FINAL PROJECT
Teaching case
The SOX compliance journey at Trinity
Industries Ulrike Schultze
ITOM, Cox School of Business, Southern Methodist University, Dallas, Texas, USA
Correspondence: U Schultze, ITOM, Cox School of Business, Southern Methodist University, Dallas, Texas, USA. Tel: 214-768-4265; Fax: 214-768-4099; E-mails: [email protected]; [email protected]
Abstract Process and information technology changes in organizations are not always voluntary and motivated by strategic goals. Instead, they may be imposed on organizations by regulatory bodies and certifying agencies. This teaching case focuses on one company’s multi-year journey of making process and information technology changes so as to comply with a new set of regulations known as the Sarbanes-Oxley Act (SOX). Even though SOX compliance work focuses on designing, implementing, and testing internal controls, these controls are nothing but activities designed to ensure that processes implicated in the production of financial information are completed correctly and that the financial representations they generate are reliable. Thus, despite its emphasis on internal controls, accounting and auditing, this teaching case provides students with insights into compliance-related process improvement and system integration in general. Journal of Information Technology Teaching Cases (2011) 1, 91–113. doi:10.1057/jittc.2011.11; published online 4 October 2011 Keywords: compliance-related process improvement; internal controls; Sarbanes-Oxley Act; systems integration
I n his office overlooking the Trinity River flats in Dallas, TX, Don Collum, VP and Chief Audit Executive at Trinity Industries, was about to chair his weekly meeting with
KPMG partner, Jarrod Bassman, who had been overseeing the KPMG engagement for Sarbanes-Oxley Act (SOX) compliance at Trinity since 2003. It was mid-January 2008, and the external audit report regarding Trinity’s SOX compliance for the year ending December 2007 was on the meeting agenda. Once again they could pat themselves on the back: for the fourth year in a row, Trinity passed its SOX audit without material weaknesses.1
Reflecting on Trinity’s SOX compliance journey, Don identified numerous accomplishments. In October 2003, when he first began consulting with Trinity Industries on their SOX initiative, he described the company as a ‘candidate of a company that could have had a material weakness as defined by SOX’ even though it was a highly successful, well-run and disciplined organization that consistently delivered shareholder value through growth and had never had cause to restate its earnings. But when it came to SOX compliance, Trinity faced the same challenges that most companies did, namely a general lack of process and control documentation and evidence that controls had been performed. In addition, Trinity’s operations were
highly diversified and decentralized, and their information systems were fragmented. Trinity had forgone the im- plementation of an integrated enterprise system even during the Y2K scare, citing the unique nature and requirements of its 22 business units (BUs). This meant that the company relied on its three versions of BPCS, a Business Planning and Control System, for its cost accounting and production scheduling system in its approximately 70 plants.2 Even though the different versions all ran on the AS/400 computing platform, they were nevertheless operating in seven different control environments, that is, different IT organizations were maintaining them and the implementations had been customized to varying degrees. As a result, a separate set of controls had to be developed, maintained and tested for each of these control environments.
Despite these challenges, all their SOX compliance audits had identified no material weaknesses at Trinity. Further- more, the number of SOX controls Trinity tested had halved from year to year (see Table 1), thereby decreasing the compliance costs.
But this was not a time on rest on their laurels. Don, who became Trinity’s Chief Audit Executive in May 2004, was aware of a number of challenges that Trinity would have to
Journal of Information Technology Teaching Cases (2011) 1, 91– 113 & 2011 JITTC Palgrave Macmillan All rights reserved 2043-8869/11
palgrave-journals.com/jittc/
tackle and he wanted to set some specific goals that would guide their SOX work for 2008. One pressing issue was the further reduction of audit costs. There was a general consensus within the audit group that the approximately 500 controls that Trinity had tested for the last 2 years represented as lean a control infrastructure as the company could muster without undergoing significant IT change. Should Trinity implement an ERP system after all? Should they try to emulate a leading global manufacturer that claimed to test only 25 controls for SOX thanks to a single instance ERP system representing global operations? Or were there other cost-reduction alternatives Trinity could pursue?
Another issue related to the International Financial Reporting Standards (IFRS). It was clear that IFRS legislation would be passed in the United States; the only question was when. For Trinity, this raised questions about when and how to prepare for it.
Company background Trinity Industries was born out of the 1958 merger between Trinity Steel and Dallas Tank, both struggling propane tank companies located in Dallas. W Ray Wallace, who was hired as an engineer and the 17th employee at Trinity Steel in 1946,3 became Trinity Industry’s first CEO. He led the company for 40 years, turning the struggling propane tank manufacturer into a US$2.4 billion provider of diversified products and services to the industrial, energy, transporta- tion, and construction sectors.
In July 1998, Timothy Wallace, Ray’s son, took over the helm as CEO of Trinity Industries. He joined Trinity in 1976, the year he graduated with a B.B.A. from Southern Methodist University. Working his way from the ground up and gaining first-hand experience with the various Trinity businesses provided Tim with the kind of in-depth knowl- edge he needed to lead the company and grow it into the $3.8 billion enterprise it became in 2007.
Trinity manufactured freight and tank rail cars to transport dry cargo and liquefied or pressurized commod- ities, respectively, dry-cargo and tank barges, propane tanks, highway guardrail and crash cushions, and structural wind towers. Strategically, Trinity sought to hold a leader- ship position in each of its markets. Thus, Trinity Rail combined resources of the leading manufacturer of railcars in North America. Trinity’s Marine Products group was the largest manufacturer of inland barges and fiberglass covers for barges in the United States. Furthermore, Trinity’s Highway Products group was the only full-line manufac- turer of highway guardrail and crash cushions in the United States.
The company also provided concrete and aggregates, which they mined themselves to the construction industry. Transit Mix Concrete & Materials Company, Trinity Materials Inc. and Armor Materials Inc. were leading producers of concrete, aggregates, and asphalt in Texas. Despite Trinity’s manufacturing focus, the Railcar Leasing group was one of its fastest growing businesses and a leading provider of railcar leasing and management services. It offered a variety of railcar leasing options, including full service, net, and per diem leases on either new railcars built by Trinity’s Rail group or railcars from the Leasing group’s lease fleet.
With manufacturing facilities in the United States and Mexico, Trinity had 14,400 employees working in 22 BUs in 2007. The BUs were grouped into five principal groups or lines of business (LOB) for financial reporting purposes: the Rail Group, the Railcar Leasing and Management Services Group, the Inland Barge Group, the Construction Products Group, and the Energy Equipment Group (see Table 2 for short profiles on each LOB). The Rail Group was the largest, employing about half of Trinity’s workforce and generating 39% of it revenues.
Trinity’s leadership consistently focused on being a premier, multi-industry growth company, a vision that it generally achieved. For instance, since 2005, revenues increased by 19% a year (see Tables 3 and 4 for more details on Trinity Industry’s recent financial performance).
The SOX of 2002 Enacted as a federal law in June 2002, the SOX was a response to the corporate and accounting scandals perpetrated by companies like Enron, WorldCom, and Adelphia Communications. These scandals not only cost investor’s billions of dollars, but also shook the public’s confidence in the nation’s security markets. In an act consisting of 11 sections, SOX legislated, among others, enhanced financial reporting standards for public compa- nies, officers’ individual responsibilities for the accuracy of corporate financial reports, and an oversight body, the PCAOB, to regulate public accounting companies in their capacity as external auditors.
Public companies were given until December 2004 to comply with SOX. For most, this meant implementing two key provisions of the act: Section 302, which dealt with the internal certification of controls, and Section 404, which focused on the assessment of internal controls. Section 302 mandated a set of internal procedures designed to ensure accurate financial disclosure. The signing officers had to certify that they were ‘responsible for establishing and
Table 1 Trinity’s SOX compliance journey by the numbers
Year Controls monitored
Controls tested
Control owners
Testing hours (internal)
Testing hours (external)
Total testing cost (in millions)
2004 2485 2440 516 3000 25,000 $2.5 2005 2752 1096 487 6269 6791 $1.3 2006 1882 524 328 6540 6464 $1.2 2007 2180 505 434 5915 5456 $1.0
Source: Internal Company Documentation.
The SOX compliance journey at Trinity Industries U Schultze 92
Table 2 Profile of Trinity’s lines of business (2008)
Trinity’s Rail Group (11 BUs) % Revenue: 39% % Operating Profit: 32% Largest manufacturer of railcars in North America Largest railcar axle manufacturer in North America Largest railcar coupler manufacturer in North America Trinity’s Rail Leasing and Management Services Group % Revenue: 15% % Operating Profit: 28% Leading provider of railcar leasing and management services Trinity’s Construction Products Group (8 BUs) % Revenue: 19% % Operating Profit: 11% Largest full-line highway guardrail and crash cushion manufacturer in the United States Leading producer of concrete and aggregates in Texas Trinity’s Energy Equipment Group % Revenue: 13% % Operating Profit: 12% Leading full-line LPG tank manufacturer in North America Leading manufacturer of structural wind towers in North America Trinity’s Inland Barge Group (3 BUs) % Revenue: 14% % Operating Profit: 17% Largest barge manufacturer in the United States Largest fiberglass hopper barge cover manufacturer in the United States
Source: August 2008 Company Presentation published on Trinity website & company-internal documentation.
Table 3 Consolidated income statement (2005–2007)
Year ended 31 December
2007 2006 2005 (in millions, except per share data)
Revenues $3832.8 $3218.9 $2709.7 Operating Costs
Cost of revenues 3091.1 2628.2 2324.4 Selling, engineering, and administrative expenses 228.9 208.1 181.2
3320.0 2836.3 2505.6
Operating profit 512.8 382.6 204.1 Other (income) expense
Interest income (12.2) (14.8) (3.1) Interest expense 76.2 64.1 42.2 Other, net (14.4) (15.2) (11.1)
49.6 34.1 28.0
Income from continuing operations before income taxes 463.2 348.5 176.1 Provision for income taxes
Current 110.1 57.5 43.9 Deferred 59.3 75.5 21.7
169.4 133.0 65.6
Income from continuing operations 293.8 215.5 110.5 Discontinued operations
Gain on sales of discontinued operations, net of provision for income taxes of $12.2 — 20.4 — Loss from discontinued operations, net of benefit for income taxes of $(0.2) $(1.7), and $(8.3) (0.7) (5.8) (24.2)
Net income 293.1 230.1 86.3 Dividends on Series B preferred stock — — (3.2) Net income applicable to common shareholders $293.1 $230.1 $83.1
Net income (loss) applicable to common shareholders per common share Basic
Continuing operations $3.73 $2.80 $1.51 Discontinued operations (0.01) 0.19 (0.34)
$3.72 $2.99 $1.17
Diluted Continuing operations $3.65 $2.72 $1.44 Discontinued operations (0.00) 0.18 (0.31)
$3.65 $2.90 $1.13 Weighted average number of shares outstanding
Basic 78.7 76.9 71.0 Diluted 80.4 79.3 76.7
Dividends declared per common share $0.26 $0.21 $0.17
The SOX compliance journey at Trinity Industries U Schultze 93
maintaining internal controls’ and had ‘designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared’ (15 U.S.C.4 y 7241(a)). The officers had to ‘have evaluated the effective- ness of the company’s internal controls as of a date within 90 days before the report’ and ‘presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.’
Section 404 required management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. This was the most costly aspect of the legislation for companies to implement, due to the effort involved in documenting and testing manual and
automated controls. Management was also required to produce an ‘internal control report’ that acknowledged ‘the responsibility of management for establishing and main- taining an adequate internal control structure and proce- dures for financial reporting’ (15 U.S.C. y 7262(a)). The report also had to ‘contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and proce- dures of the issuer for financial reporting.’ Managers generally adopted an internal control framework, such as COSO,5 for this assessment.
2003Q3–2004Q4: year 1 of the SOX compliance journey During the time that SOX legislation was making its way through Congress, Trinity was making significant changes
Table 4 Consolidated balance sheet (2006–2007)
ASSETS 31 December
2007
31 December
2006 (in millions)
Cash and cash equivalents $289.6 $311.5 Receivables (net of allowance for doubtful accounts of $4.0 at 31 December 2007 and $3.8 at 31 December 2006)
296.5 252.5
Inventories Raw materials and supplies 302.6 316.5 Work in process 127.3 139.1 Finished goods 156.8 73.3
586.7 528.9
Property, plant and equipment, at cost 2849.6 2318.8 Less accumulated depreciation (779.8) (728.5)
2069.8 1590.3
Goodwill 503.5 463.7 Assets held for sale and discontinued operations 3.6 10.8 Other assets 293.5 267.9
$4043.2 $3425.6
LIABILITIES AND STOCKHOLDERS’ EQUITY Accounts payable and accrued liabilities $684.3 $655.8 Debt
Recourse 730.3 772.4 Non-recourse 643.9 426.5
1374.2 1198.9
Deferred income 58.4 42.9 Liabilities held for sale and discontinued operations 1.2 7.8 Other liabilities 198.4 116.7
2316.5 2022.1
Stockholders’ equity Preferred stock – 1.5 shares authorized and un-issued — — Common stock – shares authorized – 200.0; shares issued and outstanding at 31 December 2007 – 81.6.6; at 31 December 2006 – 80.0
81.6 80.0
Capital in excess of par value 538.4 484.3 Retained earnings 1177.8 908.8 Accumulated other comprehensive loss (61.6) (69.2) Treasury stock – at 31 December 2007 – 0.2 shares; at 31 December 2006 – 0.0 shares (9.5) (0.4)
1726.7 1403.5 $4043.2 $3425.6
The SOX compliance journey at Trinity Industries U Schultze 94
to its financial reporting processes. It reengineered financial reporting and standardized on one financial reporting system. This meant that the 22 – one per BU – financial reporting processes were replaced with one centralized process. This involved replacing the four general ledger packages running at Trinity with one instance of Oracle Financials. It was estimated that the Oracle project saved Trinity $.5 million annually in SOX compliance expenses.
