The SOX-RFID Connection

published: cw 50, 2007 in Supply Chain Technology & RFID

Companies expect to gain many benefits from implementing Radio Frequency Identification (RFID) technology. Perhaps the one cited most often is lower supply chain costs, which result from the improved inventory visibility that the technology affords. But there’s another, often overlooked advantage that supply chain managers should know about: RFID technology can help them fulfill the requirements of the Sarbanes-Oxley Act (SOX) if implemented and integrated properly. Conversely, RFID can complicate the already complex and costly internal mandates of SOX if the implementation is not approached the right way.

Sarbanes-Oxley was enacted in 2002 in the wake of the Enron and WorldCom financial disasters. The act sets tighter internal controls and reporting and auditing standards for publicly held companies in order to protect shareholders and others. (For more on the Sarbanes-Oxley Act, visit the Government Accounting Office website.) Compliance is neither easy nor inexpensive. Companies are finding that compliance with the SOX provisions can entail significant costs and resources year after year.

Let’s take a closer look at the SOX-RFID connection. Last year, in collaboration with the Richmond Chapter of APICS-The Association for Operations Management, we organized a conference on future trends in supply chain management. RFID technology and SOX compliance were prominent among the topics discussed. During the conference, we observed that many of the distributors and manufacturers in attendance expected RFID to significantly increase supply chain efficiency and visibility. The intuitive feeling was that the enhanced visibility would make it easier to comply with the SOX reporting mandates.

Separately, two recent Supply Chain Management Review articles (“The Seven Success Factors of RFID,” September 2006 and “Looking for the Bang from the RFID Buck,” May/June 2007) shed some light on the success factors of RFID. Another timely article in the November 2006 issue (“Sarbanes-Oxley: Is It Good for Your Supply Chain”) highlighted how SOX can enhance security and visibility in the supply chain while improving processes. Building on these perspectives, we examined the advantages of a carefully conceived RFID implementation. We also looked at the underestimated consequences of poorly managed RFID deployments—those internal control problems that potentially can disrupt supply chain systems. From our dialogue with the operations professionals at the Richmond-APICS Conference, we sense that company teams responsible for internal control management under SOX might not fully appreciate the symbiotic relationship between that compliance effort and RFID. And vice versa.

Four Pitfalls to Overcome

Our research led us to conclude that RFID integration and SOX compliance must be linked. In fact, we believe that RFID technology can help companies improve their supply chain operations as well as facilitate SOX compliance. The key is for companies to integrate the RFID technology through their enterprise resource planning (ERP) systems. ERP would effectively act as the interface between RFID and the business processes. The ERP system would process the data collected by the RFID technology into valuable information to be used in the supply chain decision-making process. ERP systems, in fact, are essential for retaining and extracting process critical data quickly for an internal controls audit required by SOX.

As they move forward on their RFID and SOX initiatives, managers need to be mindful of four common pitfalls:

1. Emphasizing Technologies over Processes
RFID is basically a tracking technology. And as with any technology, it needs to be grounded on solid processes to be effective. It is worth remembering that in the early days of ERP, many managers saw it as the magic supply chain management elixir. Today, they understand that unless their business processes are aligned with the software’s algorithms, implementation will neither be painless nor cheap.

If a process is faulty or inefficient to begin with, implementing a new technology with the intent of doing things faster and more efficiently will only backfire. A team of researchers at Harvard Business School has identified one great example of how managerial policies can affect data accuracy. They reported on a retailer that had discouraged store managers from demanding credit from distribution centers for shipment errors that cost below a certain amount so as to minimize paperwork and auditing expenses. Because of this policy, the managers lacked the motivation to carefully check the accuracy of deliveries from the distribution centers. This example reinforces the importance of supply chain managers viewing RFID implementation not as a technological challenge but as a business initiative with a technology component.

One of the seminar participants, Steve Holdych, Principal of Captech Ventures, an information technology consulting firm focusing on RFID technology, made the following observation: “RFID cannot be effectively driven as simply a technology project without addressing business and operational processes. If a company is treating SOX and RFID as two separate and isolated initiatives, they will experience problems.”

2. The Silo Syndrome
Business experts and authors have long cautioned that organizational and functional silos can impede cross-functional teamwork. Yet the “silo syndrome” remains all too common within many companies. A March 2005 survey by the Institute of Internal Auditors found that only 14 percent of respondents said that their SOX compliance teams pulled from multiple functional areas of their organizations. The two units primarily responsible for SOX compliance were internal auditors (37 percent) and finance (28 percent).¹ A May 2006 Aberdeen Group survey of supply chain professionals who were designing and implementing technology initiatives found that 63 percent of the respondents listed silo-based supply chain processes as their top challenge.

How do these findings speak to the relationship of RFID and SOX? If the right hand is the SOX compliance team, then the left hand is the RFID implementation team. These two must get together and collaborate on the RFID-SOX interface. They need to strive for intra-firm standardization of compliance. Importantly, suppliers should be made aware of the compliance efforts. After all, a supply chain can only be as strong as its weakest link. Supplier issues should be part of every planned audit, and supply chain managers need to make sure that suppliers meet company quality control standards and specifications.

Senior management within the organization must ensure that there is a constructive dialogue and free flow of information among the SOX compliance team, the RFID implementation team, other affected areas within the organization, and the company’s suppliers.

3. The People Factor
In almost every technology implementation scenario, the main barrier is people—and quite often, lack of senior management buy-in. If top management does not carefully assess the benefits of RFID and its relevance to SOX compliance, the technology will never realize anything close to its full potential. RFID, like any technology, is an enabler of efficiencies. Indeed, as Stanford professor Hau Lee points out, “technology can break the company as well as enable the company to be hugely successful. The distinction is how people use their technology. It depends on the people.”² A 1999 survey on ERP development issues within Fortune 500 firms by Deloitte & Touche found that the top three issues were people, business processes, and information technology.

Comments like these have long been directed at ERP. Now they can be applied with equal veracity to RFID. Consider the following example. Upscale fashion retailer Prada opened its New York store in SoHo in 2001 with the goal of bringing high-tech to fashion retailing, including an RFID network that was supposed to change the shopping experience. Three years later, however, most of the technology deployed was either not working or nowhere to be found. Reportedly, the main cause of the problems with the RFID part of the project was the implementation approach. According to a report in Stores magazine, the retailer “tried to merge different technologies without a solid infrastructure” and rushed for a quick implementation.³ This impatience, however, created an unintended consequence: the associates never accepted the new technology. In effect, the RFID implementation became a people problem.

Launching any new technology requires training and buy-in by the users. In this case, there was nothing wrong with technology selection. But companies need to recognize that technology will change the way the users conduct their business—and no one likes change. Rushing implementation does not allow people to digest the change. In short, technology for technology’s sake never works. It’s the people who make the difference.

4. Cultural and Infrastructural Differences
In the rush toward globalization, it is easy to overlook the cultural and infrastructural differences in supply chains that can complicate global integration and standardization. As Bill Allen, global marketing communications manager at Texas Instruments, pointed out in that same Stores article referenced above, “Before a company rolls out RFID, there are software issues to be addressed, cultural hurdles to overcome and environmental concerns that need to be tackled.”⁴

From an infrastructure standpoint, the lack of a single global standard for RFID poses major difficulties. Similarly, different radio frequency standards in some countries have impeded RFID integration. Consider that Japan refuses to allow UHF, which is the frequency of choice in the United States. Fragmented standards can even offset gains made in lowering the costs of tags. Gillette found this out the hard way in Europe. The company had purchased 500 million tags at less than 10 cents apiece; unfortunately, they soon found out that these tags were not compliant with European standards. North American firms operating in France, in particular, will find that RFID integration is currently not possible there. The reason: the UHF standard is not accepted in France because it interferes with the country’s military bands. One supply chain scholar even goes as far as warning that the lack of global interoperability “virtually renders RFID systems useless overseas.”⁵

Despite the tireless efforts of EPCglobal—the organization leading the development of worldwide standards—commercial standards adoption has been a rocky road. To cite one more example, the Chinese government as of July 2007, has remained silent about where the national RFID standard is heading.

Intra-industry and cross-industry RFID standardization is further hampered by a confusing array of proprietary systems offered by the major RFID manufacturers. As a result, dueling frequencies and protocols collide across various applications and industries. For instance, rail, truck, air traffic control, and tolling authorities all have standards based on incompatible RFID systems. Standardization progress cannot be made without RFID manufacturers finding common ground. Supply chain managers need to be involved in finding the needed commonality across industries.

One might argue that the implementation of any new technology will encounter these same four pitfalls. So, what are some specific challenges and opportunities regarding the implementation of RFID and its integration with the enterprise systems in use? And how do these challenges impact the SOX compliance process? The remainder of this article offers a blueprint for effectively overcoming the pitfalls and linking RFID and SOX compliance through the ERP system.

ERP-SOX Challenges and Opportunities

Some sections of SOX compliance call for the direct involvement of information systems such as ERP. Section 409, for example, dictates the rapid and current disclosure of material changes in the firm’s financial situation. In addition, section 802 of the act requires immutable data retention. At the same time, RFID data needs to be processed into operational information before it can be used for making inventory and supply chain decisions. The ERP system comes into play here, acting as a processing center for RFID data. As such, it can add to the potential compliance challenge for supply chain managers. Supply chain managers will need to turn to their ERP systems to manage changes rapidly and retain the data for future use and reporting. In addition, they need to be aware of the following potential challenges and opportunities related to ERP and SOX compliance.

ERP systems and reporting: Section 409 of SOX requires companies to report material changes in operations and financial position within four days. Thus, companies that are updating their data and systems in weekly or monthly batches are not in compliance. Obviously, a better approach is needed. In addition, Section 409 highlights the need for ERP systems to receive real-time data from RFID systems to enable quick reporting. ERP systems—and systems that are integrated with ERP—must have absolute integrity to enable managers to report any changes within the short four-day lead time.

Unless data input is somehow automated, the reporting process is vulnerable to manual input mistakes or even employee tampering with transaction data. On top of that, many companies utilize multiple fragmented legacy systems that are not necessarily linked to one another, posing additional data quality problems. In cases where recent mergers or acquisitions have taken place, the problem of disjointed systems is further exacerbated. Under section 409, the linkage between SOX and ERP, and between ERP and RFID, becomes much more crucial. It’s exceedingly difficult to comply with the reporting mandates when information systems are disparate and disjointed.

A report by strategy consulting firm The Hackett Group suggests that SOX will accelerate the move to consolidate and standardize ERP and supply chain systems. According to the firm, companies on average have three different enterprise systems from which to pull data. In sum, companies will need to develop new and effective processes to consolidate financial and operational data from multiple sources.⁶

Integration of compliance management software: SOX compliance is too massive a task to be handled manually. Therefore, companies are investing in software that can automate much of this work. Market research firm IDC estimates the growth of the compliance software market at 22 percent annually. SOX compliance should not be treated as a standalone process; instead, it needs to be integrated into existing business processes. This means that in addition to integrating their legacy systems with the RFID systems, firms need to integrate their ERP system with compliance-management software. Therefore, they must approach software and vendor selection not as an IT purchase, but rather as a business process improvement project. If the firm’s existing ERP vendor is capable of producing a compliance-management solution, this may be an easy way out since systems integration could reasonably be expected to be relatively less painful.

Consider the case of Loral Space and Communications, a New York-based manufacturer of satellites. Loral chose to use its enterprise planning vendor’s compliance application mainly because of their familiarity with the solution. Notably, the company has been satisfied since. As a general rule of thumb, though, the priority in selecting a compliance-management solution should be the fit to existing business processes.

Enterprise information architecture: Most of the challenges at the ERP-SOX interface originate from problems in the enterprise information architecture. Generally, companies use different architectures for different functions of their business. For example, retail stores only need to store and forward RFID data, while distribution centers need more data processing power. Furthermore, companies build their enterprise architecture on top of legacy systems and frequently require individual components to be revamped, replaced, or redeveloped.

But every time the enterprise architecture is modified, system parameters and infrastructure change, thereby requiring updating of compliance processes and increasing compliance costs. Supply chain managers who have gone through an ERP implementation can attest to a process often beleaguered by complex technical problems at the systems’ interface such as middleware bugs, poor coding, and substandard system performance. (RFID middleware is software that filters, formats, and applies logic to tag data captured by a reader allowing a software application to process the data.)

ERP-RFID integration: As we discussed earlier, SOX calls for real-time or fast capture of data and its seamless integration into an enterprise system. For this reason, any RFID solution should also be able to communicate with the existing ERP system. In some cases, though, this is easier said than done. To illustrate, bicycle maker Pacific Cycle recognized that importing accurate data into its SAP system was not going to be easy because of data-formatting and software compatibility issues with the company’s multiple middleware systems. Pacific Cycle’s solution was to dedicate a person to search for inconsistencies such as multiple read duplications within thousands of RFID records received weekly. While the company has spent close to $1 million on RFID since 2003, the best read rates obtained were 70-80 percent after two years.⁷ Recently, some ERP vendors started offering interfaces to accept RFID data. Clearly, this should reduce the need for middleware for their customers.

Flood of data: Many large consumer goods manufacturers produce billions of products annually. Even if tagging starts at the case or pallet level, this large output will result in overwhelming amounts of data that need to be processed correctly and quickly. When individual items are tagged at the retail level, this causes a flood of data. Unless a company’s IT infrastructure is ready for this load, the situation could turn into an internal controls nightmare. Being prepared and vigilant with the correct IT infrastructure can turn the RFID implementation into a success story.

The RFID-SOX Linkage

RFID technology will probably not be SOX-friendly until many years from now when the technology has been essentially perfected as a regular component of supply chains. In the meantime, RFID champions like Wal-Mart must accept this new technology as a potential risk to their internal controls under SOX. With about $1.2 trillion worth of inventory waiting to be scanned by RFID readers at any given point in time in Wal-Mart’s case, there is plenty of opportunity for read errors to cause glitches in the SOX compliance process.

A flaw in the RFID implementation could potentially constitute a material weakness in internal controls, which could trigger an error in a public company’s financial statements. Further, a supply chain glitch could negatively impact a company’s stock price by nearly 20 percent.⁸ For supply chain managers, the heart and soul of SOX compliance is this: To identify material weaknesses in company processes and implement a reliable check-and-balance system to mitigate those risks. Perfected and properly implemented RFID technology would help supply chain managers accomplish the task.

The RFID-SOX linkage presents a real challenge to supply chain managers because SOX goes beyond financial statement risks in mandating the monitoring of internal controls. SOX makes the human factor the new audit point in the supply chain. In effect, the whole supply chain becomes an integrated accounting department, with every point in the supply chain as a potential SOX audit crossing. Consider, for example, that according to AMR Research most suppliers have inventory accuracy that is already as high as 99.99 percent. Yet trial RFID deployments reveal high failure rates that can degrade that accuracy rate. Moreover, these failures can only really be detected by redundant technologies and the human eye. The internal control multiplier effect comes into play here. If within your managerial control and responsibility you identify 20 risks that have 20 control points, then suddenly you have 400 control points. All need to be monitored and managed to effectively mitigate risk.

Vulnerabilities to Watch For

Companies moving forward on SOX compliance and RFID technology should be aware of three potential vulnerabilities that could hinder these efforts. They are technical, security, and human.

At the top of the list of technical vulnerabilities is the tag failure rate, which can have a ripple effect on inventory accuracy across the supply chain. Many suppliers of Wal-Mart, for example, initially experienced high failure rates in their RFID deployments. These were not isolated technological aberrations, but rather recurring problems in some instances. During RFID trials, pallet read rates of the tag’s electronic product code ranged from 40 percent to nearly 100 percent. A time- and resource-expensive fix to this problem finds companies testing tag reads before shipping their products to verify that the label works properly and to collect tracking data. Yet this redundancy constitutes a new internal control layer at a critical integration point that can impact the accuracy and reliability of financial reporting for both the supplier and the retailer.

An unintended consequence of the tag failure rate could be a slowing down or redesign of processes, since unread or misread boxes or pallets need to be re-entered into the system. Alternatively, redundant checks could be added, which increases operational costs. How could the problem of tag failure rates be addressed in a manner that ensures effective SOX compliance? As a practical matter, individual cases should be scanned as pallets are constructed or torn down.⁹ Users must keep in mind that water and metal in and around products can lower readability rates. Significant changes in the orientation of tags and readers, as well as a redesign of the tags themselves to avoid the interference of the radio waves, may be necessary. The result may be higher costs for tags and/or the use of multiple types of tags, which can complicate and add costs to the inventory process.

From a supply chain security standpoint, viruses present a potential RFID headache. These viruses are no longer theoretical; tags, readers, and backend systems could all be at risk. Last year, researchers at Vrije Universiteit in Amsterdam presented a paper that outlined how an “RFID worm” might be introduced into the supply chain. An RFID tag can be maliciously infected with a virus because of certain intrinsic vulnerabilities in the RFID software. The propagation effect can easily spread this virus to other tags. Such a virus disruption could cost the company millions of dollars, not to mention the impact that virus-corrupted data could have on a company’s quarterly profit statement.

Fortunately for supply chain managers, the researchers of this study have provided details on how to defend against this virus corruption. Significantly, up until now, no one thought that an “RFID worm” was even possible. In any case, supply chain managers cannot afford to superficially trust RFID-generated data.
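As an added example (not code from the article or from any vendor it mentions), here is a small Python middleware filter of the kind described in the enterprise architecture and ERP-RFID integration discussion above: it rejects tag payloads that do not match a strict expected format before they reach the backend, which is the core of the defence against tag data being treated as anything other than data; it drops the repeated reads Pacific Cycle had to hunt for by hand; and it appends accepted reads to a hash-chained log so later tampering with retained records is detectable. The 24-hex-digit EPC rule, the five-second duplicate window and the sample reads are assumptions constructed for the illustration.

```python
"""RFID middleware filter: validate tag reads, drop duplicate reads and
append accepted reads to a hash-chained log. Added example, not the
article's or any vendor's code; the EPC format rule, the duplicate window
and the sample batch are constructed assumptions."""
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: tags carry a 96-bit EPC rendered as 24 hex digits. Anything
# else (longer payloads, punctuation, quotes) is rejected here, so the
# backend only ever sees tag data that cannot be interpreted as code.
EPC_RE = re.compile(r"^[0-9A-F]{24}$")
# Assumption: the same reader seeing the same tag again within this many
# seconds is a repeated read of one event, not a new movement.
DEDUP_WINDOW_S = 5.0


@dataclass(frozen=True)
class Read:
    epc: str
    reader: str
    ts: float  # seconds since epoch


def validate_read(raw: dict) -> Optional[Read]:
    """Return a Read if the raw reader event is well-formed, else None."""
    epc, reader, ts = raw.get("epc"), raw.get("reader"), raw.get("ts")
    if not isinstance(epc, str) or not EPC_RE.match(epc):
        return None
    if not isinstance(reader, str) or not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", reader):
        return None
    if not isinstance(ts, (int, float)):
        return None
    return Read(epc=epc, reader=reader, ts=float(ts))


def _record_hash(prev_hash: str, read: Read) -> str:
    # Each record's hash covers the previous hash, so the log forms a chain.
    payload = json.dumps({"epc": read.epc, "reader": read.reader, "ts": read.ts},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def process_reads(raw_events: list) -> tuple:
    """Filter a batch of raw reader events into (chain, rejected)."""
    chain, rejected, last_seen = [], [], {}
    prev_hash = "0" * 64  # genesis value for the first record
    for raw in raw_events:
        read = validate_read(raw)
        if read is None:
            rejected.append({"event": raw, "reason": "malformed"})
            continue
        key = (read.epc, read.reader)
        if key in last_seen and read.ts - last_seen[key] < DEDUP_WINDOW_S:
            rejected.append({"event": raw, "reason": "duplicate"})
            continue
        last_seen[key] = read.ts
        h = _record_hash(prev_hash, read)
        chain.append({"epc": read.epc, "reader": read.reader, "ts": read.ts,
                      "prev_hash": prev_hash, "hash": h})
        prev_hash = h
    return chain, rejected


def verify_chain(chain: list) -> bool:
    """Recompute every hash; an edited, inserted or deleted record breaks it."""
    prev_hash = "0" * 64
    for rec in chain:
        read = Read(epc=rec["epc"], reader=rec["reader"], ts=rec["ts"])
        if rec["prev_hash"] != prev_hash or rec["hash"] != _record_hash(prev_hash, read):
            return False
        prev_hash = rec["hash"]
    return True


# Constructed sample batch: one case read three times by the same dock-door
# reader within two seconds, one malformed payload, then a second case.
SAMPLE_EVENTS = [
    {"epc": "3034257BF7194E4000001A85", "reader": "dock-door-01", "ts": 1000.0},
    {"epc": "3034257BF7194E4000001A85", "reader": "dock-door-01", "ts": 1000.8},
    {"epc": "3034257BF7194E4000001A85", "reader": "dock-door-01", "ts": 1001.9},
    {"epc": "NOT-AN-EPC-0001", "reader": "dock-door-01", "ts": 1002.0},
    {"epc": "3034257BF7194E4000001A86", "reader": "dock-door-01", "ts": 1003.0},
]
```

On the sample batch, process_reads accepts two reads and rejects three (two duplicates, one malformed), and verify_chain returns False as soon as any accepted record is altered after the fact.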

Finally, as in any process, human error presents another operational control risk. Supply chain managers must know who handles the RFID readers, which procedures they are supposed to follow, the robustness of those procedures, and who inside or outside the firm should be involved in those procedures. To avoid a possible internal control deficiency, firms need to develop a comprehensive education program for essential employees involved in the RFID-SOX interface. This training should be conducted at least annually. It should involve both inside resources and outside experts.

Necessary Actions Going Forward

The recent “watering down” of SOX’s internal controls requirement (Section 404) by the Securities and Exchange Commission to make it scalable based on the size of a company and the complexity of its business operations does not detract from anything said so far. Managers at public companies must still focus on testing internal controls in those areas that pose the highest risk or the most potential for fraud with regard to the accuracy and integrity of their financial statements. Although these new SEC guidelines seemingly grant management considerable discretion in determining the SOX audit points—and the SEC claims that this will make SOX compliance less costly for smaller companies—we believe companies pursuing RFID must continue to maintain their compliance with rigorous due diligence. The reason: any new technology when implemented using old processes would pose a risk point for internal controls.

The emergence of RFID technology and SOX compliance both offer a great opportunity for firms to reevaluate their business processes. Toward this end, we recommend the following actions to supply chain managers:

* Be very patient and methodical as you evaluate the RFID technology and plan for its implementation. Remember, even some highly regarded firms were forced to abandon their ERP implementations after spending significant amounts of money. The message: Do it right the first time. Also, before implementing RFID, sell senior management on the idea of linking this technology to SOX compliance to secure their buy-in—an essential ingredient to success.
* Treat RFID implementation as an opportunity to reevaluate your operational processes and merge your RFID implementation and SOX compliance teams. Consider inviting key suppliers to join the merged RFID-SOX team. Under no circumstances should you treat RFID implementation as an IT project.
* Develop new and effective processes to consolidate financial and operational data from multiple sources. SOX compliance should not be treated as a standalone process. It must be fully integrated into existing business processes.
* Initially anticipate some technology glitches and budget for additional expenses resulting from necessary redundancies in business processes.
* Ensure that your operators are fully trained and knowledgeable about their instructions and clear about their responsibilities with respect to the use of new technology in business processes they are a part of.
* Don’t be tempted to relax your compliance efforts in light of the SEC’s recent watering down of certain SOX provisions. For retailers, the RFID-SOX interface in the supply chain should be a top-priority internal control audit point.

Source: Supply Chain Management Review
