SOX compliance: Adding software to procedures

You might think that five years after a bill was passed, figuring out how to comply with it would be pretty much cut-and-dried. That's simply not the case with the Sarbanes-Oxley Act of 2002. While there is a good understanding of the kinds of excesses and vulnerabilities that its major sections are supposed to prevent, exactly how to go about implementing compliance procedures - and to what extent different-sized companies are responsible for compliance - is still very much up in the air.

The two major compliance areas are Section 302, which holds management, especially the chief executive officer and chief financial officer of the company, responsible for the appropriateness and fairness of the financial statements, and Section 404, which holds the same management responsible for the creation and validation of internal controls sufficient to prevent or expose unauthorized transactions.

Section 404 requires that management perform periodic assessments of internal controls in the form of a report that must be included with the company's annual financial statements. The company's external auditors must attest and report on these reports, and this report from them also becomes part of the financial statement.

Finally, Section 302 requires that the CEO and CFO also issue a statement that will accompany financial statements and other periodic reports certifying the appropriateness of the financial statements and disclosures. No more pointing of fingers and claims of "I didn't know what Accounting was doing!"

Further muddying the waters are new SAS pronouncements on risk assessment, audit documentation of internal control-related matters, and documentation standards. Many of these pronouncements tie directly into similar concerns addressed with SOX.

And just so you don't feel that the Securities and Exchange Commission is picking on you and your clients, Japan, which has suffered from some of the same kinds of corporate excesses that we have, is also getting its own new set of laws, the Financial Instruments and Exchange Law, nicknamed J-SOX. All publicly listed Japanese companies and their subsidiaries will be subject to J-SOX when it kicks in next April.

TO A MAN WITH A HAMMER ...

The IT function in many companies is where SOX compliance hits hardest. That's largely because of the high level of integration of IT with financial and other systems. While there may be paper backup for many transactions, for most companies, a transaction doesn't become "real" until it is "in the computer." That should happen as close to the point of occurrence as possible. Regardless of when the data is entered into the IT system, guarding the source document and the data that it contains is an important component of internal control.

SOX compliance software can be viewed as an adjunct to the company's IT and financial systems. While there is no single accepted definition of a SOX compliance application, we concentrated on applications that address three major areas of internal control. These are: access control, change control and documentation control.

Making sure that only authorized users have access to specific kinds of transactions and data is an important part of internal controls. SOX compliance software that addresses this area tests the financial system to make sure that these controls are in place and effective, and may also record all accesses and attempts.

Another layer of internal control that is addressed by SOX compliance applications is change control. This layer assures that only those users authorized to make changes are allowed to do so, and that the changes that are made are within predetermined constraints.

Finally, documentation control applications support the requirements of Section 302 in the areas of documenting procedures, internal controls, discovery and resolution of incidents, and backing up and archiving of all kinds of documents, including e-mails and faxes. The documentation requirements of Sec. 302 are intended to forestall any future document-shredding parties.

To give you a good idea of what's out there to help with your clients' Sarbanes-Oxley compliance needs, we looked at seven popular applications. Some of the packages we included work with only specific financial systems. And all of these applications need to be installed and configured by a reseller, which is why vendors of this type of software quote prices on a per-inquiry basis.

One last thing to be aware of in choosing a SOX compliance package is that no matter how good internal controls are, there is no such thing as 100 percent effective. There will always be trade-offs between usability, maintainability, cost and risk.

AXENTIS SARBANES-OXLEY MANAGEMENT SUITE

Built on the Axentis Enterprise platform, which is the only major SOX compliance platform offered in the software-as-a-service online format, the Axentis Sarbanes-Oxley Management Suite is specifically tailored to address SOX compliance concerns in a number of areas. In addition to targeting Sec. 302, with documentation management, quarterly rep letters and certifications, code of conduct distribution and certification, and tone-at-the-top surveys, the software also handles Sec. 404 concerns in the areas of risk and control management and incident management.

The Sarbanes-Oxley Management Suite provides management of the control framework with 404 self-assessments and self-testing, 404 independent testing, and remediation of deficiencies.

Incident tracking provides management and administrators with the ability to track incidents both known (those discovered through installed controls and procedures) and anonymously reported.

All of these services are managed through a single system, and Axentis includes comprehensive reports and analytics to make it easier to understand the status of compliance.

Because it's a Web-based application, Axentis Sarbanes-Oxley Management Suite is not vendor-specific, and can be configured for most popular enterprise financial systems. In addition to SOX compliance, the suite can also be used to construct compliance processes for other compliance regimes, including COBIT, COSO and others.

LOGICAL APPS ACTIVE GOVERNANCE

Logical Apps provides a modular approach to compliance, with three modules that together comprise the Active Governance Platform. The Active Access Governor provides a method to enforce access policies in the enterprise. These include segregation of duties and even temporary user access. In addition to monitoring effective use of access controls, this application allows you to simulate authorized and unauthorized user access to test existing controls in this area.
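The segregation-of-duties and "simulate a grant before making it" ideas described above, as an added illustration that is not Logical Apps code. The conflict pairs, role names and user assignments are constructed for the example; in a real deployment they would come from the financial system's role model.

```python
"""Segregation-of-duties (SoD) check over a user/role assignment.

Added example, not code from Logical Apps. The conflict pairs, role
names and user assignments below are constructed for illustration.
"""
from itertools import combinations

# Constructed policy: pairs of roles that must not be held by one user.
# Holding both sides of a pair lets a single person create and approve
# a transaction without a second set of eyes.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "invoice_approve"}),
    frozenset({"journal_entry_post", "journal_entry_approve"}),
    frozenset({"payroll_edit", "payroll_approve"}),
}

# Constructed assignments: user -> set of roles in the financial system.
ASSIGNMENTS = {
    "alice": {"vendor_create", "invoice_approve"},
    "bob": {"journal_entry_post"},
    "carol": {"journal_entry_approve", "payroll_approve"},
    "dave": {"payroll_edit", "payroll_approve", "vendor_create"},
}


def find_violations(assignments, conflicts=SOD_CONFLICTS):
    """Return sorted (user, role_a, role_b) tuples for every conflicting
    pair of roles a single user holds."""
    violations = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((user, a, b))
    return sorted(violations)


def simulate_grant(assignments, user, new_role, conflicts=SOD_CONFLICTS):
    """Preview whether granting new_role to user would create an SoD
    conflict, without touching the live assignments. Returns the roles
    the user already holds that conflict with new_role (empty if none)."""
    current = assignments.get(user, set())
    return sorted(r for r in current if frozenset({r, new_role}) in conflicts)


if __name__ == "__main__":
    for v in find_violations(ASSIGNMENTS):
        print("SoD violation: %s holds both %s and %s" % v)
    print("bob + journal_entry_approve conflicts with:",
          simulate_grant(ASSIGNMENTS, "bob", "journal_entry_approve"))
```

Running the check periodically and feeding the violations into the remediation workflow is the monitoring half; calling `simulate_grant` from the access-request process is the preventive half, and the same conflict table drives both.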

The Active Data Governor monitors data editing and changes, flagging unauthorized changes or attempts to edit data.

Finally, the Active Policy Governor matches transactions against policies, and flags any questionable transactions for approval or remediation. The Active Policy Governor works across a mix of vendor environments, including Oracle, SAP, PeopleSoft and others, while the other components of the Active Governance Platform are designed to work only with Oracle's E-Business Suite.

MOVARIS SARBANES-OXLEY COMPLIANCE

Movaris has most of the bases covered in its Unity platform. This framework includes applications for financial close, account reconciliation, general risk compliance and SOX compliance. The Movaris Sarbanes-Oxley Compliance system is primarily targeted at documentation, rather than the actual testing of controls and procedure. It allows the enterprise to document all controls, testing results and remediation taken as a result of that testing, assigning tasks to the responsible individuals, and providing a complete audit trail for SOX compliance purposes.

The application consists of several modules, including the SOX Console, the SOX Organizer, the SOX Scoping Manager, the SOX Task Organizer, and an optional additional application called OneClose.

The SOX Organizer and Task Organizer let users document all SOX-related activity, so that it's easier to identify controls, tasks, the status of each of these, and the status of testing and remediation. The testing process is documented and controlled with the SOX Scoping Manager, which uses pre-defined rules to establish which account balances require testing and which don't. The SOX Console is a dashboard display of all the SOX activities, which lets the responsible manager determine the overall status in a single place.

Movaris OneClose is an adjunct to the Unity platform that is used in the closing process to streamline workflow and provide "last mile" drill-downs and controls on manual processes performed during the closing. These processes analyze where the adjustments and entries are coming from, and subject them to a risk analysis. The results are displayed on an easy-to-read dashboard.

OPENPAGES FCM

OpenPages has two governance applications that can be used to address SOX compliance issues. The more general compliance application is OpenPages GCM (general compliance management), which can be used to solve IT and other compliance issues in addition to SOX compliance. The more targeted SOX application is OpenPages FCM (financial controls management). OpenPages FCM addresses both Section 302 compliance and Section 404 concerns. Section 302 is addressed by using surveys that must be filled out by every manager who has internal control responsibility. This helps management comply with attestation requirements.

While OpenPages FCM does not actually perform internal control testing, which will often be done by another vendor's continuous monitoring application, it does help in meeting Section 404 requirements by serving as a central repository for all of the enterprise's documentation, including e-mails and control and compliance documentation. Workflow is routed to those who are responsible for generating it or signing off on it, and status is readily available in the form of easy-to-understand dashboards.

OpenPages works with enterprise financial accounting systems from most vendors. It also plays well with other business software from a variety of vendors, including Hyperion, Cognos and Business Objects.

SAP SOLUTIONS FOR GRC

Perhaps you remember the old Remington razor TV commercial, with the president of Remington enthusing about how he liked the product so much that he bought the company.

You could say the same thing about Virsa Systems. SAP liked its compliance products so much it bought the well-known compliance software developer and took its products as the core of SAP's Solutions for GRC. SAP Solutions for GRC is a highly integrated system that addresses all three areas - governance, risk and control. Governance is handled by a single SAP GRC Repository, a comprehensive database system that stores all the information from the modules being used, as well as compliance frameworks, policies, processes, risk and control libraries, test plans, and evidence. Risk determination and management is handled by the appropriately named SAP GRC Risk Management module. This module allows management to implement processes to balance opportunities against financial, legal and operational risks.

Other components of the SAP Solutions for GRC system include business process control and authorized access control. The business process control module helps apply a risk-based approach to setting up the control environment, while the authorized access control implements segregation of duties and access control to ensure that authorized users are given appropriate access, while other users are locked out. The authorized access control can also be used to test controls, and can report when a business practice or process will violate those controls, which is useful in a multi-vendor software environment.

EPROCESSMANAGER EPM3SOX

Transition/1's eProcessManager for SOX (ePM3SOX) is essentially the vendor's process-management tool, which has been fine-tuned for SOX compliance use. By using the COSO Internal Control Framework to evaluate risk and control compliance, ePM3SOX helps companies comply with both Sections 302 and 404. This model assumes that all business operations, including disclosures, are process-based, and provides a methodology for evaluating whether the current financial and disclosure system controls are functioning correctly, or, if not, what process changes are needed to bring them into compliance.

Once the transaction-based systems are correctly aligned with other necessary systems, including processes, financial and disclosure reporting, control objectives, and risk assessment, the suite uses the eProcessMonitor utility to provide continuous feedback on the process on an ongoing basis. This feedback can be provided to those managers responsible for the process being monitored, to the internal auditor, and to management, so that remediation can take place.

Since the ePM3SOX application is an entity separate from your accounting system, it is vendor-independent. In fact, ePM3SOX has the ability to work with many mid-market accounting systems, such as MAS 90 and Microsoft Dynamics, a segment of the accounting software market that is largely ignored by SOX compliance software developers.

TRIPWIRE ENTERPRISE

Tripwire, which is available in Enterprise and Server editions, is not strictly a SOX compliance utility, though it addresses a major concern of Sec. 404 internal controls. For SOX compliance, the Server edition, which provides support for workstation monitoring, is probably the better choice.

Tripwire is an IT compliance utility that monitors changes of all kinds. These include changes to the operating system, applications, system registry files, user identification files and data files. It records what was accessed, when it was accessed, and by whom. By establishing access rules for Tripwire, you can monitor attempts (successful or not) to bypass internal controls.

Because it keeps an audit trail of all changes in the system, Tripwire is an excellent adjunct to other SOX compliance utilities, and can provide backup in certifying the soundness of internal controls.
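The baseline-and-compare change detection the Tripwire section describes, as an added example that is not Tripwire's code. It hashes every file under a directory, records size, permissions and owner, and later produces one audit record per added, removed or modified file. The directory tree and its contents are constructed inside a temporary directory so the example runs stand-alone. Attributing a change to the user who made it needs operating-system audit logging; this example records only the file owner at baseline time, not who wrote the change.

```python
"""Minimal file-integrity monitor: take a baseline, then report changes.

Added example, not Tripwire code. The files below are constructed in a
temporary directory purely to exercise the comparison logic.
"""
import hashlib
import os
import tempfile
import time


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Record hash, size, permission bits and owner uid for every regular
    file under root, keyed by path relative to root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            baseline[os.path.relpath(path, root)] = {
                "sha256": _sha256(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
                "uid": st.st_uid,
            }
    return baseline


def compare(baseline, current):
    """Return audit records: one dict per added, removed or modified file,
    listing which recorded attributes differ for modified files."""
    events = []
    now = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            events.append({"time": now, "path": rel, "event": "added"})
        elif rel not in current:
            events.append({"time": now, "path": rel, "event": "removed"})
        else:
            changed = [k for k in baseline[rel]
                       if baseline[rel][k] != current[rel][k]]
            if changed:
                events.append({"time": now, "path": rel,
                               "event": "modified", "fields": changed})
    return events


def demo():
    """Build a constructed tree, baseline it, make three kinds of change,
    and return the resulting audit records."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "config"))
        with open(os.path.join(root, "config", "gl.ini"), "w") as f:
            f.write("approval_limit=5000\n")
        with open(os.path.join(root, "ledger.csv"), "w") as f:
            f.write("acct,amount\n1000,42.00\n")
        base = take_baseline(root)
        # Changes a control should catch: an edited approval threshold,
        # a deleted ledger export, and an unexpected new file.
        with open(os.path.join(root, "config", "gl.ini"), "w") as f:
            f.write("approval_limit=500000\n")
        os.remove(os.path.join(root, "ledger.csv"))
        with open(os.path.join(root, "stray.bin"), "wb") as f:
            f.write(b"\x00")
        return compare(base, take_baseline(root))


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The baseline itself is the piece that needs protecting: if an attacker or an over-privileged administrator can rewrite the stored hashes, the comparison will report nothing. Storing the baseline on a separate host, or signing it, is what turns the comparison into evidence an auditor can rely on.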

Ted Needleman, a former editor of Accounting Technology, is a consultant and freelance writer based in Stony Point, N.Y.

Vendor Information

Axentis Sarbanes-Oxley Management Suite

Axentis Inc.

Cleveland

(800) 955-2706

www.axentis.com

Logical Apps Active Governance

Logical Apps

Irvine, Calif.

(949) 453-9101

www.logicalapps.com

Movaris Sarbanes-Oxley Compliance

Movaris

San Jose, Calif.

(888) 800-7545

www.movaris.com

OpenPages FCM

OpenPages

Waltham, Mass.

(781) 647-3800

www.openpages.com

SAP Solutions for GRC

SAP America Inc.

Newtown Square, Pa.

(800) 872-1727

www.sap.com/grc

eProcessManager ePM3SOX

Transition/1 Management Accounting Systems Inc.

Long Beach, Calif.

(866) 590-4376

www.eprocessmanager.com

Tripwire Enterprise

Tripwire Inc.

Portland, Ore.

(800) 874-7947

www.tripwire.com
