Software Review: SOX software gaining muscle, sophistication

Three years after President Bush signed the Sarbanes-Oxley Act into law, the repercussions continue to resonate through the business community - with calls for reform, the explosion of compliance tools, and relief on the part of some shareholders. In the wake of the scandals at Enron, WorldCom and Arthur Andersen, Sarbanes-Oxley was created to improve the financial reporting systems of American companies subject to Securities and Exchange Commission reporting requirements.

In addition to establishing records-retention requirements for audit papers, the law created a new oversight board for accounting firms auditing publicly traded companies; addresses auditor independence; outlines corporate responsibility at publicly traded companies; affects the financial disclosures of publicly traded companies; and establishes reviews for conflicts of interests of financial analysts. The law also creates protections for "whistleblowers" that are applicable to private and public companies, and imposes new criminal penalties relating to fraud, conspiracy and interfering with investigations.

The results to date have been positive in one sense. In the first four months of this year, 568 companies had complied with the requirement to report material weaknesses in their internal financial controls. But the cost has been high - reports have put the average cost of compliance for a large company as high as $7.8 million and 70,000 man-hours.

The high costs, together with the fact that the law was created with virtually no input from business leaders and no consideration of the impact the law would have on American business, have prompted some corporate leaders to push for reform of the law from new SEC chair Christopher Cox.

And there is another reason. Corporate executives complain that the lack of specific guidance in the law forces them to negotiate positions first with the accountants who set up their compliance rules and systems; then negotiate a separate peace with auditors who may not agree with the effectiveness of the system once in place.

Whatever the outcome of the reform movement, the market for compliance software and services is white-hot. From small startups to established management software platforms, a whole range of companies have suddenly become magnets for investment dollars and competitors in a fierce market in which even a small share will mean instant wealth.

For accountants, the challenge in selecting the right software and systems is made more difficult by the dual - but separate - roles they must play. On the one hand, internal financial managers and their external accountants must select appropriate software and systems to help them build a strong set of internal controls and establish systems to document those controls. On the other, external auditors need a means to test those internal controls and the documentation in order to declare the company to be in compliance.

In both cases, failure may be catastrophic to both the accounting firm and the client. That's why the first reviews of SOX compliance software were largely disappointing - they were ported from other programs or cobbled together to meet the short-term goal of attesting to compliance in the first year of the SOX Act, and didn't have the punch needed to go the full distance. Now in their second year, these solutions are gaining some muscle and elegance - getting better at automation and active financial controls to ensure sustainable compliance.

Ultimately, all of the software will be absorbed into business process software. This is because the internal controls they create are rapidly being absorbed into the business processes themselves, so that they are less about documenting external procedures than simply another part of doing business. The expectation is that SAP, Oracle, Hyperion and even Microsoft Office will have SOX compliance built in. And, in fact, the initial steps toward that integration are already underway.

In the meantime, this is a strong market with a strong set of competitors emerging from the pack. This year, we consider seven of the top performers from Axentis, Logical Apps, Movaris, OpenPages, Transition/1, Tripwire and Virsa.

Axentis Enterprise Sarbanes-Oxley Solution - Axentis

Axentis Enterprise (Ae) is a Web-based compliance platform that has been deployed in over 100 countries to more than 600,000 users, including some in highly regulated industries like pharmaceuticals, finance, insurance, energy, manufacturing and consumer goods.

Built to assure compliance with multiple and often concurrent regulatory obligations, Ae was among the very first to offer support for SOX and for the U.S. Sentencing Commission guidelines on effective compliance management. Today, over 50,000 users use Ae to meet the requirements of SOX Section 404 (management assessment of internal controls), Section 302 (corporate responsibility for financial reports), Section 406 (code of ethics for senior financial officers), Section 409 (real-time issuer disclosures), and Section 802 (criminal penalties for altering documents). Ae also supports related and similar requirements set by CobiT, COSO, COSO ERM, Basel II and Turnbull.

The Axentis Enterprise Sarbanes-Oxley Solution is designed to centralize controls, tests, remediation plans and other procedures within a versioned, secure and SAS 70 Type II-certified facility. It enables valid period-to-period comparatives and preserves original context for seven-plus years, including complete control framework and documentation, testing, descriptive information, organizational structure and assessment data. And it creates and manages all required forms, dialogues and remediation/action plans, mapped to organizational and control frameworks for accurate, real-time results.

Axentis Enterprise is licensed on a subscription model, reducing the total cost of ownership, and offers a clean interface and simplified navigation that can be securely accessed from any location. Ae provides a holistic view of governance, risk and compliance for any number of government compliance and security management needs concurrently.

This framework, and the flexibility of the ASP model, allows Axentis to deliver new functionality, automate new guidelines as they evolve, and expand to support best practices without forcing clients to re-install or upgrade software.

Axentis Enterprise is a well-crafted and auditor-friendly application that is able to integrate with and aggregate information from one or more ERP/HRIS systems. With a firm grounding in risk management, an excellent track record for performance and a scope that ranges far beyond the SOX Act, Axentis is a strong and effective compliance toolkit.

Compliance for Oracle - Logical Apps

Logical Apps' Compliance for Oracle has its roots in the controls automation software industry, and provides an off-the-shelf application that speeds deployment of the SOX compliance tools through automated processes and seeded content.

Logical Apps' Compliance products are designed to comply with the COSO and CobiT frameworks, and may be used as well to meet the requirements of Basel II, Solvency II, the U.K.'s Turnbull Guidance and Canada's Instruments 105-111 frameworks.

Logical Apps' solution resides within the Oracle E-Business application, where it can prevent fraud and block new-user access that conflicts with a company's segregation-of-duties policies. Solutions for other ERP systems are currently in development and planned for an upcoming release.

The Sarbanes-Oxley solution for Oracle Applications uses a proactive approach based on a comprehensive set of business process and audit rules to automate application controls across the Oracle E-Business Suite. The software is designed to prevent, detect and monitor all user activities, transactions and application changes in real time, in the same manner as anti-virus software prevents and detects viruses.

The software defines and applies SOD controls across enterprise applications. In addition, Logical Apps provides more than 400 prescribed controls that can detect and prevent common violations across ERP applications such as Oracle's E-Business Suite. For change control, more than 1,500 change controls can be loaded into a company's Change Control Solution; the fields placed under change control are key set-ups that have financial impact and are SOX-related. Data integrity controls ensure that data input is accurate.

Logical Apps is an excellent system for automation and enforcement of business process controls in an environment that can be quickly configured without extensive customization. Currently on the Oracle platform, its expansion this year into other ERP and management systems will make it a viable contender for both enterprise and mid-range companies.
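The segregation-of-duties logic described above, both the detective scan of existing users and the preventive check that blocks a conflicting role before it is granted, as an added example (this is illustrative code, not Logical Apps' or Virsa's; the role names, business functions and conflict rules are constructed):

```python
"""Segregation-of-duties (SoD) check: detect existing conflicts and prevent new ones.
Added example; roles, functions and rules below are constructed, not from any vendor."""

# Constructed: pairs of business functions one person must not hold together,
# because holding both lets a single user initiate and approve a transaction.
SOD_RULES = {
    ("create_vendor", "approve_payment"): "vendor setup vs. payment approval",
    ("enter_journal", "post_journal"): "journal entry vs. posting",
    ("create_po", "receive_goods"): "purchasing vs. receiving",
}

# Constructed: ERP roles and the business functions each role grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"enter_journal"},
    "GL_SUPERVISOR": {"post_journal"},
    "BUYER": {"create_po"},
    "WAREHOUSE": {"receive_goods"},
}

def functions_for(roles):
    """Union of all functions granted by a set of roles (unknown roles grant nothing)."""
    return set().union(*(ROLE_FUNCTIONS.get(r, set()) for r in roles))

def sod_conflicts(roles):
    """Descriptions of every SoD rule violated by holding these roles together."""
    funcs = functions_for(roles)
    return sorted(desc for (a, b), desc in SOD_RULES.items() if a in funcs and b in funcs)

def detect_violations(user_roles):
    """Detective control: scan current assignments and report users in conflict."""
    return {u: c for u, roles in user_roles.items() if (c := sod_conflicts(roles))}

def can_grant(user_roles, user, new_role):
    """Preventive control: evaluate a proposed role grant before it takes effect.
    Returns (allowed, conflicts) so the caller can block and explain the refusal."""
    proposed = set(user_roles.get(user, set())) | {new_role}
    conflicts = sod_conflicts(proposed)
    return (not conflicts, conflicts)

# Constructed sample assignments; bob's two roles violate the first rule.
USERS = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},
    "carol": {"GL_ACCOUNTANT"},
    "dave": {"BUYER"},
}

if __name__ == "__main__":
    for user, conflicts in detect_violations(USERS).items():
        print(f"{user}: {', '.join(conflicts)}")
    ok, why = can_grant(USERS, "carol", "GL_SUPERVISOR")
    print("grant GL_SUPERVISOR to carol:", "allowed" if ok else f"blocked ({why})")
```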

Certainty - Movaris

The Movaris Certainty family of financial control management applications builds on the Movaris system of action plans - configurable sequences of steps, directed to specific individuals with different roles and instructions, and attached or linked to reference materials, to complete specific tasks, such as performing a control test or review of a control. The action plans include triggers that detect changes in conditions and initiate an alert or another action plan.

Section 404 Compliance Management delivers four configurable action plans that speed the implementation and deployment of the financial control management system. It offers automated scheduling of all control activities, including evaluations, self-assessments, and tests; automated e-mail reminders, ensuring that control participants perform required evaluation and testing activities on time; and automated escalation of overdue or non-complete control activities.

Certainty Control Improvement uses a financial control console to analyze exceptions from multiple perspectives, and to focus resources on critical issue resolution activities. Automatic e-mail alerts bring high-risk issues and weaknesses immediately to management's attention. Configurable exception management and exception action plans are used to resolve control deficiencies and guide the review of significant control weaknesses.

The Section 302 Compliance Management system offers two configurable action plans to guide certification and record representations and signatures from key executives, management staff and legal counsel. Configurable management sub-certification action plans collect signatures and comments from key sales, marketing and finance group managers, and Section 302 certification action plans quickly guide certification of multiple financial statements, including the 10-Q, 10-K SB, 10-Q SB, 20-F and 40-F.

Movaris Certainty provides a simple, orchestrated process to improve and document financial controls, providing a short learning curve and fast implementation for companies ranging from midsized to major enterprises. Aimed at companies with distributed financial control operations, Certainty runs on MS SQL Server, DB2, Oracle and other common database engines, operating in either a Windows or UNIX platform.

OpenPages SOX Express - OpenPages

OpenPages SOX Express is a flexible, customer-configured solution that automates the corporate financial reporting and disclosure compliance requirements of SOX Sections 404 and 302. For Section 404, SOX Express automates the design, documentation, review, approval and testing of a company's internal controls framework. SOX Express provides a COSO-based risk management framework to shorten time-to-compliance, and to expedite compliance audits.

For Section 302, SOX Express automates the survey process for financial disclosure certification, in which individual process owners first provide sub-certification for their functional areas. Sub-certifications are then "rolled up" throughout the organization and approved by managers at each business level. SOX Express then presents management with a final certification report for attestation from corporate officers.

Driven by a central command center, SOX Express allows a company to automate the quarterly test and review of internal controls to lower the costs associated with quarter-over-quarter compliance. With user-specific home pages, e-mail integration, easy-to-use navigation and interactive reporting capabilities, SOX Express creates a highly productive compliance environment with five key areas of functionality - project management, documentation, compliance automation, issues management and monitoring.

With its straightforward interface, consistent navigation and simple audit trail, SOX Express is an efficient document and process management system, tightly focused on compliance with Sections 404 and 302. Built on a Java-based Web browser architecture, SOX Express offers IT organizations lower total deployment costs and integration with existing infrastructure.

eProcess Manager Suite - Transition/1 Management Accounting Systems Inc.

The eProcess Manager Suite was not created to meet the demands of SOX. Rather, it was an extension of ERP designed to enhance the performance of organizations through more effective controls and the ability of management both to understand corporate data and drill down to its details.

A PC-based solution based on Transition/1 Management Accounting Systems' 17 years of experience, it uses Microsoft SQL Server, Visio and Microsoft Project to build a suite of browser-based applications for documenting, monitoring and analyzing the performance of the organization - all summarized in a color-coded dashboard application.

An advanced version of the eProcess Manager Suite was created from this foundation to address the specific needs of SOX. SOX features in this version include the ability to populate matrices that can quickly compare risks, controls and materiality in order to easily prioritize projects. The analysis is automatically linked to appropriate levels within the process, whether it is a sub-task, major activity or key process. The suite consists of the ProcessManager, SOX Enabled (Risk and Control); ePerformanceManager; eProcessMonitor (to automate monitoring); Sarbanes-Oxley Implementation Template; and Proven Practice Template with Sarbanes-Oxley Risks and Controls.

Perhaps because of its roots in ERP and performance enhancement, Transition/1 MAS carries the unique view that SOX compliance is not a burden for most companies, but rather an opportunity to realize a return on investment through greater efficiencies.

One of the first software vendors to release a COSO-compliant methodology, Transition/1 MAS has built the eProcess Manager Suite for the midrange markets, offering companies the ability to use a standard template for SOX compliance or build their own application using well-known desktop tools. The result is a compliance tool with exceptional flexibility and a purpose that makes business sense even for private companies not covered by Sarbanes-Oxley.

Tripwire Change Auditing - Tripwire Inc.

Tripwire Change Auditing is different from the other products reviewed in that it doesn't address documentation of processes and internal controls, but verifies the integrity of the processes and controls. It is software focused on the IT infrastructure of the company, and its job is to monitor, check and validate changes that auditors need to know about.

In today's sophisticated world of fraud, committing fraud by direct tampering that would trigger a Section 404 violation requires an intervention at the IT level. Permissions must be changed, software code re-written or other changes made to the IT infrastructure.

The process of seeking out these changes in order to ensure compliance with the SOX Act and other internal controls is called "change auditing," and its purpose is to prove that all changes are authorized and intended - or to trigger corrective action when they are not. To accomplish this, Tripwire Change Auditing software first detects all changes made to monitored infrastructure and then reconciles the detected changes against all known approved changes in order to expose unauthorized change.

Tripwire's library of various graphical reports and dashboards documents infrastructure change status, change history, desired versus undesired changes, and process effectiveness - enabling management to demonstrate compliance, increase availability and enhance security.

Tripwire Change Auditing software is available in two versions - Tripwire Enterprise and Tripwire for Servers. Tripwire Enterprise software independently audits changes to servers, desktops and network devices for the ultimate in enterprise change management. It detects, reconciles and reports on change status to maintain and verify infrastructure integrity and process effectiveness.

Tripwire for Servers is a solution for small to midsized organizations requiring only server monitoring. With the Tripwire Manager console, it provides detailed reporting, centralized server management, and the ability to roll back to a known and trusted state for maximum server availability.

Its tight focus on change auditing and its singular capabilities in this area - with flexibility to address processes from the enterprise to small companies - will make this an invaluable auditing tool for both internal financial managers and their outside counselors.
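The change-auditing cycle described above (baseline the monitored infrastructure, detect every change, reconcile against approved changes, expose what remains) as an added example; this is illustrative code, not Tripwire's, and the file paths, contents and change tickets are constructed. Content hashes stand in for the file system so the example runs offline:

```python
"""Change auditing: snapshot, detect, reconcile against approved changes.
Added example, not Tripwire's code; paths, contents and tickets are constructed."""
import hashlib

def snapshot(files):
    """Baseline: map each monitored path to the SHA-256 of its content."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}

def detect_changes(baseline, current):
    """Compare two snapshots; return {path: (kind, old_hash, new_hash)}."""
    changes = {}
    for p in set(baseline) | set(current):
        old, new = baseline.get(p), current.get(p)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes[p] = (kind, old, new)
    return changes

def reconcile(changes, approved):
    """Match each detected change to an approved ticket for the same path whose
    expected resulting hash matches; anything else is unauthorized. Approved
    changes that never appeared are reported too, since auditors want both."""
    by_path = {t["path"]: t for t in approved}
    authorized, unauthorized = {}, {}
    for p, (kind, old, new) in changes.items():
        t = by_path.get(p)
        if t and t["expected"] == new:
            authorized[p] = t["ticket"]
        else:
            unauthorized[p] = kind
    not_seen = sorted(t["ticket"] for t in approved if t["path"] not in changes)
    return authorized, unauthorized, not_seen

# Constructed: monitored files before and after a change window.
BEFORE = {"/etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
          "/app/payroll.cfg": b"approver=alice\n",
          "/app/lib/gl.jar": b"gl-v1"}
AFTER = {"/etc/passwd": b"root:x:0:0::/root:/bin/sh\nextra:x:0:0::/:/bin/sh\n",
         "/app/payroll.cfg": b"approver=alice\nthreshold=50000\n",
         "/app/lib/gl.jar": b"gl-v1",
         "/app/lib/patch.so": b"\x7fELF..."}

# Constructed change tickets: CHG-101 was applied; CHG-102 was approved but never deployed.
APPROVED = [
    {"ticket": "CHG-101", "path": "/app/payroll.cfg",
     "expected": hashlib.sha256(b"approver=alice\nthreshold=50000\n").hexdigest()},
    {"ticket": "CHG-102", "path": "/app/lib/gl.jar",
     "expected": hashlib.sha256(b"gl-v2").hexdigest()},
]

def audit(before=BEFORE, after=AFTER, approved=APPROVED):
    """Run one full cycle and return (authorized, unauthorized, approved_but_not_seen)."""
    return reconcile(detect_changes(snapshot(before), snapshot(after)), approved)

if __name__ == "__main__":
    authorized, unauthorized, not_seen = audit()
    print("authorized:", authorized)
    print("UNAUTHORIZED:", unauthorized)
    print("approved but not observed:", not_seen)
```

Two items show up as unauthorized here: the extra root-equivalent account in /etc/passwd and the new library, neither of which has a ticket; the payroll threshold change reconciles to CHG-101.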

Compliance Calibrator - Virsa Systems

Virsa is the world leader in compliance systems for enterprises, with more than 200 customers in the Global 2000 and key partnerships with SAP and Big Four firm PricewaterhouseCoopers. Compliance Calibrator runs inside of the SAP and Oracle ERP systems, providing a preventive layer of security to detect and prevent internal accounting control violations.

It is designed to interface with compliance documentation and to monitor and enforce controls in real time for SOX and other compliance framework violations, allowing organizations to maintain continuous preventive compliance. Its automated solutions enable companies to lower the cost of compliance, reduce risk and increase the efficiency of key business processes.

It sports a browser-based interface, and uses role-based dashboards to provide snapshot reports segmented for executives, managers, auditors and IT professionals. Its focus is on real-time, cross-system analysis as a hedge against errors or fraud that after-the-fact review does not easily catch.

The system reports on essential compliance categories of separation of duties, critical transaction monitoring, super-user access control, and scanning of custom code. Also, process controls provide real-time compliance management for deficiencies in finance, inadequate controls and missing reports in procure to pay, order to cash, and financial accounting and controlling processes.

Virsa lays claim to a lower total cost of ownership, based on risk reduction through real-time monitoring and enforcement, elimination of error-prone manual processes, efficient remediation and mitigation for faster compliance, elimination of false positives, and the efficiency driven by pre-defined rules and automated rule-building. Part of that efficiency lies in its built-in library of more than 100,000 best-practice compliance rules and automated object-level rule building.

Virsa is a cross-system, enterprise-wide compliance system that addresses both access and process controls with real-time alerts. It is a strong package whose market leadership has been earned through performance.

Dave McClure is the president of Kent Associates, in Alexandria, Va., an independent testing laboratory and evaluation service.
