Tempur-Pedic International: Amazing RaceBy Elizabeth Bennett | Posted 2005-09-07 Email Print
Know the Risk: Digital Transformation's Impact on Your Business-Critical Applications REGISTER >
Following its much anticipated IPO, the mattress maker had barely a year to document its policies and procedures for a SOX audit.
What did Dale Williams want for Christmas in 2003?
An IPO, mostly.
As the CFO of Tempur-Pedic International, Williams was hoping to take the high-end mattress maker public by December 2003. He also knew that in doing so, the company would have to comply with the Sarbanes-Oxley Act of 2002 a full year sooner than if it went public one month later.
If Tempur-Pedic went public in January 2004, it would have, by law, until the last day of 2005 to pass a Sarbanes-Oxley audit by its public accountants, Ernst & Young, and report the results to the Securities and Exchange Commission. A December IPO would mean a deadline at the end of 2004.
But the company's investment bankers and top executives decided that investors were ready, sooner rather than later. The company went public on Dec. 18, 2003, selling 18.8 million shares to the public at $14 a pop.
"We had to get busy very quickly understanding the dynamics [of SOX],'' Williams says, but "the complicating factor was that [the rules] really weren't final until about May'' of 2004.
Plus, going public in December 2003 would add cost. If it had had an additional year to review and document its processes, Tempur-Pedic might have been able to take stock itself and compile the required reporting for the SEC on its own, using just its three-person internal audit department heads.
Instead, it brought in consultants, Williams says, "because we knew we didn't have time to do it completely on our own."
The $480 million company spent $3 million on SOX consultants from Deloitte and two additional internal auditors, to make a staff of five. That number does not include other staff involvement, such as the approximately 10% of Williams' time, 45% of the controller's time and hours of conference-room meetings two to three times a week that the vice president of information technology, Michael Smith, spent with one of the company's internal auditors.
If the company had had more time, it probably could have saved $1 million of that $3 million, Williams says.
But it didn't. And while Tempur-Pedic, according to Williams, was "well controlled," it didn't have the extensive documentation required by SOX.
"That was the heavy lifting—establishing documentation and doing all the testing to ensure [our] controls really worked." Williams says the company needed to lock down approximately 800 key controls.
Take a seemingly simple process like paying an invoice. There are numerous risks, such as cutting a check for the wrong amount, the wrong person or the wrong time. The check can even be cut by the wrong department, putting the wrong person in the cross-hairs of a company.
To avoid such risks, controls are put in place. And SOX requires clear documentation of every step in those controls, so they can be audited by external accountants and assessed for whether they are being carried out and whether they work.
In audit lingo, the most important items for SOX are "key controls"—ones that directly or indirectly support the content in income statements, balance sheets and other reports that describe a company's financial condition to shareholders.
To review and then document these controls, Deloitte and Tempur-Pedic's internal auditing group pored over spreadsheets that summarized the company's statements of policies and its procedures. Then, that task group met with managers in departments such as finance, information technology and manufacturing to go over how different procedures worked and see if any other steps were followed or might be needed, to improve the controls. To meet the intent of SOX, a good process would separate different responsibilities for authorizing and executing a transaction among different staffers, reducing the risk that any one person could commit fraud, says David Hartley, a director at Protiviti, an internal auditing and risk-management consulting firm that helps companies comply with SOX; Tempur-Pedic is not a client.
The results were step-by-step written accounts of the hundreds of processes that in some way link to the company's balance sheet.
In the case of Tempur-Pedic's SOX-driven invoice payment process that follows, each step is bolstered by the next, making it almost impossible for employees to manipulate records, absent collusion.
When a delivery of plastic wrappers for mattresses arrives now at Tempur-Pedic, the vendor's invoice is checked by many workers in different departments before being paid. Here is its path:
- 1. The invoice goes to accounts-payable department, where a clerk enters details into a financial database.
- 2. The database alerts a payables manager when it's time for the invoice to be paid.
- 3. A clerk sends a paper copy of the invoice to the department where the goods arrived, for approval.
- 4. A supervisor checks details against records of what was received.
- 5. If the two match, the supervisor signs off.
- 6. Signed documents are sent back to accounts payable.
- 7. A payables supervisor makes final check, ensuring all details in the database are correct, and signs off.
- 8. Check gets cut.
A paper copy of the invoice and the approval sheet are filed in a drawer—even though the electronic record is marked "paid."
Once Tempur-Pedic defined a process and its supporting controls, like this invoice-payment process, internal auditors tested the controls by examining a random sampling of invoices from 2004. Their goal: to make sure the procedure was followed 100% of the time, and that there was no doubt about the independence or integrity of the person responsible for each control.
If a control didn't meet the criteria of the financial controls segment of the Sarbanes-Oxley legislation, known as Section 404, the internal auditors would change the process, until they were convinced that the control would not be rejected by external auditors.