The Final Countdown
By Elizabeth Bennett | Posted 2005-09-07
Following its much anticipated IPO, the mattress maker had barely a year to document its policies and procedures for a SOX audit.
As 2004 waned, documenting change-management controls ate up the most time, according to Williams and Smith. "Change control, in my opinion," says Smith, "is probably the single biggest issue facing companies, where really bad things can happen if controls aren't in place."
For example, if a developer has to add an element to the records kept on retailers buying the company's mattresses, the change has to be made now on a staging server, not in the actual system in use every day. That way, if the new code somehow goes awry, it won't foul up existing records or procedures.
Prior to SOX, Smith says, "We knew we went through the right process. We knew we tested it. We had a backup plan. But it wasn't necessarily organized and documented in a format that said: This is change number one; this is who's been affected; here's who approved the testing; and now let's place it into production and do final testing to make sure it works."
Smith describes the sprint to the year-end deadline as arduous, even though the company chose when to go public with its eyes open. Besides the amount of information and the time frame, understanding the regulation itself was a major hurdle. The Public Company Accounting Oversight Board (PCAOB), which oversees SOX compliance procedures, made piecemeal amendments to the regulations throughout 2004. According to Smith, "There were interpretations being made all last year about what SOX really meant."
When the fourth and last quarter for compliance came around, Smith's team was still trying to confirm that all of its technology controls were in place. Some controls had to be rewritten, and the proof that controls were in place started over. Smith attributes the policy rewrites to the subjectivity of the SOX guidelines and inadequate communication among the SOX advisers: "The way Ernst & Young or Deloitte or internal auditing would interpret [a requirement] was completely different. They weren't all on the same page, and therefore our requirements weren't defined yet."
Given what SOX has wrought, Tempur-Pedic's CFO is eager to "standardize, simplify and systematize" controls in 2005. Early this year, the company implemented software that ensures employees only have access to the systems and information they need to do their jobs. The application, made by Irvine, Calif.-based Logical Apps, uses existing employee responsibilities defined in Oracle to identify conflicts of roles or functions.
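The role-conflict check described above, as an added example (not Tempur-Pedic's, Oracle's or Logical Apps' code): the account names, responsibility names and conflict rules are constructed for illustration. It assumes a simple model in which each ERP account holds a set of named responsibilities, and a conflict matrix lists pairs that must not end up with one person. It also shows a subtlety such tools have to handle: the same person may hold several accounts, so grants are merged per person before the check, and a preventive function answers whether a proposed new grant would create a conflict.

```python
"""Segregation-of-duties (SoD) conflict check over ERP responsibility grants.

Added example, not the code of any product named in the article. Model and
all data below are constructed assumptions for illustration only.
"""
from itertools import combinations

# Constructed conflict matrix: each pair of responsibilities hands one person
# end-to-end control over a financial process, which SOX controls must prevent.
CONFLICT_RULES = {
    frozenset({"AP_VENDOR_MAINTENANCE", "AP_INVOICE_APPROVAL"}):
        "can create a vendor and approve its invoices",
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}):
        "can enter an invoice and release its payment",
    frozenset({"GL_JOURNAL_ENTRY", "GL_JOURNAL_POSTING"}):
        "can create and post journal entries unreviewed",
    frozenset({"SYSADMIN", "AP_PAYMENT_RELEASE"}):
        "can alter access controls and release payments",
}

# Constructed grants: ERP account -> responsibilities assigned to it.
ACCOUNTS = {
    "jdoe": {"AP_VENDOR_MAINTENANCE", "AP_INVOICE_ENTRY"},
    "mlee": {"AP_INVOICE_APPROVAL", "AP_PAYMENT_RELEASE"},
    "rkim": {"AP_INVOICE_ENTRY", "GL_JOURNAL_ENTRY"},
    "rkim2": {"AP_PAYMENT_RELEASE"},   # second account held by the same person
    "sysop": {"SYSADMIN"},
}

# Constructed HR mapping: ERP account -> person identifier.
ACCOUNT_OWNER = {
    "jdoe": "P-1001", "mlee": "P-1002",
    "rkim": "P-1003", "rkim2": "P-1003", "sysop": "P-1004",
}


def merge_by_person(accounts, owners):
    """Collapse per-account grants into per-person grants.

    A person with two accounts can hold a conflicting pair split across them;
    checking account by account would miss it.
    """
    merged = {}
    for account, resps in accounts.items():
        person = owners[account]
        merged.setdefault(person, set()).update(resps)
    return merged


def find_conflicts(assignments, rules=CONFLICT_RULES):
    """Detective control: list every (subject, resp_a, resp_b, reason) that violates a rule."""
    findings = []
    for subject, resps in sorted(assignments.items()):
        for a, b in combinations(sorted(resps), 2):
            pair = frozenset({a, b})
            if pair in rules:
                findings.append((subject, a, b, rules[pair]))
    return findings


def would_conflict(assignments, subject, new_resp, rules=CONFLICT_RULES):
    """Preventive control: existing grants that would conflict if subject received new_resp."""
    held = assignments.get(subject, set())
    return sorted(r for r in held if frozenset({r, new_resp}) in rules)


if __name__ == "__main__":
    print("per account:", find_conflicts(ACCOUNTS))          # nothing found
    by_person = merge_by_person(ACCOUNTS, ACCOUNT_OWNER)
    for subject, a, b, why in find_conflicts(by_person):       # P-1003 is flagged
        print(f"{subject}: {a} + {b} -> {why}")
    print("P-1004 + AP_PAYMENT_RELEASE blocked by:",
          would_conflict(by_person, "P-1004", "AP_PAYMENT_RELEASE"))
```

Run stand-alone, the per-account pass reports nothing while the per-person pass flags P-1003, whose two accounts together can enter an invoice and release its payment; the preventive check shows that granting payment release to the SYSADMIN holder would be refused. A real deployment would read grants and the HR mapping from the ERP rather than from literals, but the two-stage shape (merge identities, then test pairs) is the core of the control.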
However, Williams balks at the idea of making everything more efficient. Digital signatures, for example, could be used to sign off on some transactions, reducing paperwork and speeding up processes such as paying invoices. Workers could mail approvals electronically instead of by company mail or the Postal Service.
That gives Williams pause. A company can't simply elect to start replacing hand-written signatures with digital ones. Investors have to be shown how the process will work—how some miscreant inside or outside the company can't purloin the signature and start writing checks to suit his or her personal pleasure.
"There's a different level of complexity around that with SOX," Williams says. "Because then you have to have controls for the electronic signatures. It never ends."