by Ted Needleman
As accountants, we’re all used to deadlines and filing requirements. Why, then, is the Nov. 15 phase-in of the reporting requirements of the Sarbanes-Oxley Act causing such unrest in the industry?
What is it about SOX that makes everyone so antsy?
A lot of it has to do with uncertainty about just what is expected from those who must meet the requirements. There are all sorts of pronouncements about what is necessary, and the dire results if these requirements are not met.
Still, with all this, it’s not completely clear to many companies exactly what they need to do or change to be in compliance. Nor have many auditors figured out how they need to adapt their procedures and tools to assure both the client and the government that all requirements have been met.
Not the same old, same old
Just to throw one more fly in the ointment, you now have to pick your side and stick with it. Gone are the days of taking on an engagement to help a client establish their internal control policies and procedures, then auditing the same client. That’s always felt like a conflict of interest; now, it’s officially considered one.
That’s probably going to leave some clients twisting in the wind, and create some substantial new expenses for other clients as they rush to hire consultants to advise them on how their internal controls stack up, what changes need to be made, and just how to document the process so that it’s clear that the client has met requirements.
And just when you thought things couldn’t get any more complicated, the software available to help deal with the new complexities of Sarbanes-Oxley is different, depending upon where in the process you (and your client) are each involved.
Free is not necessarily inexpensive
Your clients don’t have to spend the equivalent of a luxury car to be in compliance with SOX. Microsoft has a freebie called the Office Accelerator for Sarbanes-Oxley. Of course, the term “free” is relative. While the Office Accelerator itself is free, the framework that it requires to run is not. At a minimum, your client will need at least one, and preferably two, servers dedicated to this application, each with at least a half-gigabyte of RAM and 10GB of disk space. They will also need Microsoft’s Office Enterprise Edition, SharePoint, InfoPath 2003 and SQL Server. Windows Server 2003 is the operating system of choice for the required servers.
Don’t let the fact that the Office Accelerator is built around Microsoft Office fool you. The Accelerator is a sophisticated and comprehensive document and process management system. It creates an intranet for the client company, allowing administrators to build a library of required documents and process checklists that are assigned to specific individuals, job titles and workgroups. The Office Accelerator provides the basic templates as Word or Excel files, which can be modified and edited.
Actually installing and configuring the application is not for the faint-of-heart. The Configuration Guide is almost 200 pages long, and a second required manual, which details the architecture of the application, is not much smaller. At a minimum, your client will need to dedicate a hefty amount of time, resources and, quite possibly, cash to getting Office Accelerator up and running.
Whether or not you decide to recommend the Office Accelerator, you may want to download and print the two Guides. They provide an eye-opening introduction to just how complex a comprehensive documentation solution to meeting the requirements of SOX might be.
It has to be that way, since the roles involved in complying are multi-faceted. It’s always been management’s responsibility to implement and administer appropriate internal controls. Now, SOX makes it management’s responsibility not only to attest to the suitability of the company’s internal controls, but to provide specific documentation about the internal control procedures and policies to show exactly how they have come to the conclusion that the company’s internal controls are sufficient. In prior years, many audits simply accepted a photocopy of a client’s policies and procedures manual as documentation of acceptable internal control. This time, the stakes are higher, and the documentation requirements are as well.
A triad of applications
While there is an increasing number of software vendors touting their “compliance” applications, these products usually fall into one of three distinct and different categories.
The first of these is documentation. These applications are used by the company’s internal control committee, and by consultants that the company may employ. The purpose of these products is to document a company’s internal controls, as well as to manage and report on the process of verifying the integrity of these controls.
A second class of software includes monitoring applications. These run inside of or parallel to the client’s accounting applications and observe transactions and how they are handled. Monitoring software can, in some cases, be installed as part of an existing accounting system. In this mode, it might be set to flag transactions that are outside of standard or predefined parameters.
The third type is test software. This is the standard audit software that many audit firms have been using for years, and is used to create sampling lists for checking vouchers and similar tasks.
In the detailed product descriptions that follow, we have not listed any prices. That omission is intentional. The prices vary so greatly, from $300 to more than $50,000, that it would be exceptionally misleading to include them.
More important, prices of the same application can vary greatly, depending upon the environment that the application is being installed into.
Finally, purchase or license of the application is only the starting point. The most expensive parts of compliance are the costs of installation, configuration and ongoing operation.
Putting it in writing
Documentation is an important part of SOX compliance. It needs to take place on several levels. At the top, the entire internal control structure needs to be flowcharted and documented. All of the processes and procedures need to be explained, along with analyses at every point at which possible vulnerabilities might lie and how these vulnerabilities are addressed.
Procedures applicable to each level of staff also need to be documented and explained in detail, and these parts of the documentation need to be made accessible to those personnel to whom they apply. At the same time, other aspects of the documentation need to be restricted, both by staff level and to persons who are high enough in the company hierarchy that they have a need to know.
Some of the tools to accomplish this, such as Lotus Workplace for Business Controls and Reporting, from IBM and KPMG, and Remediation Services for Microsoft Excel, from Scientific Software, are specifically aimed at providing this level of documentation for Excel spreadsheets and Lotus Notes documents.
Other applications designed to help your clients comply with Sections 302 and 404 of SOX include CRSTL Systems’ Compliance Positioning System; SOX Express from OpenPages; Axena Inc.’s SOAx Toolkit 4.0; the Sarbanes-Oxley Readiness Toolkit, from SilverBack Technologies; S-O Comply from onProject; and PeriscopeSOX, from Periscope IQ.
Companies mentioned
ACL Services Ltd.
Approva Corp.
Axena Inc.
CaseWare Idea Inc.
Corporate Responsibility
Datawatch Corp.
IBM Corp.
InfoStep Inc.
Linton Shafer Computer
Microsoft Corp.
Movaris
onProject
OpenPages
Paisley Consulting
Periscope IQ
Providus Software
SAP America Inc.
SAS Institute Inc.
Scientific Software Inc.
SilverBack Technologies
SPSS Inc.
Axena’s SOAx ToolKit 4.0 is more than just a documentation tool, though it serves very nicely in this role with standard SOX documentation features, as well as more advanced features such as advanced location sign-off. The Toolkit 4.0 enables the internal controls staff to assign risk pro-formas alongside of the controls documentation. Controls are monitored, and control failures can be reported in a number of ways.
The Compliance Positioning System, from CRSTL Systems, is a Web-based system that provides complete documentation capability to meet the requirements of Sections 302 and 404. It permits your clients to create custom and generic organization charts and calendars, and guides the client through the allocation of particular compliance requirements to the proper managers and staff.
Another enterprise-level documentation tool is SOX Express from OpenPages, which automates the design, documentation, review, approval and testing of internal controls and procedures. Based on the COSO framework, SOX Express automates the survey process for disclosure certification down to the functional areas. Sub-certifications are then rolled-up throughout the organization and approved by the managers at each business level before a final certification is produced.
OnProject’s S-O Comply is an expandable risk management platform that is designed to let your client quickly document their corporate structure, controls and procedures. It has modules for performing surveys and creating process and procedure questionnaires, and a project and methodology tracker. A report manager and dashboards present the results in an understandable format.
Periscope IQ’s PeriscopeSOX, like many of the products here, is built on the COSO framework. It provides a set of anonymous assessments that are sent to internal groups to help determine a company’s compliance with best financial practices. It allows management to sense employee concerns and needs, and includes the ethical decisions risk audit.
The Sarbanes-Oxley Readiness Toolkit, from SilverBack Technologies, is offered to VARs, system integrators and consultants. The Toolkit can provide a centralized console view of the entire information technology infrastructure, document security controls and provide ongoing vulnerability scanning and notification, and monitor the corporate network for spikes in network traffic and denial-of-service attacks. Continuous availability of archived documents is another desirable feature of the Toolkit.
Keeping an eye out
While documenting procedures and practices is an important part of Sarbanes-Oxley compliance, actually performing ongoing monitoring and analysis of transactions to assure that internal controls are functioning properly is equally important.
Some of the tools that accomplish this are generic, while others are very closely tied to the specific accounting software being used by the client. For example, SAP AG has its own application, SAP Compliance Management for Sarbanes-Oxley. This is a set of enhancements for the mySAP Business Suite that provides documentation features, as well as features such as whistle-blowing capabilities that allow employees to send anonymous complaints regarding questionable business practices.
BizRights 2.0 is a real-time monitoring application. Your client sets permissions on who has the right to approve vendors, and other constraints such as the volume, in number or dollar amount, of monthly vendor checks. When any of these constraints are exceeded or violated, an exception is noted. BizRights 2.0 integrates with many of the popular enterprise ERP systems.
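The kind of exception logic described for monitoring applications (flagging transactions outside predefined parameters, and enforcing who may approve vendors and how many, or how much, may be paid to a vendor each month) is simple enough to illustrate directly. The following is an added example written for this article, not code from BizRights or any other product mentioned here; the vendor checks, the approver list and the monthly limits are all constructed, and the segregation-of-duties rule (the same person setting up a vendor and approving its check) is an additional control of the same style that the article does not list.

```python
"""Constructed transaction-monitoring example: vendor checks are run through a few
internal-control rules and every violation is reported as an exception.
This is illustration only; it is not the code of any product named in the article."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VendorCheck:
    check_id: str
    vendor: str
    amount: float
    issued: date
    approved_by: str        # user who approved the check
    vendor_created_by: str  # user who set up the vendor record


# Hypothetical policy values, constructed for the example.
VENDOR_APPROVERS = {"alice", "bob"}   # only these users may set up vendors
MAX_CHECKS_PER_MONTH = 3              # per vendor
MAX_DOLLARS_PER_MONTH = 10_000.00     # per vendor


def find_exceptions(checks):
    """Return a list of (check_id, reason) for every rule a check violates.

    Checks are processed in issue-date order so that the monthly running
    totals reflect what a real-time monitor would have seen at that point."""
    exceptions = []
    count = defaultdict(int)     # (vendor, year, month) -> number of checks
    total = defaultdict(float)   # (vendor, year, month) -> dollars paid
    for c in sorted(checks, key=lambda x: (x.issued, x.check_id)):
        key = (c.vendor, c.issued.year, c.issued.month)
        if c.vendor_created_by not in VENDOR_APPROVERS:
            exceptions.append((c.check_id,
                               f"vendor {c.vendor} was set up by {c.vendor_created_by}, "
                               "who lacks vendor-approval rights"))
        if c.approved_by == c.vendor_created_by:
            exceptions.append((c.check_id,
                               "same person set up the vendor and approved the check"))
        count[key] += 1
        total[key] += c.amount
        if count[key] > MAX_CHECKS_PER_MONTH:
            exceptions.append((c.check_id,
                               f"monthly check count for {c.vendor} exceeds {MAX_CHECKS_PER_MONTH}"))
        if total[key] > MAX_DOLLARS_PER_MONTH:
            exceptions.append((c.check_id,
                               f"monthly dollars for {c.vendor} exceed {MAX_DOLLARS_PER_MONTH:,.2f}"))
    return exceptions


# Constructed sample data (not real transactions).
SAMPLE_CHECKS = [
    VendorCheck("C-1001", "Acme Supply", 2500.00, date(2004, 11, 2), "alice", "bob"),
    VendorCheck("C-1002", "Acme Supply", 3000.00, date(2004, 11, 9), "alice", "bob"),
    VendorCheck("C-1003", "Acme Supply", 4000.00, date(2004, 11, 16), "bob", "bob"),
    VendorCheck("C-1004", "Acme Supply", 800.00, date(2004, 11, 23), "alice", "bob"),
    VendorCheck("C-1005", "Zed Consulting", 500.00, date(2004, 11, 5), "alice", "carol"),
    VendorCheck("C-1006", "Acme Supply", 1200.00, date(2004, 12, 1), "alice", "bob"),
]

if __name__ == "__main__":
    for check_id, reason in find_exceptions(SAMPLE_CHECKS):
        print(f"{check_id}: {reason}")
```

Run as a script, the example reports four exceptions: the Zed Consulting vendor set up by a user without approval rights, the Acme check approved by the same person who created the vendor, and the fourth Acme check in November, which breaks both the monthly count and the monthly dollar limit. The December check is clean because the running totals reset each month.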
Another general compliance tool is eLustroHarmony, from InfoStep. This application is a process-monitoring tool, which allows your client’s management to keep track of where in the assessment process each participant is. It identifies issues and records exceptions arising from the assessment programs. An “executive dashboard” provides an easy-to-understand overall picture.
Movaris Certainty is an enterprise-class application that documents, monitors, tests and reports on a client’s internal controls and internal control activities. It is built to use the COSO framework, so it should install easily and work with a wide variety of accounting and ERP applications.
Risk Navigator and Focus are two SOX compliance applications from Paisley Consulting. Risk Navigator provides a framework of self-assessment surveys that allow your client to customize their processes based on unique requirements. Focus is a control assurance application that is designed to allow small and midsized businesses to comply with Section 302 and Section 404.
Another risk management tool is Risk Resolve, from Providus Software Solutions. It is primarily aimed at banks and other financial institutions, and is designed to perform risk analysis and display the results on a simple console.
Testing, testing ...
The final piece of the SOX compliance software puzzle is testing. This process (and software) is used by both internal and external auditors. Your clients’ internal audit staff needs to be able to show that the controls actually are capable of providing the protection that the documentation claims.
Perhaps the most popular and well-known audit software tool is ACL, originally the acronym for Audit Control Language. ACL is available in a number of versions, from those that run on Windows to mainframe and client/server offerings. While ACL lets you perform data extraction, sampling and other audit-oriented tasks, its major benefit is its ability to create test transactions that can be slipped into the system to test whether or not controls actually work. Because of this, ACL is an excellent tool for auditing through the computer.
In testing for SOX compliance, ACL needs to be used in conjunction with the documentation of procedures and controls produced by the client’s internal staff, letting you target specific tests to stress the internal controls.
Data mining, or the ability to extract and correlate specific information from a company database, is one of the more useful tools available to forensic accountants and auditors. Idea 2004, the popular PC-based package developed by CaseWare Idea Inc., offers both data extraction and sampling. Idea works with a variety of different file formats, but should you need to deal with databases residing on a minicomputer server, you can always convert the target files into ASCII.
With many of the companies that will need to comply with Sarbanes-Oxley running enterprise accounting systems, such as SAP on minis, data mining tools, such as SAS and SPSS, are an excellent way to extract and analyze transaction data. Both of these packages started out as statistical analysis applications — SPSS was originally named Statistical Package for the Social Sciences — and both have exceptionally strong capabilities in this area. Using either application, you can design your sample, generate a list of vouchers or checks to be examined, and apply it against the data files.
Given the risk assessment component of Sarbanes-Oxley, discovery sampling is sure to become an increasingly important component of the auditing process. If your statistical analysis needs don’t require the comprehensive capabilities of SAS, SPSS or similar tools, consider The Number from Linton Shafer. This reasonably priced Windows-based statistical package lets you do discovery sampling and monetary unit sampling against a data file, and perform a number of classical variables samplings, including mean-per-unit, and difference and ratio estimations. The Number isn’t as comprehensive as Idea or the other applications mentioned here, but it’s very suitable for helping you perform at least a portion of the testing that is likely to be required to make the proper attestations.
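Discovery sampling and monetary unit sampling, mentioned above as features of The Number, are standard audit techniques, and the arithmetic behind them is short enough to show. The following is an added example written for this article, not code from Linton Shafer or any other vendor named here. It computes a discovery sample size from a critical deviation rate and a confidence level, selects a monetary unit sample with a fixed interval and a random start, and projects the misstatement found in the sample back over the population in the usual way (tainting times interval for items below the interval, actual misstatement for items at or above it). The invoice amounts and the random start are constructed.

```python
"""Constructed audit-sampling example: discovery sample size, monetary unit (PPS)
selection, and projection of sample misstatement. Illustration only, not the code
of any product named in the article."""
import math
import random


def discovery_sample_size(critical_rate, confidence):
    """Smallest sample size n such that, if the true deviation rate is at least
    critical_rate, the chance of seeing at least one deviation in n items is at
    least confidence.  Solves (1 - rate)^n <= 1 - confidence for n."""
    if not 0 < critical_rate < 1 or not 0 < confidence < 1:
        raise ValueError("rate and confidence must be strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))


def monetary_unit_sample(items, sample_size, random_start):
    """Fixed-interval monetary unit selection.

    items: list of (reference, book_amount) in population order.
    Every dollar is a sampling unit; the sampling interval is book value /
    sample_size, and the dollars hit are random_start, random_start + interval,
    ...  An item whose amount is at least one interval is certain to be chosen,
    and an item hit more than once is listed once.  Returns (interval, refs)."""
    book_value = sum(amount for _, amount in items)
    interval = book_value / sample_size
    if not 0 <= random_start < interval:
        raise ValueError("random_start must lie in [0, interval)")
    selected = []
    cumulative = 0.0
    next_hit = random_start
    for ref, amount in items:
        cumulative += amount
        while next_hit < cumulative:
            if not selected or selected[-1] != ref:
                selected.append(ref)
            next_hit += interval
    return interval, selected


def draw_random_start(interval, seed=None):
    """Pick the random start; seeded so a sample can be reproduced for the workpapers."""
    return random.Random(seed).uniform(0, interval)


def project_misstatement(interval, audited):
    """audited: list of (book_amount, audited_amount) for the sampled items.
    Items below the interval have their tainting ((book - audited) / book)
    projected over the whole interval; larger items contribute their actual
    misstatement.  Returns the projected misstatement for the population."""
    projected = 0.0
    for book, verified in audited:
        diff = book - verified
        if book >= interval:
            projected += diff
        else:
            projected += (diff / book) * interval
    return projected


# Constructed sample population: (invoice reference, book amount), total 10,000.
SAMPLE_INVOICES = [
    ("INV-1", 1200.0), ("INV-2", 300.0), ("INV-3", 4500.0), ("INV-4", 150.0),
    ("INV-5", 850.0), ("INV-6", 2000.0), ("INV-7", 500.0), ("INV-8", 500.0),
]

if __name__ == "__main__":
    # 95% confidence of catching a 1% deviation rate needs 299 items.
    print("discovery sample size:", discovery_sample_size(0.01, 0.95))
    interval, refs = monetary_unit_sample(SAMPLE_INVOICES, 4, random_start=700.0)
    print("interval:", interval, "selected:", refs)
    # Suppose INV-1 audits to 1,080 and the others agree with the books.
    print("projected misstatement:",
          project_misstatement(interval, [(1200.0, 1080.0), (4500.0, 4500.0), (2000.0, 2000.0)]))
```

With a sample size of four and a random start of 700, the interval is 2,500 and the selection is INV-1, INV-3 and INV-6: INV-3 is larger than the interval and so is hit twice, which is why only three distinct invoices come back for four hits. A 120-dollar overstatement on INV-1 is a 10 percent tainting, projected to 250 over its interval.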
Another set of reasonably priced PC-based applications to consider adding to your toolkit are available from Datawatch. Many auditors already use Monarch to perform data extraction and report generation for audits. In an enterprise environment, Datawatch|ES or Datawatch|RMS provide an excellent and cost-effective way of both testing compliance and providing ongoing monitoring.
Ted Needleman, a former editor of Accounting Technology, is a consultant and freelance writer based in Stony Point, N.Y.