KasTech Consulting, Inc.
 

 

Building Sarbanes-Oxley Compliance Into Your Purchasing Workflow

If you are like most people, you may be hearing more and more about the Sarbanes-Oxley Act (SOX) and wondering what it really means to your business.

While most people associate the Sarbanes-Oxley Act solely with email retention and document storage, SOX's real focus is on the management of internal financial controls. And, although not mandatory for privately held companies and small public companies, who can argue with an initiative that gives you better control?

Well-publicized business failures and the introduction of the Sarbanes-Oxley Act were the beginning of a recent trend to place much more emphasis on managing risk throughout an organization. Consequently, companies of all sizes are adopting these "best practices" that provide a structured approach to help them develop their own unique risk management systems and strategies.

Unfortunately, navigating the internal processes of an organization can be tough. Some companies have been focusing on what they have to do in order to be compliant, rather than automating the process and making it repeatable. As a result, many businesses are far behind where they should be in terms of compliance or "best practices."

Compliance with Sections 302 and 404 of the Sarbanes-Oxley Act requires companies to:

  1. Document the design and methodology of the financial reporting process
  2. Assess the risks and effectiveness of those processes, which include:
    • Process speed to completion, flexibility, reliability and timing
    • Patterns of internal fraud/theft
    • Corporate management structure
    • Data complexity, volumes, predictability, value and privacy concerns
    • Process complexity, number of databases
  3. Monitor and track processes
  4. Evaluate process effectiveness and vulnerability to risks
  5. Identify the causes of weaknesses and problems
  6. Fix problems
  7. Automate manual processes
  8. Repeat every year

Most companies now agree that automating internal processes is the key to addressing compliance with Sarbanes-Oxley. One of the most important internal processes a company can automate is the purchasing process. By automating the creation, management and approval of Purchase Orders, you make it less costly to perform and easier to test for violations of company policy and SOX non-compliance.

When evaluating your compliance with Sarbanes-Oxley, some areas to examine are whether:

  • all purchase orders are authorized at the appropriate level of responsibility based on job function, budget and dollar value limits;
  • new suppliers are reviewed and/or approved by management and purchases can only be procured from "approved" vendors;
  • each purchase process is documented, automated and repeatable;
  • every purchase requisition is monitored for compliance with company policies and verified with supporting documentation where necessary;
  • any weaknesses or omissions in the purchase approval process can be quickly identified and corrected.

Businesses should be taking advantage of what their ERP systems offer to automate manual controls. If you would like more information on what you can do to better control your business, or for more information on Sarbanes-Oxley compliance, please contact Laura Kasman at lkasman@kastechco.com or 215-702-8155.

 

 

Copyright 2005 - KasTech Consulting, Inc.