
Questions:

#6A: Realism of recommendations for Target

Which of the author's recommendations are realistic for a company like Target?

#6B: Comparison with Trinity

In a general sense, how does the apparent success of implementing controls at Trinity compare to what was described at Target?

Case Reading:

In his office overlooking the Trinity River flats in Dallas, TX, Don Collum, VP and Chief Audit Executive at Trinity Industries, was about to chair his weekly meeting with KPMG partner, Jarrod Bassman, who had been overseeing the KPMG engagement for Sarbanes-Oxley Act (SOX) compliance at Trinity since 2003. It was mid-January 2008, and the external audit report regarding Trinity's SOX compliance for the year ending December 2007 was on the meeting agenda. Once again they could pat themselves on the back: for the fourth year in a row, Trinity passed its SOX audit without material weaknesses.[1]

Reflecting on Trinity's SOX compliance journey, Don identified numerous accomplishments. In October 2003, when he first began consulting with Trinity Industries on their SOX initiative, he described the company as a 'candidate of a company that could have had a material weakness as defined by SOX' even though it was a highly successful, well-run and disciplined organization that consistently delivered shareholder value through growth and had never had cause to restate its earnings. But when it came to SOX compliance, Trinity faced the same challenges that most companies did, namely a general lack of process and control documentation and of evidence that controls had been performed. In addition, Trinity's operations were highly diversified and decentralized, and their information systems were fragmented. Trinity had forgone the implementation of an integrated enterprise system even during the Y2K scare, citing the unique nature and requirements of its 22 business units (BUs). This meant that the company relied on its three versions of BPCS, a Business Planning and Control System, for cost accounting and production scheduling in its approximately 70 plants.[2] Even though the different versions all ran on the AS/400 computing platform, they were nevertheless operating in seven different control environments; that is, different IT organizations were maintaining them and the implementations had been customized to varying degrees. As a result, a separate set of controls had to be developed, maintained and tested for each of these control environments.

Despite these challenges, all their SOX compliance audits had identified no material weaknesses at Trinity. Furthermore, the number of SOX controls Trinity tested had halved from year to year (see Table 1 (See PDF)), thereby decreasing the compliance costs.

But this was not a time to rest on their laurels. Don, who became Trinity's Chief Audit Executive in May 2004, was aware of a number of challenges that Trinity would have to tackle, and he wanted to set some specific goals that would guide their SOX work for 2008. One pressing issue was the further reduction of audit costs. There was a general consensus within the audit group that the approximately 500 controls that Trinity had tested for the last 2 years represented as lean a control infrastructure as the company could muster without undergoing significant IT change. Should Trinity implement an ERP system after all? Should they try to emulate a leading global manufacturer that claimed to test only 25 controls for SOX thanks to a single-instance ERP system representing global operations? Or were there other cost-reduction alternatives Trinity could pursue?

Another issue related to the International Financial Reporting Standards (IFRS). It was clear that IFRS legislation would be passed in the United States; the only question was when. For Trinity, this raised questions about when and how to prepare for it.

Company background

Trinity Industries was born out of the 1958 merger between Trinity Steel and Dallas Tank, both struggling propane tank companies located in Dallas. W Ray Wallace, who was hired as an engineer and the 17th employee at Trinity Steel in 1946,[3] became Trinity Industries' first CEO. He led the company for 40 years, turning the struggling propane tank manufacturer into a US$2.4 billion provider of diversified products and services to the industrial, energy, transportation, and construction sectors.

In July 1998, Timothy Wallace, Ray's son, took over the helm as CEO of Trinity Industries. He joined Trinity in 1976, the year he graduated with a B.B.A. from Southern Methodist University. Working his way from the ground up and gaining first-hand experience with the various Trinity businesses provided Tim with the kind of in-depth knowledge he needed to lead the company and grow it into the $3.8 billion enterprise it became in 2007.

Trinity manufactured freight and tank rail cars to transport dry cargo and liquefied or pressurized commodities, respectively, dry-cargo and tank barges, propane tanks, highway guardrail and crash cushions, and structural wind towers. Strategically, Trinity sought to hold a leadership position in each of its markets. Thus, Trinity Rail combined the resources of the leading manufacturer of railcars in North America. Trinity's Marine Products group was the largest manufacturer of inland barges and fiberglass covers for barges in the United States. Furthermore, Trinity's Highway Products group was the only full-line manufacturer of highway guardrail and crash cushions in the United States.

The company also provided concrete and aggregates, which they mined themselves, to the construction industry. Transit Mix Concrete & Materials Company, Trinity Materials Inc. and Armor Materials Inc. were leading producers of concrete, aggregates, and asphalt in Texas. Despite Trinity's manufacturing focus, the Railcar Leasing group was one of its fastest growing businesses and a leading provider of railcar leasing and management services. It offered a variety of railcar leasing options, including full service, net, and per diem leases on either new railcars built by Trinity's Rail group or railcars from the Leasing group's lease fleet.

With manufacturing facilities in the United States and Mexico, Trinity had 14,400 employees working in 22 BUs in 2007. The BUs were grouped into five principal groups or lines of business (LOB) for financial reporting purposes: the Rail Group, the Railcar Leasing and Management Services Group, the Inland Barge Group, the Construction Products Group, and the Energy Equipment Group (see Table 2 (See PDF) for short profiles on each LOB). The Rail Group was the largest, employing about half of Trinity's workforce and generating 39% of its revenues.

Trinity's leadership consistently focused on being a premier, multi-industry growth company, a vision that it generally achieved. For instance, since 2005, revenues had increased by 19% a year (see Tables 3 (See PDF) and 4 (See PDF) for more details on Trinity Industries' recent financial performance).

The SOX of 2002

Enacted as a federal law in June 2002, SOX was a response to the corporate and accounting scandals perpetrated by companies like Enron, WorldCom, and Adelphia Communications. These scandals not only cost investors billions of dollars, but also shook the public's confidence in the nation's securities markets. In an act consisting of 11 sections, SOX legislated, among other things, enhanced financial reporting standards for public companies, officers' individual responsibilities for the accuracy of corporate financial reports, and an oversight body, the PCAOB, to regulate public accounting companies in their capacity as external auditors.

Public companies were given until December 2004 to comply with SOX. For most, this meant implementing two key provisions of the act: Section 302, which dealt with the internal certification of controls, and Section 404, which focused on the assessment of internal controls. Section 302 mandated a set of internal procedures designed to ensure accurate financial disclosure. The signing officers had to certify that they were 'responsible for establishing and maintaining internal controls' and had 'designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared' (15 U.S.C.[4] 7241(a)). The officers had to 'have evaluated the effectiveness of the company's internal controls as of a date within 90 days before the report' and 'presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date.'

Section 404 required management and the external auditor to report on the adequacy of the company's internal control over financial reporting. This was the most costly aspect of the legislation for companies to implement, due to the effort involved in documenting and testing manual and automated controls. Management was also required to produce an 'internal control report' that acknowledged 'the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting' (15 U.S.C. 7262(a)). The report also had to 'contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.' Managers generally adopted an internal control framework, such as COSO,[5] for this assessment.

2003Q3-2004Q4: year 1 of the SOX compliance journey

During the time that SOX legislation was making its way through Congress, Trinity was making significant changes to its financial reporting processes. It reengineered financial reporting and standardized on one financial reporting system. This meant that the 22 financial reporting processes - one per BU - were replaced with one centralized process. This involved replacing the four general ledger packages running at Trinity with one instance of Oracle Financials. It was estimated that the Oracle project saved Trinity $0.5 million annually in SOX compliance expenses.

In addition, Trinity developed the Accounting Service Center (ASC), which provided centralized, outsourced services for routine, organization-wide transaction processing such as billing, payroll, and AP. Thus, instead of individual BUs processing their own accounts payable transactions, these accounting transactions were completed centrally and, by implication, standardized. Even though the ASC was run and operated by an independent service provider, most of its Trinity-related operations were housed on the Trinity campus in Dallas.

While the co-location strengthened Trinity's ability to assess the outsourcer's controls, the up-front, data capture work was eventually moved to India for an additional 20% cost savings. This required an annual compliance audit by a Trinity representative at the outsourcer's facilities in India.

Even though the $28 million Oracle initiative was instigated primarily to improve reporting effectiveness, that is, facilitate more timely closing of books and improve the availability of financial information, Chas Michel, Trinity's Chief Accounting Officer, highlighted that the project was given priority in anticipation of SOX:

You knew the legislation was coming and you had kind of an idea of when. You could see it. Clearly it was going to happen.

Jake Farkas, Director of Finance and Accounting, led both the Oracle Financials and ASC outsourcing initiatives. Relying on a rigorous project management approach, organizational structures like a steering committee and a project management office (PMO), and expertise from consulting resources, both projects were successfully implemented in April 2003. Both were on time and within budget. This was a considerable accomplishment especially in light of the challenges Trinity had previously experienced with large-scale IT projects and the deep-seated resistance organizational members harbored toward outsourcing.

The project team learned valuable lessons from the Oracle and ASC projects, including the importance of project management and change management. The team's careful analysis of the financial processes in the various BUs also highlighted the lack of process and control documentation throughout the organization. It became increasingly clear that when it came to SOX compliance, Trinity had a lot of work to do.

Even though he was part of the Finance organization, Jake was tapped to lead the SOX compliance project, in large part because Trinity's internal audit group consisted of only two people. Leveraging the existing project team and the lessons learned from the Oracle and ASC initiatives, he formed both a PMO and a steering committee to oversee the project. The steering committee reported to the CFO, was led by the CAO, and its members included the BU CFOs as well as representatives from Internal Audit, KPMG, and E&Y, the external auditor.

Jake secured advisory knowledge from KPMG and directed them to approach the compliance effort from a project management perspective. The KPMG team did just that and outlined the following project phases (see Figure 1 (See PDF) for a Gantt chart):

Project scoping

The purpose of this project-scoping phase was to build a project methodology, to develop a common language among the participants (i.e., E&Y, KPMG, and the Trinity steering committee), to estimate the project's size, and to determine the right level of documentation. In order to estimate the size of the SOX project, the steering committee assessed the degree to which key processes (see Table 5 (See PDF) for a list of process areas) were standardized and/or centralized. Their analysis revealed that there were numerous processes that were conducted in multiple locations and would therefore have to be documented, controlled, and tested in multiple control environments. This information was then used to estimate the total number of hours and average FTEs required throughout the project's life cycle.

In order to gain insight into the amount of time and effort process and control documentation would require and the kinds of control gaps Trinity should anticipate, the KPMG team led pilot SOX projects in two manufacturing BUs: a Highway Safety facility in Lima and a Marine Tank-Barge facility in Madisonville. The BUs were chosen for their representativeness of different manufacturing operations at Trinity and their relative difference with regard to the products they produced. Table 6 (See PDF) summarizes the control and gap profile that the pilots yielded.

The majority of gaps were related to the documentation of control activities such as management reviews of monthly/quarterly financial statements or reconciliations among various accounts.

Project planning, tool set-up, team identification, and training

This phase saw the fleshing out of the project Gantt chart and included a process risk assessment for individual BUs to prioritize processes and controls for documentation. In addition, KPMG helped Trinity build and populate a database application. This application served as a central repository for all SOX controls and allowed Trinity to track each control's testing history and any changes made to it over time. Although the descriptions of the controls were published on the Trinity intranet, their history and testing status were not.

In this phase, KPMG also assisted the steering committee in developing and training the documentation teams on the templates they would be using for the project. The three primary documents were flowcharts and matrices for controls, and gap-analyses. In addition, a control catalog that outlined a numbering scheme for controls by specific processes was developed. Since each of the BUs would document their own processes and controls, the catalog numbering scheme would help identify and organize the controls.

Documentation of processes and controls

Having identified where in the organization each of the key processes were performed and controlled, that is, at Corporate, ASC, Group or individual BU, the documentation of processes and controls began. This work fell to documentation teams consisting of KPMG advisors, members of Trinity's internal audit group, and BU controllers. The team would interview the organizational members to understand their processes and controls. These were then documented in flowcharts and control matrices, and shared with the organizational members for correction and feedback. The focus of this project phase was to identify the AS-IS state of processes and controls through a bottom-up analysis of the organization's work practices.

Comparison of controls and expectations to identify gaps

Although the documentation phase had focused on the AS-IS processes and controls, the documentation teams had nevertheless noted gaps between the AS-IS practices and a SOX-compliant (or TO-BE) way of operating. In this fourth project phase, the documentation teams focused on these gaps by completing gap-analysis matrices for controls with gaps. A control gap might be the lack of corrective controls around inventory adjustments, for example, adjustments made to the BPCS system after a physical stock count. A documentation-related control gap might be noted if an employee initialed a checklist as evidence that all the transactions on the checklist, for example, a number of reconciliations, had been completed. For proper evidence that the control activity had been completed, each transaction (or reconciliation) had to be initialed separately.

In addition to describing these gaps, the gap-analysis template required the team to note additional control activities that would mitigate the risk of each control gap, an indicator of the impact's severity (i.e., high, medium, or low), and a recommendation for dealing with the control gap. Also, instead of just documenting the gaps, the team began remediating them whenever possible. As many of the gaps were documentation related, remediation frequently took the form of educating the control owners in the evidentiary expectations of SOX-related documentation.

By mid-December 2003, the gap analysis had identified 1249 control activities and 265 gaps. Of these gaps, 172 were related to documentation and none of them were classified as high priority.

Self-assessment and test plan design

In order to support management's assertion regarding the effectiveness of internal controls, Trinity had to establish a self-assessment process that would increase accountability. This process assigned and managed control owners for every control in perpetuity.

The steering committee designed a process whereby Control Certification Letters (or 'Representative Letters') were automatically generated and mailed to each control owner on a quarterly basis. These letters asserted that the control owner was accountable for the effectiveness of the internal control assigned to him/her. Depending on reporting structures, these letters needed to be signed and returned to the BU controllers, the Group CFO or the internal audit department. This process was effective at tracking changes in control ownership as it regularly alerted Trinity if control ownership responsibilities had not been reassigned as people left the company or changed jobs, for instance.

As part of test planning, the steering committee oversaw the classification of control activities into A, B, and C controls. 'A' controls were key or primary controls that would always be tested for SOX compliance. 'B' controls represented back-up controls that Trinity would rely on when the primary controls failed. 'C' controls were controls that were related, but not central, to SOX compliance. In June 2004, Trinity's 1573 control activities broke down as shown in Table 7 (See PDF).

Control redesign to close gaps

In order to remediate the gaps identified, the documentation teams worked with Corporate, the BU controllers and the Group CFOs to gain agreement on each gap, its impact and mitigating control activities. Then they developed an action plan for correcting each control gap. This plan addressed what corrective action needed to be taken, who was responsible for gap closure and when it was going to be implemented. Gap closure was being monitored on an ongoing basis by the steering committee that met weekly during the course of 2004. Furthermore, gap closures would be validated during the internal validation testing planned for March to June 2004. By end of June 2004, all except three of the 280 documentation gaps had been closed.

Training

The steering committee sponsored four levels of training: (i) high-level guidance on SOX for senior executives, (ii) training on COSO for the 50-70 controllers in Trinity, (iii) SOX documentation training for the various documentation teams, and (iv) control owner training.

This training phase was also a part of the change management activities that most large-scale, organization-wide projects require. However, Jake Farkas noted that there was one key difference between a regulatory project such as SOX compliance and an organizational process improvement initiative like the Oracle and ASC projects: since the former were compulsory, there was less need to convince people of the urgency and necessity of a change. Even though there was a considerable need to educate the members of the organization, particularly control owners, on the documentation and evidentiary requirements for SOX, in contrast to the Oracle and ASC projects, Trinity did not feel the need to hire a full-time change management consultant for the SOX project.

Monitor - test of control and/or control self-assessment

This project phase represented the internal audit phase of the SOX compliance audit. Not only were the control activities tested, but so was the self-assessment process. By the end of June 2004, 1803 control activities had been tested and 284 testing gaps were identified, of which 226 were closed. The causes of these gaps were fairly evenly split between issues of operating effectiveness and documentation. Common testing gaps related to the lack of maintenance of the SOX binders that had been created for each control, insufficient evidence of timely reviews, insufficient exercise of change controls, and a 'check the box' mentality (rather than a fulfillment of the spirit of the control). By the end of the year, 2440 controls had been tested and 327 testing gaps had been identified.

Management assertion

Right from the beginning of the SOX compliance project, Trinity had set a target for being in a position to complete the management assertion by 30 June 2004, even though the assertion was only due on 31 December 2004. This early deadline would give Trinity an opportunity to fix any key weaknesses identified during the course of preliminary testing by the real deadline.

External auditor evaluation and attestation of internal controls

Even though the external auditor only started testing in Q3 2004, the SOX steering committee included a representative from E&Y. Trinity thus had the benefit of E&Y's interpretation of the SOX legislation throughout their decision-making. This was particularly important in light of the fact that SOX provided little guidance and the public accounting companies were developing the standards for SOX compliance in an emergent fashion and by comparing their standards of control effectiveness with their competitors'. For instance, when PwC announced that spreadsheets needed to be password-protected in order to pass a SOX audit, there was much consternation at Trinity until E&Y took a clear stance on what they would deem an effective spreadsheet control.

The results of E&Y's external audit testing revealed no material weaknesses, but 14 deficiencies.[6]

2005: year 2

With the first year of compliance successfully behind them, the SOX project was moved into the audit organization, which had grown under Don Collum's leadership. It was clear to Don and the SOX steering committee that there was much room and need for improvement for their second round of SOX assessment. While Trinity had adopted a 'get it done' and 'brute force' attitude in the first year of compliance, it was clear that their approach of documenting and testing 'every control known to man' was not going to be feasible in the long term. Like so many other companies, Trinity believed that they had 'over-audited' and 'over-tested' in order to avoid material weaknesses, since 'failure was not an option.' Now, it was time to 'step back, look at it, and have better job at risk profiling.'

In order to prepare Trinity for its second year of SOX compliance, the steering committee focused on two initiatives: (i) a top-down, risk-management approach to testing, and (ii) the streamlining of controls across BUs. Together these initiatives halved the number of SOX control activities Trinity tested in 2005.

The risk management method to testing implied a shift from a 'shotgun' to a 'rifle' approach. Trinity would not test all controls but identify areas that were material and posed a threat to the financial statements. Only significant processes and major classes of transactions in these processes would need to be audited for SOX. Trinity thus sampled BUs that contributed at least 5% to Trinity's revenues or represented at least 5% of Trinity's assets as per the company's consolidated financial statements. Only control activities in significant processes in those BUs would be tested.

One implication of this risk-oriented approach was that it reduced the number of control activities designated as key or 'A' controls in part because their definition focused more on what risks these controls posed for material misstatements of the company's financial results. Furthermore, not all 'A' controls would be tested every year, because they might be located in BUs that were not significant enough to be audited. Similarly, 'C' controls were no longer seen as relevant for SOX compliance because the audit group did not anticipate ever testing them for SOX. Nevertheless, these 'C' controls could be maintained and tracked on the SOX database if the BUs so wished. Some BUs saw symbolic value in designating certain control activities 'SOX controls' as this made their enforcement easier.

The second year-2 initiative focused on process improvement. The SOX steering committee created process improvement teams and charged them with streamlining, standardizing and automating the control activities for a given process (e.g., inventory, AP, AR). Georgia Papageorge, VP Finance and Accounting in the Freight Car Group, led the inventory process improvement team. The team consisted of about seven members and included representatives of the BUs, KPMG, and the internal audit group.

In order to streamline the inventory-related control activities, the team analyzed each BU's control documentation. They found considerable overlap and variability in the way the controls were described. Most of the variability arose from the different systems that were operating at the BUs. A report that one BU relied on for its controls was not available in another, for instance. Furthermore, the same control activities might be worded differently, such as 'the BU controller reviews this' vs 'the accounting manager reviews this' vs 'accounting personnel reviews this.' In order to standardize the controls, the process improvement team abstracted the control description so that it was universal enough to cover the control activities in the various environments.

The team also looked for redundant control activities. Some BUs relied on multiple controls to accomplish the same objective. By looking across BUs, it was relatively easy to identify these redundant control activities and to determine best practices that could then be replicated across BUs. Overall, this process improvement effort took about 3 months and reduced inventory controls by about 25%. Its biggest achievement was to bring consistency to inventory controls such that each BU relied on the same control despite operational differences related to unique products and IT infrastructure.

A closer look at the inventory process of the Trinity Rail Car group provides some detailed insights into the improvement team's work. A flowchart of the 2004 inventory management process is presented in Figure 2 (See PDF). Table 8 (See PDF) provides the accompanying control matrix. The latter highlights the overlap of control objectives within the inventory process in this single LOB. For instance, controls 3, 4, and 13 all dealt with the correct valuation and recording of inventory. Furthermore, different plants relied on different variations of control #14.

Figure 3 (See PDF) and Table 9 (See PDF), which show the inventory process flowchart and control matrix for 2005, illustrate the inventory improvement team's efforts. In particular, the controls were uniquely numbered and described in more universal terms. However, as best practice controls were applied to all plants, there was an initial increase in the controls in Freight Car operations in 2005. Only after the inventory team's recommendations to eliminate some controls were put into effect in 2006 (see Table 10 (See PDF) for a summary) did the Freight Car group see a decrease in controls maintained and tested. In 2007, as more plants were added to the Freight Car group and more plants became significant for SOX compliance, the number of controls maintained and tested went back up.

Table 11 (See PDF) highlights the number and breakdown in controls maintained and tested in Freight Car between 2004 and 2007.

Internal testing in year 2 brought a new set of challenges to light: Trinity's IT group seemed unaware that SOX compliance was a new reality and not a one-time effort. Kasey Nash, a KPMG senior manager on the Trinity SOX project, recounted the reaction from the IT group when they came to test in 2005: 'You're back again?'

SOX compliance had not been given the necessary priority in the IT department, and this led to the identification of 48 gaps in IT control activities.[7] These gaps included privileged and programmer access rights for core systems like BPCS and the on- and off-boarding of Trinity employees, which included managing their access rights to networks and applications. While the 48 gaps were an improvement on the 20% error rate of IT controls in 2004, it was September 2005 by the time they were identified. This did not give the IT group much time to remediate them. The IT environment was also challenging due to its distributed nature. There was a corporate IT group that was primarily responsible for infrastructure technologies (e.g., networks, Internet, email), IT groups within the BUs that supported business-specific applications, and IT support in Mexico and Europe. These different control environments multiplied the controls that needed to be maintained and tested. Furthermore, nine applications (including Oracle, PeopleSoft, BPCS) plus the network were in scope for SOX compliance.

In November 2005, Terri Wilson, Analyst in IT's Strategic Compliance Services, replaced the previous IT SOX manager. Determined not to fail, as it could cost her job, Terri learned what she could about SOX compliance. She became aware of ISACA[8] in 2006. She subsequently joined the organization, attended local chapter meetings regularly, and even earned her CISA[9] certification.

2006: year 3

While the first 2 years of SOX compliance had been guided by a project management approach, it became increasingly clear to Don Collum and other members of the steering committee that Trinity needed to move beyond 'the SOX project' and put in place a 'governance process.' This meant that their language and mindset needed to change. The controls needed to become so deeply embedded in Trinity's processes that they were indistinguishable from people's sense of 'good business practices.' Thus the 'SOX' designation, for example, 'SOX steering committee' and 'SOX controls,' was dropped and new labels such as 'governance steering committee' and 'financial controls' emerged.

One of the controllers described life with SOX as follows:

You are audited constantly; you just have to have perfection in your job. There is no room any more for any sort of margin of error. We have to make sure that our revenue recognition is accurate. We have to make sure that we have controls and that people are doing them. We work for a public company. We are audited almost daily; so there is a little more pressure with making sure that we have seasoned people in positions who understand what they are doing. Or even if they are not seasoned that they know the rules and follow them; that they understand they are going to be audited quarterly, monthly, daily. It is all about accountability.

Even though they acknowledged that SOX was ensuring that they were doing what they ought to be doing anyway, the controllers maintained that their SOX responsibilities added at least 8 to 10 hours a month to their workloads.[10] The extent of the additional work depended on the number of controls they owned and the number of paper binders[11] they needed to maintain. Indeed, Mike Mason, CFO for the Construction, Energy and Marine Group, voiced his frustration with an audit process that hampered organizational efficiency:

How do I change the audit process, not the control process? Because I've done the control, it's there, and it's available. The problem is now to explain to the auditors that it's done. Because they want it nice and neat, in a stack of papers, and then 'walk me through because I've been out of school for a whopping 6 months and I don't understand your business.' So I am just catering to the audit side of the control.

In order to change group and BU controllers' perception of SOX, Don promised them that, 'if you can show me a control that we are doing solely because of SOX, I will let you quit doing it. If there is no business reason to do it, quit doing it.' Don also stressed one of the key benefits of SOX compliance, namely that they no longer had to spend time assessing the reliability of their information, which allowed them to spend more time on activities that required judgment and estimation, such as warranties, taxes, and inventory.

Trinity also started to benchmark their SOX processes and controls against other companies in their industry to identify additional opportunities for reducing their controls and streamlining their SOX testing. Mike Mason explained that they went to one of their peers to learn about their system access control processes. He found that even competing peer companies were open to sharing knowledge around SOX because they saw no advantage in keeping their SOX-related processes secret. A peer's SOX failure was not seen as a victory:

It just puts a fear factor, at least in the finance world, of 'they got caught on something, maybe I'm going to get caught on something.' It's almost like nobody wants anybody to get into trouble for SOX, because that just means we're all going to get in trouble for something. It's almost like you want everybody to win and for everyone to be doing SOX okay.

In IT, Terri Wilson led a control streamlining effort similar to the one that the process improvement teams had done in the BUs in the prior year. Her analysis highlighted duplicate controls caused by inconsistent numbering and wording. She also found that some controls had multiple control owners. Her efforts reduced IT's controls from 92 to 39.
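The duplicate controls Terri Wilson found arose from inconsistent numbering and wording, and the multiple-owner problem is invisible until identifiers are normalized. The following is an added illustration of that clean-up, not code from the case or from Trinity; the control records, identifier formats and owner names are constructed assumptions.

```python
"""Find duplicate and multiply-owned entries in a control inventory.

Added example of the IT control streamlining described in the case.
The records below are constructed; the (id, description, owner) layout
is an assumption about how such an inventory would be exported.
"""
import re
from collections import defaultdict

# Constructed inventory as exported from a spreadsheet: (control id as
# recorded, control description as recorded, control owner).
CONTROLS = [
    ("ITGC-01", "Privileged access to BPCS is reviewed quarterly by the IT manager.", "J. Doe"),
    ("ITGC 1",  "privileged access to bpcs is reviewed quarterly by the it manager", "J. Doe"),
    ("itgc01",  "Privileged access to BPCS is reviewed quarterly by the IT manager", "R. Roe"),
    ("ITGC-02", "Terminated employees' network accounts are disabled within one business day.", "J. Doe"),
    ("ITGC-07", "Programmer access to production BPCS libraries is restricted.", "S. Poe"),
    ("ITGC-07", "Programmer access to production BPCS libraries is restricted.", "T. Toe"),
]

_NON_ALNUM = re.compile(r"[^a-z0-9]")
_PREFIX_NUMBER = re.compile(r"([a-z]+)0*(\d+)$")


def normalize_id(control_id):
    """Map 'ITGC-01', 'ITGC 1' and 'itgc01' to the same key, 'itgc1'.

    Lower-cases, drops separators, and strips leading zeros from a
    trailing number so that zero-padding differences do not split a control.
    """
    compact = _NON_ALNUM.sub("", control_id.lower())
    m = _PREFIX_NUMBER.match(compact)
    return f"{m.group(1)}{int(m.group(2))}" if m else compact


def normalize_text(description):
    """Lower-case, replace punctuation with spaces, collapse whitespace."""
    cleaned = re.sub(r"[^a-z0-9\s]", " ", description.lower())
    return re.sub(r"\s+", " ", cleaned).strip()


def find_duplicates(controls):
    """Group records by normalized description; keep groups with >1 record."""
    by_text = defaultdict(list)
    for cid, desc, _owner in controls:
        by_text[normalize_text(desc)].append(cid)
    return {text: ids for text, ids in by_text.items() if len(ids) > 1}


def find_multi_owner(controls):
    """Normalized ids that are assigned to more than one owner."""
    owners = defaultdict(set)
    for cid, _desc, owner in controls:
        owners[normalize_id(cid)].add(owner)
    return {cid: sorted(o) for cid, o in owners.items() if len(o) > 1}


def streamlined_count(controls):
    """Number of distinct controls once wording differences are removed."""
    return len({normalize_text(desc) for _cid, desc, _owner in controls})


if __name__ == "__main__":
    print("recorded controls:", len(CONTROLS))
    print("distinct controls:", streamlined_count(CONTROLS))
    for text, ids in find_duplicates(CONTROLS).items():
        print("duplicate:", ids, "->", text[:50])
    for cid, owners in find_multi_owner(CONTROLS).items():
        print("multiple owners:", cid, owners)
```

Normalizing on both axes matters: two records with the same id but different owners are a governance problem (who signs off?), while two records with different ids but the same wording are a testing problem (the same control gets tested twice). The case's reduction from 92 to 39 controls is the kind of result this sort of pass produces once the groups are reviewed by hand.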

She also sorted the IT controls into a categorization scheme that resembled COBIT,[12] of which she was unaware at the time (see Table 12 (See PDF) for the categories and control samples). This process improvement effort led not only to a reduction in IT controls, but also to a reduction of IT control gaps over time, as Table 13 (See PDF) demonstrates.

2007: year 4

In the fourth year of SOX compliance, the number of control activities tested stabilized. There was a general sense among the members of the governance steering committee that Trinity's SOX control infrastructure was as lean as it could be. Furthermore, they felt that their self-assessment and change control processes were robust and sustainable. For instance, they had established the following change control procedure for SOX controls:

When a BU wanted to make a change to a SOX control, for example, replace a control owner, change the control description, or replace a manual control with an automated one, a change request was sent to the internal audit group, where it was reviewed by the SOX Program Manager, Rhonda Krasselt.

Depending on the change, either Rhonda Krasselt or Don Collum reviewed the change. They explained that as long as a proposed control effectively met a necessary control objective, they were likely to approve a control change. Once final approval had been granted by Don, the change was forwarded to the SOX administrator, who maintained the SOX database, which tracked all changes.

Periodically, the governance steering committee was informed about the SOX control changes that had been made.

On average, about 1000 SOX changes were made every 6 months.

Changes to control activities were also made in response to new business processes and gaps that had been identified during testing. Rhonda Krasselt noted that, at times, it was difficult to convince BU staff to document their controls. They did not want to have to 'sign off on more things' and were reluctant to give the audit department 'more things to gap them on.' This sentiment seemed to express a 'fear of the gap.'

Increasingly, the governance steering committee got involved in screening proposals for organizational change initiatives such as system upgrades or process improvements. This screening sought to identify the SOX implications of a proposed change, but it also sought to leverage business-driven initiatives in order to improve Trinity's control environment. Thus, while it was difficult to make a business case for implementing systems and process changes for the purpose of reducing SOX compliance costs, improvements that served more strategic objectives could be used as a vehicle to achieve this goal. For instance, when Trinity was planning to implement a new time reporting system for payroll, the steering committee looked for ways to improve the timesheet approval process and to store the approval information electronically without compromising its auditability.

Pondering the next phase of the compliance journey

In early 2008, as Don Collum was getting ready for his meeting with Jarrod Bassman, he mulled over Trinity's SOX compliance journey, its victories and ongoing challenges. There were numerous victories. Chief among them was that their external auditor, E&Y, never identified any material weaknesses in Trinity's financial reporting processes. Trinity also decreased the cost of SOX compliance every year, even though the number of controls they tested had stabilized. In addition, they developed a system of accountability that clearly identified and tracked control owners. They also implemented governance structures such as the SOX steering committee, which was now actively involved in monitoring any organizational change with implications for Trinity's internal controls. Any changes to processes related to financial reporting were being managed. Lastly, there was a general acknowledgement in the organization that internal controls made business sense and that they were helpful to the organization. For instance, they sustained disciplined operations and provided more confidence in the data that various operational and financial processes generated.

Nevertheless, there were questions about the next steps in Trinity's SOX compliance journey. How could they continue to reduce the costs of compliance given that the number of SOX controls they tested was as lean as was possible given the company's relatively decentralized IT infrastructure? Many SOX controls were manual. Was it time to invest in a company-wide, single-instance ERP system, a strategy that many global manufacturing firms had pursued? How could such an investment be justified?

Or were there ways of leveraging the information technology that Trinity already had to automate some of their many manual controls? For instance, BPCS was increasingly marketed as an ERP system for manufacturing organizations as it integrated cost accounting, planning, distribution, and manufacturing functionality. However, BPCS had not been implemented in a way that the standardization of processes and centralization of controls afforded by ERP systems could be leveraged. Not only was Trinity running three different versions of the BPCS software, they were also relying on different IT organizations to support them. In addition, many BUs had customized the software to produce the kind of output they needed to calculate Cost of Sales, Overhead and Labor Rates, among others, in their homegrown spreadsheets. In other words, instead of automating the interface between BPCS, which essentially served as a sub-ledger, and Oracle Financials, Trinity's general ledger, the BUs downloaded customized data from BPCS, manipulated it in Excel and then based their manual general ledger journal entries on these spreadsheets. As a result, BPCS operated in seven different control environments, which multiplied the number of controls that needed to be developed, maintained, and tested.

In addition to standardizing processes and centralizing controls by integrating systems, were there other strategies that Trinity could rely on to further reduce the cost of SOX compliance? For instance, could the hours internal auditors spent on control testing be reduced? Were there ways in which the cost of 'catering to the audit side of the control' could be decreased?

At the same time, there were questions about the integrity of the control infrastructure as a whole. As Trinity only tested A controls for SOX, was there a danger that B controls, which were supposed to serve as back-ups to A controls, would fail compliance tests? Furthermore, many of the A controls assumed that C controls were in place. What if they were not? Without testing them periodically, how could Trinity be assured that there were no weaknesses in its control infrastructure?

Lastly, there was the question of the inevitable move to IFRS. Even though it was unclear when the Securities and Exchange Commission would require companies to report their financials under the international standard (deadlines ranging from 2011 to 2014 were rumored), it was certain that public companies would have to embark on another major compliance-motivated process and information technology change in the near future. How well prepared was Trinity for this change? How could the governance, information technology, and process infrastructures that had been developed as part of SOX compliance be leveraged for this imminent transition?

In 2008, there was much discussion about the differences between US GAAP (Generally Accepted Accounting Principles) and IFRS. The international standard was frequently described as more principles-based than the rules-based GAAP. For instance, US GAAP contained a number of rules for classifying leases, whereas IFRS took a more holistic approach to lease classification, relying on accountants' professional judgment to make a classification based on the substance of a given lease agreement. As principles-based frameworks make different interpretations of similar transactions possible, transitioning to IFRS had implications for an organization's control activities. Given that controls were designed to ensure compliance with rules, a change in the underlying logic of lease classification, for instance, was highly likely to require adjustments in a company's control activities.

In addition, the experience of companies in regions of the world that had already converted to IFRS (e.g., Europe, Australasia, Latin America, and Africa) highlighted that the implications of moving to the new accounting standard were at least as great for companies' information systems as they were for their accounting practices and internal controls. The need for new data, as well as changes in calculations and reporting required by IFRS, would ultimately have to be implemented in a company's information systems. For this reason, some estimated that over 50% of IFRS conversion costs were related to IT.[13]

An example of the different ways in which US GAAP and IFRS treat fixed assets illustrates the IT implications of transitioning to the new accounting standard. Under GAAP, the total cost of a building was capitalized and depreciated over the life of the structure. The flow of information for this transaction was as follows: the real estate system fed the building cost to the fixed asset system, which then calculated the depreciation and fed it to the general ledger. In contrast, under IFRS, a building was decomposed into different asset components, for example, building, roof, fixtures, each of which was then depreciated over its useful life, for example, 40 years for a building, 10 years for a roof and so on. Thus, the real estate system would need to track and allocate the building cost to different components, and the fixed asset system would need to depreciate assets at different rates. These information systems would therefore not only need to accommodate new fields, but also new calculations, as well as new system and user interfaces.

Case study discussion questions

Don Collum described Trinity as a likely candidate for a material weakness in the first year of SOX compliance. What were the factors critical to Trinity's ultimate success in its first year of compliance?

In the design of their controls in year 1, Trinity relied on a practice-based, bottom-up approach. What were the strengths and weaknesses of this approach? How effective was it? What would you recommend they should have done differently in year 1?

In 2008, how could Trinity further reduce SOX-related expenses? For each of your recommendations, be sure to take into account the barriers Trinity would face.

How well do you think Trinity's 2008 governance, information technology and process infrastructure will serve the organization with respect to new finance-related legislation, such as IFRS?

Author affiliation

[1] ITOM, Cox School of Business, Southern Methodist University, Dallas, Texas, USA

Correspondence : U Schultze, ITOM, Cox School of Business, Southern Methodist University, Dallas, Texas, USA. Tel: 214-768-4265; Fax: 214-768-4099;

Footnotes

[1] If an internal control is thought to be ineffective and it is deemed that there is more than a remote likelihood that its deficiency will stop the organization from preventing or detecting a material misstatement in a company's financial statements (e.g., a $100 million overstatement of annual revenues in a $500 million company), it is classified as a material weakness. As such, material weaknesses signal a company's failure to achieve SOX compliance.

[2] This number excludes the 128 Transit Mix locations, which act as material depots for the concrete trucks that then pick up sand, gravel, and cement to be mixed en route to the delivery point.

[3] Source: 'The Legend of Trinity Industries Inc.' by Jeffrey L. Rodengen, 2000. Write Stuff Enterprises.

[4] Title 15 of the United States Code.

[5] COSO stands for the 'Committee Of Sponsoring Organizations of the Treadway Commission,' a nonprofit commission that in 1992 established a common definition of internal control and created a framework for evaluating the effectiveness of internal controls. The framework defines internal controls in terms of the following five interrelated components: (1) Control Environment: the integrity and ethical values of the company, including its code of conduct, involvement of the Board of Directors and other actions that set the tone of the organization; (2) Risk Assessment: management's process of identifying potential risks that could result in misstated financial statements and developing actions to address those risks; (3) Control Activities: the activities usually thought of as internal controls; (4) Information and Communication: the internal and external reporting process, including an assessment of the technology environment; and (5) Monitoring: assessing the quality of a company's internal control over time and taking actions as necessary to ensure it continues to address the risks of the organization.

[6] A deficiency in internal controls exists when the design or operation of a control activity does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis.

[7] IT controls are typically classified as pervasive or general controls because they cover the environment within which multiple applications and business processes operate. Examples of IT controls include managing users' access to different systems and ensuring network availability or uptime. In contrast, application or business process controls are specific to the activities supported by the application or business process. For instance, in inventory management, checking that the goods delivered were in fact ordered constitutes a business process control or, to the extent that this control activity is automated, an application control.

[8] The Information Systems Audit and Control Association (ISACA) is an organization focused on developing standards, guidance and education for information systems audit and governance. It serves primarily information governance, control, security and audit professionals.

[9] Certified Information Systems Auditor (CISA) is a professional certification managed and issued by ISACA.

[10] By KPMG's estimates, it took 160,000 hours of internal work to perform SOX controls in year 1 of SOX compliance at Trinity.

[11] Traditionally, evidence of a manual control activity took the form of a signed or initialed paper document; however, neither SOX nor the external auditor required paper-based documentation.

[12] The Control Objectives for Information and related Technology (COBIT) can be seen as IT's equivalent of COSO. Developed by ISACA and the IT Governance Institute (ITGI) in 1996, it is a framework intended to guide IT governance in organizations.

[13] KPMG Report: 'The Effects of IFRS on Information Systems,' 2008.

About the author

Ulrike Schultze is an Associate Professor in Information Technology and Operations Management at Southern Methodist University. Her research explores the impact of information technology on work practices. Dr. Schultze frequently relies on multi-method research designs, which include ethnographic observations, interviews and surveys. Her research has been published in, among others, ISR, MIS Quarterly, JIT, and Information & Organizations.
