Corporate Governance in the Supply Chain, Part 1

October 6, 2018

Not only would a rose by any other name smell just as sweet, but it would also have thorns.

Which best describes your organization’s operations: internal controls in chaos or integrity in your supply chain?

But wait – is not a rose still a rose? What do internal controls have to do with the supply chain? Everything!

The concepts of internal controls and integrity in the supply chain go hand-in-hand, so much so that they can be considered one and the same. If this is not obvious, consider that internal controls include oversight of interactions with entities outside the organization, not just between internal departments. The effectiveness of the organization’s operations in order to ensure timely and accurate financial statements is judged by what happens inside and outside the proverbial and actual walls.

The definition of the supply chain needs some expansion. From a holistic viewpoint, the majority of activity in the supply chain is very likely more internal than external. This is due to the fact that interactions between company departments are in fact supply chains themselves, and are similar to interactions with outside entities such as customers and suppliers. The Enterprise Resource Planning (ERP) system is the repository of operations data (raw materials, finished goods, dollars, and transactions) which support the business flows and procedures (the internal controls) that define an organization’s operations.

The understanding that when we speak of internal controls we are also speaking of the supply chain is important, because a disruption in one link of the supply chain – a breakdown of an internal control – can have a negative ripple effect through the links. (From the internal controls viewpoint, a breakdown of one internal control may cause another to fail.) A problem in one link may not reveal itself until later in the chain. The investigation must focus on the root cause of the disruption, while damage control may be needed to mend the disrupted chain link. For example, the use of inferior raw materials – materials that should not have passed through quality assurance inspection – may not be noticed until after finished goods are manufactured and shipped to the customer or consumer for use. In this example, the disrupted supply chain link was internal to the organization, but the effect was felt in an external supply chain link.

When we examine the necessity of corporate governance to an organization, we cannot look at just the controls surrounding the ability to produce accurate and timely financial statements. When Sarbanes-Oxley (SOX) was first established, financial systems integrity was the primary focus, and rightly so. Public companies have the responsibility, and burden, to produce timely and accurate financial statements to potential investors and shareholders. However, SOX is about so much more than just the end result (timely and accurate financial statements): it’s also about getting there. SOX is about defining and addressing the impediments to an organization being able to produce timely and accurate financial statements. SOX, it would seem, is more about the journey than the destination.

As such, corporate governance and the application of SOX are now moving beyond the financial area of organizations towards operations, a.k.a. the (internal/external) supply chain. What organizations are struggling with is how to utilize the least number of different SOX compliance frameworks throughout. According to a CFO magazine poll published in March 2006, an overwhelming number of respondent organizations (82%) used the COSO compliance framework. While some organizations reported using multiple SOX compliance frameworks, none of the others mentioned (AS2 – 28%, COBIT – 33%, SAS 55/78 – 13%) were used as much as COSO. (The COSO framework is also highlighted in the 2005 edition of the Fraud Examiner’s Manual published by the Association of Certified Fraud Examiners.) So, it would make sense for organizations to try to utilize COSO beyond the financial area.

What I have found is that the COSO compliance framework is very well suited as a guide towards bringing integrity into the supply chain, helping an organization to identify the internal controls necessary to mitigate risk and help ensure proper oversight while not impeding the efficiency of the organization.

But this is not just for public companies; private entities can gain benefit from bringing integrity into their operations. Reducing chaos increases control. And the benefits may go beyond just the obvious, such as the ability to grow and more efficient operations. During a phone conversation with the controller at a client, he had to reschedule a meeting due to the fact that they were still going through their audit. I questioned why a privately held company would go through such stringent audit processes. After all, in my interactions with the company I knew that they held themselves to very high standards of performance and control. The controller informed me that, though it was a disruption to have to go through, the banks looked favorably on this and would loan them more money at a lower interest rate. So, it would seem that having good internal controls has hidden (financial) benefits!

In the following series of articles I will speak to how each key aspect of the COSO compliance framework – Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring – can be adapted towards bringing integrity and control to different facets of the supply chain, and thus the operations of an organization.

Our thanks to this article’s author, Norman Katz, CFE, President of Katzscan, Inc. Katzscan, Inc. is a consulting firm located just 20 minutes north of Fort Lauderdale, Florida, specializing in supply chain technologies & operations. Norman graduated from the University of Florida in 1985 with a Bachelor of Science degree in Business Administration majoring in Computer Information Sciences. Norman is a Certified Fraud Examiner, a Florida licensed Private Investigator, and holds a Certification in Corporate Governance from Tulane University College of Law. Information on detecting and reducing fraud in the supply chain can be found at Information on supply chain governance can be found at Norman can be e-mailed through his web sites or contacted by telephone at 954-942-4141.

DISCLAIMER: This Corporate Governance article is provided as an informational resource and does not constitute legal advice. The information provided in this article is based on the laws in effect at the time the article was published. Laws related to this article’s topics may change over the course of time. Visitors to this website should not rely upon or act upon this information without seeking professional legal counsel.