In addition, Trinity developed the Accounting Service Center (ASC), which provided centralized, outsourced services for routine, organization-wide transaction proces- sing such as billing, payroll, and AP. Thus, instead of individual BUs processing their own accounts payable transactions, these accounting transactions were completed centrally and, by implication, standardized. Even though the ASC was run and operated by an independent service provider, most of its Trinity-related operations were housed on the Trinity campus in Dallas.
While the co-location strengthened Trinity’s ability to assess the outsourcer’s controls, the up-front, data capture work was eventually moved to India for an additional 20% cost savings. This required an annual compliance audit by a Trinity representative at the outsourcer’s facilities in India.
Even though the $28 million Oracle initiative was instigated primarily to improve reporting effectiveness, that is, facilitate more timely closing of books and improve the availability of financial information, Chas Michel, Trinity’s Chief Accounting Officer, highlighted that the project was given priority in anticipation of SOX:
You knew the legislation was coming and you had kind of an idea of when. You could see it. Clearly it was going to happen.
Jake Farkas, Director of Finance and Accounting, led both the Oracle Financials and ASC outsourcing initiatives. Relying on a rigorous project management approach, organizational structures like a steering committee and a project management office (PMO), and expertise from
consulting resources, both projects were successfully implemented in April 2003. Both were on time and within budget. This was a considerable accomplishment especially in light of the challenges Trinity had previously experienced with large-scale IT projects and the deep-seated resistance organizational members harbored toward outsourcing.
The project team learned valuable lessons from the Oracle and ACS projects, including the importance of project management and change management. The team’s careful analysis of the financial processes in the various BUs also highlighted the lack of process and control documentation throughout the organization. It became increasingly clear that when it came to SOX compliance, Trinity had a lot of work to do.
Even though he was part of the Finance organization, Jake was tapped to lead the SOX compliance project, in large part because Trinity’s internal audit group consisted of only two people. Leveraging the existing project team and the lessons learned from the Oracle and ASC initiatives, he formed both a PMO and a steering committee to oversee the project. The steering committee reported to the CFO, was led by the CAO, and its members included the BU CFOs as well as representatives from Internal Audit, KPMG, and E&Y, the external auditor.
Jake secured advisory knowledge from KPMG and directed them to approach the compliance effort from a project management perspective. The KPMG team did just that and outlined the following project phases (see Figure 1 for a GANTT Chart):
Project scoping The purpose of this project-scoping phase was to build a project methodology, to develop a common language among the participants (i.e., E&Y, KMPG, and the Trinity steering committee), to estimate the project’s size and determine the right level of documentation. In order to estimate the size of the SOX project, the steering committee assessed the degree to which key processes (see Table 5 for a list of process areas) were standardized and/or
2003 2004 Q3 Q4 Q1 Q2 Q3
Complete Pilot Projects Finalize Scope Document Control Environment
July ? Nov. 2003
Recommendations Nov.-Dec. 2003
Roll-out Organizational Self Assessment
Dec. 2003 – March 2004
Conduct Validation Testing
March –?June 2004
Management Assertion External Audit Testing Audit Committee Meeting
July 2003 August 2003
Finalize Gap Analysis and Develop
June 2004 July – Sept. 2004
Figure 1 SOX compliance project plan (Q2003–Q4004).
The SOX compliance journey at Trinity Industries U Schultze 95
centralized. Their analysis revealed that there were numerous processes that were conducted in multiple locations and would therefore have to be documented, controlled, and tested in multiple control environments. This information was then used to estimate the total number of hours and average FTEs required throughout the project’s life cycle.
In order to gain insight into the amount of time and effort process and control documentation would require and the kinds of control gaps Trinity should anticipate, the KPMG team led pilot SOX projects in two manufacturing BUs: a Highway Safety facility in Lima and a Marine Tank- Barge facility in Madisonville. The BUs were chosen for their representativeness of different manufacturing opera- tions at Trinity and their relative difference with regard to the products they produced. Table 6 summarizes the control and gap profile that the pilots yielded.
The majority of gaps were related to the documentation of control activities such as management reviews of monthly/quarterly financial statements or reconciliations among various accounts.
Project planning, tool set-up, team identification, and training This phase saw the fleshing out of the project GANTT chart and included a process risk assessment for individual BUs to prioritize processes and controls for documentation. In addition, KMPG helped Trinity build and populate a database application. This application served as a central repository for all SOX controls and allowed Trinity to track each control’s testing history and any changes made to it over time. Although the descriptions of the controls were published on the Trinity intranet, their history and testing status were not.
In this phase, KPMG also assisted the steering committee in developing and training the documentation teams on the templates they would be using for the project. The three primary documents were flowcharts and matrices for controls, and gap-analyses. In addition, a control catalog that outlined a numbering scheme for controls by specific processes was developed. Since each of the BUs would document their own processes and controls, the catalog numbering scheme would help identify and organize the controls.
Table 5 Process areas for SOX compliance (2004)
Routine transactions Non-routine transactions
Manufacturing operations Restructuring Inventory operations Legal Leasing/finance operations Acquisitions and divestitures Mining operations Regulatory Contract operations Self-insurance Revenue and AR Benefits and pension plan adjustments Expenditure and AP Asset impairment Payroll Intangibles/goodwill impairment Capital expenditures Treasury Financial reporting Taxes Closing
Consolidation Information technology Journal entries IT control environment Disclosure and presentation
Control environment Fraud prevention and detection Control environment Fraud prevention/detection
Table 6 Pilot control and gap profile
Highway safety Tank-barge
Total key controls 83 67 Preventive controls 65% 55% Detective controls 35% 45% Manual controls 75% 86% System controls 25% 14% Total control gaps identified 13 19 Gaps related to documentation 9 15
Key controls: controls that pertain to SOX compliance; Preventive control: controls that prevent a mistake from happening, for example, check customer’s credit before authorizing a sale; Detective control: control that detects a mistake after it has happened, for example, reconciling bank account; Manual control: control completed by a person, for example, reviewing and signing a document; System control: control automatically completed by a computer system, for example, matching electronic purchase order to electronic delivery notice.
The SOX compliance journey at Trinity Industries U Schultze 96
Documentation of processes and controls Having identified where in the organization each of the key processes were performed and controlled, that is, at Corporate, ASC, Group or individual BU, the documenta- tion of processes and controls began. This work fell to documentation teams consisting of KPMG advisors, mem- bers of Trinity’s internal audit group, and BU controllers. The team would interview the organizational members to understand their processes and controls. These were then documented in flowcharts and control matrices, and shared with the organizational members for correction and feed- back. The focus of this project phase was to identify the AS– IS state of processes and controls through a bottom-up analysis of the organization’s work practices.
Comparison of controls and expectations to identify gaps Although the documentation phase had focused on the AS– IS processes and controls, the documentation teams had nevertheless noted gaps between the AS–IS practices and a SOX-compliant (or TO–BE) way of operating. In this fourth project phase, the documentation teams focused on these gaps by completing gap-analysis matrices for controls with gaps. A control gap might be the lack of corrective controls around inventory adjustments, for example, adjustments made to the BPCS system after a physical stock count. A documentation-related control gap might be noted if an employee initialed a checklist as evidence that all the transactions on the checklist, for example, a number of reconciliations, had been completed. For proper evidence that the control activity had been completed, each transaction (or reconciliation) had to be initialed sepa- rately.
In addition to describing these gaps, the gap-analysis template required the team to note additional control activites that would mitigate the risk of each control gap, an indicator of the impact’s severity (i.e., high, medium, or low), and a recommendation for dealing with the control gap. Also, instead of just documenting the gaps, the team also began remediating them whenever possible. As many of the gaps were documentation related, remediation frequently took the form of educating the control owners in the evidentiary expectations of SOX-related documenta- tion.
By mid-December 2003, the gap analysis had identified 1249 control activities and 265 gaps. Of these gaps, 172 were related to documentation and none of them were classified as high priority.
Self-assessment and test plan design In order to support management’s assertion regarding the effectiveness of internal controls, Trinity had to create a self-assessment process that would increase accountability. This process assigned and managed control owners for every control at perpetuity.
The steering committee designed a process whereby Control Certification Letters (or ‘Representative Letters’) were automatically generated and mailed to each control owner on a quarterly basis. These letters asserted that the control owner was accountable for the effectiveness of the internal control assigned to him/her. Depending on reporting structures, these letters needed to be signed and
returned to the BU controllers, the Group CFO or the internal audit department. This process was effective at tracking changes in control ownership as it regularly alerted Trinity if control ownership responsibilities had not been reassigned as people left the company or changed jobs, for instance.
As part of test planning, the steering committee oversaw the classifications of control activities into A, B, and C controls. ‘A’ controls were key or primary controls that would always be tested for SOX compliance. ‘B’ controls represented back-up controls that Trinity would rely on when the primary controls failed. ‘C’ controls were controls that were related, but not central, to SOX compliance. In June 2004, Trinity’s 1573 control activities broke down as shown in Table 7.
Control redesign to close gaps In order to remediate the gaps identified, the documenta- tion teams worked with Corporate, the BU controllers and the Group CFOs to gain agreement on each gap, its impact and mitigating control activities. Then they developed an action plan for correcting each control gap. This plan addressed what corrective action needed to be taken, who was responsible for gap closure and when it was going to be implemented. Gap closure was being monitored on an ongoing basis by the steering committee that met weekly during the course of 2004. Furthermore, gap closures would be validated during the internal validation testing planned for March to June 2004. By end of June 2004, all except three of the 280 documentation gaps had been closed.
Training The steering committee sponsored four levels of training: (i) high-level guidance on SOX for senior executives, (ii) training on COSO for the 50–70 controllers in Trinity, (iii) SOX documentation training for the various documentation teams, and (iv) control owner training.
This training phase was also a part of the change management activities that most large-scale, organization- wide projects require. However, Jake Farkas noted that there was one key difference between a regulatory project such as SOX compliance and an organizational process improvement initiative like the Oracle and ASC projects: since the former were compulsory, there was less need to convince people of the urgency and necessity of a change. Even though there was a considerable need to educate the members of the organization, particularly control owners, on the documentation and evidentiary requirements for SOX, in contrast to the Oracle and ASC projects, Trinity did
Table 7 Control classification (2004)
Control classification Count
‘A’ controls 649 ‘B’ controls 397 ‘C’ controls 705 Unranked controls 70
The SOX compliance journey at Trinity Industries U Schultze 97
not feel the need to hire a full-time change management consultant for the SOX project.
Monitor – test of control and/or control self-assessment This project phase represented the internal audit phase of the SOX compliance audit. Not only were the control activities tested, but so was the self-assessment process. By the end of June 2004, 1803 control activities had been tested and 284 testing gaps were identified, of which 226 were closed. The causes of these gaps were fairly evenly split between issues of operating effectiveness and documen- tation. Common testing gaps related to the lack of maintenance of the SOX binders that had been created for each control, insufficient evidence of timely reviews, insufficient exercise of change controls, and a ‘check the box’ mentality (rather than a fulfillment of the spirit of the control). By the end of the year, 2440 controls had been tested and 327 testing gaps had been identified.
Management assertion Right from the beginning of the SOX compliance project, Trinity had set a target for being in a position to complete the management assertion by 30 June 2004, even though the assertion was only due on 31 December 2004. This early deadline would give Trinity an opportunity to fix any key weaknesses identified during the course of preliminary testing by the real deadline.
External auditor evaluation and attestation of internal controls Even though the external auditor only started testing in Q32004, the SOX steering committee included a represen- tative from E&Y. Trinity thus had the benefit of E&Y’s interpretation of the SOX legislation throughout their decision-making. This was particularly important in light of the fact that SOX provided little guidance and the public accounting companies were developing the standards for SOX compliance in an emergent fashion and by comparing their standards of control effectiveness with their compe- titors. For instance, when PwC announced that spread- sheets needed to be password-protected in order to pass a SOX audit, there was much consternation at Trinity until E&Y took a clear stance on what they would deem an effective spreadsheet control.
