bws sox compliance

Sox CompliancePurchasing Departments

Face Intense Scrutiny

Purchasing requisition

Purchase order

inVoice

three-Way Matching

Copyright © 2008 Bellwether Software. All rights reserved. �

Sox Compliance Purchasing Departments Face Intense Scrutiny

The Sarbanes–Oxley Act, SOX, is an on-going migraine headache for corporate America because compliance is expensive, confusing and increasingly stringent. Companies are justifiably nervous about the uncertainty surrounding internal controls since no govern-ing bodies have precisely determined what compliance with Section 404 actually means.

Purchasing functions, especially, come under close scrutiny during a SOX audit because this is the place where fraud can easily occur. More than ever, finance leaders—like CFOs, Comptrollers and Internal Auditors—need to know the source of the data they use, and they need to understand how the systems work in order to gather reliable, accurate business data. Historically, however, interest in changing the process of how a company purchases its goods and services has not held much executive interest, and, therefore, a lack of internal controls makes the whole procurement process vulnerable to questionable practices, whether inten-tional or not.

Fortunately, purchasing automation solutions make SOX compliance much less of a risk and a headache. Purchasing Management eXtra, SOX compliant purchasing software, provides an audit trail, which traces purchases from requisition to invoice payment or “purchase to pay,” making the job of compliance easier and, more importantly, accurate enough to pass the most stringent of audits.

Both public and private companies alike have reason to be concerned about SOX compli-ance. Because SOX is officially directed at publicly traded companies, most public companies require all their vendors to be SOX compliant. There is a comfort level that comes with using SOX compliant vendors, so it is only a matter of time until all companies, public or not, will require SOX compliant vendors.

External auditsReliable business systems that provide detailed transaction records generate management reports and audit trails are critical to SOX external audit compliance. Under SOX, Section 404, both the external auditors and management of a company must report on the adequacy of the company’s internal control over financial reporting (ICFR). If the external auditors’ report does not agree with management’s report, accountability comes into play—account-ability at the very highest levels of an organization. Non-compliance can result in jail time, huge fines and a bad reputation for the company. No wonder companies spend great sums of



money to help ensure that they are in compliance. This audit is the most costly aspect of the legislation for companies to implement because documenting and testing important financial controls requires enormous effort. The assessment involves an agreed-upon top-down risk assessment (Public Company Accounting Oversight Board [PCAOB] approved Auditing Standard No. 5, which replaced No. 2 in July, 2007):

Both the management and the external auditors must review operating ef-fectiveness, flow of transactions and other assessments as listed. Hopefully, management will have evaluated all transaction-related business and put in place the processes needed to be able to pass the external audit before the actual audit takes place.

Assess both the design and operating effectiveness of selected internal controls re-lated to significant accounts and relevant assertions, in the contest of material mis-statements risks;

Understand the flow of transactions, including IT aspects, sufficient enough to iden-tify points at which a misstatement could arise;

Evaluate company-level (Entity-level) controls, which correspond to the components of the COSCO framework;

Perform a fraud risk assessment;

Evaluate controls designed to prevent or detect fraud, including management over-ride of controls;

Evaluate controls over the period-end financial reporting process;

Scale the assessment based on the size and complexity of the company;

Rely on management’s work based on factors such as competency, objectivity and risk;

The auditor is allowed to rely on knowl-edge from prior audits;

Evaluate controls over the safeguarding of assets; and

Conclude on the adequacy of internal control of financial reporting.

•

•

•

•

•

•

•

•

•

•

•



Three Way Matching for clear audit trailsTo get ready for an external audit, management should ask itself what controls it has in place to identify fraud if it should occur. They should review how detailed and complete their audit trails are. If purchase orders get changed a lot, how are they handled? Who approves pur-chase requests, and who deletes them? Purchasing Management eXtra’s three-way matching of purchasing requisition, purchase order and invoice leaves no doubt in an audit process. Each transaction is highly visible and clearly accounted for from “purchase to pay.” Purchasing Management eXtra provides the tools that enable users to meet external audit requirements as stated in PCAOB.

automate the Purchasing ProcessThe requirements of SOX can be overwhelming, but the key is to make compliance simple by keeping the details organized, consistent and easy for external auditors to access—a near impossible task if purchasing processes are not automated.

