SOX, ERP, and BPM: a trifecta that can make your business run better

Strategic Finance, Dec, 2008 by Kenton B. Walker

Assume that each pay period a payroll clerk must review and reconcile budgeted vs. actual payroll. If the difference is greater than 2%, the clerk must report the discrepancy and document the reason. If the difference is 4% or greater, it must be relayed to the department manager for an explanation and then to the finance director for review. At each stage, participants in the process can record any unresolved issues. The process continues until all issues are resolved and steps in the process are approved by the predetermined authority. Automated alerts tell the payroll clerk when it's time to reconcile payroll, route information for approvals, identify the location of the payroll reconciliation within the approval process, document issues, record the disposition of any issues noted in the process, and provide evidence to fulfill the requirements of SOX.

Providing evidence of these internal controls could take months in most ERP systems, and, if the processes or people change, reconfiguring the system may be expensive. BPM software can provide self-documenting and secure audit trails. Similar internal control functions are available for reconciliation and approval of general ledger entries, purchase-to-pay processes, and order-to-cash, including discount approvals, customer signatures, credit approvals, and contract approvals.

There are a number of BPM functions that management should look for in any software product:

* Documents and enforces business rules and internal controls for business processes across information systems applications and multiple lines of business.

* Develops a complete audit trail for corporate processes so auditors can immediately retrieve any transaction, see its routing and approval path, and review supporting documents and data.

* Monitors business processes in real time and delivers system-wide reporting capabilities to provide visibility into business processes and enable individuals to identify weaknesses or deficiencies in process controls.

* Provides real-time visibility into information content at every stage of a business process.

* Offers flexibility to address changing regulatory requirements, other compliance initiatives, and business management tools.

* Features a highly scalable, fault-tolerant, open architecture that accommodates growth in personnel, processes, and information across the enterprise and spans the gaps between departments and lines of business.

* Supports Lightweight Directory Access Protocol (LDAP), single sign-on, and digital signatures to meet SOX guidelines for nonrepudiation.

* Offers a secure, client-server environment to improve security and privacy of transactions to meet SOX requirements for acceptable data security.

SOX AS A CATALYST

For Cultural Change

SOX compliance initiatives have been the catalyst for significant organizational changes. The first change is to make organizations "informationally transparent." ERP systems provide the bulk of transaction information transparency, and BPM provides business process transparency. Permitting wide access to information supports an ethical business environment and drives organizations to improve performance because more individuals are able to view process transactions and activities, the interfaces between organizational boundaries, and performance of process activities. New and unbiased perspectives on organizational conduct are possible as individuals previously excluded from viewing information acquire access. Inadequate controls, loose audit trails, outdated document management strategies, and resistance to change are identified, and corrective action can be taken on a timely basis. Organizations become more nimble, relevant, and responsive to internal and external customers.