The results of E&Y’s external audit testing revealed no material weaknesses, but 14 deficiencies.6
2005: year 2 With the first year of compliance successfully behind them, the SOX project was moved into the audit organization, which had grown under Don Collum’s leadership. It was clear to Don and the SOX steering committee that there was much room and need for improvement for their second round of SOX assessment. While Trinity had adopted a ‘get it done’ and ‘brute force’ attitude in the first year of compliance, it was clear that their approach of document- ing and testing ‘every control known to man’ was not going to be feasible in the long term. Like so many other companies, Trinity believed that they had ‘over-audited’ and ‘over-tested’ in order to avoid material weaknesses,
since ‘failure was not an option.’ Now, it was time to ‘step back, look at it, and do a better job at risk profiling.’
In order to prepare Trinity for its second year of SOX compliance, the steering committee focused on two initiatives: (i) a top-down, risk-management approach to testing, and (ii) the streamlining of controls across BUs. Together these initiatives halved the number of SOX control activities Trinity tested in 2005.
The risk management method to testing implied a shift from a ‘shotgun’ to a ‘rifle’ approach. Trinity would not test all controls but identify areas that were material and posed a threat to the financial statements. Only significant processes and major classes of transactions in these processes would need to be audited for SOX. Trinity thus sampled BUs that contributed at least 5% to Trinity’s revenues or represented at least 5% of Trinity’s assets as per the company’s consolidated financial statements. Only control activities in significant processes in those BUs would be tested.
One implication of this risk-oriented approach was that it reduced the number of control activities designated as key or ‘A’ controls in part because their definition focused more on what risks these controls posed for material misstate- ments of the company’s financial results. Furthermore, not all ‘A’ controls would be tested every year, because they might be located in BUs that were not significant enough to be audited. Similarly, ‘C’ controls were no longer seen as relevant for SOX compliance because the audit group did not anticipate ever testing them for SOX. Nevertheless, these ‘C’ controls could be maintained and tracked on the SOX database if the BUs so wished. Some BUs saw symbolic value in designating certain control activities ‘SOX controls’ as this made their enforcement easier.
The second year-2 initiative focused on process improve- ment. The SOX steering committee created process improvement teams and charged them with streamlining, standardizing and automating the control activities for a given process (e.g., inventory, AP, AR). Georgia Papageorge, VP Finance and Accounting in the Freight Car Group, led the inventory process improvement team. The team consisted of about seven members and included represen- tatives of the BUs, KPMG, and the internal audit group.
In order to streamline the inventory-related control activities, the team analyzed each BU’s control documenta- tion. They found considerable overlap and variability in the way the controls were described. Most of the variability arose from the different systems that were operating at the BUs. A report that one BU relied on for its controls was not available in another, for instance. Furthermore, the same control activities might be worded differently, such as ‘the BU controller reviews this, vs the accounting manager reviews this, vs accounting personnel reviews this.’ In order to standardize the controls, the process improvement team abstracted the control description so that it was universal enough to cover the control activities in the various environments.
The team also looked for redundant control activities. Some BUs relied on multiple controls to accomplish the same objective. By looking across BUs, it was relatively easy to identify these redundant control activities and to determine best practices that could then be replicated across BUs. Overall, this process improvement effort took
The SOX compliance journey at Trinity Industries U Schultze 98
about 3 months and reduced inventory controls by about 25%. Its biggest achievement was to bring consistency to inventory controls such that each BU relied on the same control despite operational differences related to unique products and IT infrastructure.
A closer look at the inventory process of the Trinity Rail Car group provides some detailed insights into the improve- ment team’s work. A flowchart of the 2004 inventory management process is presented in Figure 2. Table 8 provides the accompanying control matrix. The latter highlights the overlap of control objectives within the inventory process in this single LOB. For instance, controls 3, 4, and 13 all dealt with the correct valuation and recording of inventory. Furthermore, different plants relied on different variations of control #14.
Figure 3 and Table 9, which show the inventory process flowchart and control matrix for 2005, illustrate the inventory improvement team’s efforts. In particular, the controls were uniquely numbered and described in more universal terms. However, as best practice controls were applied to all plants, there was an initial increase in the controls in Freight Car operations in 2005. Only after the inventory team’s recommendations to eliminate some controls were put into effect in 2006 (see Table 10 for summary), did the Freight Car see a decrease in controls maintained and tested. In 2007, as more plants were added to the Freight Car group and more plants became signi- ficant for SOX compliance, the number of controls main- tained and tested went back up.
Table 11 highlights the number and breakdown in controls maintained and tested in Freight Car between 2004 and 2007.
Internal testing in year 2 brought a new set of challenges to light: Trinity’s IT group seemed unaware that SOX compliance was a new reality and not a one-time effort. Kasey Nash, a KPMG senior manager on the Trinity SOX project, recounted the reaction from the IT group when they came to test in 2005: ‘You’re back again? You mean we still have to do this?’
SOX compliance had not been given the necessary priority in the IT department and this led to the identification of 48 gaps in IT control activities.7 These gaps included privileged and programmer access rights for core systems like BPCS and the on- and off-boarding of Trinity employees, which included managing their access rights to networks and applications. While the 48 gaps were an improvement on the 20% error rate of IT controls in 2004, it was September 2005 by the time they were identified. This did not give the IT group much time to remediate them. The IT environment was also challenging due to its distributed nature. There was a corporate IT group that was primarily responsible for infrastructure technologies (e.g., networks, Internet, email), IT groups within the BUs that supported business-specific applica- tions, and IT support in Mexico and Europe. These different control environments multiplied the controls that needed to be maintained and tested. Furthermore, nine applications (including Oracle, Peoplesoft, BPCS) plus the network were in scope for SOX compliance.
In November 2005, Terri Wilson, Analyst in IT’s Strategic Compliance Services, replaced the previous IT SOX manager. Determined not to fail as it could cost her job,
Terri learned what she could about SOX compliance. She became aware of ISACA8 in 2006. She subsequently joined the organization, attended local chapter meetings regularly, and even earned her CISA9 certification.
2006: year 3 While the first 2 years of SOX compliance had been guided by a project management approach, it became increasingly clear to Don Collum and other members of the steering committee that Trinity needed to move beyond ‘the SOX project’ and put in place a ‘governance process.’ This meant that their language and mindset needed to change. The controls needed to become so deeply embedded in Trinity’s processes, that they were indistinguishable from people’s sense of ‘good business practices.’ Thus the ‘SOX’ designa- tion, for example, ‘SOX steering committee’ and ‘SOX controls,’ was dropped and new labels such as ‘governance steering committee’ and ‘financial controls’ emerged.
One of the controllers described life with SOX as follows:
You are audited constantly; you just have to have perfection in your job. There is no room any more for any sort of margin of error. We have to make sure that our revenue recognition is accurate. We have to make sure that we have controls and that people are doing them. We work for a public company. We are audited almost daily; so there is a little more pressure with making sure that we have seasoned people in positions who understand what they are doing. Or even if they are not seasoned that they know the rules and follow them; that they understand they are going to be audited quarterly, monthly, daily. It is all about accountability.
Even though they acknowledge that SOX was ensuring that they were doing what they ought to be doing anyway, the controllers maintained that their SOX responsibilities added at least 8–10 h a month to their workloads.10 The extent of the additional work depended on the number of controls they owned and the number of paper binders11
they needed to maintain. Indeed, Mike Mason, CFO for the Construction, Energy and Marine Group, voiced his frustration with an audit process that hampered organiza- tional efficiency:
How do I change the audit process, not the control process? Because I’ve done the control, it’s there, and it’s available. The problem is now to explain to the auditors that it’s done. Because they want it nice and neat, in a stack of papers, and then ‘walk me through because I’ve been out of school for a whopping 6 months and I don’t understand your business.’ So I am just catering to the audit side of the control.
In order to change group and BU controllers’ perception of SOX, Don promised them that, ‘if you can show me a control that we are doing solely because of SOX, I will let you quit doing it. If there is no business reason to do it, quit doing it.’ Don also stressed one of the key benefits of SOX compliance, namely that they no longer had to spend time
The SOX compliance journey at Trinity Industries U Schultze 99
Figure 2 Flowchart of Trinity’s Freight Car inventory management process (2004).
The SOX compliance journey at Trinity Industries U Schultze 100
T a b
le 8
C o n tr
o l
m a tr
ix o f
T ri n it y ’s
fr e ig
th c a r
in v e n to
ry m
a n a g e m
e n t
p ro
c e s s
(2 0 0 4 )
C la
ss O
p er
a ti
n g
u n
it
C o
n tr
o l
re f
S u
b p
ro ce
ss O
b je
ct iv
e R
is k
E x
is ti
n g
co n
tr o
l C
O S
O
ca te
g o
ry
P /D
S /M
P ro
ce ss
o w
n er
E v
id en
ce F
re q
u en
cy
A B
U 1
In v
en to
ry
tr a
n sa
ct io
n s
In v
en to
ry is
v a
lu ed
a n
d
re co
rd ed
co rr
ec tl
y
In a p
p ro
p ri
a te
u se
rs m
a y
h a
v e
th e
a b
il it
y to
a cc
es s
in v
en to
ry
tr a
n sa
ct io
n s
A cc
es s
to th
e U
N IX
/B P
C S
in v
en to
ry
m o
d u
le is
re st
ri ct
ed to
o n
ly th
o se
p la
n t
a n
d
B U
p er
so n
n el
w it
h a
d ir
ec t
a n
d o
n g
o in
g
n ee
d fo
r a
cc es
s. A
cc es
s is
re m
o v
ed fo
r
th o
se em
p lo
y ee
s w
h o
n o
lo n
g er
re q
u ir
e
su ch
a cc
es s.
M a
n a
g em
en t
re v
ie w
s th
e li
st o
f u
se rs
w it
h
a cc
es s
to th
e in
v en
to ry
m o
d u
le q
u a rt
er ly
(d o
cu m
en te
d in
m a
n a
g em
en t’
s q
u a
rt er
ly
ch ec
k li
st a n
d d
o cu
m en
te d
b y
th e
in it
ia le
d
u se
r p
ro fi
le li
st in
g fr
o m
B P
C S
)
A u
th o
ri za
ti o
n P
S B
U
C o
n tr
o ll
er
D o
cu m
en ta
ti o
n o
f
u se
r a
cc es
s ri
g h
ts
re st
ri ct
in g
th e
re co
rd in
g o
f
m a te
ri a
l re
ce ip
ts in
B P
C S
to a u
th o
ri ze
d
p er
so n
n el
Q u
a rt
er ly
C P
la n
t 2
In v
en to
ry
tr a
n sa
ct io
n s
In v
en to
ry is
p h
y si
ca ll
y
se cu
re d
a n
d
p ro
te ct
ed
U n
a u
th o
ri ze
d
p er
so n
n el
m a
y
re ce
iv e
o r
m o
v e
in v
en to
ry ,
w h
ic h
m a y
re su
lt in
in a
cc u
ra te
in v
en to
ry
tr a
n sa
ct io
n s
T h
e M
a te
ri a
ls M
a n
a g
er co
m p
a re
s th
e
se cu
ri ty
re ce
iv in
g re
p o
rt s
a n
d /o
r th
e
p a
ck in
g sl
ip s
to th
e B
P C
S re
ce iv
in g
re p
o rt
s
m o
n th
ly .
A n
y d
is cr
ep a n
ci es
a re
re so
lv ed
b y
th e
M a
te ri
a ls
M a
n a
g er
. T
h is
re v
ie w
is to
en su
re th
a t
a ll
in v
en to
ry it
em s
a re
en te
re d
in to
th e
sy st
em ti
m el
y a
n d
to p
re v
en t
u n
a u
th o
ri ze
d u
se o
f in
v en
to ry
. O
n ly
a u
th o
ri ze
d p
er so
n n
el m
a k
e tr
a n
sf er
s to
a n
d
fr o
m th
e B
P C
S st
o ra
g e
lo ca
ti o
n s
A u
th o
ri za
ti o
n P
M M
a te
ri a ls
M a
n a
g er
S ec
u ri
ty lo
g ,
D o
cu m
en ta
ti o
n o
f
u se
r p
ro fi
le
re st
ri ct
in g
a cc
es s
to tr
a n
sf er
in v
en to
ry it
em s
w it
h in
B P
C S
,
m o
n th
ly B
P C
S
R ec
ei v
er L
o g
,
si g
n ed
re ce
iv er
s,
m o
n th
ly B
P C
S B
O L
L o
g ,
si g
n ed
B O
L
M o
n th
ly
A P
la n
t 3
In v
en to
ry
tr a
n sa
ct io
n s
In v
en to
ry is
v a
lu ed
a n
d
re co
rd ed
co rr
ec tl
y
T h
e v
a lu
e o
f
in v
en to
ry is
m a
y b
e
m is
st a te
d .
