The SOX compliance journey at Trinity Industries
Trinity Industries’ IT system prior to Sarbanes-Oxley Act (SOX) compliance
Changes to process and information technology in a firm are not usually voluntary or prompted by strategic goals. Rather, they may be imposed on firms by certifying agencies and regulatory bodies. Trinity was required to change its processes and information technology in order to comply with SOX requirements. Although it was a successful, disciplined and well-operated firm that consistently delivered value to its shareholders through growth, Trinity was seen as a candidate for material weaknesses as defined by SOX. With regard to SOX compliance, Trinity faced the challenges that most firms faced, including a near-universal absence of process and control documentation and a lack of evidence that controls were actually performed. Additionally, the company’s operations were highly decentralized and diversified, and its information systems were fragmented (Schultze, 2011). The majority of Trinity Industries’ SOX-related control weaknesses were control and reporting gaps, and the firm effectively remedied these to remain in compliance with SOX requirements.
Role of IT in Trinity’s SOX compliance and the challenges posed by the pre-SOX IT environment
Trinity was required to change its processes and information technology in order to comply with SOX requirements. Schultze (2011) notes that Trinity had not implemented an integrated enterprise system, citing the distinct requirements and nature of its twenty-two business units. Instead, Trinity depended on the Business Planning and Control System (BPCS) for cost accounting, along with production scheduling systems in the production plants. Although the various versions ran on the AS/400 computing platform, they operated in seven different control environments, meaning that different IT firms maintained them and the implementations were customized differently. As a result, a separate set of controls had to be developed, maintained and tested for each control environment. Despite these challenges, SOX compliance audits had established that there were no material weaknesses at the company. Moreover, the number of SOX controls tested had halved each year (Schultze, 2011).
The SOX requirements
SOX was a federal law enacted in June 2002 in reaction to accounting and corporate scandals committed by organizations such as WorldCom and Enron. These scandals cost investors a great deal of money and shook public confidence in the nation’s securities markets. In an act comprising eleven sections, SOX legislated improved financial reporting standards for public firms, individual responsibility of corporate officers for the accuracy of financial reports, and an oversight body to regulate public accounting firms in their capacity as external auditors. Public firms were required to have complied with SOX by December 2004, with most companies needing to implement Section 302, concerning internal certification of controls, and Section 404, concerning evaluation of internal controls. Section 302 mandated a series of internal processes intended to ensure accurate financial disclosures. The signing officers had to attest that they were responsible for establishing and maintaining internal controls, and that these internal controls were designed to ensure that material information relating to the organization and its consolidated subsidiaries was made known to those officers by others within those entities, particularly during the period in which periodic reports were prepared (Schultze, 2011).
Section 404 required management and the external auditors to report on the adequacy of the company’s internal control over financial reporting. This requirement was the most costly to implement because of the effort involved in documenting and testing both automated and manual controls. In addition, management was required to produce an internal control report acknowledging management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The report also had to contain an assessment, as of the end of the firm’s most recent fiscal year, of the effectiveness of the issuer’s internal control structure and procedures for financial reporting (Schultze, 2011).
Year 1: 2003-2004
In the first year, Trinity made significant modifications to its financial reporting process. It reengineered financial reporting and standardized on a single financial reporting system, so that a single centralized process replaced those of the 22 business units. Trinity’s four ledger packages were replaced with a single Oracle Financials package. The company also created the accounting service center (ACS), which centralized routine organization-wide transactions. This was a significant achievement, since Trinity had previously experienced difficulties with large-scale IT projects and resistance from employees toward outsourcing. The project team learned useful lessons from the ACS and Oracle projects, including the importance of change management and project management. An analysis of financial processes within several business units showed an absence of control and process documentation throughout the company. It became clear that Trinity had a lot to do in order to fully comply with SOX (Schultze, 2011).
