addition, the software’s central repository automatically backs up program versions, so management can quickly restart operations after interruptions due to human error, acts of God or intentional sabotage.
By some accounts, as many as 90 percent of all publicly traded manufacturing organizations with integrated shop-floor-to-IT information systems aren’t currently SOX-compliant from an operational standpoint, and are thus exposing themselves to SOX-related violations. Manufacturers must begin addressing this situation now. To achieve the most from SOX compliance, internal advocates should work to create a fully engaged mindset among management, as opposed to a bare-minimum approach.
Bare-minimum thinkers view SOX compliance as a need-to-do item. They’re most concerned with identifying and correcting the most critical control deficiencies within the company, selectively targeting only what’s absolutely necessary to comply and not extending their SOX compliance efforts any further.
Fully engaged thinkers, on the other hand, use SOX compliance as a springboard to achieve complementary financial benefits within the organization. They seek long-term compliance and ways to create continual process improvements. For instance, these advocates can readily see how operational SOX compliance can boost the knowledge and abilities of other departments (such as finance) within the company.
Pursuing SOX compliance can also greatly aid a company’s efforts and ability to archive and tap its operational data. That can save significant time during difficult events or circumstances.
For example, a brewery was experiencing production difficulties with one of its packing lines. To determine the nature of the problem, the brewery shut down the line for more than 24 hours, and its engineers began troubleshooting. After several days of work and hundreds of control changes made to help pinpoint the problem, the engineers realized that the problem was entirely mechanical; they hadn’t needed to change the control settings. But how could they get back to the original settings? Fortunately, thanks to the company’s SOX-compliance efforts, including change-management software, the company had a complete record of its original control settings. The brewery quickly and correctly reset its controls.
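As an added example, not code from the article or from any Rockwell Automation product, here is a small Python change-management ledger that models the controls described earlier (role-based access to controller actions, a required reason on every change, a tamper-evident change log, and a versioned repository) and replays both stories: the undocumented force on the reject line that fed an incorrect yield figure to ERP, and the brewery’s rollback to its original packing-line settings. All user names, roles, controller tags and setpoints are constructed for illustration; a real product would draw them from its own user directory and controller projects.

```python
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role-to-permission table (constructed for this example).
ROLE_PERMISSIONS = {
    "operator": {"view"},
    "maintenance_engineer": {"view", "force_io", "restore"},
    "controls_engineer": {"view", "force_io", "edit_program", "restore"},
    "auditor": {"view"},
}


class AuthorizationError(PermissionError):
    """Raised when a role is not permitted to perform the requested action."""


class ChangeLedger:
    """Hash-chained record of controller changes plus per-asset version snapshots."""

    def __init__(self, assets: dict[str, dict]):
        self._state = {name: dict(cfg) for name, cfg in assets.items()}      # current config
        self._versions = {name: [dict(cfg)] for name, cfg in assets.items()}  # version 0 = baseline
        self._records: list[dict] = []

    @staticmethod
    def _digest(record: dict) -> str:
        body = {k: v for k, v in record.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, user, role, action, asset, before, after, reason) -> dict:
        if action not in ROLE_PERMISSIONS.get(role, set()):
            raise AuthorizationError(f"role {role!r} may not perform {action!r}")
        if not reason.strip():
            raise ValueError("undocumented change rejected: a reason is required")
        record = {
            "seq": len(self._records),
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action, "asset": asset,
            "before": before, "after": after, "reason": reason,
            "prev_hash": self._records[-1]["hash"] if self._records else "0" * 64,
        }
        record["hash"] = self._digest(record)   # each record commits to its predecessor
        self._records.append(record)
        self._state[asset] = dict(after)
        self._versions[asset].append(dict(after))
        return record

    def change(self, user, role, action, asset, new_settings: dict, reason: str) -> dict:
        before = dict(self._state[asset])
        return self._append(user, role, action, asset, before, {**before, **new_settings}, reason)

    def restore(self, user, role, asset, version: int, reason: str) -> dict:
        before = dict(self._state[asset])
        return self._append(user, role, "restore", asset, before, dict(self._versions[asset][version]), reason)

    def current(self, asset) -> dict:
        return dict(self._state[asset])

    def changes_to(self, asset, key) -> list[dict]:
        """Records in which `key` on `asset` changed value; the auditor's view of a tag that feeds ERP."""
        return [r for r in self._records
                if r["asset"] == asset and r["before"].get(key) != r["after"].get(key)]

    def verify(self) -> bool:
        """Recompute the hash chain; False means a record was altered, inserted or removed."""
        prev = "0" * 64
        for i, r in enumerate(self._records):
            if r["seq"] != i or r["prev_hash"] != prev or self._digest(r) != r["hash"]:
                return False
            prev = r["hash"]
        return True


def try_change(ledger: ChangeLedger, *args) -> str:
    """Return 'ok' or the exception name, to show how unauthorized or undocumented changes are refused."""
    try:
        ledger.change(*args)
        return "ok"
    except (AuthorizationError, ValueError) as exc:
        return type(exc).__name__


def reject_line_scenario() -> dict:
    """A force is applied to a reject-line sensor and later removed, each with a documented reason."""
    ledger = ChangeLedger({"reject_line_plc": {"sensor_force": None, "program_rev": 12}})
    ledger.change("j.smith", "maintenance_engineer", "force_io", "reject_line_plc",
                  {"sensor_force": "S7=ON"}, "Override faulty reject sensor until spares arrive")
    ledger.change("j.smith", "maintenance_engineer", "force_io", "reject_line_plc",
                  {"sensor_force": None}, "Sensor replaced; force removed")
    return {"ledger": ledger, "force_events": ledger.changes_to("reject_line_plc", "sensor_force")}


def brewery_scenario() -> ChangeLedger:
    """Several troubleshooting edits to a packer, then a rollback to the recorded baseline (version 0)."""
    ledger = ChangeLedger({"packer_plc": {"fill_setpoint": 500, "conveyor_speed": 60}})
    for i in range(1, 6):
        ledger.change("a.lee", "controls_engineer", "edit_program", "packer_plc",
                      {"fill_setpoint": 500 + i, "conveyor_speed": 60 - i}, f"troubleshooting step {i}")
    ledger.restore("a.lee", "controls_engineer", "packer_plc", 0, "Root cause mechanical; revert to baseline")
    return ledger


def tamper_detection_demo() -> tuple[bool, bool]:
    """verify() before and after an after-the-fact edit to one log entry."""
    ledger = brewery_scenario()
    intact = ledger.verify()
    ledger._records[2]["reason"] = "routine"   # simulate someone rewriting history
    return intact, ledger.verify()
```

The `changes_to` query is the piece an auditor would run when a yield figure looks wrong: it surfaces every change to a tag that feeds the ERP calculation, with who, when and why, so the effect on reported scrap can be bounded and disclosed. The hash chain only makes silent edits to the log detectable; it does not prevent them, so the ledger itself still needs write-restricted storage.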
Beyond the regulatory benefits, manufacturing companies that implement SOX-compliant standards can enjoy auxiliary benefits, including higher productivity, reduced downtime, greater safety, better security, higher product quality, and improved integrity and accuracy of company data.
No longer can companies think that the responsibility for SOX compliance resides with a select few at headquarters. It must extend to the manufacturing floor and involve those who are most directly knowledgeable about and accountable for plant-floor processes.
Companies that attempt to hedge their bets and get by with only the bare minimum needed to comply with SOX from an operational standpoint will be unpleasantly surprised when they begin to see the legal and financial consequences of acting in this manner. Rather than wait for this sizeable shoe to drop, it’s far better to kick-start SOX compliance efforts within your organization now. You’ll be taking a vitally important step toward safeguarding your company’s data, and its financial security.
As the director of maintenance and security business for Rockwell Automation, Glenn B. Schulz is one of the company’s leading authorities for manufacturing operations optimization. His expertise as a certified information system security professional (CISSP) as well as an information system security architect professional (ISSAP) specializing in cryptography has been called upon by corporate executives, manufacturers, and critical infrastructure organizations to help achieve operational excellence and guide security strategies. During his career, Schulz has served as an engineering and division manager, as well as an electrical, reliability and software engineer.