In v
en to
ry
tr a
n sa
ct io
n s
m a
y b
e
in co
m p
le te
,
in a
cc u
ra te
, o
r
p o
st ed
to th
e
w ro
n g
p er
io d
T h
e P
la n
t A
cc o
u n
ta n
t re
v ie
w s
th e
W IP
R ep
o rt
s (i
n cl
u d
in g
sh o
p o
rd er
st a tu
s
re p
o rt
) to
en su
re p
ro p
er a
cc o
u n
ti n
g a
t en
d
o f
jo b
. T
h is
re v
ie w
is p
er fo
rm ed
to en
su re
th a
t in
v en
to ry
v a
lu a
ti o
n is
p ro
p er
ly
re co
rd ed
b et
w ee
n ra
w m
a te
ri a
ls ,
W IP
, a
n d
fi n
is h
ed g
o o
d s
R ec
o n
ci li
a ti
o n
D M
P la
n t
A cc
o u
n ta
n t
O p
en sh
o p
o rd
er s
re p
o rt
cr ea
te d
a ft
er
sh o
p o
rd er
m o
n th
-
en d
cl o
se
M o
n th
ly
A P
la n
t 3
.2 L
a b
o r
tr a
n sa
ct io
n s
L a
b o
r co
st s
a re
p ro
p er
ly
es ti
m a
te d
C o
st es
ti m
a te
s
m a
y b
e
in a
cc u
ra te
T h
e st
a n
d a rd
la b
o r
ra te
, st
a n
d a rd
m a
te ri
a l
p ri
ce s
a n
d o
v er
h ea
d b
u rd
en ra
te is
re v
ie w
ed ev
er y
6 m
o n
th s.
T h
e P
la n
t
A cc
o u
n ta
n t
co m
p a re
s th
e cu
rr en
t st
a n
d a rd
ra te
a n
d th
e a
v er
a g
e a
ct u
a l
ra te
. If
it is
M a
n a
g em
en t
re v
ie w
P M
P la
n t
A cc
o u
n ta
n t
R ev
ie w
ed st
a n
d a rd
ra te
a n
a ly
si s
a n
d
a p
p ro
p ri
a te
a p
p ro
v a
ls (i
f
n ec
es sa
ry )
S em
i-
a n
n u
a ll
y
The SOX compliance journey at Trinity Industries U Schultze 101
T a b
le 8
C o n ti n u e d
C la
ss O
p er
a ti
n g
u n
it
C o
n tr
o l
re f
S u
b p
ro ce
ss O
b je
ct iv
e R
is k
E x
is ti
n g
co n
tr o
l C
O S
O
ca te
g o
ry
P /D
S /M
P ro
ce ss
o w
n er
E v
id en
ce F
re q
u en
cy
d et
er m
in ed
th a t
th e
st a n
d a rd
ra te
n ee
d s
to
b e
a d
ju st
ed ,
a re
q u
es t
is su
b m
it te
d to
th e
B U
C o
n tr
o ll
er a n
d th
e B
U P
re si
d en
t fo
r
a p
p ro
v a
l
A B
U 3
.6 L
a b
o r
tr a
n sa
ct io
n s
L a
b o
r
ex p
en se
s
a re
ca lc
u la
te d
co rr
ec tl
y
L a
b o
r
ex p
en se
s m
a y
b e
m is
st a te
d
T h
e L
a b
o r
Jo u
rn a
l E
n tr
y T
em p
la te
is
fo rm
a tt
ed to
ca lc
u la
te th
e la
b o
r ef
fi ci
en cy
v a
ri a
n ce
, la
b o
r ra
te v
a ri
a n
ce ,
o v
er h
ea d
a m
o u
n t
a n
d a
ll o
ca ti
o n
o f
d ir
ec t
a n
d
in d
ir ec
t m
a n
u fa
ct u
ri n
g h
o u
rs co
rr ec
tl y
.
T h
e jo
u rn
a l
en tr
y a
ls o
re co
n ci
le s
to ta
l
p a y
ro ll
d o
ll a rs
to th
e la
b o
r a ll
o ca
ti o
n
S y
st em
co n
fi g
u ra
ti o
n
P S
B U
C o
n tr
o ll
er
P la
n t
A D
I’ s
a re
a g
re ed
w it
h
te m
p la
te A
D I’
s to
a ss
u re
n o
h a rd
co d
e o
r o
th er
ch a n
g es
h a
v e
b ee
n
m a d
e
W ee
k ly
A P
la n
t 4
In v
en to
ry
tr a
n sa
ct io
n s
In v
en to
ry is
v a
lu ed
a n
d
re co
rd ed
co rr
ec tl
y
T h
e v
a lu
e o
f
in v
en to
ry m
a y
b e
m is
st a te
d .
In v
en to
ry
tr a
n sa
ct io
n s
m a
y b
e
in co
m p
le te
,
in a
cc u
ra te
, o
r
p o
st ed
to th
e
w ro
n g
p er
io d
P la
n t
A cc
o u
n ta
n t
p re
p a re
s a
re co
n ci
li a ti
o n
o f
U N
IX /B
P C
S to
O ra
cl e
(b o
o k
-t o
-
p er
p et
u a l)
– fo
r ra
w m
a te
ri a ls
a n
d
fa b
ri ca
te d
p a
rt s.
A n
y v
a ri
a n
ce s
a re
in v
es ti
g a te
d a n
d re
so lv
ed .
T h
is co
n tr
o l
a ct
iv it
y is
d o
cu m
en te
d
th ro
u g
h p
la n
t a cc
o u
n ta
n t’
s m
o n
th ly
ch ec
k li
st ,
a d
d it
io n
a ll
y ,
d o
cu m
en ta
ti o
n
su p
p o
rt in
g a
n y
a d
ju st
m en
ts is
in it
ia le
d a
n d
re ta
in ed
R ec
o n
ci li
a ti
o n
D M
P la
n t
A cc
o u
n ta
n t
P la
n t
A cc
o u
n ta
n t’
s
m o
n th
ly ch
ec k
li st
,
a d
d it
io n
a ll
y ,
d o
cu m
en ta
ti o
n
su p
p o
rt in
g a
n y
a d
ju st
m en
ts is
in it
ia le
d a
n d
re ta
in ed
M o
n th
ly
A P
la n
t 5
P h
y si
ca l
in v
en to
ry
In v
en to
ry is
re co
rd ed
in
th e
G /L
co m
p le
te ly
,
a cc
u ra
te ly
,
a n
d ti
m el
y
In co
m p
le te
o r
u n
a u
th o
ri ze
d
in v
en to
ry
a d
ju st
m en
ts
ca n
im p
a ct
fi n
a n
ci a l
re p
o rt
s
P h
y si
ca l
in v
en to
ri es
a re
p er
fo rm
ed ev
er y
6
m o
n th
s. P
la n
t p
er so
n n
el in
v es
ti g
a te
a n
d
re so
lv e
si g
n if
ic a n
t d
is cr
ep a n
ci es
. T
h e
B U
C o
n tr
o ll
er re
v ie
w s
re co
n ci
li a ti
o n
s a n
d
re q
u ir
ed a
d ju
st m
en ts
.
T h
e d
et a
il ed
in v
en to
ry b
in d
er s
w it
h
su p
p o
rt in
g sc
h ed
u le
s a re
p re
p a re
d b
y p
la n
t
p er
so n
n el
, re
v ie
w ed
a n
d a
p p
ro v
ed b
y th
e
B U
C o
n tr
o ll
er ,
a n
d co
m p
le te
d w
it h
in th
e
co m
p a n
y ti
m el
in e
M a
n a
g em
en t
re v
ie w
D M
P la
n t
A cc
o u
n ta
n t
In v
en to
ry
p ro
ce d
u re
s b
in d
er
w it
h su
p p
o rt
in g
d o
cu m
en ta
ti o
n
S em
i-
a n
n u
a ll
y
A B
U 6
O b
so le
sc en
ce In
v en
to ry
is
v a
lu ed
a n
d
re co
rd ed
co rr
ec tl
y
O b
so le
te
in v
en to
ry m
a y
n o
t b
e
id en
ti fi
ed
ti m
el y
.
O n
a q
u a rt
er ly
b a
si s,
p ro
ce d
u re
s su
ch a
s
re v
ie w
in g
sl o
w m
o v
in g
re p
o rt
, ex
a m
in a
ti o
n
o f
in v
en to
ry ,
a n
d d
is cu
ss io
n s
w it
h
o p
er a ti
o n
s ex
is t
to es
ta b
li sh
a n
d re
v ie
w th
e
o b
so le
te /s
lo w
m o
v in
g re
se rv
e.
M a
n a
g em
en t
re v
ie w
D M
B U
C o
n tr
o ll
er
R ev
ie w
ed a
n d
si g
n ed
u n
a ll
o ca
te d
a n
d su
rp lu
s
in v
en to
ry re
p o
rt s
Q u
a rt
er ly
The SOX compliance journey at Trinity Industries U Schultze 102
In v
en to
ry is
u n
d er
/o v
er
st a
te d
T h
is co
n tr
o l
a ct
iv it
y is
d o
cu m
en te
d
th ro
u g
h B
U C
o n
tr o
ll er
’s m
o n
th ly
ch ec
k li
st .
A d
d it
io n
a ll
y ,
th e
re p
o rt
su m
m a ri
zi n
g
u n
a ll
o ca
te d
a n
d su
rp lu
s in
v en
to ry
is
in it
ia le
d a
n d
m a
in ta
in ed
A P
la n
t 7
P ro
d u
ct
co st
in g
In v
en to
ry
ex is
ts a
n d
is
p ro
p er
ly
v a
lu ed
T h
e v
a lu
e o
f
in v
en to
ry m
a y
b e
m is
st a te
d ,
in v
en to
ry
tr a
n sa
ct io
n s
m a
y b
e
in co
m p
le te
o r
p o
st ed
to th
e
w ro
n g
p er
io d
P la
n t
A cc
o u
n ta
n t
re v
ie w
s p
u rc
h a se
p ri
ce
v a
ri a
n ce
re p
o rt
to co
n fi
rm in
v en
to ry
is
p ro
p er
ly st
a te
d (i
.e .,
p u
rc h
a se
co st
v a
ri a
n ce
s fo
r in
v en
to ry
it em
s a
re co
m p
a re
d
b y
m o
n th
).
T h
is co
n tr
o l
a ct
iv it
y is
d o
cu m
en te
d
th ro
u g
h P
la n
t A
cc o
u n
ta n
t’ s
m o
n th
ly
ch ec
k li
st .
A d
d it
io n
a ll
y ,
th e
re p
o rt
su m
m a
ri zi
n g
u n
a ll
o ca
te d
a n
d su
rp lu
s
in v
en to
ry is
in it
ia le
d a
n d
m a
in ta
in ed
M a
n a
g em
en t
re v
ie w
D M
P la
n t
A cc
o u
n ta
n t
P la
n t
A cc
o u
n ta
n t’
s
m o
n th
ly ch
ec k
li st
.
A d
d it
io n
a ll
y ,
th e
re p
o rt
su m
m a
ri zi
n g
u n
a ll
o ca
te d
a n
d
su rp
lu s
in v
en to
ry
is in
it ia
le d
a n
d
m a in
ta in
ed
M o
n th
ly
A B
U 8
In v
en to
ry
tr a
n sa
ct io
n s
In v
en to
ry is
re co
rd ed
in
th e
G /L
co m
p le
te ly
,
a cc
u ra
te ly
,
a n
d ti
m el
y
T h
e v
a lu
e o
f
in v
en to
ry m
a y
b e
m is
st a te
d ,
in v
en to
ry
tr a
n sa
ct io
n s
m a
y b
e
in co
m p
le te
o r
p o
st ed
to th
e
w ro
n g
p er
io d
B U
C o
n tr
o ll
er re
v ie
w s
in v
en to
ry b
a la
n ce
s
o n
a m
o n
th ly
b a si
s.
T h
is co
n tr
o l
a ct
iv it
y is
d o
cu m
en te
d
th ro
u g
h B
U C
o n
tr o
ll er
’s m
o n
th ly
ch ec
k li
st
M a
n a
g em
en t
re v
ie w
D M
B U
C o
n tr
o ll
er
S ig
n -o
ff sh
ee t
d o
cu m
en ti
n g
m o
n th
ly re
v ie
w o
f
th e
re co
n ci
li a
ti o
n
b in
d er
co n
ta in
in g
re co
n ci
li a ti
o n
s a n
d
a d
ju st
m en
ts a
ft er
p h
y si
ca l
in v
en to
ri es
M o
n th
ly
A B
U 9
In v
en to
ry
tr a
n sa
ct io
n s
In v
en to
ry is
re co
rd ed
in
th e
G /L
co m
p le
te ly
,
a cc
u ra
te ly
,
a n
d ti
m el
y
T h
e v
a lu
e o
f
in v
en to
ry m
a y
b e
m is
st a te
d ,
in v
en to
ry
tr a
n sa
ct io
n s
m a
y b
e
in co
m p
le te
o r
p o
st ed
to th
e
w ro
n g
p er
io d
B U
C o
n tr
o ll
er re
v ie
w s
C O
S re
p o
rt fo
r
re a so
n a b
le n
es s
o n
a m
o n
th ly
b a si
s.
T h
is co
n tr
o l
a ct
iv it
y is
d o
cu m
en te
d
th ro
u g
h B
U C
o n
tr o
ll er
’s m
o n
th ly
ch ec
k li
st .
