
Internal Audit Report

Harley-Davidson, Inc.
Milwaukee, USA

Fieldwork Conducted during September 2 to October 3, 1997
Issued: October 7, 1997
Distribution List:
Mr. Garry Berryman, Vice-President of Materials Management
Mr. Dave Cotteleer, Manager of Planning and Control

Table of Contents
I. Executive Summary
II. Observations and Recommendations
A. Integrity of Information Systems
B. Confidentiality of Information
C. Supplier Performance
III. Conclusion

I. Executive Summary

The internal audit team has performed a review of Harley-Davidson, Inc.'s supply chain management
system during the months of October and September 1997. The purpose of the review was to evaluate the risks
and recommend measures with regard to the adoption of Harley-Davidson's Supply Network, a private internet
that allows Harley-Davidson and its trading partners to communicate and collaborate on key aspects of the
supply chain. While eBusiness presents significant benefits to Harley-Davidson, there are also risks that need
to be considered. Such risks pertain to the integrity of systems, confidentiality of information and performance
of suppliers.

Background
Harley-Davidson has previously struggled in managing its supply chain, consisting of several
vertically-integrated suppliers. To solve this problem, Mr. Garry Berryman proposed a consolidation of the
internal purchasing systems and supply chain. From nine purchasing systems and over 4,000 suppliers, Harley-Davidson now has a single purchasing function and 800 suppliers who are made to agree to certain conditions.
Subsequently, Harley-Davidson established an Internet-based network designed and supported by Manugistics
Group Inc. to share vital inventory information with suppliers. Furthermore, Mr. Berryman granted suppliers the
right to place their employees within Harley-Davidson to participate in product design and manufacturing
discussions and the right to access Harley-Davidson's Intranet.

Scope
The

Objectives & Approach


The purpose of the review is to assess the risks related to Harley-Davidson's
supply chain management system, to evaluate risk management and to recommend
measures to mitigate such risks. To this end, the internal audit team has examined
systems documentation from Manugistics Group, Inc., reviewed supplier contracts and
agreements, and interviewed management, employees and suppliers.

Results
Overall Report Rating: High Priority
The Observations section of this report provides detailed descriptions of each observation and
recommendation. Because of the unique circumstances of CBI with regard to the maintenance of specific
financial ratios, the following issues are assessed as high priority:

II. Observations and Recommendations


A. INTEGRITY OF SYSTEMS
HIGH PRIORITY

Observation

The most common threats to systems integrity are attempts to
illegally access and modify data, and destructive programs such as
viruses that can lead to systems breakdown. System controls should
be able to protect the system from these risks.

Harley-Davidson's Supply Network, being an Internet-based
network, is inherently susceptible to malicious individuals seeking
confidential information, hackers, viruses, and even systems
breakdown.

Harley-Davidson's supply chain management has benefited from
adopting an Internet-based system that allows Harley-Davidson to
connect to and share information with its suppliers. However,
because Harley-Davidson's communications and operations rely on
this system, systems integrity needs to be given high priority.

Business Impact

Should the integrity of systems and the information contained within be
compromised, the productivity of operations will be disrupted.
Subsequently, Harley-Davidson's ability to meet customer demand will
be affected. Furthermore, to restore the system to its previous working
condition, costly systems reboot will have to be made.

Recommendations
1. Harley-Davidson should establish an internal IT department
that should conduct periodic systems maintenance and
maintain security controls over the system. There should be
segregation of duties between the IT department and functions
within the organizations. The systems maintenance function
should be segregated from operations. The systems
administrator should also be segregated from other IT
functions.

2. Antivirus software should be installed and updated in all of
Harley-Davidson's computer systems to guard against
destructive programs. Firewalls should be implemented to
regulate access between networks. Encryption of information
being transmitted across networks should also be put in place
in order to prevent unauthorized recipients from making use
of information.

3. Harley-Davidson should develop back-up procedures in order
to minimize the effects of systems breakdown. This includes
the formation of a disaster recovery team. There are several
alternatives for creating a back-up. Such alternatives include
a mutual aid pact with its partners, empty shell or cold site,
recovery operations center or hot site, and internally provided
back-up.

