Category to Watch: SOX Compliance

In the last year or two, the fog surrounding Sarbanes-Oxley software was finally starting to clear, with a number of vendor offerings focused specifically on compliance, primarily with Sections 302 and 404, on management's responsibility for certifying financial results and internal controls, and with the documentation and testing of internal controls. That split software applications into several basic groups - those that help to document processes and internal controls, those that test the effectiveness of internal controls, and those used in the audit test process.

Examples of this last type of software include CaseWare's IDEA, ACL Services' Audit Control Language, and data-mining applications like Datawatch's Monarch Pro. SAS for Sarbanes-Oxley Compliance is another powerful statistical analysis and data-mining application from SAS Institute.

In the last year or so, the lines defining SOX software have started to blur again. Not because of any change in the act itself, but out of a realization that the issue is more one of general governance than simple compliance. Adding to the overall confusion are the recent SAS pronouncements on risk avoidance and a growing acknowledgement that SOX compliance is just one facet of governance.

IT compliance is another.

Fortunately, there are plenty of vendors in the SOX compliance software market who have earned their reputation. Movaris offers a suite of compliance and governance applications, including its unusual OneClose, which concentrates on the closing entries and adjustments, rather than verifying internal controls earlier in the process. OpenPages offers a variety of management packages, including OpenPages FMC. Also remaining popular are vendor-specific applications, such as SAP's SAP Solutions for GRC, Oracle's PeopleSoft Internal Controls Enforcer, and Logical Apps' Active Governance.

The Axentis Sarbanes-Oxley Management Suite is just the opposite - it is not vendor-specific, and is Web-based Software as a Service, so it can be used with a wide variety of vendor financial management applications.

Risky business?

To some extent, SOX compliance is a subset of a wider concern in an enterprise - risk management. Risk management addresses a global and systemic view of all identifiable risks in a particular enterprise, and tries to determine the materiality of the potential vulnerability.

Most of the vendors that offer SOX compliance applications also offer more comprehensive risk management systems. Paisley Software is one vendor that offers an overall governance suite that encompasses controls management, internal audit, operational risk management, and enterprise risk management.

Process management, which examines and tests the entire workflow in an enterprise, is also a very germane compliance issue. Transition/1's eProcessManager Suite addresses this global view of compliance.

Another important area of compliance and governance is IT compliance. Tripwire Enterprise tracks configuration changes to applications, the operating system, and all databases in the enterprise.