Year 2: 2005
According to Schultze (2011), in the second year of SOX compliance Trinity adopted a top-down, risk-based approach to testing and rationalizing controls across business units. These initiatives halved the number of control activities Trinity tested for SOX in 2005. The risk-based approach meant that the company would not test every control but would instead identify the material areas that posed a risk to the financial statements. Only significant processes, and the key transaction classes within those processes, would require SOX testing. The risk-based model reduced the number of control activities designated as key controls, partly because the description of each control focused on the risk of material misstatement of the company’s financial results that it addressed.
Control activities for particular processes were streamlined, standardized and automated. The control documentation of all business units was analyzed, revealing significant overlap and inconsistency in how controls were described. Redundant controls were also examined, and it emerged that some business units relied on several controls to achieve the same objective. Looking across business units made it straightforward to identify redundant control activities and to establish best practices that could be replicated across business units. This process improvement step reduced the inventory of controls by approximately 25 percent (Schultze, 2011).
Internal testing in the second year uncovered new challenges. It emerged that Trinity’s IT group seemed unaware that SOX compliance was an ongoing reality rather than a one-time effort. SOX compliance had not been given the necessary priority in the information technology department, which resulted in the identification of 48 gaps in IT control activities. These gaps included privileged and programmer access rights to central systems such as BPCS, and the on-boarding and off-boarding of company staff, which entailed managing their access rights to applications and the network (Schultze, 2011).
Year 3: 2006
While the first two years of Trinity’s SOX compliance were guided by a project management approach, it increasingly became clear to the CEO and other steering committee members that they needed to shift away from a SOX project and put a governance process in place. This meant that the mindset and the language had to change. The controls needed to become deeply embedded in the company’s processes and to be identified with employees’ sense of good business practice. Therefore, SOX-specific labels such as SOX controls and SOX steering committee were retired and replaced with new labels such as financial controls and governance steering committee respectively (Schultze, 2011).
Trinity began to benchmark its SOX processes and activities against other firms in the industry to identify further opportunities for reducing controls and streamlining SOX testing. A control streamlining effort in IT revealed duplicate controls caused by inconsistent wording and numbering. Numerous controls had multiple control owners, and these efforts reduced the number of IT controls from 92 to 39. IT controls were organized into a grouping scheme similar to COBIT, and this process improvement effort led to a reduction in both IT controls and IT control gaps (Schultze, 2011).
Year 4: 2007
The set of control activities assessed stabilized in the fourth year of SOX compliance. Around 1000 changes were made to SOX control activities. Additionally, changes to control activities were made in response to new business processes and to gaps identified during testing. The governance steering committee increasingly screened proposals for organizational change initiatives such as system upgrades and process improvements. Screening aimed to identify the SOX implications of a proposed change and to leverage business-driven initiatives to improve Trinity’s control environment. While it was hard to make a business case for implementing systems and process changes solely to reduce the cost of SOX compliance, improvements that served more strategic aims could be used as a means of achieving this goal (Schultze, 2011).
Next phase of SOX compliance journey
The questions that arose about the next steps in the company’s SOX compliance journey were how the company could continue to reduce compliance costs, given that the number of tested controls was already lean in light of the relative decentralization of the company’s IT infrastructure. Many SOX controls were manual, and the question arose whether it was time to invest in a firm-wide single-instance enterprise resource planning system, a strategy that several global manufacturing companies had pursued. Another question was whether there were ways of leveraging Trinity’s existing IT to automate many of its manual controls and, beyond centralizing and standardizing controls through system integration, whether there were additional strategies the company could rely on to further reduce the cost of SOX compliance. There were also questions about the integrity of the whole control infrastructure, since the company only tested A controls for SOX and had not tested B controls (Schultze, 2011).
Conclusion
Trinity was required to change its processes and information technology in order to comply with SOX requirements. The majority of Trinity Industries’ SOX-related control weaknesses were control and reporting gaps, and the firm effectively remedied these to remain in compliance with SOX requirements. The company reengineered and standardized its financial reporting process. It replaced its four ledger packages with a single Oracle Financials package, and it created an accounting service center that centralized routine organization-wide transactions.