The following article was prepared by Mike Taylor, C.P.M.

Sarbanes Oxley Act of 2002 (SOX)

February 2004

Do you have a monkey on your back? Is there someone who second-guesses the decisions you make when awarding purchase orders and contracts? For those of us fortunate enough to work in the government arena, we get plenty of oversight from big brother. Internal auditors, DCAA auditors, customer process reviewers, the IG, the GAO and a few more organizations all review buyers' procurement decisions.

With the spreading implementation of the Sarbanes Oxley Act of 2002 (SOX), buyers in commercial companies are starting to get more 'help' as well. As a result of SOX, corporate and independent auditors are much more concerned about management of the procurement process. Your Finance Department may already be working on a compliance review. Very soon, if not already, they will be contacting procurement.

Basically, SOX places more liability on senior company officials for ensuring that the company is acting in a fiscally responsible manner. [Lately it seems like a lot of companies in the news need help.] Senior managers have direct liability if the company misstates earnings, liabilities, financial position, company value, etc.

So what does this have to do with purchasing? I'm glad you asked. Section 404 of the SOX Act, Management Assessment of Internal Controls, includes this phrase: "… adequate internal control structure …". That is, does your company have internal controls to prevent financial loss and fraud? This would include the financial liabilities associated with procurement and subcontracting.

Consider how much of your company's annual budget is spent in the procurement process. Thirty percent, fifty percent or even 80 percent? Whatever the number, if even a small part of that money is being misappropriated, it could have a big impact on the financial health of the company and its investors. Not to mention the large financial risks associated with contract claims and litigation. Since procurement handles so much of the money, it's a major area where the risk of fraud needs to be managed and controlled.

[Have you ever heard of a buyer being asked to change the effective date on a contract or invoice because of the way it impacts the company financial reporting for month end? Gee, I wonder if that could be construed as fraud by one of the investors?]

Under SOX, 'procurement' risk is a source of personal liability for senior managers. Thus internal and external auditors get the green light to investigate and ensure that 'adequate management controls' are in place. The net result is that those of you in commercial companies will soon enjoy the benefits of increased audit attention that we in government have always had. Welcome to the club.

Has this change affected commercial companies? You bet. In its January 26, 2004 issue, Business Week magazine reported that an increasing number of public companies had been going private since SOX was enacted. [Hmmmm, wonder if that's because the CEO wants to have the freedom to tweak the numbers or is it just because he doesn't like auditors?]

The bottom line is buyers in both government and commercial companies end up with auditors looking over their shoulder as they make contracting decisions. These audits can be onerous when the reviewer believes that the buyer's actions were not in accordance with sound business practices.

Greg Hutchins of Quality Plus Engineering has been discussing SOX as it relates to procurement in his workshops.

Also, here is one copy of the SOX Act found on the Internet, 


How can we better prepare to defend our contracting decisions? Here are several suggestions.

For management:

  1. Hire, train and support a professional Supply Chain staff. The vast majority of Supply Chain Professionals I know bust their buns to do an honest job for the company. But they need support to attend training programs, staff to assist with mountains of paperwork and adequate time to investigate and administer contracts.
  2. Enact and enforce a reasonable ethical policy for Supply Chain Management. By treating Suppliers fairly and ethically, we go a long way towards sound financial management. Practices which limit reasonable competition are likely to increase subcontracting risk and opportunities for fraud. Reference the ISM Principles and Standards, for example.
  3. Make sure sound internal controls separate requesting, buying, receiving and paying functions. At the least there should be strong checks and balances with regular reviews.
  4. Consider the financial and audit risks of poor procurement management and not just the negative impact of procurement controls on production.

For Buyers and Contract administrators:

  1. Don't just 'make' decisions as a matter of course. Make contracting decisions deliberately and with due diligence.
  2. Document your decisions and analysis in a timely manner so that an outside reviewer can understand what you did and why you did it.
  4. Take the time to consider how an auditor could misinterpret your actions.
  5. Recognize your obligation to notify management when processes are broken or poor Supply Chain decisions are impacting the company.
  6. Don't be ambiguous by doing one thing and saying another.

Here is a real life example of how a Buyer's actions were misinterpreted by an auditor with major consequences to the company. This is a recent GAO protest decision. In this case the evaluation process was very elaborate and was designed to obtain the most realistic competitive proposal.

When all was said and done, the GAO determined that one offeror was prejudiced when the final decision wasn't made as planned. Thus the best contractor may not have been selected. [Under SOX, this could mean that the company was fiscally out of control.]

Part of the reason the decision went against the buyer was because of the ambiguity between the buyer's actions and the file documentation.

Here are some excerpts from this protest decision worth noting: 

In this case the protest was sustained, meaning the buyer lost. If this was an internal auditor or a SOX audit, we might end up with some serious explaining to do. Under SOX, an auditor could say this failure increased risk and cost to the company. The CEO or CFO could be held accountable, and you know what happens to us at the bottom when senior management gets some heat at the top.

With shareholders driving the train, auditors will dig deeper into our procurement decision-making process and second-guess even more of our actions.

Hope this helps you understand the link between SOX and the Supply Chain.

MLTWEB is owned by Michael L. Taylor, C.P.M.
Materials prepared by Mike may be shared for supply chain education, provided that this source is credited and no fee is charged. The rights for any other use are withheld.
Copyright: Michael L. Taylor, C.P.M.