Software solutions tackle Sarbanes-Oxley from many different directions
When the Sarbanes-Oxley Act was passed in 2002, it was intended to address several specific accounting inadequacies in the public sector that led to a number of high-profile corporate failures, including Enron and WorldCom.
While the issues that SOX addresses are fairly complex, the intended result was to hold corporate management responsible for accurately reporting the financial condition of the company.
It's important to note that Sarbanes-Oxley specifically doesn't hold management responsible for profitably managing the company, only for ensuring that management actually meets stated standards in accounting procedures and controls, and that the results of operations and financial condition of the company are being accurately reported, no matter how good or poor those results are.
It is becoming obvious that compliance with its provisions is just part of the solution. While the most relevant sections of Sarbanes-Oxley address management reporting, documentation of procedures and effectiveness of internal controls, what SOX actually addresses, at least in part, are the larger issues of compliance, governance and risk management. This is reflected in the types of software that are being positioned to address compliance with the act.
SOME OF THIS, SOME OF THAT
Many accountants and their clients look at SOX as just another sign of government meddling with business, ignoring that a well-managed and ethical company is likely to be pretty much in compliance with the principles that SOX expounds. Good and accurate internal controls have always been a cornerstone of GAAP.
SOX is certainly not the first compliance act that most accounting firms' clients have had to face. And as accounting practices are getting more familiar with what their clients need to do to actually be in compliance with Sarbanes-Oxley, many are using SOX as a stepping stone to educate their clients on the larger issues of governance and risk assessment, and risk management as well.
In many areas, SOX dovetails with other compliance protocols, such as the COSO framework published by the Treadway Commission in 1992 (and updated in 2004). These were used as the basis of the COBIT IT governance protocols promulgated by the IT Governance Institute and the IASCA. That's hardly surprising, considering that any company that's going to be subject to compliance with Sarbanes-Oxley is also going to have their accounting and reporting functions highly integrated with IT.
This results in "SOX compliance" applications being all over the place in terms of what they actually do. The more obvious ones are those that directly address Sections 302 and 404 of the act. Under Section 302, management has to accept responsibility for the appropriateness and fairness of the financial statements. This doesn't absolve the auditor of responsibility, nor obviate the need for an audit letter, since these are still covered under the applicable Statements of Auditing Standards. It just means that management can no longer just rubber stamp an "everything's okay" report. There have to be tight and effective internal controls in place so that major discrepancies are uncovered, and so that poor workflow and procedures are not only identified, but also repaired. Those documentation and workflow processes are addressed by Section 404.
However, documentation, internal controls and management responsibility are tied in to other areas and applications. One of these is risk management, the "R" in GRC. GRC stands for governance, risk assessment and management, and compliance, and is a common acronym for a system that provides a targeted approach to implementing procedures and policies, tests, and reports of problems and solutions so that an enterprise is regulatorily compliant.
Risk assessment and management is directly related to internal control, as no set of internal controls can be assumed to be 100 percent effective 100 percent of the time. The process of risk assessment and management attempts to measure just how effective internal controls are at any time, and details procedures and management responsibilities for reporting and correcting any inadequacies that are detected. This targets both Sections 302 and 404 of SOX.
Governance is the process of setting out policies and responsibilities for all areas of operations, management and reporting, which again directly addresses the various sections of the act, while compliance is the process of actually demonstrating that the company is meeting the responsibilities required under Sarbanes-Oxley.
Many of the governance issues in complying with SOX revolve around internal controls, including segregation of duties, access control and change control - the ability to detect that any changes to the underlying records, data and/or procedures are performed by an authorized person, and that whatever changes are made are recorded so that they can be audited for compliance.
When added to the documentation and reporting aspects of the act, this means that it is likely that your clients may need more than one tool and application, or perhaps an entire GRC system, to truly be in compliance.
In turn, this means that every SOX engagement is fairly unique, and is an ongoing process. Even when your client has implemented a SOX solution, it is vital to routinely examine how well that compliance function is operating, and whether any changes need to be made to ensure continued effectiveness.
FROM EXPENSIVE TO FREE
Because most compliance software runs in an enterprise environment, much of the available applications are moderately expensive. All the vendors in this roundup won't discuss price until they have a good idea of what is involved in installing the software and integrating it with existing applications, workflows and controls. For most, the costs can range from tens of thousands of dollars to hundreds of thousands.
There are some very useful adjuncts to the compliance solution that are inexpensive, or even free. A number of vendors offer free implementation checklists, and Microsoft has a free, downloadable project management implementation template for MS Project.
Caseware's IDEA, which is an excellent audit tool, is very reasonably priced, and can be employed very effectively in testing internal controls.
Finally, you might want to look at the Application Discovery Tool. This free download from Sophos Inc. (www.sophos.com) lets you and your clients (or their auditors) discover what applications are installed on network workstations and servers. It requires that Active Directory be installed and used.