A d
d it
io n
a ll
y ,
T h
e B
U C
o n
tr o
ll er
d o
cu m
en ts
th is
re v
ie w
b y
in it
ia li
n g
a n
d re
ta in
in g
th e
C O
S re
p o
rt
M a
n a
g em
en t
re v
ie w
D M
B U
C o
n tr
o ll
er
B U
C o
n tr
o ll
er
ch ec
k li
st it
em
d o
cu m
en ti
n g
th e
p er
fo rm
a n
ce o
f a
m o
n th
ly p
re ca
p
a n
d re
ca p
jo b
sp ec
if ic
a n
a ly
si s.
S ig
n ed
re p
o rt
s
n o
ti n
g re
v ie
w (a
s
a p
p li
ca b
le )
M o
n th
ly
A B
U 1
0 L
a b
o r
tr a
n sa
ct io
n s
L a
b o
r
ex p
en se
s
a re
ca lc
u la
te d
co rr
ec tl
y
L a
b o
r
ex p
en se
s m
a y
b e
m is
st a te
d
T o
b e
co n
tr o
l –
T h
e B
U A
cc o
u n
ta n
t re
v ie
w s
th e
d ir
ec t
w a
g es
a cc
o u
n t
m o
n th
ly to
v er
if y
th a
t en
tr ie
s m
a d
e d
u ri
n g
th e
L a
b o
r Jo
u rn
a l
E n
tr y
h a
v e
co m
p le
te ly
a ll
o ca
te d
p a
y ro
ll .
T h
is re
v ie
w is
d o
cu m
en te
d in
m a
n a
g em
en t’
s m
o n
th ly
ch ec
k li
st (B
U
C h
ec k
li st
) a
n d
su p
p o
rt in
g v
a ri
a n
ce re
p o
rt
re v
ie w
d o
cu m
en ts
M a
n a
g em
en t
re v
ie w
P M
B U
C o
n tr
o ll
er
C h
ec k
li st
it em
co n
fi rm
in g
ze ro
b a
la n
ce to
b e
a d
d ed
to F
.5 0
M o
n th
ly
A B
U 1
1 C
o st
o f
sa le
s L
a b
o r
v a
ri a
n ce
s
T h
e B
U C
o n
tr o
ll er
re v
ie w
s th
e p
la n
t
v a
ri a
n ce
re p
o rt
s m
o n
th ly
. A
n y
m a
te ri
a l
M a
n a
g em
en t
re v
ie w
P M
B U
C o
n tr
o ll
er
L a
b o
r jo
u rn
a l
en tr
y
te m
p la
te a
n d
la b
o r
M o
n th
ly
The SOX compliance journey at Trinity Industries U Schultze 103
T a b
le 8
C o n ti n u e d
C la
ss O
p er
a ti
n g
u n
it
C o
n tr
o l
re f
S u
b p
ro ce
ss O
b je
ct iv
e R
is k
E x
is ti
n g
co n
tr o
l C
O S
O
ca te
g o
ry
P /D
S /M
P ro
ce ss
o w
n er
E v
id en
ce F
re q
u en
cy
a re
co rr
ec tl
y
re co
rd ed
C o
st o
f sa
le s
m a
y b
e
m is
st a te
d
d if
fe re
n ce
s id
en ti
fi ed
o n
th e
v a
ri a
n ce
re p
o rt
s a re
re se
a rc
h ed
, re
so lv
ed a n
d
d o
cu m
en te
d .
T h
is re
v ie
w is
d o
cu m
en te
d in
m a
n a
g em
en t’
s m
o n
th ly
ch ec
k li
st (B
U
C h
ec k
li st
) a n
d su
p p
o rt
in g
v a ri
a n
ce re
p o
rt
re v
ie w
d o
cu m
en ts
so u
rc e
d o
cu m
en ts
a re
su p
p o
rt fo
r
n ew
ch ec
k li
st it
em
to b
e a
d d
ed to
F .5
0
A B
U 1
2 In
v en
to ry
tr a
n sa
ct io
n s
In v
en to
ry is
re co
rd ed
in
th e
G /L
co m
p le
te ly
,
a cc
u ra
te ly
,
a n
d ti
m el
y
T h
e v
a lu
e o
f
in v
en to
ry m
a y
b e
m is
st a te
d .
In v
en to
ry
tr a
n sa
ct io
n s
m a
y b
e
in co
m p
le te
o r
p o
st ed
to th
e
w ro
n g
p er
io d
B U
C o
n tr
o ll
er re
v ie
w s
su m
m a ry
in v
en to
ry
b a
la n
ce s
o n
a m
o n
th ly
b a si
s
M a
n a
g em
en t
re v
ie w
D M
B U
C o
n tr
o ll
er
S ig
n ed
a n
d
a p
p ro
v ed
b a
la n
ce
sh ee
t o
r p
la n
t
lo ca
ti o
n s
sc h
ed u
le
M o
n th
ly
A B
U 1
3 In
v en
to ry
tr a
n sa
ct io
n s
In v
en to
ry is
v a
lu ed
a n
d
re co
rd ed
co rr
ec tl
y
T h
e v
a lu
e o
f
in v
en to
ry m
a y
b e
m is
st a te
d .
In v
en to
ry
tr a
n sa
ct io
n s
m a
y b
e
in co
m p
le te
,
in a
cc u
ra te
, o
r
p o
st ed
to th
e
w ro
n g
p er
io d
M o
n th
ly d
u ri
n g
cl o
se a n
in te
rf a ce
is ru
n b
y
th e
IT O
p er
a ti
o n
s D
ep a rt
m en
t th
a t
re co
rd s
a ll
o f
th e
ra w
m a te
ri a
l tr
a n
sa ct
io n
s th
a t
h a
v e
o cc
u rr
ed th
ro u
g h
o u
t th
e m
o n
th ,
in cl
u d
in g
ra w
m a te
ri a
ls st
il l
in in
v en
to ry
a n
d ra
w m
a te
ri a
ls th
a t
h a
v e
m o
v ed
to W
IP .
T h
e en
ti re
in v
en to
ry in
te rf
a ce
w il
l n
o t
b e
co m
p le
te d
if th
er e
a re
a n
y er
ro rs
in th
e
tr a n
sa ct
io n
s. A
n y
er ro
rs a re
re so
lv ed
b y
th e
P la
n t
A cc
o u
n ta
n t.
O n
ce th
e er
ro rs
a re
re so
lv ed
th e
P la
n t
A cc
o u
n ta
n t
w il
l n
o ti
fy IT
O p
er a ti
o n
s to
re -r
u n
th e
in te
rf a ce
.
S u
cc es
sf u
l co
m p
le ti
o n
o f
th e
in te
rf a ce
is
d o
cu m
en te
d in
th e
P la
n t
M o
n th
ly cl
o si
n g
ch ec
k li
st F
.2 0
S y
st em
co n
fi g
u ra
ti o
n
P S
IT (B U
-l ev
el )
M o
n th
ly
A P
la n
t 1
4 a
L a
b o
r
tr a
n sa
ct io
n s
A ct
u a
l la
b o
r
co st
s a
re
p ro
p er
ly
re co
rd ed
C o
st o
f sa
le s
m a
y b
e
m is
st a te
d
D ep
a rt
m en
ta l
su p
er v
is o
rs re
v ie
w h
o u
rl y
em p
lo y
ee ti
m ec
a rd
s/ ed
it s
fr o
m K
ro n
o s
fo r
re a so
n a b
le n
es s
b ef
o re
si g
n in
g o
ff o
n th
e
ti m
e ca
rd /e
d it
fo r
a p
p ro
v a
l (d
a il
y ).
S em
i-
m o
n th
ly em
p lo
y ee
s a re
re sp
o n
si b
le fo
r
co m
p le
ti n
g ti
m e
sh ee
ts .
D ep
a rt
m en
ta l
su p
er v
is o
rs re
v ie
w a n
d si
g n
th e
ti m
e sh
ee ts
n o
ti n
g a p
p ro
v a l
(s em
i- m
o n
th ly
). A
p p
ro v
ed
su m
m a
ry o
f em
p lo
y ee
ti m
e p
u n
ch d
et a il
a n
d a
p p
ro v
ed ti
m e
ed it
s a
s w
el l
a s
th e
M a
n a
g em
en t
re v
ie w
P M
P a
y ro
ll
C le
rk
L a
b o
r jo
u rn
a l
en tr
y
te m
p la
te a
n d
la b
o r
so u
rc e
d o
cu m
en ts
a re
su p
p o
rt fo
r
n ew
ch ec
k li
st it
em
to b
e a
d d
ed to
F .5
0
D a
il y
The SOX compliance journey at Trinity Industries U Schultze 104
assessing the reliability of their information, which allowed them to spend more time on activities that required judgment and estimation, such as warranties, taxes, and inventory.
Trinity also started to benchmark their SOX processes and controls with other companies in their industry to identify additional opportunities for reducing their controls and streamlining their SOX testing. Mike Mason explained that they went to one of their peers to learn about their system access control processes. He found that even competing peer companies were open to sharing knowledge around SOX because they saw no advantage to keeping their SOX-related processes secret. A peer’s SOX failure was not seen as a victory:
It just puts a fear factor, at least in the finance world, of ‘they got caught on something, maybe I’m going to get caught on something.’ It’s almost like nobody wants anybody to get into trouble for SOX, because that just means we’re all going to get in trouble for something. It’s almost like you want everybody to win and for everyone to be doing SOX okay.
In IT, Terri Wilson led a control streamlining effort similar to the one that the process improvement teams had done in the BUs in the prior year. Her analysis highlighted duplicate controls caused by inconsistent numbering and wording. She also found that some controls had multiple control owners. Her efforts reduced IT’s controls from 92 to 39.
She also categorized the IT controls into a categorization scheme that resembled COBIT,12 of which she was unaware at the time (see Table 12 for the categories and control samples). This process improvement effort led to not only a reduction in IT controls, but also a reduction of IT control gaps over time as Table 13 demonstrates.
2007: year 4 In the fourth year of SOX compliance, the number of control activities tested stabilized. There was a general sense among the members of the governance steering committee that Trinity’s SOX control infrastructure was as lean as it could be. Furthermore, they felt that their self- assessment and change control processes were robust and sustainable. For instance, they had established the following change control procedure for SOX controls:
� When a BU wanted to make a change to a SOX control, for example, replace a control owner, change the control description, or replace a manual control with an automated one, a change request was sent to the internal audit group, where it was reviewed by the SOX Program Manager, Rhonda Krasselt.
� Depending on the change, either Rhonda Krasselt or Don Collum reviewed the change. They explained that as long as a proposed control effectively met a necessary control objective, they were likely to approve a con- trol change. Once final approval had been granted by Don, the change was forwarded to the SOX adminis- trator, who maintained the SOX database, which tracked all changes.
a p
p ro
v ed
m o
n th
ly p
a y
ro ll
re g
is te
r w
il l
b e
si g
n ed
a n
d re
ta in
ed .
S ee
co n
tr o
l G
. 4
0 a
o f
th e
p a
y ro
ll co
n tr
o l
m a
tr ix
A B
U 1
4 b
L a
b o
r
tr a
n sa
ct io
n s
A ct
u a
l la
b o
r
co st
s a
re
p ro
p er
ly
re co
rd ed
C o
st o
f sa
le s
m a
y b
e
m is
st a te
d
T o
b e
co n
tr o
l –
B U
C o
n tr
o ll
er re
v ie
w s
th e
la b
o r
jo u
rn a
l en
tr y
te m
p la
te to
v er
if y
th a
t
th e
la b
o r
v a
lu es
w er
e co
rr ec
tl y
en te
re d
in to
th e
te m
p la
te .
T h
is w
il l
b e
a d
d ed
to th
e B
U
C o
n tr
o ll
er ch
ec k
li st
a t
F .
5 0
M a
n a
g em
en t
re v
ie w
P M
B U
C o
n tr
o ll
er
L a
b o
r jo
u rn
a l
en tr
y
te m
p la
te a
n d
la b
o r
so u
rc e
d o
cu m
en ts
a re
su p
p o
rt fo
r
n ew
ch ec
k li
st it
em
to b
e a
d d
ed to
F .5
0
D a
il y
A B
U 1
5 L
a b
o r
tr a
n sa
ct io
n s
L a
b o
r co
st s
a re
p ro
p er
ly
es ti
m a
te d
C o
st es
ti m
a te
s
m a
y b
e
in a
cc u
ra te
T h
e st
a n
d a rd
la b
o r
ra te
a n
d o
v er
h ea
d
b u
rd en
ra te
is re
v ie
w ed
ev er
y 6
m o
n th
s.
