It has been little more than three years since the Sarbanes-Oxley Act was signed into law following the scandals at several high-profile companies such as Enron, Global Crossing, WorldCom, Tyco and Arthur Andersen. The Act was designed to provide a proper accounting framework and rules around corporate governance for any public company, wholly-owned subsidiary or private company preparing to go public that is doing business in the United States. The legislation’s stated objective is "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws."
The hope was to achieve a radical reduction in the rash of corporate wrongdoing that would restore investor confidence. Corporate and individual investors lost billions of dollars, resulting in a significant negative impact on financial markets and investor trust. This led legislators to specify stiff penalties for corporations and corporate officers who don’t comply. For example, an officer found to be noncompliant could receive a jail sentence of as long as 10 years and a fine of $1 million, even if the noncompliance was unintentional. The maximum fine increases to $5 million and the maximum jail sentence goes to 20 years if it can be proven that noncompliance was intentional. In the words of President Bush, the legislation will “deter and punish corporate and accounting fraud and corruption, ensure justice for wrongdoers, and protect the interests of workers and shareholders.”
All eleven sections of the Sarbanes-Oxley Act, also known as SOX, are now in effect. Thus, affected companies are obliged to submit an annual assessment of the effectiveness of their internal financial controls to the SEC. In turn, an external auditor is expected to audit and report on each company’s internal financial controls in addition to their financial statements. SOX compliance also ensures that financial reports are easily traceable back to source data, and that any changes to source data have been documented properly as to what was added, changed or deleted, by whom, at what date and time, and for what reason. It’s this traceability requirement that has the greatest implication for managing your maintenance function and how you use your CMMS.
Maintenance and your CMMS
To meet the challenges set forth in the SOX legislation, your company must assess and manage risk by implementing adequate controls. This is relevant to everyone and every system in a corporation, including the maintenance department and its CMMS. The good news for some of you is that SOX can be used as a powerful justification for long-overdue improvements such as purchasing a new or upgraded CMMS, implementing better control systems such as condition monitoring or predictive maintenance, and hiring external resources to help implement best practices. In my view, because the legislation is so vague, it’s not surprising that many SOX experts predict that billions of dollars will be spent on external resources such as auditors, consultants and vendors in an effort to interpret and comply with SOX regulations. So take advantage of the situation and try to make the legislation work in your favor.
Here are a few key phrases that should help you build a business case for SOX compliance with respect to asset management:
- Risk management (better-defined processes governing the purchase of MRO inventory and contracted services).
- Establishment of controls (effective use of work orders and purchase orders).
- Accuracy and integrity of source data (automation and streamlining of work request, purchase requisition and time sheet data entry).
- Accuracy and timeliness of reporting (maintenance expenditures integrated with accounting functions such as accounts payable and payroll).
- Improved visibility (automated and highly transparent control systems such as condition monitoring and alarming).
- Full documentation (well-documented maintenance strategy, budget, policies, procedures and equipment history).
- Separation of duties (those requesting versus those approving work or capital purchases).
- Implementing best practices (decentralized and unsupervised MRO inventory versus centralized and secured inventory accessible only through stockkeeper).
- Proper training to ensure SOX compliance (teaching employees the proper procedures).
- Compliance tracking (PM compliance).
The combination of the right maintenance management processes, supporting technology such as your CMMS, and sufficiently well-trained employees will go a long way to help senior management comply with SOX, and therefore stay well away from negative media attention and the judicial system.
The truth is, however, most of the better CMMS packages have had features and functions that support good maintenance management practices long before SOX passed into law. But in a mad flurry to put out fires, we take shortcuts and, in some cases, less than half of the features of a typical CMMS are used. Therefore, another silver lining on the SOX cloud is that compliance could lead to greater efficiency and effectiveness of the maintenance function, not just a gold star for being compliant. Described below are some of the key features and functions of your CMMS that may be important to both achieving SOX compliance and improving maintenance productivity.
Key performance indicators (KPIs): Most higher-end CMMS packages have standard and user-generated KPIs along with a host of ways to slice and dice the data they represent. For example, measuring PM compliance can determine if equipment is at risk of failure when PMs are inconsistent.
Workflow: The workflow engine available on the more sophisticated CMMS packages is a powerful tool for establishing and automating standard processes. For example, a workflow can be established that prevents users from trying to release a given inventory item from stores without, say, a QA inspection having been completed.
Security: Most CMMS packages have fairly sophisticated security capability such as providing only certain users with rights to view or edit menus, screens and fields. The more advanced CMMS packages have digital signature capability.
Audit trail: CMMS vendors and third parties offer a wide range of audit trail capability, from tracking logon history, to logging every change to a given file, to recording every keystroke.
Notification, approvals and alarming: This is the poor cousin of a workflow engine that many CMMS vendors offer. It allows users to send an e-mail or page, print a report or invoke an alarm when a predefined event occurs or condition is met. For example, a work order whose estimated cost exceeds a threshold will require an electronic preapproval before it can be scheduled.
Condition-based maintenance: More CMMS vendors have added condition-based maintenance capability that allows users to define one or more triggers for a given PM routine, such as reaching an upper or lower control limit as vibration readings are monitored continuously.
Mobile technology: When used properly, mobile technology can both reduce risk and improve productivity. For example, a wireless PDA device can download work orders and upload hours worked, parts used and other data regarding work completed, all in real time.
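The three controls the article keeps returning to (a traceable audit trail of what changed, by whom, when and why; separation of duties between requester and approver; and a cost-threshold preapproval gate before scheduling) fit into a small model. This is an added illustration, not code from any CMMS product; the work-order fields, the 5000 threshold and the user names are assumed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Assumed threshold: work orders costing more than this need electronic preapproval.
PREAPPROVAL_THRESHOLD = 5000.0

@dataclass
class AuditEntry:
    """One traceability record: what changed, by whom, when and why."""
    when: str
    who: str
    action: str        # "changed", or "denied" when a control blocked the attempt
    field_name: str
    old: object
    new: object
    reason: str

@dataclass
class WorkOrder:
    wo_id: str
    requested_by: str
    estimated_cost: float
    approved_by: Optional[str] = None
    status: str = "open"
    audit: List[AuditEntry] = field(default_factory=list)  # append-only trail

    def _record(self, who, action, fname, old, new, reason):
        if not reason.strip():
            raise ValueError("every change must state a reason")
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(stamp, who, action, fname, old, new, reason))

    def approve(self, approver, reason):
        # Separation of duties: the requester may not approve their own work order.
        if approver == self.requested_by:
            self._record(approver, "denied", "approved_by", self.approved_by, approver, reason)
            return False
        self._record(approver, "changed", "approved_by", self.approved_by, approver, reason)
        self.approved_by = approver
        return True

    def schedule(self, who, reason):
        # Threshold control: costly work needs preapproval before it can be scheduled.
        if self.estimated_cost > PREAPPROVAL_THRESHOLD and self.approved_by is None:
            self._record(who, "denied", "status", self.status, "scheduled", reason)
            return False
        self._record(who, "changed", "status", self.status, "scheduled", reason)
        self.status = "scheduled"
        return True
```

Denied attempts are written to the trail as well, since an auditor wants to see that a control fired, not only the changes that went through.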
For your corporate executives, SOX is about risk management and corporate governance. For the maintenance department, SOX may translate into an infusion of money to improve your processes, upgrade your CMMS and raise the awareness and skill level of your front-line employees. So, act now while SOX is top of mind for your senior management team.
E-mail Contributing Editor David Berger, P. Eng., at firstname.lastname@example.org