To provide you with an overview, we looked at nine applications and tools. Many others are available. Keep in mind that while some tools can be installed and configured by you or your client, most compliance and GRC systems are sold and installed by resellers, who will quote prices depending on the specifics of each engagement.
Axentis has held an important position in the GRC market, which should be further strengthened by its recent acquisition by CCH. CCH has stated that it intends to run Axentis as an independent company, which means that existing customers of the Web-based Enterprise platform can breathe a sigh of relief.
The Axentis Enterprise platform is a suite of Software-as-a-Service GRC applications, some of which are more suitable than others for SOX compliance, as well as a central database in which rules, results and documentation are stored.
GRC compliance for SOX, as well as other compliance areas, is based around risk-based assessment, testing and control. The basic starter applications are the Compliance Office Manager, which allows your client to identify those areas that pose a compliance-oriented risk, and to prioritize them so that corporate resources can be deployed most effectively.
After that, Policy Manager can be used to establish enterprise-wide policies and procedures, and then onto other modules in the suite to implement testing procedures, reporting and remediation.
Axentis Enterprise provides a comprehensive suite of capabilities to address both Sarbanes-Oxley compliance and other areas such as HIPAA, but another major benefit is that, as a SaaS application suite, it can be very quickly deployed.
FrontRange Solutions isn't known for its SOX compliance applications, but rather for GoldMine, a popular customer relationship management package. The vendor is included in this roundup because of another of its offerings, IT Service Management, or ITSM. This application is not directly targeted to SOX compliance, but as with several other tools in the roundup, provides a valuable adjunct to handling compliance issues.
The ITSM is a set of modules designed around the Information Technology Infrastructure Library, which is a set of procedures and best practices. It's comprised of nine modules, each of which is available separately, that address incident management, problem management, change management, release management, service level management, configuration management, availability management, knowledge management and self-service. While most of these will be of value to your clients' IT departments, the modules most applicable to SOX compliance are incident management, problem management and change management. These can be used to provide coverage if other compliance applications and procedures do not provide the level of coverage that you and your client feel is necessary.
All of these modules require an installed database to hold data collected by the module. Microsoft SQL and SQL 2005 are supported, as is Oracle 9i.
OPENPAGES AUDIT AND FCM
OpenPages provides compliance and governance applications at a number of levels. At the top of the offerings is Enterprise GRC, a suite of modules that addresses pretty much all governance issues in most enterprises, including IT compliance, risk assessment and compliance, audit issues, and financial controls management. Both the FCM module and OpenPages Audit are directly germane to SOX compliance.
OpenPages Audit provides risk assessment that can be used when planning an audit of internal controls, as well as providing tools for the management of the audit itself. For the most part, this is an application meant to be used by the internal audit department on an ongoing basis. It also provides reports that will be helpful in meeting SOX Section 302 requirements.
Also very applicable to SOX compliance is OpenPages FCM. This complements other OpenPages modules, or can be installed as a stand-alone, and provides a central depository for data, a comprehensive audit trail, dashboard displays of status and workflows, and a variety of reports. Management surveys and workflow routing help meet the requirements of both Section 302 and 404.
PAISLEY GRC ON DEMAND
Paisley Software is well known for its full line of GRC products for the enterprise. These include enterprise risk, operational risk, internal audit, overall GRC, SOX compliance, and even J-SOX compliance.
GRC on Demand is a relatively new suite aimed at mid-market and resource-constrained companies, and is offered as a Web-based product that includes most of the modules contained in its enterprise suite. GRC on Demand for SOX allows your client to establish a centralized system of internal controls; manage surveys, assessments and sign-offs through an automated workflow; and provide ongoing reports and dashboards. This approach alerts management when controls are not operating effectively, and documents remediation procedures.
As part of Thomson Reuters, there are some extras that are provided with GRC on Demand for SOX that greatly enhance its value. These include best practice risk and control models to speed up implementation, and a subscription to the Checkpoint research service.
SAP BUSINESSOBJECTS GRC SOLUTIONS
With the acquisition of BusinessObjects (best known for Crystal Reports) complete, SAP has slightly changed the name of its applications for governance and compliance. The approach remains the same, however, with separate modules for risk management, access control, process control, global trade services, and environmental, health and safety management. Each of these addresses specific areas of compliance, some of which probably aren't relevant in most SOX compliance situations.
The first three modules - risk management, access control and process control - do provide a very thorough approach to SOX compliance. The risk management module helps your client balance benefits against risk, and is useful not only in determining audit and internal control risk, but also operational, financial and legal risks. Access control extends the capabilities of SAP ERM applications in these areas, identifying and controlling access risks at every level, while process control monitors help to enforce controls affecting processes and workflows in the enterprise.
Keep in mind, though, that all of the SAP BusinessObjects GRC solutions are meant to be used alongside SAP's ERM applications and may or may not be applicable if your client is using another vendor for their financial and operational software.
In addition to SAP's own offerings in GRC, other vendors also provide applications to enhance specific areas of SAP products. Security Weaver is a set of five modules that provide enhancements in key areas for users of SAP software.
