Visibility Blog

ERP Sarbanes-Oxley Compliance 

Written by John Nugent | Mar 29, 2018 1:56:00 PM

Many manufacturers are public companies, and even more are private companies that may one day be acquired by a public company. For some mid-market manufacturers in particular, acquisition by a larger public company is the ultimate goal. All of these companies should be mindful of the Sarbanes-Oxley Act and ensure that their ERP software includes built-in tools that support Sarbanes-Oxley compliance. In fact, all manufacturers should consider implementing procedures to ensure Sarbanes-Oxley compliance in order to meet industry best practices.

Individual business processes including management controls are subject to a Sarbanes-Oxley compliance audit. When it comes to Sarbanes-Oxley, ERP software is a tool which, when effectively combined with appropriate procedures specific to an organization, can deliver the necessary management controls to pass Sarbanes-Oxley muster.

Software such as the VISIBILITY.net ERP system provides substantial controls used to address the compliance requirements of Sarbanes-Oxley. These built-in capabilities provide specific automation tools that when applied with procedural controls greatly assist in achieving optimal results towards compliance.

The list below highlights some of VISIBILITY.net’s built-in features to ensure Sarbanes-Oxley Compliance:

  • Controlled system access - Access to VISIBILITY.net requires a distinct username and password. These controls allow the user organization to manage maximum password lifetimes and minimum password length.
  • Data access user segregation - Data accessibility is controlled at the user level, so data access grants are unique to each user. This controls access to and viewing of data, forms/screens, transactions, reports and inquiries.
  • Assigned security roles - User access is constrained to the set of actions defined within the one or more application security roles to which the user has been assigned.
  • Controlled administration and security - Only an application administrator can create a user or define or modify a role.
  • Administrative responsibility - Administration can be split so that one administrative user defines users while a second administrative user is responsible for role definition and the assignment of users to roles.
  • Workflow notification - Define automatic workflow notifications and/or approvals which would be triggered by the creation of a new user, the modification of an existing user, or the assignment of a user to a role.
  • Traceability - All records within the VISIBILITY.net application database always include 4 identifying columns for traceability. These columns are:
    1) The user ID of the authorized user who inserted (created) the original record.
    2) The date and time (to the nearest millisecond) that the user created the record.
    3) The user ID of the authorized user who last modified the record.
    4) The date and time (also to the nearest millisecond) that the user modified the record.
  • Notifications - VISIBILITY.net’s integrated workflow makes it possible to define business process rules for enforcement and auto generation of notifications and restriction of transaction performance based on defined approvals before the execution of the transaction.
  • Audit Trail - For select transactions, VISIBILITY.net incorporates an audit trail whereby every change made to a transaction record is recorded on each insert/change event. These transactions include, but are not limited to:
    • Sales Order Line history,
    • Purchase Order Line history, and
    • Part movement (including receipt, inspection, transfer, issue, consumption and disposition), extending to distinct lot or serial number identification where defined.
  • Additional Auditability - All other data tables can also be set for auditability.
    • The database can be set to capture events identifying user, date, and time for each record accessed or changed. The user organization may decide how rigorously they wish to deploy this option.
  • Software Change Management and Control - All application enhancements and changes go through a managed process in which each enhancement and change receives multiple levels of sign-off and validation before it is released for use by application licensees.
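The four traceability columns and the per-change audit trail from the list above, as an added Python/sqlite3 example that is not VISIBILITY.net's code; the table, column and function names are assumptions, and the triggers are one way to guarantee that every insert or change leaves a history row even if the application layer forgets to write one:

```python
import sqlite3
from datetime import datetime, timezone
# Constructed schema (not VISIBILITY.net's): 4 traceability columns + trigger-fed history.
SCHEMA = """
CREATE TABLE sales_order_line (
    id          INTEGER PRIMARY KEY,
    part_no     TEXT NOT NULL,
    qty         INTEGER NOT NULL,
    created_by  TEXT NOT NULL,   -- 1) user who inserted the record
    created_at  TEXT NOT NULL,   -- 2) when it was created
    modified_by TEXT NOT NULL,   -- 3) user who last modified it
    modified_at TEXT NOT NULL    -- 4) when it was last modified
);
CREATE TABLE sales_order_line_history (
    hist_id INTEGER PRIMARY KEY, line_id INTEGER NOT NULL,
    event TEXT NOT NULL, qty INTEGER NOT NULL,     -- event: 'insert'/'update'
    actor TEXT NOT NULL, at TEXT NOT NULL
);
CREATE TRIGGER sol_ins AFTER INSERT ON sales_order_line BEGIN
    INSERT INTO sales_order_line_history(line_id, event, qty, actor, at)
    VALUES (NEW.id, 'insert', NEW.qty, NEW.created_by, NEW.created_at);
END;
CREATE TRIGGER sol_upd AFTER UPDATE ON sales_order_line BEGIN
    INSERT INTO sales_order_line_history(line_id, event, qty, actor, at)
    VALUES (NEW.id, 'update', NEW.qty, NEW.modified_by, NEW.modified_at);
END;
"""
def now():  # UTC ISO-8601 with microseconds (finer than the millisecond cited)
    return datetime.now(timezone.utc).isoformat(timespec="microseconds")

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def insert_line(conn, user, part_no, qty):
    ts = now()  # the same user and time stamp both created_* and modified_*
    cur = conn.execute("INSERT INTO sales_order_line(part_no, qty, created_by,"
                       " created_at, modified_by, modified_at) VALUES (?,?,?,?,?,?)",
                       (part_no, qty, user, ts, user, ts))
    return cur.lastrowid

def update_qty(conn, user, line_id, qty):
    conn.execute("UPDATE sales_order_line SET qty=?, modified_by=?, modified_at=?"
                 " WHERE id=?", (qty, user, now(), line_id))

def history(conn, line_id):  # audit trail as (event, qty, actor), oldest first
    return conn.execute("SELECT event, qty, actor FROM sales_order_line_history"
                        " WHERE line_id=? ORDER BY hist_id", (line_id,)).fetchall()
```

An auditor reading `history()` sees who changed the quantity and in what order, which is the evidence a Sales Order Line audit trail is meant to supply.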

Sarbanes-Oxley compliance is a business responsibility. This responsibility is audited for conformance to the business processes defined by the business to ensure that there are no overlapping responsibilities.
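One way to check the split administrative responsibility described in the feature list (one administrator defines users, a second owns role definition and assignment) and the "no overlapping responsibilities" requirement above against an administrative action log; this is an added example, not VISIBILITY.net's own, and the log, action names and target format are constructed assumptions:

```python
from collections import defaultdict

# Constructed admin-action log (not real data): (actor, action, target).
# Role assignments use the assumed "user:role" target format.
ADMIN_LOG = [
    ("admin_a", "create_user", "jsmith"),
    ("admin_b", "define_role", "ap_clerk"),
    ("admin_b", "assign_role", "jsmith:ap_clerk"),
    ("admin_a", "create_user", "mjones"),
    ("admin_a", "assign_role", "mjones:ap_approver"),  # same admin did both
]

USER_DUTIES = {"create_user"}                 # first administrator's duties
ROLE_DUTIES = {"define_role", "assign_role"}  # second administrator's duties

def sod_violations(log):
    """Return (admins holding both duty sets, users created and role-assigned
    by the same admin) so a workflow notification or audit can flag them."""
    duties = defaultdict(set)
    creator, assigners = {}, defaultdict(set)
    for actor, action, target in log:
        duties[actor].add(action)
        if action == "create_user":
            creator[target] = actor
        elif action == "assign_role":
            assigners[target.split(":", 1)[0]].add(actor)
    overlapping_admins = sorted(a for a, acts in duties.items()
                                if acts & USER_DUTIES and acts & ROLE_DUTIES)
    self_provisioned = sorted(u for u, c in creator.items()
                              if c in assigners.get(u, set()))
    return overlapping_admins, self_provisioned
```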

Most of these requirements are met solely by the business’ definition and enforcement of its own standard operating procedures and the managed control of responsibility. ERP software like VISIBILITY.net can play a major role in facilitating Sarbanes-Oxley compliance when combined with appropriate business procedures. To learn more about ERP Sarbanes-Oxley compliance, see VISIBILITY.net's solution.