T h
e B
U C
o n
tr o
ll er
co m
p a re
s th
e cu
rr en
t
st a
n d
a rd
ra te
a n
d th
e a
v er
a g
e a
ct u
a l
ra te
fo r
th e
st a
n d
a rd
la b
o r
ra te
a n
d th
e
o v
er h
ea d
b u
rd en
ra te
. If
it is
d et
er m
in ed
th a
t th
e st
a n
d a
rd ra
te n
ee d
s to
b e
a d
ju st
ed ,
a re
q u
es t
is su
b m
it te
d to
th e
B U
P re
si d
en t
fo r
a p
p ro
v a
l
M a
n a
g em
en t
re v
ie w
D M
B U
C o
n tr
o ll
er
L a
b o
r a
n d
b u
rd en
a n
a ly
si s
is
re v
ie w
ed a
n d
a p
p ro
p ri
a te
a p
p ro
v a
l w
a s
o b
ta in
ed
S em
i-
a n
n u
a ll
y
C B
U 1
6 P
ro d
u ct
co st
in g
In v
en to
ry
b a
la n
ce s
a n
d la
b o
r
co st
s a
re
C o
st es
ti m
a te
s
m a
y b
e
in a
cc u
ra te
S ta
n d
a rd
m a
te ri
a l
p ri
ce s
a re
re v
ie w
ed ea
ch
6 m
o n
th s
to lo
w er
o f
co st
o r
m a rk
et o
r
b u
y er
s st
a n
d a
rd b
a se
d o
n co
n tr
a ct
p ri
ci n
g
M a
n a
g em
en t
re v
ie w
D M
B U
C o
n tr
o ll
er
S u
p p
o rt
fo r
lo w
er
o f
co st
o r
m a rk
et
ca lc
u la
ti o
n o
r
b u
y er
s st
a n
d a rd
S em
i-
a n
n u
a ll
y
The SOX compliance journey at Trinity Industries U Schultze 105
� Periodically, the governance steering committee was informed about the SOX control changes that had been made.
On average, about 1000 SOX changes were made every 6 months.
Changes to control activities were also made in response to new business processes and gaps that had been identified during testing. Rhonda Krasselt noted that, at times, it was difficult to convince BU staff to document their controls. They did not want to have to ‘sign off on more things’ and were reluctant to give the audit department ‘more things to gap them on.’ This sentiment seemed to express a ‘fear of the gap.’
Increasingly, the governance steering committee got involved in screening proposals for organizational change initiatives such as system upgrades or process improve- ments. This screening sought to identify the SOX implica- tions of a proposed change, but it also sought to leverage business-driven initiatives in order to improve Trinity’s control environment. Thus, while it was difficult to make a business case for implementing systems and process changes for the purpose of reducing SOX compliance costs, improvements that served more strategic objectives could be used as a vehicle to achieve this goal. For instance, when Trinity was planning to implement a new time reporting system for payroll, the steering committee looked for ways to improve the timesheet approval process and to store the
Figure 3 Flowchart of Trinity’s Freight Car inventory management process (2005).
The SOX compliance journey at Trinity Industries U Schultze 106
approval information electronically without compromising its auditability.
Pondering the next phase of the compliance journey In early 2008, as Don Collum was getting ready for his meeting with Jarrod Bassman, he mulled over the Trinity’s SOX compliance journey, its victories and ongoing challenges. There were numerous victories. Chief among them was that their external auditor, E&Y, never identified any material weaknesses in Trinity’s financial reporting processes. Trinity also decreased the cost of SOX com- pliance every year, even though the number of controls they tested had stabilized. In addition, they developed a system of accountability that clearly identified and tracked control owners. They also implemented governance structures such as the SOX steering committee, which was now actively involved in monitoring any organizational change with implications for Trinity’s internal controls. Any changes to processes related to financial reporting were being mana- ged. Lastly, there was a general acknowledgement in the organization that internal controls made business sense and that they were helpful to the organization. For instance, they sustained disciplined operations and provided more confidence in the data that various operational and financial processes generated.
Nevertheless, there were questions about the next steps in Trinity’s SOX compliance journey. How could they continue to reduce the costs of compliance given that the number of SOX controls they tested was as lean as was possible given the company’s relatively decentralized IT infrastructure? Many SOX controls were manual. Was it time to invest in a company-wide, single-instance ERP system, a strategy that many global manufacturing firms had pursued? How could such an investment be justified?
Or were there ways of leveraging the information technology that Trinity already had to automate some of their many manual controls? For instance, BPCS was increasingly marketed as an ERP system for manufacturing organizations as it integrated cost accounting, planning, distribution, and manufacturing functionality. However, BPCS had not been implemented in a way that the standardization of processes and centralization of controls afforded by ERP systems could be leveraged. Not only was Trinity running three different versions of the BPCS software, they were also relying on different IT organi- zations to support them. In addition, many BUs had customized the software to produce the kind of output they needed to calculate Cost of Sales, Overhead and Labor Rates, among others, in their homegrown spreadsheets. In other words, instead of automating the interface between BPCS, which essentially served as a sub-ledger, and Oracle Financials, Trinity’s general ledger, the BUs downloaded customized data from BPCS, manipulated it in Excel and then based their manual general ledger journal entries on these spreadsheets. As a result, BPCS operated in seven different control environments, which multiplied the number of controls that needed to be developed, main- tained, and tested.
In addition to standardizing processes and centralizing controls by integrating systems, were there other strategies that Trinity could rely on to further reduce the cost of SOX compliance? For instance, could the hours internal auditors spent on control testing be reduced? Were there ways in which the cost of ‘catering to the audit side of the control’ could be decreased?
At the same time, there were questions about the integrity of the control infrastructure as a whole. As Trinity only tested A controls for SOX, was there a danger that B controls, which were supposed to serve as back-ups to A controls, would fail compliance tests? Furthermore, many
Figure 3 Continued.
The SOX compliance journey at Trinity Industries U Schultze 107
T a b
le 9
C o n tr
o l m
a tr
ix o f
T ri n it y ’s
F re
ig h t
C a r
in v e n to
ry m
a n a g e m
e n t
p ro
c e s s
(2 0 0 5 )
C la
ss O
p er
a ti
n g
u n
it S
u b
p ro
ce ss
C o
n tr
o l
re fe
re n
ce O
b je
ct iv
e R
is k
E x
is ti
n g
co n
tr o
l E
v id
en ce
F re
q u
en cy
C O
S O
ca te
g o
ry P
/ D
S /
M P
ro ce
ss o
w n
er
A B
U In
v en
to ry
tr a n
sa ct
io n
s
1 A
cc es
s to
in v
en to
ry
tr a n
sa ct
io n
s a re
li m
it ed
to a u
th o
ri ze
d
p er
so n
n el
In a p
p ro
p ri
a te
u se
rs
h a v
e th
e a b
il it
y to
a cc
es s
in v
en to
ry tr
a n
sa ct
io n
s
A cc
es s
to th
e le
g a cy
in v
en to
ry
m o
d u
le is
re st
ri ct
ed to
o n
ly th
o se
p la
n t
a n
d B
U p
er so
n n
el w
it h
a d
ir ec
t
a n
d o
n g
o in
g n
ee d
fo r
a cc
es s.
A cc
es s
is re
m o
v ed
fo r
th o
se em
p lo
y ee
s w
h o
n o
lo n
g er
re q
u ir
e su
ch a cc
es s.
C o
n tr
o ll
er re
v ie
w s
th e
li st
o f
u se
rs
w it
h a cc
es s
to th
e in
v en
to ry
m o
d u
le
q u
a rt
er ly
S ig
n ed
a n
d re
ta in
ed
a u
th o
ri ze
d u
se r
li st
Q u
a rt
er ly
S y
st em
a cc
es s
P S
B U
C o
n tr
o ll
er
A P
la n
t In
v en
to ry
tr a n
sa ct
io n
s
2 In
v en
to ry
is v
a lu
ed
a n
d re
co rd
ed
co rr
ec tl
y
T h
e v
a lu
e o
f in
v en
to ry
m a y
b e
m is
st a te
d .
In v
en to
ry tr
a n
sa ct
io n
s
m a y
b e
in co
m p
le te
,
in a cc
u ra
te ,
o r
p o
st ed
to
th e
w ro
n g
p er
io d
P la
n t
re ce
iv in
g co
m p
a re
s sh
ip p
er s
d o
cu m
en t
to th
e re
ce iv
in g
re p
o rt
in
le g
a cy
sy st
em
S ig
n ed
a n
d d
a te
d
ev id
en ce
o f
re v
ie w
o n
re ce
iv in
g re
p o
rt
W ee
k ly
M a n
a g
em en
t
re v
ie w
D M
P la
n t
R ec
ei v
in g
P er
so n
n el
A P
la n
t L
a b
o r
tr a n
sa ct
io n
s
3 A
ct u
a l
la b
o r
co st
s
a re
p ro
p er
ly
re co
rd ed
C o
st o
f sa
le s
m a y
b e
m is
st a te
d o
r m
is cl
a ss
e d
S u
p er
v is
o r
re v
ie w
s d
a il
y la
b o
r a n
d -o
r
a d
ju st
m en
ts to
en su
re th
a t
la b
o r
is
b ei
n g
co d
ed a n
d p
ro p
er ly
d is
tr ib
u te
d
L a b
o r
sy st
em
re p
o rt
s a re
si g
n ed
a n
d d
a te
d
W ee
k ly
M a n
a g
em en
t
re v
ie w
P M
P la
n t
P a y
ro ll
C le
rk
A P
la n
t L
a b
o r
tr a n
sa ct
io n
s
4 L
a b
o r
ex p
en se
s a re
ca lc
u la
te d
a n
d co
d ed
co rr
ec tl
y
L a b
o r
ex p
en se
s m
a y
b e
m is
st a te
d
A cc
o u
n ti
n g
p er
so n
n el
v a li
d a te
s th
e
h o
u rl
y d
is tr
ib u
ti o
n to
en su
re h
o u
rs
a re
p ro
p er
ly a ll
o ca
te d
S ig
n a n
d d
a te
d
ev id
en ce
o f
re v
ie w
M o
n th
ly M
a n
a g
em en
t
re v
ie w
P M
A cc
o u
n ti
n g
P er
so n
n el
A P
la n
t L
a b
o r
tr a n
sa ct
io n
s
5 L
a b
o r
co st
s a re
p ro
p er
ly es
ti m
a te
d
C o
st es
ti m
a te
s m
a y
b e
in a cc
u ra
te
C o
n tr
o ll
er o
r S
r. A
cc o
u n
ta n
t
(d if
fe re
n t
th a n
p re
p a re
r o
f en
tr y
)
re v
ie w
s la
b o
r jo
u rn
a l
en tr
y to
en su
re
h o
u rs
a re
p ro
p er
ly re
v ie
w ed
fo r
a cc
u ra
cy
S ig
n a n
d d
a te
d
ev id
en ce
o f
re v
ie w
M o
n th
ly M
a n
a g
em en
t
re v
ie w
D M
B U
C o
n tr
o ll
er
A P
la n
t In
v en
to ry
tr a n
sa ct
io n
s
6 In
v en
to ry
is v
a lu
ed
a n
d re
co rd
ed
co rr
ec tl
y
T h
e v
a lu
e o
f in
v en
to ry
m a y
b e
m is
st a te
d .
In v
en to
ry tr
a n
sa ct
io n
s
m a y
b e
in co
m p
le te
,
in a cc
u ra
te ,
o r
p o
st ed
to
th e
w ro
n g
p er
io d
o r
a cc
o u
n t
M a te
ri a l
m a n
a g
em en
t co
m p
a re
s th
e
sh o
p o
rd er
s to
th e
m a te
ri a l
tr a n
sf er
d o
cu m
en ta
ti o
n .
A n
y si
g n
if ic
a n
t
is su
es a re
in v
es ti
g a te
d a n
d re
so lv
ed
S h
o p
o rd
er s
re p
o rt
is si
g n
ed a n
d d
a te
d
M o
n th
ly M
a n
a g
em en
t
re v
ie w
P M
M a te
ri a l
M a n
a g
em e n
t
A P
la n
t In
v en
to ry
tr a n
sa ct
io n
s
7 In
v en
to ry
is
re co
rd ed
to th
e G
/L
co m
p le
te ly
,
a cc
u ra
te ly
, a n
d
ti m
el y
In v
en to
ry tr
a n
sa ct
io n
s
a re
in co
m p
le te
, p
o st
ed
to th
e w
ro n
g p
er io
d ,
o r
n o
t a cc
u ra
te ly
re p
o rt
ed
in th
e G
/L
T h
e W
IP M
a te
ri a l
b a la
n ce
p er
O ra
cl e
is co
m p
a re
d w
it h
th e
le g
a cy
sy st
em
m o
n th
ly .
A n
y si
g n
if ic
a n
t v
a ri
a n
ce s
a re
in v
es ti
g a te
d a n
d re
so lv
ed
S ig
n ed
W IP
re co
n ci
li a ti
o n
M o
n th
ly R
ec o
n ci
li a ti
o n
P M
P la
n t
A cc
o u
n ta
n t
A B
U C
o st
o f
sa le
s 8
In v
en to
ry is
re co
rd ed
in th
e G
/L
co m
p le
te ly
,
a cc
u ra
te ly
, a n
d
ti m
el y
T h
e v
a lu
e o
f in
v en
to ry
m a y
b e
m is
st a te
d .
