SMU COX SCHOOL OF BUSINESS

The SOX Compliance Journey at Trinity Industries[~]

In his office overlooking the Trinity River flats in Dallas, TX, Don Collum, VP and Chief Audit Executive at Trinity Industries, was about to chair his weekly meeting with KPMG partner Jarrod Bassman, who had been overseeing the KPMG engagement for SOX compliance at Trinity since 2003. It was mid-January 2008, and the external audit report regarding Trinity’s SOX compliance for the year ending December 2007 was on the meeting agenda. Once again they could pat themselves on the back: for the fourth year in a row, Trinity passed its SOX audit without material weaknesses.

Reflecting on Trinity’s SOX compliance journey, Don identified numerous accomplishments. In October 2003, when he first began consulting with Trinity Industries on their SOX initiative, he described the company as a “candidate of a company that could have had a material weakness as defined by SOX,” even though it was a highly successful, well-run and disciplined organization that consistently delivered shareholder value through growth and had never had cause to restate its earnings. But when it came to SOX compliance, Trinity faced the same challenges that most companies faced, namely a general lack of process and control documentation and of evidence that controls had been performed. In addition, Trinity’s operations were highly diversified and decentralized, and its information systems were fragmented. Trinity had forgone the implementation of an integrated enterprise system even during the Y2K scare, citing the unique nature and requirements of its 22 business units. This meant that the company had seven different versions of BPCS, a cost accounting and production scheduling application, running in approximately 67 plants[1].

[~] The cooperation of Trinity Industries, Inc. and KPMG, LLP in the preparation of this case is gratefully acknowledged.
This case was prepared in September 2008 by Ulrike Schultze, Associate Professor in ITOM at the Cox School of Business, Southern Methodist University. This case was developed as a basis of class discussion and is not designed to illustrate effective or ineffective handling of an administrative situation.
[1] This number excludes the 128 Transit Mix locations, which act as material depots for the concrete trucks that then pick up sand, gravel and cement to be mixed en route to the delivery point.
Despite these challenges, all their SOX compliance audits had identified no material weaknesses at Trinity. Furthermore, the number of SOX controls Trinity tested had halved from year to year (see Exhibit 1), thereby decreasing compliance costs. But this was not a time to rest on their laurels. Don, who became Trinity’s Chief Audit Executive in May 2004, was aware of a number of challenges that Trinity would have to tackle, and he wanted to set some specific goals that would guide their SOX work for 2008.

One pressing issue was the further reduction of audit costs. There was a general consensus within the audit group that the approximately 500 controls that Trinity had tested for the last two years represented as lean a control infrastructure as the company could muster without undergoing significant IT change. Should Trinity implement an ERP system after all? Should they try to emulate a leading global manufacturer that claimed to test only 25 controls for SOX thanks to a single-instance ERP system representing global operations? Or were there other cost-reduction alternatives Trinity could pursue?

Another issue related to the International Financial Reporting Standards (IFRS). It was clear that IFRS legislation would be passed in the US; the only question was when. For Trinity, this raised questions about when and how to prepare for it.

Company Background

Trinity Industries was born out of the 1958 merger between Trinity Steel and Dallas Tank, both struggling propane tank companies located in Dallas. W. Ray Wallace, who was hired as an engineer and the 17th employee at Trinity Steel in 1946[2], became Trinity Industries’ first CEO. He led the company for 40 years, turning the struggling propane tank manufacturer into a $2.4 billion provider of diversified products and services to the industrial, energy, transportation and construction sectors. In July 1998, Timothy Wallace, Ray’s son, took over the helm as CEO of Trinity Industries.
He joined Trinity in 1976, the year he graduated with a BBA from Southern Methodist University. Working his way from the ground up and gaining first‐hand experience with the various Trinity businesses provided Tim with the kind of in‐depth knowledge he needed to lead the company and grow it into the $3.8 billion enterprise it became in 2007.
[2] Source: “The Legend of Trinity Industries, Inc.” by Jeffrey L. Rodengen. 2000. Write Stuff Enterprises.
Trinity manufactured freight and tank rail cars to transport dry cargo and liquefied or pressurized commodities respectively, dry-cargo and tank barges, propane tanks, highway guardrail and crash cushions, and structural wind towers. Strategically, Trinity sought to hold a leadership position in each of its markets. Thus, Trinity Rail combined the resources of the leading manufacturer of railcars in North America. Trinity’s Marine Products group was the largest manufacturer of inland barges and fiberglass covers for barges in the United States. Furthermore, Trinity’s Highway Products group was the only full-line manufacturer of highway guardrail and crash cushions in the United States. The company also provided concrete and aggregates, which it mined itself, to the construction industry. Transit Mix Concrete & Materials Company, Trinity Materials, Inc. and Armor Materials, Inc. were leading producers of concrete, aggregates, and asphalt in Texas. Despite Trinity’s manufacturing focus, the Railcar Leasing group was one of its fastest growing businesses and a leading provider of railcar leasing and management services. It offered a variety of railcar leasing options, including full service, net, and per diem leases on either new railcars built by Trinity’s Rail group or railcars from the Leasing group’s lease fleet.

With manufacturing facilities in the US and Mexico, Trinity had 14,400 employees working in 22 business units (BUs) in 2007. The BUs were grouped into five principal groups or lines of business (LOB) for financial reporting purposes: the Rail Group, the Railcar Leasing and Management Services Group, the Inland Barge Group, the Construction Products Group and the Energy Equipment Group (see Exhibit 2 for short profiles on each LOB). The Rail Group was the largest, employing about half of Trinity’s workforce and generating 39% of its revenues.
Trinity’s leadership consistently focused on being a premier, multi-industry growth company, a vision that it generally achieved. For instance, since 2005, revenues increased by 19% a year (see Exhibits 3 & 4 for more details on Trinity Industries’ recent financial performance). Furthermore, in 2007, it boasted the following achievements:

• The companies within Trinity’s Rail Group achieved record revenues of more than $2.3 billion. They delivered approximately 27,370 railcars in North America during 2007 and ended the year with an order backlog of approximately 31,870 railcars, the second highest end-of-year backlog in company history.
• Trinity Industries Leasing Company (TILC) continued to grow its fleet during 2007, adding more than 5,500 railcars. This increased the total number of railcars leased to approximately 36,090 at year-end. The Leasing and Management Services Group recorded revenues of more than $631 million and operating profit that exceeded $161 million, both record highs.
• Trinity Marine’s revenues grew to more than $493 million in 2007, its operating profit exceeded $72 million, and the end‐of‐year order backlog totaled $753 million.
• Revenues for the Construction Products Group grew during 2007 to a record level of $733 million. Operating profit exceeded $58 million.
• In 2007, the Energy Equipment Group had record revenues of more than $433 million and operating profit that exceeded $50 million.
The Sarbanes-Oxley Act of 2002

Enacted as a federal law in June 2002, the Sarbanes-Oxley Act (SOX) was a response to the corporate and accounting scandals perpetrated by companies like Enron, WorldCom and Adelphia Communications. These scandals not only cost investors billions of dollars, but also shook the public’s confidence in the nation’s securities markets. In an act consisting of 11 sections, SOX legislated, among other things, enhanced financial reporting standards for public companies, officers’ individual responsibilities for the accuracy of corporate financial reports, and an oversight body, the PCAOB, to regulate public accounting companies in their capacity as external auditors. Public companies were given until December 2004 to comply with SOX. For most, this meant implementing two key provisions of the act: Section 302, which dealt with the internal certification of controls, and Section 404, which focused on the assessment of internal controls.

Section 302 mandated a set of internal procedures designed to ensure accurate financial disclosure. The signing officers had to certify that they were “responsible for establishing and maintaining internal controls” and had “designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared.” 15 U.S.C.[3] § 7241(a). The officers had to “have evaluated the effectiveness of the company’s internal controls as of a date within 90 days prior to the report” and “presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.”

[3] Title 15 of the United States Code.
Section 404 required management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. This was the most costly aspect of the legislation for companies to implement, due to the effort involved in documenting and testing manual and automated controls. Management was also required to produce an “internal control report” that accompanied “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.” 15 U.S.C. § 7262(a). The report also had to “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” Managers generally adopted an internal control framework, such as COSO, for this assessment.

2003Q3-2004Q4: Year 1 of the SOX Compliance Journey

During the time that SOX legislation was making its way through Congress, Trinity was making significant changes to its financial reporting processes. It reengineered financial reporting and standardized on one financial reporting system. This meant that the 22 financial reporting processes (one per BU) were replaced with one centralized process. This involved replacing the 4 general ledger packages running at Trinity with one instance of Oracle Financials. Additionally, Trinity developed the Accounting Service Center (ASC), which provided centralized, outsourced services for routine, organization-wide transaction processing such as billing, payroll and AP. Thus, instead of individual BUs processing their own accounts payable transactions, these accounting transactions were completed centrally and, by implication, standardized. Even though the ASC was run and operated by an independent service provider, most of its Trinity-related operations were housed on the Trinity campus in Dallas.
While the co‐location strengthened Trinity’s ability to assess the outsourcer’s controls, the up‐front, data capture work was eventually moved to India for an additional 20% cost savings. This required an annual compliance audit by a Trinity representative at the outsourcer’s facilities in India. While the $28 million Oracle initiative was instigated primarily to improve reporting effectiveness, that is, facilitate more timely closes and improve the availability of financial information, Chas Michel, Trinity’s Chief Accounting Officer, highlighted that the project was given priority in anticipation of SOX:
“You knew the legislation was coming and you had kind of an idea of when. You could see it. Clearly it was going to happen.”
Ultimately, it was estimated that the Oracle project saved Trinity $0.5 million annually in SOX compliance expenses. Additionally, the project proved invaluable with regard to the organizational infrastructure lessons and the culture of cooperation between the BU controllers it generated.

Jake Farkas, Director of Finance and Accounting, led both the Oracle Financials and ASC outsourcing initiatives. Relying on a rigorous project management approach, organizational structures like a steering committee and a project management office (PMO), and expertise from consulting resources, both projects were successfully implemented in April 2003. Both were on time and within budget. This was a considerable accomplishment, especially in light of the challenges Trinity had previously experienced with large-scale IT projects and the deep-seated resistance organizational members harbored toward outsourcing. The project team learned valuable lessons from the Oracle and ASC projects, including the importance of project management and change management. The team’s careful analysis of the financial processes in the various BUs also highlighted the lack of process and control documentation throughout the organization. It became increasingly clear that when it came to SOX compliance, Trinity had a lot of work to do.

Even though he was part of the Finance organization, Jake was tapped to lead the SOX compliance project, in large part because Trinity’s internal audit group consisted of only 2 people. Leveraging the existing project team and the lessons learned from the Oracle and ASC initiatives, he formed both a PMO and a steering committee to oversee the project. The steering committee reported to the CFO, was led by the CAO, and its members included the BU CFOs as well as representatives from Internal Audit, KPMG, and E&Y, the external auditor. Jake secured advisory knowledge from KPMG and directed them to approach the compliance effort from a project management perspective.
The KPMG team did just that and outlined the following project phases (see Exhibit 5 for a GANTT chart):

1. Project Scoping
The purpose of this project scoping phase was to build a project methodology, to develop a common language among the participants (i.e., E&Y, KPMG and the Trinity steering committee), to estimate the project’s size and to determine the right level of documentation. In order to estimate the size of the SOX project, the steering committee assessed the degree to which key processes (see Exhibit 6 for a list of process areas) were standardized and/or centralized. Their analysis revealed that there were numerous processes that were conducted in multiple locations and would therefore have to be documented, controlled and tested in multiple control environments. This information was then used to estimate the total number of hours and average FTEs required throughout the project’s life cycle.

In order to gain insight into the amount of time and effort process and control documentation would require and the kinds of control gaps Trinity should anticipate, the KPMG team led pilot SOX projects in two manufacturing BUs: a Highway Safety facility in Lima and a Marine Tank-Barge facility in Madisonville. The BUs were chosen for their representativeness of different manufacturing operations at Trinity and their relative difference with regard to products. Table 1 summarizes the control and gap profile that the pilots yielded.

Table 1: Pilot Control and Gap Profile

                                  Highway Safety    Tank-Barge
Total Key Controls                      83              67
  Preventive / Detective             65% / 35%       55% / 45%
  Manual / System                    75% / 25%       86% / 14%
Total Control Gaps Identified           13              19
Gaps Related to Documentation            9              15

The majority of gaps were related to the documentation of management reviews such as monthly/quarterly financial statements and reconciliations.
2. Project Planning, Tool Set-up, Team Identification and Training

This phase saw the fleshing out of the project GANTT chart and included a process risk assessment for individual BUs to prioritize processes and controls for documentation. In addition, KPMG helped Trinity build and populate a database application that served as a central repository for all SOX controls and allowed Trinity to track each control’s testing history and any changes made to it over time. While the descriptions of the controls were published on the Trinity intranet, their history and testing status were not. In this phase, KPMG also assisted the steering committee in developing the templates the documentation teams would use for the project and in training the teams on them. The three primary documents were flowcharts, control matrices and gap-analysis matrices. Additionally, a control catalog that outlined a numbering scheme for controls by specific process was developed. Since each of the BUs would document its own processes and controls, the catalog numbering scheme would help identify and organize the controls.
3. Documentation of Processes and Controls

Having identified where in the organization each of the key processes was performed and controlled (i.e., at Corporate, ASC, Group or individual BU level), the documentation of processes and controls began. This work fell to documentation teams consisting of KPMG advisors, members of Trinity’s internal audit group, and BU controllers. The team would interview the organizational members to understand their processes and controls. These were then documented in flowcharts and control matrices, and shared with the organizational members for correction and feedback. The focus of this project phase was to identify the AS-IS state of processes and controls through a bottom-up analysis of the organization’s work practices.
4. Comparison of Controls to Expectations to Identify Gaps

While the documentation phase had focused on the AS-IS processes and controls, the documentation teams had nevertheless noted gaps between the AS-IS practices and a SOX-compliant (or TO-BE) way of operating. In this fourth project phase, the documentation teams focused on these gaps by completing gap-analysis matrices for controls with gaps. A control gap might be the lack of corrective controls around inventory adjustments, e.g., adjustments made to the BPCS system after a physical stock count. Another control gap might be noted if an employee initialed a checklist as evidence that all the transactions on the checklist had been completed, e.g., a number of reconciliations. Each transaction (or reconciliation) had to be initialed as evidence that a control had been performed, not the checklist. In addition to describing these gaps, the gap-analysis template required the team to note additional controls that would mitigate the risk of each control gap, an indicator of the impact’s severity (i.e., high, medium or low), and a recommendation for dealing with the control gap. Instead of just documenting the gaps, the team also began remediating them whenever possible. By mid-December 2003, the gap analysis had identified 1,249 controls and 265 gaps. Of these gaps, 172 were related to documentation, and 0 and 10 were classified as high- and medium-priority respectively.
5. Self-Assessment and Test Plan Design

In order to support management’s assertion regarding the effectiveness of internal controls, Trinity had to create a self-assessment process that would increase accountability. This process assigned and managed control owners for every control in perpetuity. The steering committee designed a process whereby Control Certification Letters (or “Representative Letters”) were automatically generated and mailed to each control owner on a quarterly basis. These letters asserted that the control owner was accountable for the effectiveness of the internal control assigned to him/her. Depending on reporting structures, these letters needed to be signed and returned to the BU controllers, the Group CFO or the internal audit department. This process was effective at tracking changes in control ownership, as it regularly alerted Trinity if control ownership responsibilities had not been reassigned when, for instance, people left the company or changed jobs.

As part of test planning, the steering committee oversaw the classification of controls into A, B, and C controls. “A” controls were key or primary controls that would always be tested for SOX compliance. “B” controls represented back-up controls that Trinity would rely on when the primary controls failed. “C” controls were controls that were related, but not central, to SOX compliance. In June 2004, Trinity’s 1,573 controls broke down as shown in Table 2:
Table 2: Control Classification (2004)

Control Classification    Count
“A” controls                649
“B” controls                397
“C” controls                705
Unranked controls            70
6. Control Redesign to Close Gaps
In order to remediate the gaps identified, the documentation teams worked with Corporate, the BU controllers and the Group CFOs to gain agreement on each gap, its impact and mitigating controls. Then they developed an action plan for correcting each control gap. This plan addressed what corrective action needed to be taken, who was responsible for gap closure and when it was going to be implemented. Gap closure was monitored on an ongoing basis by the steering committee, which met weekly during the course of 2004. Furthermore, gap closures would be validated during the internal validation testing planned for March to June 2004. By the end of June 2004, 1,573 controls and 280 documentation gaps had been identified. All except 3 of these gaps had been closed.
7. Training

The steering committee sponsored four levels of training: (i) high-level guidance on SOX for senior executives, (ii) training on COSO for the 50-70 controllers in Trinity, (iii) SOX documentation training for the various documentation teams, and (iv) control owner training. This training phase was also a part of the change management activities that most large-scale, organization-wide projects require. However, Jake Farkas noted that there was one key difference between a regulatory project such as SOX compliance and an organizational process improvement initiative like the Oracle and ASC projects: since the former was compulsory, there was less need to convince people of the urgency and necessity of a change. Even though there was a considerable need to educate the members of the organization, particularly control owners, on the documentation and evidentiary requirements for SOX, Trinity, in contrast to the Oracle and ASC projects, did not feel the need to hire a full-time change management consultant for the SOX project.
8. Monitor – Test of Control and/or Control Self-Assessment

This project phase represented the internal audit phase of the SOX compliance audit. Not only were the controls tested, but also the self-assessment process. By the end of June 2004, 1,803 controls had been tested and 284 testing gaps were identified, of which 226 were closed. The causes of these gaps were fairly evenly split between issues of operating effectiveness and documentation. Common testing gaps related to the lack of maintenance of the SOX binders that had been created for each control, insufficient evidence of timely reviews, insufficient exercise of change controls, and a “check the box” mentality (rather than a fulfillment of the spirit of the control). By the end of the year, 2,440 controls had been tested and 327 testing gaps had been identified.
9. Management Assertion

Right from the beginning of the SOX compliance project, Trinity had set a target of being in a position to complete the management assertion by June 30, 2004, even though the assertion was only due on December 31, 2004. This early deadline would give Trinity an opportunity to fix any key weaknesses identified by preliminary testing before the real deadline.
10. External Auditor Evaluation and Attestation of Internal Controls

Even though the external auditor only started testing in Q3 2004, the SOX steering committee included a representative from E&Y. Trinity thus had the benefit of E&Y’s interpretation of the SOX legislation throughout their decision-making. This was particularly important in light of the fact that SOX provided little guidance and the public accounting companies were developing the standards for SOX compliance in an emergent fashion and by comparing their standards of control effectiveness with their competitors. For instance, when PwC announced that spreadsheets needed to be password-protected in order to pass a SOX audit, there was much consternation at Trinity until E&Y took a clear stance on what they would deem an effective spreadsheet control. The results of E&Y’s external audit testing revealed no material weaknesses, but 14 deficiencies.
2005: Year 2

With the first year of compliance successfully behind them, the SOX project was moved into the audit organization, which had grown under Don Collum’s leadership. It was clear to Don and the SOX steering committee that there was much room and need for improvement in their second round of SOX assessment. While Trinity had adopted a “get it done” and “brute force” attitude in the first year of compliance, it was clear that their approach of documenting and testing “every control known to man” was not going to be feasible in the long term. Like so many other companies, Trinity believed that they had “over-audited” and “over-tested” in order to avoid material weaknesses, since “failure was not an option.” Now, it was time to “step back, look at it, and do a better job at risk profiling.”

In order to prepare Trinity for its second year of SOX compliance, the steering committee focused on two initiatives: (i) a top-down, risk-management approach to testing, and (ii) the streamlining of controls across BUs. Together these initiatives halved the number of SOX controls Trinity tested in 2005.

The risk-management approach to testing implied a shift from a “shotgun” to a “rifle” approach. Trinity would not test all controls but identify areas that were material and posed a threat to the financial statements. Only significant processes and major classes of transactions in these processes would need to be audited for SOX. Trinity thus identified BUs that contributed at least 5% to Trinity’s revenues or represented at least 5% of Trinity’s assets as per the company’s consolidated financial statements. Only controls in significant processes in those BUs would be tested. One implication of this risk-oriented approach was that it reduced the number of controls designated as key or “A” controls, in part because their definition focused more on what risks these controls posed for material misstatements of the company’s financial results. Furthermore, not all “A” controls would be tested every year, because they might be located in BUs that were not significant enough to be audited.
Similarly, “C” controls were no longer seen as relevant for SOX compliance because the audit group did not anticipate ever testing them for SOX. Nevertheless, these “C” controls could be maintained and tracked in the SOX database if the BUs so wished. Some BUs saw symbolic value in designating certain control activities “SOX controls,” as this made their enforcement easier.

The second Year-2 initiative focused on process improvement. The SOX steering committee created process improvement teams and charged them with streamlining, standardizing and automating the controls for a given process (e.g., inventory, AP, AR). Georgia Papageorge, VP Finance and Accounting in the Freight Car Group, led the inventory process improvement team. The team consisted of about 7 members and included representatives of the BUs, KPMG and the internal audit group. In order to streamline the inventory controls, the team analyzed each BU’s control documentation. They found considerable overlap and variability in the way the controls were described. Most of the variability arose from the different systems that were operating at the BUs. A report that one BU relied on for its controls was not available in another, for instance. Furthermore, the same control might be worded differently, such as “the BU controller reviews this, versus the accounting manager reviews this, versus accounting personnel reviews this.” In order to standardize the controls, the process improvement team abstracted the control description so that it was universal enough to cover the control activities in the various environments. The team also looked for redundant controls. Some BUs relied on multiple controls to accomplish the same objective. By looking across BUs, it was relatively easy to identify these redundant controls and to determine best practices that could then be replicated across BUs.

Overall, this process improvement effort took about 3 months and reduced inventory controls by about 25%. Its biggest achievement was to bring consistency to inventory controls such that each BU relied on the same control despite operational differences related to unique products and IT infrastructure.

A closer look at the inventory process of the Trinity Rail Car group provides some detailed insights into the improvement team’s work. A flowchart of the 2004 inventory management process is presented in Exhibit 7. Exhibit 8 provides the accompanying control matrix. The latter highlights the overlap of control objectives within the inventory process in this single LOB. For instance, controls 3, 4 and 13 all dealt with the correct valuation and recording of inventory. Furthermore, different plants relied on different variations of control #14.
Exhibits 9 and 10, which show the inventory process flowchart and control matrix for 2005, illustrate the inventory improvement team’s efforts. In particular, the controls were uniquely numbered and described in more universal terms. However, as best practice controls were applied to all plants, there was an initial rise in the controls in Rail Car operations in 2005. Only after the inventory team’s recommendations to eliminate some controls were put into effect in 2006 (see Exhibit 11 for a summary) did Rail Car see a decrease in controls maintained and tested. In 2007, as more plants were added to the Rail Car group and more plants became significant for SOX compliance, the number of controls maintained and tested went back up. Table 3 highlights the number and breakdown of controls maintained and tested in Rail Car between 2004 and 2007.

Table 3: Controls Tested and Maintained in Rail Car Group (2004-2007)

                         2004   2005   2006   2007
BU-level Controls           8      7      9      6
Plant-level Controls        7     10      4      8
A Controls                 14     14      6      7
C Controls                  1      3      7      7
Controls Tested            81    109     50     70
Controls Maintained        81    127    115    127

Internal testing in year 2 brought a new set of challenges to light: Trinity’s IT group seemed unaware that SOX compliance was a new reality and not a one-time effort. Kasey Nash, a KPMG senior manager on the Trinity SOX project, recounted the reaction from the IT group when they came to test in 2005: “You’re back again? You mean we still have to do this?” SOX compliance had not been given the necessary priority in the IT department, and this led to the identification of 48 gaps in IT. These gaps included privileged and programmer access rights for core systems like BPCS and the on- and off-boarding of Trinity employees. While the 48 gaps were an improvement on the 20% error rate of IT controls in 2004, it was September 2005 by the time they were identified. This did not give the IT group much time to remediate them.

The IT environment was also challenging due to its distributed nature. There was a corporate IT group that was primarily responsible for infrastructure technologies (e.g., networks, Internet, email), IT groups within the BUs that supported business-specific applications, and IT support in Mexico and Europe. These different control environments multiplied the controls that needed to be maintained and tested. Furthermore, 9 applications (including Oracle, PeopleSoft, BPCS) plus the network were in scope for SOX compliance. In November 2005, Terri Wilson, Analyst in IT’s Strategic Compliance Services, replaced the previous IT SOX manager.
Determined not to fail, as it could cost her job, Terri learned what she could about SOX compliance. She became aware of ISACA in 2006, subsequently joined the organization, attended local chapter meetings regularly, and even earned her CISA certification.

2006: Year 3

While the first two years of SOX compliance had been guided by a project management approach, it became increasingly clear to Don Collum and other members of the steering committee that Trinity needed to move beyond “the SOX project” and put in place a “governance process.” This meant that their language and mindset needed to change. The controls needed to become so deeply embedded in Trinity’s processes that they were indistinguishable from people’s sense of “good business practices.” Thus the “SOX” designation, e.g., “SOX steering committee” and “SOX controls,” was dropped and new labels such as “governance steering committee” and “financial controls” emerged. One of the controllers described life with SOX as follows:
“You are audited constantly; you just have to have perfection in your job. There is no room any more for any sort of margin of error. We have to make sure that our revenue recognition is accurate. We have to make sure that we have controls and that people are doing them. We work for a public company. We are audited almost daily; so there is a little more pressure with making sure that we have seasoned people in positions who understand what they are doing. Or even if they are not seasoned that they know the rules and follow them; that they understand they are going to be audited quarterly, monthly, daily. It is all about accountability.”
Even though they acknowledged that SOX was ensuring that they were doing what they ought to be doing anyway, the controllers maintained that their SOX responsibilities added at least 8-10 hours a month to their workloads (see note 4). The extent of the additional work depended on the number of controls they owned and the number of paper binders they needed to maintain. Indeed, Mike Mason, CFO for the Construction, Energy and Marine Group, voiced his frustration with an audit process that hampered organizational efficiency:
“How do I change the audit process, not the control process? Because I’ve done the control, it’s there, and it’s available. The problem is now to explain to the auditors that it’s done. Because they want it nice and neat, in a stack of papers, and then ‘walk me through because I’ve been out of school for a whopping 6 months and I don’t understand your business.’ So I am just catering to the audit side of the control.”

Note 4: By KPMG’s estimates, it took 160,000 hours of internal work to perform SOX controls in year 1 of SOX compliance at Trinity.
In order to change group and BU controllers’ perception of SOX, Don promised them that, “if you can show me a control that we are doing solely because of SOX, I will let you quit doing it. If there is no business reason to do it, quit doing it.” Don also stressed one of the key benefits of SOX compliance, namely that they no longer had to spend time assessing the reliability of their information, which allowed them to spend more time on activities that required judgment and estimation, such as warranties, taxes and inventory. Trinity also started to benchmark their SOX processes and controls with other companies in their industry to identify additional opportunities for reducing their controls and streamlining their SOX testing. Mike Mason explained that they went to one of their peers to learn about their system access control processes. He found that even competing peer companies were open to sharing knowledge around SOX because they saw no advantage to keeping their SOX‐related processes secret. A peer’s SOX failure was not seen as a victory:
“It just puts a fear factor, at least in the finance world, of ‘they got caught on something, maybe I’m going to get caught on something.’ It’s almost like nobody wants anybody to get into trouble for SOX, because that just means we’re all going to get in trouble for something. It’s almost like you want everybody to win and for everyone to be doing SOX okay.”
In IT, Terri Wilson led a control streamlining effort similar to the one that the process improvement teams had carried out in the BUs in the prior year. Her analysis highlighted duplicate controls caused by inconsistent numbering and wording. She also found that some controls had multiple control owners. Her efforts reduced IT’s specific controls from 92 to 39. She also grouped the IT controls into a categorization scheme that resembled COBIT, of which she was unaware at the time (see Exhibit 12 for the categories and control samples). This process improvement effort not only led to a reduction in IT controls but also to a reduction of IT control gaps over time, as Table 4 demonstrates.
Table 4: IT Controls (2005-2007)

Year   Total IT Controls   IT SOX Controls Tested   IT Gaps
2005   555                 316                      48
2006   180                 156                       7
2007   125                 138 (see note 5)          1

2007: Year 4

In the fourth year of SOX compliance, the number of controls tested stabilized. There was a general sense among the members of the governance steering committee that Trinity’s SOX control infrastructure was as lean as it could be. Furthermore, they felt that their self-assessment and change control processes were robust and sustainable. For instance, they had established the following change control procedure for SOX controls:
• When a BU wanted to make a change to a SOX control, e.g., replace a control owner, change the control description, or replace a manual control with an automated one, a change request was sent to the internal audit group, where it was reviewed by the SOX Program Manager, Rhonda Krasselt.
• Depending on the change, either Rhonda Krasselt or Don Collum reviewed the change. They explained that as long as a proposed control effectively met a necessary control objective, they were likely to approve a control change. Once final approval had been granted by Don, the change was forwarded to the SOX administrator, who maintained the SOX database, which tracked all changes.
• Periodically, the governance steering committee was informed about the SOX control changes that had been made.
On average, about 1000 SOX changes were made every 6 months. Control changes were also made in response to new business processes and gaps that had been identified during testing. Rhonda Krasselt noted that, at times, it was difficult to convince BU staff to document their controls. They did not want to have to “sign off on more things” and were reluctant to give the audit department “more things to gap them on.” This sentiment seemed to express a “fear of the gap.”

Note 5: The total number of IT controls tested in 2007 was greater than the IT SOX controls because the auditors included control tests for a SAS70 audit.

Increasingly, the governance steering committee got involved in screening proposals for organizational change initiatives such as system upgrades or process improvements. This screening sought to identify the SOX implications of a given change, but it also sought to leverage business-driven initiatives in order to improve Trinity’s control environment. Thus, while it was difficult to make a business case for implementing systems and process changes for the purpose of reducing SOX compliance costs, improvements that served more strategic objectives could be used as a vehicle to achieve this goal. For instance, when Trinity was planning to implement a new time reporting system for payroll, the steering committee looked for ways to improve the timesheet approval process and to store the approval information electronically without compromising its auditability.

Pondering the Next Phase of the Compliance Journey

In early 2008, as Don Collum was getting ready for his meeting with Jarrod Bassman, he mulled over Trinity’s SOX compliance journey, its victories and its ongoing challenges. There were numerous victories. Chief among them was that their external auditor, E&Y, never identified any material weaknesses in Trinity’s financial reporting processes. Trinity also decreased the cost of SOX compliance every year, even though the number of controls they tested had stabilized. Additionally, they developed a system of accountability that clearly identified and tracked control owners. They also implemented governance structures such as the SOX steering committee, which was now actively involved in monitoring any organizational change with implications for Trinity’s internal controls. Any changes to processes related to financial reporting were being managed.
Lastly, there was a general acknowledgement in the organization that internal controls made business sense and that they were helpful to the organization. For instance, they sustained disciplined operations and provided more confidence in the data that various operational and financial processes generated.

Nevertheless, there were questions about the next steps in Trinity’s SOX compliance journey. How could they continue to reduce the costs of compliance, given that the number of SOX controls they tested was as lean as was possible with the company’s relatively decentralized IT infrastructure? Many SOX controls were manual. Was it time to invest in a company-wide, single-instance ERP system, a strategy that many global manufacturing firms had pursued? How could such an investment be justified? Were there other approaches that Trinity could rely on to further reduce the cost of SOX compliance? For instance, were there ways in which the cost of “catering to the audit side of the control” could be reduced?

At the same time, there were questions about the integrity of the control infrastructure as a whole. As Trinity only tested A controls for SOX, was there a danger that B controls, which were supposed to serve as back-ups to A controls, would fail compliance tests? Furthermore, many of the A controls assumed that C controls were in place. What if they weren’t? Without testing them periodically, how could Trinity be assured that there were no weaknesses in its control infrastructure?

Lastly, there was the question of the inevitable move to the International Financial Reporting Standards (IFRS). How well prepared was Trinity for this change? How could the governance, technology and process infrastructures that had been developed as part of SOX compliance be leveraged for this imminent transition?

Case Study Discussion Questions

1) Don Collum described Trinity as a likely candidate for a material weakness in the first year of SOX compliance. What were the factors critical to Trinity’s ultimate success in its first year of compliance?
2) In the design of their controls, Trinity moved from a practice‐based, bottom‐up approach to a risk management approach, reducing their controls that they tested from ~2,500 to ~500. Was their approach effective? How might they have proceeded more effectively?
3) In order to save SOX‐related expenses, should Trinity attempt to reduce its controls further? How could they further reduce their controls? What would it take? What are some of the barriers?
4) What other alternatives could Trinity pursue to reduce the SOX‐related expenses?
5) What objectives other than cost‐reduction should Trinity consider for its SOX compliance work in 2008?
6) How well do you think Trinity’s governance, technology and process infrastructure will serve the organization with respect to the transition to IFRS?
Exhibit 1: Trinity’s SOX Compliance Journey By the Numbers

Year   Controls Monitored   Controls Tested   Control Owners   Hours (internal)   Hours (external)   Total Compliance Cost
2004   2,485                2,440             516              3,000              25,000             $2.5 million
2005   2,752                1,096             487              6,269              6,791              $1.3 million
2006   1,882                524               328              6,540              6,464              $1.2 million
2007   2,180                505               434              5,915              5,456              $1.0 million

Source: Internal Company Documentation

Exhibit 2: Profile of Trinity’s Lines of Business (2008)

Trinity’s Rail Group (11 BUs): 39% of revenue, 32% of operating profit
  Largest manufacturer of railcars in North America
  Largest railcar axle manufacturer in North America
  Largest railcar coupler manufacturer in North America

Trinity’s Rail Leasing and Management Services Group: 15% of revenue, 28% of operating profit
  Leading provider of railcar leasing and management services

Trinity’s Construction Products Group (8 BUs): 19% of revenue, 11% of operating profit
  Largest full-line highway guardrail and crash cushion manufacturer in the United States
  Leading producer of concrete and aggregates in Texas

Trinity’s Energy Equipment Group: 13% of revenue, 12% of operating profit
  Leading full-line LPG tank manufacturer in North America
  Leading manufacturer of structural wind towers in North America

Trinity’s Inland Barge Group (3 BUs): 14% of revenue, 17% of operating profit
  Largest barge manufacturer in the United States
  Largest fiberglass hopper barge cover manufacturer in the United States

Source: August 2008 Company Presentation published on Trinity website & company-internal documentation.
Exhibit 3: Consolidated Income Statement (2005-2007)

Year Ended December 31 (in millions, except per share data)     2007        2006        2005
Revenues                                                     $3,832.8    $3,218.9    $2,709.7
Operating costs:
  Cost of revenues                                            3,091.1     2,628.2     2,324.4
  Selling, engineering, and administrative expenses             228.9       208.1       181.2
  Total operating costs                                       3,320.0     2,836.3     2,505.6
Operating profit                                                512.8       382.6       204.1
Other (income) expense:
  Interest income                                               (12.2)      (14.8)       (3.1)
  Interest expense                                               76.2        64.1        42.2
  Other, net                                                    (14.4)      (15.2)      (11.1)
  Total other (income) expense                                   49.6        34.1        28.0
Income from continuing operations before income taxes           463.2       348.5       176.1
Provision for income taxes:
  Current                                                       110.1        57.5        43.9
  Deferred                                                       59.3        75.5        21.7
  Total provision for income taxes                              169.4       133.0        65.6
Income from continuing operations                               293.8       215.5       110.5
Discontinued operations:
  Gain on sales of discontinued operations, net of
    provision for income taxes of $12.2                            ---        20.4         ---
  Loss from discontinued operations, net of benefit for
    income taxes of $(0.2), $(1.7), and $(8.3)                    (0.7)       (5.8)      (24.2)
Net income                                                      293.1       230.1        86.3
Dividends on Series B preferred stock                              ---         ---        (3.2)
Net income applicable to common shareholders                  $ 293.1     $ 230.1     $  83.1

Net income (loss) applicable to common shareholders per common share:
  Basic:
    Continuing operations                                     $  3.73     $  2.80     $  1.51
    Discontinued operations                                     (0.01)       0.19       (0.34)
    Total basic                                               $  3.72     $  2.99     $  1.17
  Diluted:
    Continuing operations                                     $  3.65     $  2.72     $  1.44
    Discontinued operations                                     (0.00)       0.18       (0.31)
    Total diluted                                             $  3.65     $  2.90     $  1.13
Weighted average number of shares outstanding:
  Basic                                                          78.7        76.9        71.0
  Diluted                                                        80.4        79.3        76.7
Dividends declared per common share                           $  0.26     $  0.21     $  0.17
Exhibit 4: Consolidated Balance Sheet (2006-2007)

(in millions)                                                    Dec. 31, 2007   Dec. 31, 2006
ASSETS
Cash and cash equivalents                                            $ 289.6         $ 311.5
Receivables (net of allowance for doubtful accounts of $4.0
  at December 31, 2007 and $3.8 at December 31, 2006)                  296.5           252.5
Inventories:
  Raw materials and supplies                                           302.6           316.5
  Work in process                                                      127.3           139.1
  Finished goods                                                       156.8            73.3
  Total inventories                                                    586.7           528.9
Property, plant and equipment, at cost                               2,849.6         2,318.8
Less accumulated depreciation                                         (779.8)         (728.5)
  Net property, plant and equipment                                  2,069.8         1,590.3
Goodwill                                                               503.5           463.7
Assets held for sale and discontinued operations                         3.6            10.8
Other assets                                                           293.5           267.9
Total assets                                                        $4,043.2        $3,425.6

LIABILITIES AND STOCKHOLDERS’ EQUITY
Accounts payable and accrued liabilities                             $ 684.3         $ 655.8
Debt:
  Recourse                                                             730.3           772.4
  Non-recourse                                                         643.9           426.5
  Total debt                                                         1,374.2         1,198.9
Deferred income                                                         58.4            42.9
Liabilities held for sale and discontinued operations                    1.2             7.8
Other liabilities                                                      198.4           116.7
Total liabilities                                                    2,316.5         2,022.1
Stockholders’ equity:
  Preferred stock (1.5 shares authorized and un-issued)                  ---             ---
  Common stock (shares authorized 200.0; shares issued and
    outstanding at December 31, 2007: 81.6; at December 31,
    2006: 80.0)                                                         81.6            80.0
  Capital in excess of par value                                       538.4           484.3
  Retained earnings                                                  1,177.8           908.8
  Accumulated other comprehensive loss                                 (61.6)          (69.2)
  Treasury stock (at December 31, 2007: 0.2 shares;
    at December 31, 2006: 0.0 shares)                                   (9.5)           (0.4)
  Total stockholders’ equity                                         1,726.7         1,403.5
Total liabilities and stockholders’ equity                          $4,043.2        $3,425.6
Exhibit 5: SOX Compliance Project Plan (Q2’03-Q4’04)

Timeline: 2003 Q3, Q4; 2004 Q1, Q2, Q3

Complete Pilot Projects: July 2003
Finalize Scope: August 2003
Document Control Environment: July to Nov. 2003
Finalize Gap Analysis and Develop Recommendations: Nov. to Dec. 2003
Roll-out Organizational Self Assessment: Dec. 2003 to March 2004
Conduct Validation Testing: March to June 2004
Management Assertion: June 2004
External Audit Testing: July to Sept. 2004
Audit Committee Meeting
Exhibit 6: Process Areas for SOX Compliance (2004)
Routine Transactions Non‐Routine Transactions Manufacturing Operations Restructuring Inventory Operations Legal Leasing/Finance Operations Acquisitions and Divestitures Mining Operations Regulatory Contract Operations Self‐insurance Revenue and AR Benefits and Pension Plan Adjustments Expenditure and AP Asset Impairment Payroll Intangibles/ Goodwill Impairment Capital Expenditures Treasury Financial Reporting Taxes Closing Consolidation Information Technology Journal Entries IT Control Environment Disclosure and Presentation Control Environment Fraud Prevention and Detection Control Environment Fraud Prevention/Detection
Exhibit 7: Flowchart of Trinity’s Rail Car Inventory Management Process (2004)
Exhibit 8: Control Matrix of Trinity’s Rail Car Inventory Management Process (2004)

Columns in the original matrix: Class, Operating Unit, Control Ref, Sub Process, Objective, Risk, Existing Control, COSO Category, P/D (preventive/detective), S/M (system/manual), Process Owner, Evidence, Frequency. Each control is listed below as one record.

Control 1 (Class A, Operating Unit: BU), Sub Process: Inventory Transactions
  Objective: Inventory is valued and recorded correctly.
  Risk: Inappropriate users may have the ability to access inventory transactions.
  Existing Control: Access to the UNIX/BPCS inventory module is restricted to only those plant and BU personnel with a direct and ongoing need for access. Access is removed for those employees who no longer require such access. Management reviews the list of users with access to the inventory module quarterly (documented in management's quarterly checklist and documented by the initialed user profile listing from BPCS).
  COSO Category: Authorization; P/D: P; S/M: S
  Process Owner: BU Controller
  Evidence: Documentation of user access rights restricting the recording of material receipts in BPCS to authorized personnel.
  Frequency: Quarterly

Control 2 (Class C, Operating Unit: plant), Sub Process: Inventory Transactions
  Objective: Inventory is physically secured and protected.
  Risk: Unauthorized personnel may receive or move inventory, which may result in inaccurate inventory transactions.
  Existing Control: The Materials Manager compares the security receiving reports and/or the packing slips to the BPCS receiving reports monthly. Any discrepancies are resolved by the Materials Manager. This review is to ensure that all inventory items are entered into the system timely and to prevent unauthorized use of inventory. Only authorized personnel make transfers to and from the BPCS storage locations.
  COSO Category: Authorization; P/D: P; S/M: M
  Process Owner: Materials Manager
  Evidence: Security log, documentation of user profile restricting access to transfer inventory items within BPCS, monthly BPCS Receiver Log, signed receivers, monthly BPCS BOL Log, signed BOL.
  Frequency: Monthly

Control 3 (Class A, Operating Unit: plant), Sub Process: Inventory Transactions
  Objective: Inventory is valued and recorded correctly.
  Risk: The value of inventory may be misstated. Inventory transactions may be incomplete, inaccurate, or posted to the wrong period.
  Existing Control: The Plant Accountant reviews the WIP Reports (including shop order status report) to ensure proper accounting at end of job. This review is performed to ensure that inventory valuation is properly recorded between raw materials, WIP, and finished goods.
  COSO Category: Reconciliation; P/D: D; S/M: M
  Process Owner: Plant Accountant
  Evidence: Open Shop Orders report created after shop order month-end close.
  Frequency: Monthly

Control 3.2 (Class A, Operating Unit: plant), Sub Process: Labor Transactions
  Objective: Labor costs are properly estimated.
  Risk: Cost estimates may be inaccurate.
  Existing Control: The standard labor rate, standard material prices and overhead burden rate are reviewed every six months. The Plant Accountant compares the current standard rate and the average actual rate. If it is determined that the standard rate needs to be adjusted, a request is submitted to the BU Controller and the BU President for approval.
  COSO Category: Management Review; P/D: P; S/M: M
  Process Owner: Plant Accountant
  Evidence: Reviewed standard rate analysis and appropriate approvals (if necessary).
  Frequency: Semi-Annually

Control 3.6 (Class A, Operating Unit: BU), Sub Process: Labor Transactions
  Objective: Labor expenses are calculated correctly.
  Risk: Labor expenses may be misstated.
  Existing Control: The Labor Journal Entry Template is formatted to calculate the labor efficiency variance, labor rate variance, overhead amount and allocation of direct and indirect manufacturing hours correctly. The journal entry also reconciles total payroll dollars to the labor allocation.
  COSO Category: System Configuration; P/D: P; S/M: S
  Process Owner: BU Controller
  Evidence: Plant ADI's are agreed with template ADI's to assure no hard code or other changes have been made.
  Frequency: Weekly

Control 4 (Class A, Operating Unit: plant), Sub Process: Inventory Transactions
  Objective: Inventory is valued and recorded correctly.
  Risk: The value of inventory may be misstated. Inventory transactions may be incomplete, inaccurate, or posted to the wrong period.
  Existing Control: Plant Accountant prepares a reconciliation of UNIX/BPCS to Oracle (book-to-perpetual) for raw materials and fabricated parts. Any variances are investigated and resolved. This control activity is documented through the plant accountant's monthly checklist; additionally, documentation supporting any adjustments is initialed and retained.
  COSO Category: Reconciliation; P/D: D; S/M: M
  Process Owner: Plant Accountant
  Evidence: Plant accountant's monthly checklist; additionally, documentation supporting any adjustments is initialed and retained.
  Frequency: Monthly

Control 5 (Class A, Operating Unit: plant), Sub Process: Physical Inventory
  Objective: Inventory is recorded in the G/L completely, accurately, and timely.
  Risk: Incomplete or unauthorized inventory adjustments can impact financial reports.
  Existing Control: Physical inventories are performed every 6 months. Plant personnel investigate and resolve significant discrepancies. The BU Controller reviews reconciliations and required adjustments. The detailed inventory binders with supporting schedules are prepared by plant personnel, reviewed and approved by the BU Controller, and completed within the company timeline.
  COSO Category: Management Review; P/D: D; S/M: M
  Process Owner: Plant Accountant
  Evidence: Inventory procedures binder with supporting documentation.
  Frequency: Semi-Annually

Control 6 (Class A, Operating Unit: BU), Sub Process: Obsolescence
  Objective: Inventory is valued and recorded correctly.
  Risk: Obsolete inventory may not be identified timely. Inventory is under/over stated.
  Existing Control: On a quarterly basis, procedures such as reviewing the slow moving report, examination of inventory, and discussions with operations exist to establish and review the obsolete/slow moving reserve. This control activity is documented through the BU Controller's monthly checklist. Additionally, the report summarizing unallocated and surplus inventory is initialed and maintained.
  COSO Category: Management Review; P/D: D; S/M: M
  Process Owner: BU Controller
  Evidence: Reviewed and signed unallocated and surplus inventory reports.
  Frequency: Quarterly

Control 7 (Class A, Operating Unit: plant), Sub Process: Product Costing
  Objective: Inventory exists and is properly valued.
  Risk: The value of inventory may be misstated, inventory transactions may be incomplete or posted to the wrong period.
  Existing Control: Plant Accountant reviews the purchase price variance report to confirm inventory is properly stated (i.e., purchase cost variances for inventory items are compared by month). This control activity is documented through the Plant Accountant's monthly checklist. Additionally, the report summarizing unallocated and surplus inventory is initialed and maintained.
  COSO Category: Management Review; P/D: D; S/M: M
  Process Owner: Plant Accountant
  Evidence: Plant Accountant's monthly checklist. Additionally, the report summarizing unallocated and surplus inventory is initialed and maintained.
  Frequency: Monthly

Control 8 (Class A, Operating Unit: BU), Sub Process: Inventory Transactions
  Objective: Inventory is recorded in the G/L completely, accurately, and timely.
  Risk: The value of inventory may be misstated, inventory transactions may be incomplete or posted to the wrong period.
  Existing Control: BU Controller reviews inventory balances on a monthly basis. This control activity is documented through the BU Controller's monthly checklist.
  COSO Category: Management Review; P/D: D; S/M: M
  Process Owner: BU Controller
  Evidence: Sign-off sheet documenting monthly review of the reconciliation binder containing reconciliations and adjustments after physical inventories.
  Frequency: Monthly

Control 9 (Class A, Operating Unit: BU), Sub Process: Inventory Transactions
  Objective: Inventory is recorded in the G/L completely, accurately, and timely.
  Risk: The value of inventory may be misstated, inventory transactions may be incomplete or posted to the wrong period.
  Existing Control: BU Controller reviews the COS report for reasonableness on a monthly basis. This control activity is documented through the BU Controller's monthly checklist. Additionally, the BU Controller documents this review by initialing and retaining the COS report.
  COSO Category: Management Review; P/D: D; S/M: M
  Process Owner: BU Controller
  Evidence: BU Controller checklist item documenting the performance of a monthly precap and recap job-specific analysis. Signed reports noting review (as applicable).
  Frequency: Monthly

Control 10 (Class A, Operating Unit: BU), Sub Process: Labor Transactions
  Objective: Labor expenses are calculated correctly.
  Risk: Labor expenses may be misstated.
  Existing Control: To-be control. The BU Accountant reviews the direct wages account monthly to verify that entries made during the Labor Journal Entry have completely allocated payroll. This review is documented in management's monthly checklist (BU Checklist) and supporting variance report review documents.
  COSO Category: Management Review; P/D: P; S/M: M
  Process Owner: BU Controller
  Evidence: Checklist item confirming zero balance, to be added to F.50.
  Frequency: Monthly

Control 11 (Class A, Operating Unit: BU), Sub Process: Cost of Sales
  Objective: Labor variances are correctly recorded.
  Risk: Cost of Sales may be misstated.
  Existing Control: The BU Controller reviews the plant variance reports monthly. Any material differences identified on the variance reports are researched, resolved and documented. This review is documented in management's monthly checklist (BU Checklist) and supporting variance report review documents.
  COSO Category: Management Review; P/D: P; S/M: M
  Process Owner: BU Controller
  Evidence: Labor journal entry template and labor source documents are support for the new checklist item to be added to F.50.
  Frequency: Monthly

Control 13 (Class A, Operating Unit: BU), Sub Process: Inventory Transactions
  Objective: Inventory is valued and recorded correctly.
  Risk: The value of inventory may be misstated. Inventory transactions may be incomplete, inaccurate, or posted to the wrong period.
  Existing Control: Monthly during close, an interface is run by the IT Operations Department that records all of the raw material transactions that have occurred throughout the month, including raw materials still in inventory and raw materials that have moved to WIP. The entire inventory interface will not be completed if there are any errors in the transactions. Any errors are resolved by the Plant Accountant. Once the errors are resolved, the Plant Accountant will notify IT Operations to re-run the interface. Successful completion of the interface is documented in the Plant Monthly closing checklist F.20.
  COSO Category: System Configuration; P/D: P; S/M: S
  Process Owner: IT (BU-level)
  Frequency: Monthly

Control 14a (Class A, Operating Unit: plant), Sub Process: Labor Transactions
  Objective: Actual labor costs are properly recorded.
  Risk: Cost of Sales may be misstated.
  Existing Control: Departmental supervisors review hourly employee timecards/edits from Kronos for reasonableness before signing off on the time card/edit for approval (daily). Semi-monthly employees are responsible for completing time sheets. Departmental supervisors review and sign the time sheets noting approval (semi-monthly). Approved summary of employee time punch detail and approved time edits as well as the approved monthly payroll register will be signed and retained. See control G.40a of the payroll control matrix.
  COSO Category: Management Review; P/D: P; S/M: M
  Process Owner: Payroll Clerk
  Evidence: Labor journal entry template and labor source documents are support for the new checklist item to be added to F.50.
  Frequency: Daily

Control 14b (Class A, Operating Unit: BU), Sub Process: Labor Transactions
  Objective: Actual labor costs are properly recorded.
  Risk: Cost of Sales may be misstated.
  Existing Control: To-be control. BU Controller reviews the labor journal entry template to verify that the labor values were correctly entered into the template. This will be added to the BU Controller checklist at F.50.
  COSO Category: Management Review; P/D: P; S/M: M
  Process Owner: BU Controller
  Evidence: Labor journal entry template and labor source documents are support for the new checklist item to be added to F.50.
  Frequency: Daily
Exhibit 9: Flowchart of Trinity’s Rail Car Inventory Management Process (2005)
Exhibit 10: Control Matrix of Trinity’s Rail Car Inventory Management Process (2005)
Columns: Class | Op Unit | Sub Process | Cntrl Ref | Objective | Risk | Existing Control | Evidence | Freq | COSO Category | P/D | S/M | Process Owner

Control 1 | Class: A | Op Unit: BU | Sub Process: Inventory Transactions
Objective: Access to inventory transactions is limited to authorized personnel.
Risk: Inappropriate users have the ability to access inventory transactions.
Existing Control: Access to the legacy inventory module is restricted to only those plant and BU personnel with a direct and ongoing need for access. Access is removed for those employees who no longer require such access. The Controller reviews the list of users with access to the inventory module quarterly.
Evidence: Signed and retained authorized user list.
Freq: Quarterly | COSO Category: System Access | P/D: P | S/M: S | Process Owner: BU Controller

Control 2 | Class: A | Op Unit: plant | Sub Process: Inventory Transactions
Objective: Inventory is valued and recorded correctly.
Risk: The value of inventory may be misstated. Inventory transactions may be incomplete, inaccurate, or posted to the wrong period.
Existing Control: Plant receiving compares the shipper’s document to the receiving report in the legacy system.
Evidence: Signed and dated evidence of review on the receiving report.
Freq: Weekly | COSO Category: Management Review | P/D: D | S/M: M | Process Owner: Plant Receiving Personnel

Control 3 | Class: A | Op Unit: plant | Sub Process: Labor Transactions
Objective: Actual labor costs are properly recorded.
Risk: Cost of sales may be misstated or misclassed.
Existing Control: Supervisor reviews daily labor and/or adjustments to ensure that labor is being coded and properly distributed.
Evidence: Labor system reports are signed and dated.
Freq: Weekly | COSO Category: Management Review | P/D: P | S/M: M | Process Owner: Plant Payroll Clerk

Control 4 | Class: A | Op Unit: plant | Sub Process: Labor Transactions
Objective: Labor expenses are calculated and coded correctly.
Risk: Labor expenses may be misstated.
Existing Control: Accounting personnel validate the hourly distribution to ensure hours are properly allocated.
Evidence: Signed and dated evidence of review.
Freq: Monthly | COSO Category: Management Review | P/D: P | S/M: M | Process Owner: Accounting Personnel

Control 5 | Class: A | Op Unit: plant | Sub Process: Labor Transactions
Objective: Labor costs are properly estimated.
Risk: Cost estimates may be inaccurate.
Existing Control: Controller or Sr. Accountant (different from the preparer of the entry) reviews the labor journal entry to ensure hours are properly reviewed for accuracy.
Evidence: Signed and dated evidence of review.
Freq: Monthly | COSO Category: Management Review | P/D: D | S/M: M | Process Owner: BU Controller

Control 6 | Class: A | Op Unit: plant | Sub Process: Inventory Transactions
Objective: Inventory is valued and recorded correctly.
Risk: The value of inventory may be misstated. Inventory transactions may be incomplete, inaccurate, or posted to the wrong period or account.
Existing Control: Material management compares the shop orders to the material transfer documentation. Any significant issues are investigated and resolved.
Evidence: Shop Orders report is signed and dated.
Freq: Monthly | COSO Category: Management Review | P/D: P | S/M: M | Process Owner: Material Management

Control 7 | Class: A | Op Unit: plant | Sub Process: Inventory Transactions
Objective: Inventory is recorded to the G/L completely, accurately, and timely.
Risk: Inventory transactions are incomplete, posted to the wrong period, or not accurately reported in the G/L.
Existing Control: The WIP Material balance per Oracle is compared to the legacy system monthly. Any significant variances are investigated and resolved.
Evidence: Signed WIP Reconciliation.
Freq: Monthly | COSO Category: Reconciliation | P/D: P | S/M: M | Process Owner: Plant Accountant

Control 8 | Class: A | Op Unit: BU | Sub Process: Cost of Sales
Objective: Inventory is recorded in the G/L completely, accurately, and timely.
Risk: The value of inventory may be misstated. Inventory transactions may be incomplete or posted to the wrong period.
Existing Control: BU Controller reviews cost of sales on a monthly basis. Any significant issues are investigated and resolved.
Evidence: Evidence documented in the monthly checklist, which references secondary documentation.
Freq: Monthly | COSO Category: Management Review | P/D: D | S/M: M | Process Owner: BU Controller

Control 9 | Class: A | Op Unit: plant | Sub Process: Reconciliation
Objective: Inventory is valued and recorded correctly.
Risk: The value of inventory may be misstated; inventory transactions may be incomplete or posted to the wrong period.
Existing Control: Accounting personnel review inventory on a monthly basis, comparing the legacy system to Oracle for all categories. Any significant issues are investigated and resolved.
Evidence: Inventory reconciliation is approved and filed in the month-end binder.
Freq: Monthly | COSO Category: Management Review | P/D: D | S/M: M | Process Owner: Plant Accountant

Control 10 | Class: A | Op Unit: plant | Sub Process: Product Costing
Objective: Inventory exists and is properly valued.
Risk: The value of inventory may be misstated; inventory transactions may be incomplete or posted to the wrong period.
Existing Control: Accounting Personnel review the purchase price variance report to confirm inventory is properly stated. Any significant issues are investigated and resolved.
Evidence: Reviewed and signed Purchase Price Variance Report.
Freq: Monthly | COSO Category: Management Review | P/D: D | S/M: M | Process Owner: Accounting Personnel

Control 11 | Class: C | Op Unit: BU | Sub Process: Inventory Transactions
Objective: Inventory is valued and recorded correctly.
Risk: The value of inventory may be misstated. Inventory transactions may be incomplete, inaccurate, or posted to the wrong period.
Existing Control: Monthly during close, an interface is run by the IT Operations Department that records all of the raw material transactions that have occurred throughout the month. Any errors are resolved by the Plant Accountant and the Plant IT Operations individual. Once the errors are resolved, the Plant Accountant notifies IT Operations to re-run the interface.
Evidence: Successful completion of the interface is documented in the Plant Monthly closing checklist.
Freq: Monthly | COSO Category: System Configuration | P/D: P | S/M: S | Process Owner: BU Controller

Control 12 | Class: A | Op Unit: BU | Sub Process: Inventory Transactions
Objective: Inventory is recorded in the G/L completely, accurately, and timely.
Risk: The value of inventory may be misstated. Inventory transactions may be incomplete or posted to the wrong period.
Existing Control: BU Controller reviews summary inventory balances on a monthly basis.
Evidence: Signed and approved balance sheet or plant locations schedule.
Freq: Monthly | COSO Category: Management Review | P/D: D | S/M: M | Process Owner: BU Controller

Control 13 | Class: A | Op Unit: plant | Sub Process: Physical Inventory
Objective: Inventory is recorded in the G/L completely, accurately, and timely.
Risk: The value of inventory is misstated or inventory does not exist.
Existing Control: Physical inventories are performed every 6 months. Plant personnel investigate and resolve significant discrepancies. Inventory schedules are prepared by accounting personnel, reviewed and approved by the BU Controller.
Evidence: Physical Inventory reconciliation and supporting documentation.
Freq: Semi-Annually | COSO Category: Reconciliation | P/D: D | S/M: M | Process Owner: Plant Accountant

Control 14 | Class: C | Op Unit: plant | Sub Process: Physical Inventory
Objective: Procedures for segregating the inventory count process from the recording of the inventory count have been established.
Risk: Incomplete or unauthorized inventory adjustments can impact financial reports.
Existing Control: Authorized users who perform physical inventory counts are different from those users who are able to enter counts. Only authorized users have the ability to post the final count, where applicable.
Evidence: Observer checklist (checklist which shows the segregation of duties review).
Freq: Semi-Annually | COSO Category: Segregation of Duties | P/D: P | S/M: S | Process Owner: Warehouse personnel

Control 15 | Class: A | Op Unit: BU | Sub Process: Labor Transactions
Objective: Labor costs are properly estimated.
Risk: Cost estimates may be inaccurate.
Existing Control: The standard labor rate and overhead burden rate are reviewed every six months. The BU Controller compares the current standard rate and the average actual rate for the standard labor rate and the overhead burden rate. If it is determined that the standard rate needs to be adjusted, a request is submitted to the BU President for approval.
Evidence: Labor and burden analysis is reviewed and appropriate approval is obtained.
Freq: Semi-Annually | COSO Category: Management Review | P/D: D | S/M: M | Process Owner: BU Controller

Control 16 | Class: C | Op Unit: BU | Sub Process: Product Costing
Objective: Inventory balances and labor costs are properly estimated.
Risk: Cost estimates may be inaccurate.
Existing Control: Standard material prices are reviewed every six months against the lower of cost or market, or the buyer’s standard based on contract pricing.
Evidence: Support for the lower of cost or market calculation, or the buyer’s standard based on contract pricing.
Freq: Semi-Annually | COSO Category: Management Review | P/D: D | S/M: M | Process Owner: BU Controller

Control 17 | Class: A | Op Unit: plant | Sub Process: Obsolescence
Objective: Inventory is recorded in the G/L completely, accurately, and timely.
Risk: Obsolete inventory may not be identified timely. Inventory may be under/overstated.
Existing Control: Materials Manager analyzes obsolete/surplus inventory per the surplus inventory procedure issued on 9/1/05.
Evidence: Evidence of review of the obsolete/surplus analysis by the Materials Manager and journal entry support as applicable.
Freq: Quarterly | COSO Category: Management Review | P/D: D | S/M: M | Process Owner: Materials Manager
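Controls #7 and #9 in this matrix are the same pattern: a balance per category in the legacy system is compared to Oracle each month, significant variances are investigated and resolved, and a signed reconciliation is filed as evidence. The following is an added illustration of that pattern in code, not Trinity’s or KPMG’s procedure. The category names, balances, the materiality thresholds and the rule that the reviewer must differ from the preparer (borrowed from control #5) are assumptions made for the example.

```python
"""Added example (not Trinity's or KPMG's code): an automated legacy-to-Oracle
inventory reconciliation in the shape of Exhibit 10 controls #7 and #9.
Ledger categories, balances and materiality thresholds below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed materiality rule (constructed): a variance is "significant" when it
# exceeds an absolute amount or a percentage of the larger of the two balances.
ABS_THRESHOLD = 5_000.00
PCT_THRESHOLD = 0.01


@dataclass(frozen=True)
class Variance:
    """One reconciliation line: the same inventory category in both ledgers."""
    category: str
    legacy: float
    oracle: float

    @property
    def difference(self) -> float:
        return round(self.oracle - self.legacy, 2)

    @property
    def significant(self) -> bool:
        base = max(abs(self.oracle), abs(self.legacy))
        if base == 0:
            return False
        return abs(self.difference) > ABS_THRESHOLD or abs(self.difference) / base > PCT_THRESHOLD


def reconcile(legacy: dict[str, float], oracle: dict[str, float]) -> list[Variance]:
    """Compare every category present in either ledger. A category missing on one
    side is treated as a zero balance there, so a category the month-end interface
    never posted surfaces as a variance instead of dropping out of the comparison."""
    categories = sorted(set(legacy) | set(oracle))
    return [Variance(c, legacy.get(c, 0.0), oracle.get(c, 0.0)) for c in categories]


def reconciliation_record(legacy: dict[str, float], oracle: dict[str, float],
                          period: str, preparer: str, reviewer: str) -> dict:
    """Assemble the evidence the control calls for: every line, the exceptions that
    must be investigated and resolved, and the sign-off. Requiring the reviewer to be
    a different person from the preparer is an assumption taken from control #5."""
    if preparer == reviewer:
        raise ValueError("reviewer must be a different person from the preparer")
    lines = reconcile(legacy, oracle)
    exceptions = [v for v in lines if v.significant]
    return {
        "period": period,
        "lines": lines,
        "exceptions": exceptions,
        "status": "EXCEPTIONS" if exceptions else "RECONCILED",
        "prepared_by": preparer,
        "reviewed_by": reviewer,
    }


# Constructed sample balances for one plant, one month. "Supplies" exists only in
# the legacy system, i.e. the interface never posted it to Oracle.
LEGACY_BALANCES = {
    "Raw Material": 1_250_000.00,
    "WIP Material": 842_300.50,
    "Finished Goods": 2_100_000.00,
    "Supplies": 18_400.00,
}
ORACLE_BALANCES = {
    "Raw Material": 1_250_000.00,
    "WIP Material": 851_300.50,
    "Finished Goods": 2_100_000.00,
}

if __name__ == "__main__":
    record = reconciliation_record(LEGACY_BALANCES, ORACLE_BALANCES,
                                   "2005-10", "plant_accountant", "bu_controller")
    print(record["status"])
    for v in record["exceptions"]:
        print(f"{v.category}: legacy {v.legacy:,.2f} vs Oracle {v.oracle:,.2f} "
              f"(difference {v.difference:+,.2f})")
```

The point of treating a missing category as a zero balance is the failure mode behind control #11: if the month-end interface did not post a category, a comparison restricted to categories present in both systems would report a clean reconciliation.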
Exhibit 11: Inventory Management Controls Eliminated in Trinity Rail Car (2006)
Columns: Cntrl Ref | Class | Objective | Risk | Existing Control | Chg Control # | Change Control Notes

Control 7 | Class: A
Objective: Inventory is recorded to the G/L completely, accurately, and timely.
Risk: Inventory transactions are incomplete, posted to the wrong period, or not accurately reported in the G/L.
Existing Control: The WIP Material balance per Oracle is compared to the legacy system monthly. Any significant variances are investigated and resolved.
Chg Control #: Q2-2006-CntrlImp-49
Change Control Notes: Inventory Team Recommendation: Removal of this control. Reason: Covered by Inventory Control # 9, monthly sub ledger to Oracle reconciliation. Mitigated by Inventory Control # 13, physical inventory reconciliation. Mitigated by Month End Controls # 4 & 5, financial statement review and analysis, including balance sheet review and margin analysis.

Control 8 | Class: A
Objective: Inventory is recorded in the G/L completely, accurately, and timely.
Risk: The value of inventory may be misstated. Inventory transactions may be incomplete or posted to the wrong period.
Existing Control: BU Controller reviews cost of sales on a monthly basis. Any significant issues are investigated and resolved.
Chg Control #: Q2-2006-CntrlImp-50
Change Control Notes: Inventory Team Recommendation: Removal of this control. Reason: Covered by Month End Controls # 4 & 5, financial statement review, particularly gross profit, product, and margin reviews. Mitigated by forecast to actual variance analysis, especially cost & margin analysis. Mitigated somewhat by Inventory Control # 13 - physical inventory reconciliation, and # 16 - material standards review. Removes redundant control. Reduces risk of failure. Reduces cost of compliance.

Control 12 | Class: A
Objective: Inventory is recorded in the G/L completely, accurately, and timely.
Risk: The value of inventory may be misstated. Inventory transactions may be incomplete or posted to the wrong period.
Existing Control: BU Controller reviews summary inventory balances on a monthly basis.
Chg Control #: Q2-2006-CntrlImp-52
Change Control Notes: Inventory Team Recommendation: Removal of this control. Reason: Covered by Month End Controls # 4 & 5, financial statement review, particularly balance sheet trends. Mitigated by forecast to actual variance analysis, especially inventory variances. Mitigated somewhat by Inventory Control # 13 - physical inventory reconciliation, and # 17 - surplus inventory review. Removes redundant control. Reduces risk of failure. Reduces cost of compliance.
Exhibit 12: IT SOX Control Framework with Examples
Columns: Control Category | Control # | Control

Change Management & Projects | 9 | A formal process for emergency changes is in place to help ensure they are appropriately authorized prior to promotion to production.
Administrative | 35 | All third-party providers’ services are identified and formal contracts are in place.
Operations | 66 | Backup copies of data files and programs are taken and rotated off-site regularly. Backup schedules are documented.
Physical Access | 46 | Access to the Trinity Corporate Campus is controlled and monitored by badge access, security guard and security cameras.
System Access | 38 | Programmers do not have access to production. Procedures outlining exceptions have been developed. Only non-programmers can migrate changes to production.
Security | 40 | Logical access controls are applied. These include restricted number of sign-on attempts, automatic password changes, and minimum length of passwords.