Management Response

B. CONFIDENTIALITY OF INFORMATION
MODERATE PRIORITY

Observation

As much as possible, Harley-Davidson should provide its suppliers
with only essential information that can assist them in the conduct
and delivery of their duties and responsibilities. The degree to
which Harley-Davidson seeks to collaborate and share information
with its suppliers should be properly determined.

Aside from sharing inventory information with its suppliers, Harley-Davidson
has also allowed employees of suppliers to participate in
the Company's product design and manufacturing discussions.
These employees are also given access to the Intranet, which allows
them to look into the minutes of the meeting, plans, schedules and
other internal systems.

By having suppliers participate in-house, Harley-Davidson expects
a more wholesome approach to product design and manufacturing
with the inputs regarding parts and other materials provided by its
suppliers.

Business Impact

Harley-Davidson's suppliers can also be the suppliers of its competitors.
Information, particularly on product design, can be leaked to these
competitors and other outside parties. This may result in a
competitive disadvantage for Harley-Davidson.
Recommendations

1. There should be strict policies and procedures regarding what
information the in-house suppliers can access. Segregation of
duties between the employees of Harley-Davidson and its
suppliers should be established. Security controls such as
passwords, access tokens, access control lists and discretionary
access privileges should be set in place to prevent
unauthorized access to confidential information.

2. Suppliers should sign a confidentiality contract, which
enumerates their duties and responsibilities for the
confidentiality and use of information, as well as the
consequences resulting from the breach of contract. As much as
possible, Harley-Davidson should not enter into contracts with
suppliers that may have conflicts of interest.

3. An audit should also be conducted periodically to determine
the suppliers' compliance with confidentiality policies. This is to
ensure that suppliers have not divulged or used confidential
information in violation of the confidentiality contract and/or
to the disadvantage of Harley-Davidson.

C. DEPENDENCE ON SUPPLIERS' PERFORMANCE

MODERATE PRIORITY

Observation

The performance of Harley-Davidson is dependent on how well its
key suppliers deliver their responsibilities. Thus, the Company
should set specific standards in choosing and retaining its key
suppliers.

In order to manage its supply chain better, Harley-Davidson has
diminished the number of its suppliers from over 4,000 to about 800.
With a smaller supplier base, the Company needs to ensure that
suppliers are capable of meeting their demands. Consequently, key
suppliers have to agree to certain conditions in return for being
retained by Harley-Davidson. Although the suppliers may have
agreed, their performance can still vary from the conditions.

Harley-Davidson's close relationships with its suppliers allow the
Company to set significant demands on its suppliers. As one of the
most profitable and well-revered companies in the world, Harley-Davidson has a reputation to maintain.

Business Impact

Harley-Davidson's supply chain dictates how well the company can
deliver the demand of its customers. Should the Company's supplier fail
to meet standards, Harley-Davidson's Production department's
efficiency and effectiveness will be adversely affected. Subsequently,
the Company's image may have to suffer.

Recommendations
1. Harley-Davidson should choose suppliers that have sufficient
resources, both technological and managerial, that will allow
them to reap the optimum benefits of the Supplier Network,
with such benefits being passed down to Harley-Davidson.
Otherwise, Harley-Davidson should provide support activities
to suppliers who do not have enough resources.

2. Harley-Davidson should continually evaluate the performance
of key suppliers. Harley-Davidson and its key suppliers should
get together to establish cohesive goals that are beneficial to
all parties. They can agree on goals pertaining to cost
reduction, quality improvement and environmental initiatives.
Based on the suppliers' performance, Harley-Davidson should
decide whether to retain the suppliers or to look for other
suppliers who can meet the Company's requirements better.

3. Harley-Davidson should continue to maintain close
relationships with suppliers considering its significant
demands. The specific benefits of the partnership with Harley-Davidson should be properly communicated to its suppliers to
ensure their commitment. Benefits may include the use of
information provided by Harley-Davidson's Supply Network
and in-house suppliers, the enhanced image brought by being
associated with a reputed company and a secured source of
revenues.

Management Response

III. Conclusion
Harley-Davidson's implementation of the Supplier Network has brought significant benefits to the Company.
However, it also exposes the Company to a number of risks. These risks include the