Purchasing automation systems, like Purchasing Management eXtra, make compliance easy, not only with its three-way match of requisition, purchase order and invoice, but also because Purchasing Management eXtra goes a step further by connecting vendor bids and receiving reports, and there is an automatic reconciliation before an invoice is ever paid.

If a public company is big enough to fall under the Sarbanes–Oxley Act, automating pur-chasing along with other business processes is essential. But, before buying the software packages that are going to save the day, a careful review of business systems is a must, and identification of the specific software functionality a company will need is necessary so that it does not wind up with a very expensive software package(s) that promises everything but delivers very little. It is important to keep in mind that the most expensive software system is not necessarily the best one. Purchasing Management eXtra is SOX compliant software that has the look, feel and functionality of a much larger system, yet it is affordably priced.

Easy access and review of records is another key to SOX-compliance success; but with-out automation, it is a very difficult, if not impossible task. Business processes that talk to each other, like purchasing and accounting, are ideal because they feed information back and forth, eliminate redundant work and offer up information in real time. Purchasing Manage-ment eXtra can generate audit- ready reports with a keystroke if the purchasing process is automated. Automation will keep companies in compliance, greatly improve their business processes and provide the added bonus of saving money that goes straight to the bottom line.



This is especially true for Purchasing Departments that are vulnerable to fraud, i.e., bogus vendor accounts.

Automation will save money on auditing costs.Automation provides peace of mine, knowing that financials are secure and accurate.Automation will eliminate maverick spending and reduce the temptation for em-ployee fraud.

Automation greatly reduces human error, puts stringent accountability into the business process, eliminates redundancies, reduces cycle time and imposes budget restraints.

Bellwether Software’s Purchasing Management eXtra, PMX, maintains an audit trail of all detail transactions, from the point of entering a purchase requisition to entry on the invoice for the material. Its three-way match of PO, Invoice and Receiving ticket provides a stream-lined, clear audit trail that meets SOX requirements.

Keep FocusedA business process that is working well does not let employees get sidetracked. It keeps them focused. Guidelines are specific, and there is no fudging the facts. Automating the purchas-ing process helps assure that the process remains healthy, reliable and ongoing.

With Bellwether’s Purchasing Management eXtra (PMX), specific processing rules can be established in PMX that require users to follow corporate guidelines.

•••

Purchasing requisition

Purchase order

inVoice

Three-Way Matching

soX compliance requires a clear audit trail with all sign-offs in place



document Maintenance is Mission criticalMaintenance of process documentation is critical. It is an ongoing process, and, to be suc-cessful, consistency must be there, year after year.

Too many companies focus on the short-term goal of getting through the audit, but many fail to (Best Practices):

Regularly review policies and procedures for needed process changes.Maintain a central inventory of critical process documents.Have an automated way of making sweeping changes quickly that is easily accessed across all the content.

Because of the uncertainty of what compliance is, may business leaders are using the “more is safer” approach and investing heavily in the updating, refining and documentation of internal controls. Building stronger internal control processes through technology will deliver busi-ness value that reaches beyond meeting Section 404 compliance. The businesses best pre-pared for the results of upcoming audits and compliance revelations will be those that took the required changes and transformed them into an opportunity to establish better business relationships, efficiencies and processes.

automation of the purchasing processBellwether Software’s Purchasing Management eXtra (PMX) supports Sarbanes–Oxley, Section 404 because it captures a complete audit trail of all transaction-related activity and provides tools to generate an “internal control” report that:

Establishes and maintains an adequate internal control structure and financial re-porting procedures.Provides a “purchase to pay ” audit trail.Provides end-of-the year fiscal assessment of the internal control structure and pro-cedures for financial reporting.

Purchasing Management eXtra interfaces with many accounting packages. This is important for companies’ efforts to comply with SOX. When business processes marry up to share critical information, better decisions, accessibility, and improved compliance are realized.

Contact Bellwether Software to learn how integrating PMX into your business processes can make compliance easier.

•••

1)

2)3)

BEllwEthEr SoftwarE CorporatE hEadquartErS

9900 Shelbyville Road Suite 6BLouisville, KY 40225

Phone: 502-426-5463Fax: 502-423-8963

[email protected]

www.bellwethercorp.com