Security Weaver's modules include Separations Enforcer, Emergency Repair, Secure Provisioning, Secure Audit and Secure Enterprise. Each of these is pretty tightly targeted towards a specific area.
Separations Enforcer enhances the ability of an administrator to define separation-of-duties rights to strengthen controls on which employees have access to specific applications and data. A second module, Emergency Repair, can provide specific after-hours access for pre-specified employees to specific administrative areas. These accesses are monitored and recorded, with e-mails automatically sent to the appropriate supervisors.
The Secure Provisioning module also supplies a measure of access control. It allows the IT department to set up policies that automatically grant or restrict access to new employees, re-assigned employees and terminated employees, and reports any conflicts with the existing separation of duties.
Security Weaver also provides a Secure Audit module. This allows a continuous monitoring of transaction activity throughout the enterprise, as well as tracking transactions for internal control purposes.
Part of the confusion about compliance with Sarbanes-Oxley is that the act defines the desired results, but not how to get them. This has resulted in a number of different approaches. Transaction/1's ePM3SOx is process-oriented, and is targeted at the COSO framework defined by the Treadway Commission. The ePM3SOx application is an extension of Transition/1's more IT-focused eProcessManager Suite and lets your client identify their business units, process cycles and functional areas. These can then be defined and documented using the COSO and COBIT templates that are included with the application.
By defining the business processes in an organization and then evaluating their effectiveness and controls, your client can ensure that they are in, or are brought into, compliance with regulatory requirements, as well as the desired business goals.
Part of the evaluation process is performed by identifying and assessing the risks associated with each process and determining the impact on financial reporting, operational effectiveness, and corporate strategies and goals, as well as regulatory compliance. During this process, ePM3SOx generates the documentation necessary to comply with Section 302.
Unlike some of the applications in this roundup, ePM3SOx is independent of any particular vendor's accounting application. This allows ePM3SOx to be used alongside many mid-market accounting systems that might be used in some smaller companies subject to SOX, rather than restricting its use to enterprise-level applications.
TRINTECH UNITY FINANCIAL GRC SUITE
As with a number of the GRC approaches detailed in this roundup, Trintech provides a suite of four applications for governance, risk assessment and compliance. These can be implemented separately, or as an integrated system. The four modules of the Unity Financial GRC Suite are Risk Management, Compliance, Financial Close and Reporting, and Account Reconciliation. While the complete suite will be useful for many of your clients, the two modules most applicable to SOX compliance are Compliance and Financial Reporting.
The Compliance module is a system for monitoring and documenting internal control testing, evaluating whether or not a particular control actually needs to be tested, risk evaluation, and remediation. It provides extensive dashboard status monitors and documents the results of risk evaluation, any remediation that needs to be done, and the completion and effectiveness of any such remediation. This addresses Section 302 requirements.
Another component of the suite that might be of interest in SOX compliance is Financial Close. This used to be named OneClose and addresses the "last mile" in financial statement preparation. It analyses and controls the manual processes in the closing process so that nothing slips into the financials at the last moment. The risk analysis is performed according to where the closing entries are coming from, and the results are viewable on a dashboard.
TRIPWIRE ENTERPRISE CHANGE AUDITING
Tripwire is a vendor that isn't really in the SOX compliance market. Its products are really aimed at the IT department and address IT infrastructure. Change Auditing establishes internal controls on the IT side that exist independently of those in the financial applications.
The Change Auditing application is a stand-alone program that monitors all changes taking place on an entire enterprise network. These might be data entry into an application, changes made to operating system or network settings, or a change made to any of the databases maintained on the network. Tripwire Change Auditing has separate components that monitor applications, directory services, databases (Oracle 9 and 10g, Microsoft SQL Server 2000 and 2005), middleware, operating systems, virtual environments, and network devices.
All changes are compared against access rules established by the IT administrator, and any changes that do not comply with these rules trigger an alert to the appropriate supervisor or manager, as established when setting up the policies. Additionally, continuous reporting is available in the form of dashboards, and comprehensive reports are generated to alert management to any unauthorized changes, as well as providing backup documentation to meet Section 404 requirements.
Ted Needleman is senior director of the Technical Services Division of Industry Analysts Inc., an independent market research firm and testing laboratory. He was previously the editor-in-chief of Accounting Technology, and writes frequently on software, hardware, and technology-related subjects.
FrontRange Solutions Inc.
OpenPages Audit and FCM
Paisley GRC on Demand
New York City
SAP BusinessObjects GRC Solutions
SAP America Inc.
Newtown Square, Pa.
Transition/1 Management Accounting Systems Inc.
Long Beach, Calif.
Trintech Unity Financial GRC Suite
Tripwire Enterprise Change Auditing
(c) 2009 Accounting Today and SourceMedia, Inc. All Rights Reserved.
Register or login for access to this item and much more
All Accounting Today content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access