07 Aug Enterprise Compliance Management Issues with Assets
Enterprise compliance management of corporate assets or equipment is a daunting challenge for most companies, especially when there is a large volume of assets or when those assets are continually being moved between departments, buildings or multiple trading partners. However, in today’s regulatory environment it has become more important than ever for companies to maintain traceability and control of their fixed and mobile assets.
For example, it is critical to have complete traceability of a company’s assets when they are moved or when they change status, while still being able to manage unplanned events. When assets go missing from a shipment or even within a facility, a large amount of time is wasted while employees try to track them down to update the corporate records. Wasted time is wasted money and introduces inefficiency into an otherwise efficient operation.
On top of the internal problems that untraceable assets create for a corporation comes the need to comply with government regulations.
Sarbanes-Oxley Act of 2002
The Sarbanes-Oxley Act of 2002 (SOX) is a stringent and extensive set of business regulations that seek to restore public and investor confidence in public companies by requiring these corporations to create auditable business processes for improved financial transparency and strong internal operational controls.
Under the Sarbanes-Oxley regulations, CEOs and CFOs must personally certify the integrity of financial reports, as well as the procedures and systems used to create them. Public accounting firms must also attest to the validity of the financial reports and assessments. Both executives and their accounting firms can be held criminally liable for accounting inaccuracies, making the stakes higher than ever for everyone involved in financial reporting.
Sarbanes-Oxley Regulates Public Companies
Sarbanes-Oxley applies to public companies that are registered with the Securities and Exchange Commission. Most of these companies are headquartered in the United States, but a number of foreign companies with significant operations in the US are also affected.
Sarbanes-Oxley and Private Companies
Although private companies are not required to comply with Sarbanes-Oxley, there are excellent reasons for them to consider its implications. Any private company that strives to go public in the future will become subject to the act upon filing a registration statement with the SEC in anticipation of an IPO. Additionally, any company that might be acquired by a public company or that has significant business partnerships with public corporations will need to assess the impact of Sarbanes-Oxley on future and current business relationships. Many private companies are already implementing “best practice” aspects of Sarbanes-Oxley on their own for these very reasons.
Section 404 of the Sarbanes-Oxley Act requires executives of public companies to include an assessment report of the effectiveness of internal controls over financial reporting, including IT controls, when submitting their annual reports to the SEC.
Section 404 also refers to internal controls as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), although it does not require that a company use the COSO framework in order to create the assessment of internal controls. Some IT organizations are choosing to adopt the Control Objectives for Information and Related Technology (COBIT) framework for guidance about how to approach assessment and testing of IT related internal controls. The Public Company Accounting Oversight Board (PCAOB) (established by the Sarbanes-Oxley Act) released guidelines for auditors that discuss IT internal controls in March 2004.
By establishing and documenting internal controls, companies can attest to the validity and integrity of financial information from the time such information enters the company to the completion of the annual report each year. The SEC also requires that each company’s external auditor audit these controls and document any material weaknesses the audit firm discovers.
The “assessment of internal controls” report was created to assure the SEC as well as investors that a company has the necessary procedures and controls in place to adequately ensure the integrity of their financial data. When applied to technology, this implies that financial data must be secured from threats of unauthorized access, inappropriate changes and data corruption.
In 1996, the US Congress passed the Health Insurance Portability and Accountability Act (HIPAA). It created, for the first time, a set of generally accepted security standards and requirements for protecting health information.
In 2009, the scope and depth of HIPAA were extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Both HIPAA and HITECH implement strict standards regulating information security and privacy.
While HIPAA/HITECH may be a substantial advancement in the security of healthcare information, they also create several challenges for companies, including tracking regulatory changes, extensive documentation and the need for a company-wide approach toward compliance management, to name a few.
An accurate inventory of fixed assets is the core of solid financial reporting of corporate assets. Without it, all downstream internal controls can do nothing to resolve inaccuracies created when assets which have been lost, stolen or taken out of service continue to be depreciated and reported.
In order to establish an accurate physical inventory of all fixed assets, a company must ensure that the inventory is conducted using the same method at all locations. It is also crucial to have solid procedures in place for reconciling the inventory data against your existing fixed asset records. However, fixed asset managers who continue the outdated practice of conducting inventories by spending tedious hours surveying corporate assets with a clipboard, then re-keying the data into a spreadsheet, are wasting enormous amounts of time and money.
A far better method for having complete control over your inventory is to use a barcoding system on each fixed asset as it is placed in service. This method greatly reduces errors in ensuing physical inventories of assets. Inventories can be conducted quickly and efficiently using barcode scanners.
RFID technology tracks the physical location and movement of assets and inventory. RFID can help track the installation, maintenance, upgrade, movement and decommissioning of fixed assets. It can also monitor a “chain of custody” through the manufacturing and distribution process. Essentially, RFID can help companies establish an audit trail of ownership rights and physical location, which can help companies better account for their assets.
Companies can assign each asset a unique item number that can be stored in a company’s database to provide a complete asset life cycle history. From that point, every assigned asset can carry information such as its acquisition date, location, current value, billed account, warranty, purchase order, contract maintenance, insured value and depreciation schedule.
With the use of RFID technology, businesses can create a complete, low cost, real-time asset management system that ensures performance and reliability. The high storage capacity provides the ability to store all of the asset management information, not only to support operational efficiency and improved asset utilization but also to aid in financial auditing and reporting for better compliance with the Sarbanes-Oxley Act.
Ensure Asset Reporting Accuracy
While compliance with Sarbanes-Oxley, HIPAA/HITECH and other regulatory requirements is both challenging and frustrating for many companies, it also provides an opportunity for companies to achieve a new level of better practices and integrity in financial reporting. Ultimately, ensuring the complete accuracy and reliability of the people, data, and systems that form financial results will enable companies to be better managed and will provide executives with better insight into their organizations. Companies can be greatly aided in their Section 404 compliance efforts when financial applications contain features that support security, data accuracy and integrity, reliable reporting systems and reliable disaster recovery.