In v
en to
ry tr
a n
sa ct
io n
s
m a y
b e
in co
m p
le te
o r
p o
st ed
to th
e w
ro n
g
p er
io d
B U
C o
n tr
o ll
er re
v ie
w s
co st
o f
sa le
s
o n
a m
o n
th ly
b a si
s. A
n y
si g
n if
ic a n
t
is su
es a re
in v
es ti
g a te
d a n
d re
so lv
ed
E v
id en
ce
d o
cu m
en te
d in
m o
n th
ly ch
ec k
li st
w h
ic h
re fe
re n
ce s
se co
n d
a ry
d o
cu m
en ta
ti o
n
M o
n th
ly M
a n
a g
em en
t
re v
ie w
D M
B U
C o
n tr
o ll
er
The SOX compliance journey at Trinity Industries U Schultze 108
A P
la n
t R
ec o
n ci
li a ti
o n
9 In
v en
to ry
is v
a lu
ed
a n
d re
co rd
ed
co rr
ec tl
y
T h
e v
a lu
e o
f in
v en
to ry
m a y
b e
m is
st a te
d ,
in v
en to
ry tr
a n
sa ct
io n
s
m a y
b e
in co
m p
le te
o r
p o
st ed
to th
e w
ro n
g
p er
io d
A cc
o u
n ti
n g
p er
so n
n el
re v
ie w
s
in v
en to
ry o
n a
m o
n th
ly b
a si
s
co m
p a ri
n g
le g
a cy
sy st
em to
o ra
cl e
fo r
a ll
ca te
g o
ri es
. A
n y
si g
n if
ic a n
t
is su
es a re
in v
es ti
g a te
d a n
d re
so lv
ed
In v
en to
ry
re co
n ci
li a ti
o n
is
a p
p ro
v ed
a n
d fi
le d
in th
e m
o n
th en
d
b in
d er
M o
n th
ly M
a n
a g
em en
t
re v
ie w
D M
P la
n t
A cc
o u
n ta
n t
A P
la n
t P
ro d
u ct
co st
in g
1 0
In v
en to
ry ex
is ts
a n
d
is p
ro p
er ly
v a lu
ed
T h
e v
a lu
e o
f in
v en
to ry
m a y
b e
m is
st a te
d ,
in v
en to
ry tr
a n
sa ct
io n
s
m a y
b e
in co
m p
le te
o r
p o
st ed
to th
e w
ro n
g
p er
io d
A cc
o u
n ti
n g
p er
so n
n el
re v
ie w
s
p u
rc h
a se
p ri
ce v
a ri
a n
ce re
p o
rt to
co n
fi rm
in v
en to
ry is
p ro
p er
ly st
a te
d .
A n
y si
g n
if ic
a n
t is
su es
a re
in v
es ti
g a te
d a n
d re
so lv
ed
R ev
ie w
ed a n
d
si g
n ed
P u
rc h
a se
P ri
ce V
a ri
a n
ce
R ep
o rt
M o
n th
ly M
a n
a g
em en
t
re v
ie w
D M
A cc
o u
n ti
n g
P er
so n
n el
C B
U In
v en
to ry
tr a n
sa ct
io n
s
1 1
In v
en to
ry is
v a lu
ed
a n
d re
co rd
ed
co rr
ec tl
y
T h
e v
a lu
e o
f in
v en
to ry
m a y
b e
m is
st a te
d .
In v
en to
ry tr
a n
sa ct
io n
s
m a y
b e
in co
m p
le te
,
in a cc
u ra
te ,
o r
p o
st ed
to
th e
w ro
n g
p er
io d
M o
n th
ly d
u ri
n g
cl o
se a n
in te
rf a ce
is
ru n
b y
th e
IT O
p er
a ti
o n
s D
ep a rt
m en
t
th a t
re co
rd s
a ll
o f
th e
ra w
m a te
ri a l
tr a n
sa ct
io n
s th
a t
h a v
e o
cc u
rr ed
th ro
u g
h o
u t
th e
m o
n th
. A
n y
er ro
rs
a re
re so
lv ed
b y
th e
P la
n t
A cc
o u
n ta
n t
a n
d th
e P
la n
t IT
O p
er a ti
o n
s
in d
iv id
u a l.
O n
ce th
e er
ro rs
a re
re so
lv ed
th e
P la
n t
A cc
o u
n ta
n t
w il
l
n o
ti fy
IT O
p er
a ti
o n
s to
re -r
u n
th e
in te
rf a ce
S u
cc es
sf u
l
co m
p le
ti o
n o
f th
e
in te
rf a ce
is
d o
cu m
en te
d in
th e
P la
n t
M o
n th
ly
cl o
si n
g ch
ec k
li st
M o
n th
ly S
y st
em
co n
fi g
u ra
ti o
n
P S
B U
C o
n tr
o ll
er
A B
U In
v en
to ry
tr a n
sa ct
io n
s
1 2
In v
en to
ry is
re co
rd ed
in th
e
G /L
co m
p le
te ly
,
a cc
u ra
te ly
, a n
d
ti m
el y
T h
e v
a lu
e o
f in
v en
to ry
m a y
b e
m is
st a te
d .
In v
en to
ry tr
a n
sa ct
io n
s
m a y
b e
in co
m p
le te
o r
p o
st ed
to th
e w
ro n
g
p er
io d
B U
C o
n tr
o ll
er re
v ie
w s
su m
m a ry
in v
en to
ry b
a la
n ce
s o
n a
m o
n th
ly
b a si
s
S ig
n ed
a n
d
a p
p ro
v ed
b a la
n ce
sh ee
t o
r p
la n
t
lo ca
ti o
n s
sc h
ed u
le .
M o
n th
ly M
a n
a g
em en
t
re v
ie w
D M
B U
C o
n tr
o ll
er
A P
la n
t P
h y
si ca
l
in v
en to
ry
1 3
In v
en to
ry is
re co
rd ed
in th
e
G /L
co m
p le
te ly
,
a cc
u ra
te ly
, a n
d
ti m
el y
T h
e v
a lu
e o
f in
v en
to ry
is
m is
st a te
d o
r in
v en
to ry
d o
es n
o t
ex is
t
P h
y si
ca l
in v
en to
ri es
a re
p er
fo rm
ed
ev er
y 6
m o
n th
s. P
la n
t p
er so
n n
el
in v
es ti
g a te
a n
d re
so lv
e si
g n
if ic
a n
t
d is
cr ep
a n
ci es
. In
v en
to ry
sc h
ed u
le s
a re
p re
p a re
d b
y a cc
o u
n ti
n g
p er
so n
n el
, re
v ie
w ed
a n
d a p
p ro
v ed
b y
th e
B U
C o
n tr
o ll
er
P h
y si
ca l
in v
en to
ry
re co
n ci
li a ti
o n
a n
d
su p
p o
rt in
g
d o
cu m
en ta
ti o
n
S em
i-
a n
n u
a ll
y
R ec
o n
ci li
a ti
o n
D M
P la
n t
A cc
o u
n ta
n t
C P
la n
t P
h y
si ca
l
in v
en to
ry
1 4
P ro
ce d
u re
s fo
r
se g
re g
a ti
n g
th e
in v
en to
ry co
u n
t
p ro
ce ss
fr o
m th
e
re co
rd in
g o
f th
e
in v
en to
ry co
u n
t h
a v
e
b ee
n es
ta b
li sh
ed
In co
m p
le te
o r
u n
a u
th o
ri ze
d in
v en
to ry
a d
ju st
m en
ts ca
n im
p a ct
fi n
a n
ci a l
re p
o rt
s
A u
th o
ri ze
d u
se rs
w h
o p
er fo
rm
p h
y si
ca l
in v
en to
ry co
u n
ts a re
d if
fe re
n t
fr o
m th
o se
u se
rs ,
w h
o a re
a b
le to
en te
r co
u n
ts .
O n
ly a u
th o
ri ze
d
u se
rs h
a v
e th
e a b
il it
y to
p o
st th
e fi
n a l
co u
n t,
w h
er e
a p
p li
ca b
le
O b
se rv
er ch
ec k
li st
(C h
ec k
li st
w h
ic h
sh o
w s
se g
re g
a ti
o n
o f
d u
ti es
re v
ie w
)
S em
i-
a n
n u
a ll
y
S eg
re g
a ti
o n
o f
d u
ti es
P S
W a re
h o
u se
P er
so n
n el
A B
U L
a b
o r
tr a n
sa ct
io n
s
1 5
L a b
o r
co st
s a re
p ro
p er
ly es
ti m
a te
d
C o
st es
ti m
a te
s m
a y
b e
in a cc
u ra
te
T h
e st
a n
d a rd
la b
o r
ra te
a n
d o
v er
h ea
d
b u
rd en
ra te
is re
v ie
w ed
ev er
y 6
m o
n th
s. T
h e
B U
C o
n tr
o ll
er co
m p
a re
s
th e
cu rr
en t
st a n
d a rd
ra te
a n
d th
e
a v
er a g
e a ct
u a l
ra te
fo r
th e
st a n
d a rd
la b
o r
ra te
a n
d th
e o
v er
h ea
d b
u rd
en
ra te
. If
it is
d et
er m
in ed
th a t
th e
st a n
d a rd
ra te
n ee
d s
to b
e a d
ju st
ed ,
a
re q
u es
t is
su b
m it
te d
to th
e B
U
P re
si d
en t
fo r
a p
p ro
v a l
L a b
o r
a n
d b
u rd
en
a n
a ly
si s
is re
v ie
w ed
a n
d a p
p ro
p ri
a te
a p
p ro
v a l
w a s
o b
ta in
ed
S em
i-
a n
n u
a ll
y
M a n
a g
em en
t
re v
ie w
D M
B U
C o
n tr
o ll
er
The SOX compliance journey at Trinity Industries U Schultze 109
of the A controls assumed that C controls were in place. What if they were not? Without testing them periodically, how could Trinity be assured that there were no weaknesses in its control infrastructure?
Lastly, there was the question about the inevitable move to the IFRS. Even though it was unclear when the Security and Exchange Commission would require companies to report their financials under the international standard (deadlines ranging from 2011 to 2014 were rumored), it was certain that public companies would have to embark on another major compliance-motivated process and infor- mation technology change in the near future. How well prepared was Trinity for this change? How could the governance, information technology, and process infra- structures that had been developed as part of SOX compliance be leveraged for this imminent transition?
In 2008, there was much discussion about the differences between the US GAAP (Generally Accepted Accounting Principles) and IFRS. The international standard was frequently described as more principles-based than the rule-based GAAP. For instance, US GAAP contained a number of rules for classifying leases, whereas IFRS took a more holistic approach to lease classification, relying on accountants’ professional judgment to make a classification based on the substance of a given lease agreement. As principle-based frameworks make different interpretations of similar transactions possible, transitioning to IFRS had implications for an organization’s control activities. Given that controls were designed to ensure compliance with rules, a change in the underlying logic of lease classifica- tion, for instance, was highlight likely to require adjust- ments in a company’s control activities.
In addition, the experience of companies in regions of the world that had already converted to IFRS (e.g., Europe, Australasia, Latin America, and Africa), highlighted that the implications of moving to the new accounting standard was at least as great for companies’ information systems as it was for their accounting practices and internal controls. The need for new data, as well as changes in calculations and reporting required by IFRS, would ultimately have to be implemented in a company’s information systems. For this reason, some estimated that over 50% of IFRS conversion costs were related to IT.13
An example of the different ways in which US GAAP and IFRS treat fixed assets illustrates the IT implications of transitioning to the new accounting standard. Under GAAP, the total cost of a building was capitalized and depreciated over the life of the structure. The flow of information for this transaction was as follows: the real estate system fed the building cost to the fixed asset system, which then calculated the depreciation and fed it to the general ledger. In contrast, under IFRS, a building was decomposed into different asset components, for example, building, roof, fixtures, each of which was then depreciated over its useful life, for example, 40 years for a building, 10 years for a roof and so on. Thus, the real estate system would need to track and allocate the building cost to different compo- nents, and the fixed asset system would need to depreciate assets at different rates. These information systems would therefore not only need to accommodate new fields, but also new calculations, as well as new system and user interfaces.T
a b
le 9
C o n ti n u e d
C la
ss O
p er
a ti
n g
u n
it
S u
b p
ro ce
ss C
o n
tr o
l
re fe
re n
ce
O b
je ct
iv e
R is
k E
x is
ti n
g co
n tr
o l
E v
id en
ce F
re q
u en
cy C
O S
O
ca te
g o
ry
P /
D
S /
M
P ro
ce ss
o w
n er
C B
U P
ro d
u ct
co st
in g
1 6
In v
en to
ry b
a la
n ce
s
a n
d la
b o
r co
st s
a re
p ro
p er
ly es
ti m
a te
d
C o
st es
ti m
a te
s m
a y
b e
in a cc
u ra
te
S ta
n d
a rd
m a te
ri a l
p ri
ce s
a re
re v
ie w
ed ea
ch 6
m o
n th
s to
lo w
er o
f
co st
o r
m a rk
et o
r b
u y
er s
st a n
d a rd
b a se
d o
n co
n tr
a ct
p ri
ci n
g
S u
p p
o rt
fo r
lo w
er o
f
co st
o r
m a rk
et
ca lc
u la
ti o
n o
r
b u
y er
s st
a n
d a rd
b a se
d o
n co
n tr
a ct
p ri
ci n
g
S em
i-
a n
n u
a ll
y
M a n
a g
em en
t
re v
ie w
D M
B U
C o
n tr
o ll
er
A P
la n
t O
b so
le sc
en ce
1 7
In v
en to
ry is
re co
rd ed
in th
e G
/L
co m
p le
te ly
,
a cc
u ra
te ly
, a n
d
ti m
el y
O b
so le
te in
v en
to ry
m a y
n o
t b
e id
en ti
fi ed
ti m
el y
.
