Beyond Sarbanes-Oxley

For almost two years I have been speaking to clients and industry leaders about how Sarbanes-Oxley would exert a profound impact on logistics. Back then, the reaction was, "huh?" Now, the response is, "duh!"

I can't claim that my crystal ball is infallible, but I would like to offer another prediction for JoC readers. Having recently accepted the rigors of Sarbanes-Oxley, most logistics professionals are not looking for another dose of regulation. But it's coming, and your next logistics initiative is going to be ... federal identity management.

Huh?

The Patriot Act requires financial institutions to be able to correctly identify all parties to a financial transaction (Section 311). Remember the famous New Yorker cartoon, "On the Internet, no one knows you're a dog?" Banks aren't laughing. When they underwrite a letter of credit or other instrument of trade, they are criminally liable for knowing who is at each end of the transaction, whether in future commitments or past transactions. Banks regard your goods as their money, albeit in a temporarily solid form.

Your company has proudly joined the world of electronic commerce: Do you know if your business partner is a dog? When you click the "Submit" button on the order to your supplier, can you be certain of:

-- Whether the order went to the intended recipient (authentication)?

-- If it did, whether the recipient received the same order you sent (integrity)?

-- Whether anyone else saw the order on its way to the recipient (confidentiality)?

This is a brief sample of the security issues that give your bankers cold sweats. What if your order for 100 widgets was intercepted and altered, so that your supplier received one for 90 widgets and somebody else made 10 counterfeit ones? With the order consolidated overseas and C.I.F. payment terms, your company is happy to get 100 widgets and might satisfy the Sarbanes-Oxley regulations, because your order and invoices reconcile very neatly.

But the regulations say that somebody is going to jail for that security failure, and the bankers are going to make sure it isn't them. Your bankers are wrestling with the same logistics issues for the Patriot Act that your company is starting to address with Sarbanes-Oxley (and yes, they have SOX issues, too).

Homeland Security classifies banks as "critical infrastructure." A number of federal agencies favor a neutral bank-centric network to resolve the turf wars between large and small banks over control and access to that infrastructure. The Federal Reserve, the General Services Administration and several industry groups have created a test environment and are planning their coordination strategy with the private sector based on the results.

Federated Identity Management is a proposed solution to incorporate existing technologies and national clearance networks to reduce the clutter of IDs and to automate the settlement process. It will allow variations for existing national systems but with common access and transmission requirements for global consistency.

Now we come back to you - the companies importing, exporting and carrying our nation's goods across U.S. borders. You know that ideas are being floated for the Customs-Trade Partnership Against Terrorism to force carriers to monitor their partners' security capabilities. You might even have your logistics people reporting their purchase orders and invoices on a more timely basis to finance thanks to SOX. But now you will be asked to adjust your payment terms and procedures to explicitly protect something you have taken for granted - the identity of those at the other end of the transaction.

Why should you do this? You like to get paid. You want to stay out of jail. Doesn't everybody? So unless you plan to move to an entirely cash basis (and won't the authorities take a keen interest in you if you do that!) your funds will not be transferred unless you use the banks' networks, and supply the necessary counterparty information for the banks to satisfy the Patriot Act.

In turn, you need an exponential improvement in your internal documents' consistency and reconciliation. You've already seen this for the electronic submission of manifest data for Customs - it's simply being extended to your financial recordkeeping.

It's doubtful that Congress foresaw this convergence when it passed SOX, Patriot and Homeland Security legislation as separate regulations. But it's a logical outcome of the simple idea behind each of those initiatives: Know what's in your supply chain, and who put it there. Duh.

Gordon Fuller is a director of Covansys Corp., a global consulting and technology services company in Farmington Hills, Mich. He can be contacted at (248) 848-8884, or via e-mail at gfuller@covansys.com.