The bottom-up approach is forward looking; thus it begins with the basic processes and transactions and culminates with the financial statements. As a result, the bottom-up approach “will require a bloated and disproportionate control structure” since more resources are consumed testing routine-level controls (Reporting on Internal Controls, 2009). In using this approach, one would first identify processes, then identify risks, and lastly, evaluate and prioritize the risks (Zahara & Said, 2014). Advantages of this approach include that it is more precise and that it analyzes from the business unit level up to the organizational level. However, the bottom-up approach requires increased utilization of resources, is data intensive, and is more costly.
At the time of initial compliance, Trinity Industries had several challenges to address, such as a general lack of process and control documentation, decentralized information systems, twenty-two diverse business units and seventy plants, and seven different control environments (Schultze, 2011, p. 91). Hence, Trinity Industries chose to use the bottom-up approach in complying with year one of SOX. In my opinion, this was the correct choice, because when SOX first became law, the Sarbanes-Oxley Act did not provide detailed guidelines on how to achieve compliance. The act only stated the various regulatory requirements. With the numerous challenges that faced Trinity Industries, a clear starting point was not evident.
During their path towards compliance, Trinity utilized several substantive tests such as analytical tests, observation and inquiry, tests of balances, and tests of transactions. While each of these played a crucial role in compliance, the test of transactions was the best method to use in examining the documents associated with recording those financial transactions. Starting with the initial transactions of processes and working upwards to the financial statements allowed Trinity to identify and correct weaknesses at each step. The bottom-up approach was successful for Trinity Industries as in December of 2003, 265 gaps were identified and in June 2004, all of the documentation gaps were closed, except for three (Schultze, 2011, p. 97). In addition, when E&Y completed their external audit in 2004, they reported no material weaknesses and fourteen deficiencies (Schultze, 2011, p. 98).
Trinity’s project team began the implementation of SOX with pilot projects to obtain a general idea of what was going to be required across the entire company. During the scoping phase of implementation, Trinity selected two business units, Highway Safety and Marine Tank-Barge, to assist the SOX compliance team in understanding how much time and effort would be needed, what control documentation would be required, and what control gaps would be identified (Schultze, 2011, p. 96). Trinity’s team worked closely with members of each business unit and conducted interviews with the goal of documenting the processes and controls of those units. Next, the team performed a gap analysis to identify gaps in the processes and controls and rectified the gaps as they were discovered. The identified controls were then assigned to various employees, and each quarter those employees had to complete a control certification letter, which allowed the steering committee to note and track changes in the controls and/or their ownership. Control activities were defined as category A, B, or C, representing, respectively, controls that were a priority for SOX compliance, backup controls if those in category A failed, and controls not important for SOX compliance (Schultze, 2011, p. 97). In addition, four training levels were created to assist employees in understanding the changes being made to comply with SOX. According to Schultze (2011, p. 98), when testing of gaps took place, the causes were “split between issues of operating effectiveness and documentation.”
Trinity’s major sources of cost are related to decentralization and the testing of every process and control across the entire company. According to Schultze (2011, p. 92), total testing costs, in millions, for years 2004 through 2007 were $2.5, $1.3, $1.2, and $1.0 respectively. Major costs of SOX compliance were new financial software, auditor fees, and employee wages for those involved in the SOX compliance project, as well as training of employees.
After the initial year of compliance, Trinity changed its process to a top-down risk approach. As a result, Trinity did not utilize the vast quantity of financial resources that it did in year one, hence the decline in costs for subsequent years 2005 through 2007. At the time of their SOX journey, Trinity had three versions of a business planning and control system being used for production and cost accounting. To incorporate standardization, I would recommend investing in one ERP system. While initial implementation costs may be hefty, I believe in the end, the correct ERP system will generate a high ROI. Since Trinity just converted to Oracle, I would suggest researching NetSuite ERP, as it works in conjunction with Oracle.
Converting to Oracle Financials cost the company $28MM, yet it saved the company $.5MM annually in SOX-related expenses (Schultze, 2011, p. 95). Oracle has several advantages, such as its excellent security features, high efficiency, and high ROI (Oracle ERP Software Review, n.d.). However, Oracle has numerous disadvantages: the user interface is not attractive, it does not connect with other databases, and it cannot be used for any changed legacy systems (Oracle ERP Software Review, n.d.).
Trinity could have selected several other software options offered by Oracle’s competitors, such as SAP. SAP is known for the availability of numerous features and its functionality, as well as its flexible integration (SAP ERP Software Review, n.d.). Conversely, SAP is too flexible, which leads to increased risk. The high costs and level of user difficulty can be an issue for many businesses, and SAP is more suitable for a company with consistency and standardization (Kimberling, n.d.).
Microsoft Dynamics is another major competitor. This product syncs with Windows products, allows different parts of a company to easily share information, and has a relatively quick implementation (SAP vs. Microsoft Dynamics vs. Oracle, n.d.). On the other hand, the Microsoft Dynamics upgrading process is quite cumbersome, and the product has several modules and functionalities that are provided by third parties and/or partners, which can lead to risk issues (Microsoft Dynamics AX Sweet Spot & Alternative Solutions, n.d.).
I believe that Trinity chose the best product available. Even with its huge price tag, Oracle has shown continued compliance savings each year after implementation. In addition, Oracle has top-notch security features and does not have third party or partner modules, which lessens risk. While Trinity has centralized standard financial transactions, the company is diverse and Oracle has proven that it has the capability to address this.
Memorandum
January 31, 2004
To: Timothy Wallace, Chief Executive Officer
From: Tammy A. Brugger
RE: Summary – SOX Compliance Year One
In order to meet compliance with Section 404 of The Sarbanes-Oxley Act, the SOX compliance project team conducted a bottom-up analysis of all internal controls of the financial processes for Trinity Industries. Management assertion was completed six months ahead of schedule and within budget. At the end of fiscal year 2004, 2,440 controls were tested and 327 gaps were identified. Upon completion of E&Y’s external audit, the result was no material weaknesses and fourteen deficiencies.
Beginning in year two, it is my recommendation that Trinity Industries shift to a top-down approach of analysis of internal controls, resulting in significant cost savings of approximately $.5MM each year. In addition, I would research transitioning from the three versions of BPCS to a single ERP system, such as NetSuite, to allow for standardization of production and cost accounting.