In v
en to
ry m
a y
b e
u n
d er
/o v
er st
a te
d
M a te
ri a ls
M a n
a g
er a n
a ly
ze s
o b
so le
te /
su rp
lu s
in v
en to
ry p
er th
e su
rp lu
s
in v
en to
ry p
ro ce
d u
re is
su ed
o n
S ep
te m
b er
1 2
0 0
5
E v
id en
ce o
f re
v ie
w
o f
th e
o b
so le
te /
su rp
lu s
a n
a ly
si s
b y
M a te
ri a ls
M a n
a g
er
a n
d jo
u rn
a l
en tr
y
su p
p o
rt a s
a p
p li
ca b
le
Q u
a rt
er ly
M a n
a g
em en
t
re v
ie w
D M
M a te
ri a ls
M a n
a g
er
The SOX compliance journey at Trinity Industries U Schultze 110
T a b
le 1 0
In v e n to
ry m
a n a g e m
e n t
c o n tr
o ls
e lim
in a te
d in
T ri n it y
F re
ig h t
C a r
(2 0 0 6 )
C o
n tr
o l
re fe
re n
ce C
la ss
O b
je ct
iv e
R is
k E
x is
ti n
g co
n tr
o l
C h
g co
n tr
o l
# C
h a
n g e
co n
tr o
l n
o te
s
7 A
In v
en to
ry is
re co
rd ed
to th
e G
/L co
m p
le te
ly ,
a cc
u ra
te ly
, a n
d ti
m el
y
In v
en to
ry tr
a n
sa ct
io n
s a re
in co
m p
le te
, p
o st
ed to
th e
w ro
n g
p er
io d
, o
r n
o t
a cc
u ra
te ly
re p
o rt
ed in
th e
G /L
T h
e W
IP M
a te
ri a l
b a la
n ce
p er
O ra
cl e
is co
m p
a re
d w
it h
th e
le g
a cy
sy st
em m
o n
th ly
. A
n y
si g
n if
ic a n
t v
a ri
a n
ce s
a re
in v
es ti
g a te
d a n
d re
so lv
ed
Q 2
-2 0
0 6
- C
n tr
lI m
p -4
9 In
v en
to ry
T ea
m R
ec o
m m
en d
a ti
o n
: R
em o
v a l
o f
th is
co n
tr o
l R
ea so
n :
C o
v er
ed b
y In
v en
to ry
C o
n tr
o l
# 9
, m
o n
th ly
su b
-l ed
g er
to O
ra cl
e re
co n
ci li
a ti
o n
. M
it ig
a te
d b
y In
v en
to ry
C o
n tr
o l
# 1
3 ,
p h
y si
ca l
in v
en to
ry re
co n
ci li
a ti
o n
. M
it ig
a te
d b
y m
o n
th -e
n d
co n
tr o
ls #
4 a n
d 5
, fi
n a n
ci a l
st a te
m en
t re
v ie
w a n
d a n
a ly
si s,
in cl
u d
in g
b a la
n ce
sh ee
t re
v ie
w a n
d m
a rg
in a n
a ly
si s
8 A
In v
en to
ry is
re co
rd ed
in th
e G
/L co
m p
le te
ly ,
a cc
u ra
te ly
, a n
d ti
m el
y
T h
e v
a lu
e o
f in
v en
to ry
m a y
b e
m is
st a te
d .
In v
en to
ry tr
a n
sa ct
io n
s m
a y
b e
in co
m p
le te
o r
p o
st ed
to th
e w
ro n
g p
er io
d
B U
C o
n tr
o ll
er re
v ie
w s
co st
o f
sa le
s o
n a
m o
n th
ly b
a si
s. A
n y
si g
n if
ic a n
t is
su es
a re
in v
es ti
g a te
d a n
d re
so lv
ed
Q 2
-2 0
0 6
- C
n tr
lI m
p -5
0 In
v en
to ry
T ea
m R
ec o
m m
en d
a ti
o n
: R
em o
v a l
o f
th is
co n
tr o
l R
ea so
n :
C o
v er
ed b
y m
o n
th -e
n d
co n
tr o
ls #
4 a n
d 5
, fi
n a n
ci a l
st a te
m en
t re
v ie
w ,
p a rt
ic u
la rl
y g
ro ss
p ro
fi t,
p ro
d u
ct ,
a n
d m
a rg
in re
v ie
w s.
M it
ig a te
d b
y fo
re ca
st to
a ct
u a l
v a ri
a n
ce a n
a ly
si s,
es p
ec ia
ll y
co st
a n
d m
a rg
in a n
a ly
si s.
M it
ig a te
d so
m ew
h a t
b y
In v
en to
ry C
o n
tr o
l #
1 3
– p
h y
si ca
l in
v en
to ry
re co
n ci
li a ti
o n
, a n
d #
1 6
– m
a te
ri a l
st a n
d a rd
s re
v ie
w .
R em
o v
es re
d u
n d
a n
t co
n tr
o l.
R ed
u ce
s ri
sk o
f fa
il u
re .
R ed
u ce
s co
st o
f co
m p
li a n
ce
1 2
A In
v en
to ry
is re
co rd
ed in
th e
G /L
co m
p le
te ly
, a cc
u ra
te ly
, a n
d ti
m el
y
T h
e v
a lu
e o
f in
v en
to ry
m a y
b e
m is
st a te
d .
In v
en to
ry tr
a n
sa ct
io n
s m
a y
b e
in co
m p
le te
o r
p o
st ed
to th
e w
ro n
g p
er io
d
B U
C o
n tr
o ll
er re
v ie
w s
su m
m a ry
in v
en to
ry b
a la
n ce
s o
n a
m o
n th
ly b
a si
s
Q 2
-2 0
0 6
- C
n tr
lI m
p -5
2 In
v en
to ry
T ea
m R
ec o
m m
en d
a ti
o n
: R
em o
v a l
o f
th is
co n
tr o
l R
ea so
n :
C o
v er
ed b
y m
o n
th en
d co
n tr
o ls
# 4
a n
d 5
, fi
n a n
ci a l
st a te
m en
t re
v ie
w ,
p a rt
ic u
la rl
y b
a la
n ce
sh ee
t tr
en d
s. M
it ig
a te
d b
y fo
re ca
st to
a ct
u a l
v a ri
a n
ce a n
a ly
si s,
es p
ec ia
ll y
in v
en to
ry v
a ri
a n
ce s.
M it
ig a te
d so
m ew
h a t
b y
In v
en to
ry C
o n
tr o
l #
1 3
– p
h y
si ca
l in
v en
to ry
re co
n ci
li a ti
o n
, a n
d #
1 7
– su
rp lu
s in
v en
to ry
re v
ie w
. R
em o
v es
re d
u n
d a n
t co
n tr
o l.
R ed
u ce
s ri
sk o
f fa
il u
re .
R ed
u ce
s co
st o
f co
m p
li a n
c e
The SOX compliance journey at Trinity Industries U Schultze 111
Case study discussion questions
(1) Don Collum described Trinity as a likely candidate for a material weakness in the first year of SOX compliance. What were the factors critical to Trinity’s ultimate success in its first year of compliance?
(2) In the design of their controls in year 1, Trinity relied on a practice-based, bottom-up approach. What were the strengths and weaknesses of this approach? How
effective was it? What would you recommend they should have done differently in year 1?
(3) In 2008, how could Trinity further reduce SOX-related expenses? For each of your recommendations, be sure to take the barriers Trinity would face into account?
(4) How well do you think Trinity’s 2008 governance, information technology and process infrastructure will serve the organization with respect to new finance- related legislation, such as IFRS?
Table 12 IT SOX control framework with examples
Control # Control category
Change management and projects 9 A formal process for emergency changes is in place to help ensure they are appropriately
authorized before promotion to production
Administrative 35 All third-party providers’ services are identified and formal contracts are in place
Operations 66 Backup copies of data files and programs are taken and rotated off-site regularly
Backup schedules are documented
Physical access 46 Access to the Trinity Corporate Campus is controlled and monitored by badge access, security guard,
and security cameras
System access 38 Programmers do not have access to production. Procedures outlining exceptions have been developed
Only non-programmers can migrate changes to production
Security 40 Logical access controls are applied. These include restricted number of sign-on attempts,
automatic password changes, and minimum length of passwords
Table 13 IT controls (2005–2007)
Year Total IT controls IT SOX controls tested IT gaps
2005 555 316 48 2006 180 156 7 2007 125 138a 1
aThe total number of IT controls tested in 2007 was greater than the IT SOX controls because the auditors included control tests for a SAS70 audit, which is a certification of SOX compliance that providers of outsourcing services presents to their clients for the clients’ SOX certification. Since Trinity’s railcar leasing services was providing outsourced information processing services to its customers, Trinity needed to complete a SAS70 audit.
Table 11 Controls tested and maintained in Freight Car Group (2004–2007)
2004 2005 2006 2007
BU-level controls 8 7 9 6 Plant-level controls 7 10 4 8 A controls 14 14 6 7 C controls 1 3 7 7 Controls Tested 81 109 50 70 Controls Maintained 81 127 115 127
The SOX compliance journey at Trinity Industries U Schultze 112
Notes
1 If an internal control is thought to be ineffective and it is deemed that there is more than a remote likelihood that its deficiency will stop the organization from preventing or detecting a material misstatement in a company’s financial statements (e.g., a $100 million overstatement of annual revenues in a $500 million company), it is classified as a material weakness. As such, material weaknesses signal a company’s failure to achieve SOX compliance.
2 This number excludes the 128 Transit Mix locations, which act as material depots for the concrete trucks that then pick up sand, gravel, and cement to be mixed en route to the delivery point.
3 Source: ‘The Legend of Trinity Industries Inc.’ by Jeffrey L. Rodengen, 2000. Write Stuff Enterprises.
4 Title 15 of the United States Code. 5 COSO stands for the ‘Committee Of Sponsoring Organiza-
tions of the Treadway Commission,’ a nonprofit commission that in 1992 established a common definition of internal control and created a framework for evaluating the effective- ness of internal controls. The framework defines internal controls in terms of the following five interrelated compo- nents: (1) Control Environment: The integrity and ethical values of the company, including its code of conduct, involvement of the Board of Directors and other actions that set the tone of the organization; (2) Risk Assessment: Management’s process of identifying potential risks that could result in misstated financial statements and developing actions to address those risks; (3) Control Activities: These are the activities usually thought of as internal controls; (4) Information and Communication: The internal and external reporting process and includes an assessment of the technology environment; and (5) Monitoring: Asses- sing the quality of a company’s internal control over time and taking actions as necessary to ensure it continues to address the risks of the organization.
6 A deficiency in internal controls exists when the design or operation of a control activity does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis.
7 IT controls are typically classified as pervasive or general controls because they cover the environment within which multiple applications and business processes operate. Exam- ples of IT controls include managing users’ access to different systems and ensuring network availability or uptime. In contrast, application or business process controls are specific to the activities supported by the application or business process. For instance, in inventory management, checking that the good delivered were in fact ordered, constitutes a business process or – to the extent that this control activity is automated – an application control.
8 The Information Systems Audit and Control Association (ISACA) is an organization focused on developing standards, guidance and education for information systems audit and governance. It serves primarily information governance, control, security and audit professionals.
9 Certified Information Systems Auditor (CISA) is a professional certification managed and issued by ISACA.
10 By KPMG’s estimates, it took 160,000 h of internal work to perform SOX controls in year 1 of SOX compliance at Trinity.
11 Traditionally, evidence of a manual control activity took the form of a signed or initialed paper document; however, neither SOX nor the external auditor required paper-based documen- tation.
12 The Control Objectives for Information and related Technol- ogy (COBIT) can be seen as IT’s equivalent of COSO. Developed by ISACA and the IT Governance Institute (ITGI) in 1996, it is a framework intended to guide IT governance in organizations.
13 KPMG Report: ‘The Effects of IFRS on Information Systems’ 2008.
About the author Ulrike Schultze is an Associate Professor in Information Technology and Operations Management at Southern Methodist University. Her research explores the impact of information technology on work practices. Dr. Schultze frequently relies on multi-method research designs, which include ethnographic observations, interviews and surveys. Her research has been published in, among others, ISR, MIS Quarterly, JIT, Information & Organizations.
The SOX compliance journey at Trinity Industries U Schultze 113