Vendors hawk Sarbanes-Oxley wares

FRAMINGHAM (11/07/2003) - Like tax accountants in April, software vendors are lining up to help companies comply with regulatory issues set forth in the Sarbanes-Oxley Act of 2002. IBM Corp., Oracle Corp. and SAP AG are among the latest to unveil new and upgraded products designed to make it easier for companies to put in place internal processes and systems that will help them meet the requirements of the law.

There's an active audience for these wares, according to analysts. A Meta Group Inc. poll found 90 percent of companies are engaged in or planning Sarbanes-Oxley compliance projects.

Under the act, publicly traded companies must comply with stringent financial reporting and disclosure requirements. Some provisions already are in effect, such as Section 302 that requires key executives to certify the accuracy of their companies' financial filings.

Other rules are pending, such as the so-called whistle-blower provision that requires companies to provide ways for employees to anonymously submit accounting concerns.

The effect on IT systems is varied. Some companies have met the act's initial certification requirements with little disruption to financial reporting processes, AMR Research Inc. says. However, certain pending provisions have broad IT implications that could require system overhauls.

For example, Section 404 requires companies to certify financial reporting processes and the structure of internal audit controls. Companies need to document and attest not only to final numbers, but also the processes by which they arrived at those numbers - something many haven't done religiously, says John Hagerty, vice president at AMR Research.

"A lot of companies are trying to figure out exactly what the auditors will require, and then put a process or system in place to support that documentation effort," he says. "Often the philosophy is in place, but the actual documentation may not have been kept up to snuff."

What is certain is that companies will need to spend money to implement the required documentation, procedures and controls. AMR Research says Sarbanes-Oxley compliance will drive companies to spend more money in areas such as IT, business process changes, corporate governance and consulting. Collectively, the Fortune 1000 companies will spend US$2.5 billion this year on the act's initiatives, the firm estimates.

Giga Information Group Inc. estimates individual companies' compliance will cost between $5 million and $10 million.

Attracted by the prospect of available IT spending money, vendors with expertise in business intelligence, content management, ERP, middleware, portals, collaboration and business process management are coming out with targeted Sarbanes-Oxley products. "What vendors smell in Sarbanes-Oxley is an initiative that needs to get solved pretty quickly," Hagerty says.

There's no one type of vendor that companies should look to for help with Sarbanes-Oxley, Hagerty says. For example, it might make sense for a company to turn to an ERP vendor, because ERP software is the source for much financial data. But if a company is decentralized and running multiple iterations of ERP software or operating in a heterogeneous environment, it might make more sense to turn to a software provider that can help aggregate and analyze data from multiple sources.

McData Corp. invested in products from two software vendors in its compliance efforts: portal tools from risk consulting and internal audit firm Protiviti, and content management software from Documentum. Protiviti supplies organizational and financial models, process classification schemes and risk information data, and the Documentum repository stores all unstructured, Sarbanes-Oxley-related content, says Paul Brothe, director of internal audit at the Broomfield, Colo., storage network company.

"We looked to Documentum for a tool that we could link into the Protiviti portal to actually put the formal documentation into an electronic format that has version control and authorship control," Brothe says.

While observers have compared Sarbanes-Oxley compliance requirements with Y2K efforts, Brothe says the regulatory effort is broader. "Y2K required a lot of work that took you up to a date. Beyond that date, if nothing fell apart, you just didn't worry about it," he says.

"This is an ongoing fundamental business change," he adds.

Here are some of the latest Sarbanes-Oxley offerings:

* SAP this week announced Compliance Management for Sarbanes-Oxley Act. PricewaterhouseCoopers helped SAP develop the software, which extends functionality in mySAP Financials and mySAP ERP to cover the law's requirements. Highlights include tools to document, model, test and monitor business processes and existing internal controls. New portal features are aimed at helping companies handle anonymous submissions from employees.

* Oracle this week announced upgrades to its Oracle Treasury software, which is designed to help corporate treasury departments - which oversee banking activity and financial market interaction - ensure compliance with risk-exposure policies. The new version adds payment-processing validation features to address fraud prevention; straight-through processing capabilities for money-market transactions; and access to real-time cash-flow information for better forecasting and investment decision-making.

* IBM recently introduced bundles of hardware, software and services for helping companies comply with federal regulations such as Sarbanes-Oxley, the Patriot Act and the Health Insurance Portability and Accountability Act. IBM E-mail Archive and Records Management Service is a hosted service that automates the capture, archiving and retrieval of e-mail, instant messages and other documents. DB2 Content Manager for Data Retention Compliance addresses data archiving, retention and retrieval requirements.

* Business process management software maker IDS Scheer next month is expected to preview its Aris Sarbanes-Oxley Audit Manager, which is designed to help companies manage the process of certifying internal controls. The software routes, tracks and stores control policies and can alert a company when its controls might be steering away from Sarbanes-Oxley compliance.

* Financial software specialist Nth Orbit next week is expected to announce upgrades to its flagship internal controls and assurance product, Certus. New features include workflow tools that let users graphically map out complex financial processes and view the status of each step.

* Business intelligence software maker SAS Institute Inc. recently unveiled software that combines its analytic, data warehousing and workflow technologies in a regulatory-oriented package. SAS Corporate Compliance for Sarbanes-Oxley helps companies consolidate and analyze financial data from disparate sources. Monitoring and reporting tools provide multiple views of compliance status and can trigger alerts when a company is in danger of not attaining certain requirements.

* PeopleSoft Inc. last month announced Enterprise Internal Controls Enforcer, a module in its suite of financial applications designed to automate and enforce internal controls required by Sarbanes-Oxley. The product includes diagnostic tools that test and continuously monitor controls within PeopleSoft's transaction systems, alerting executives when users make significant configuration alterations, such as a change in revenue recognition methods.

* Content management software maker FileNet Corp. last month unveiled records management software aimed at tracking electronic and physical records from creation to disposal. FileNet Records Manager makes use of the software maker's monitoring and analytic capabilities to help companies understand how records are used within their businesses and how they can adjust records retention policies to meet regulatory requirements. FileNet Records Manager is due to be released in the first half of next year.

* Portal software firm Plumtree Software Inc. recently upgraded its Sarbanes-Oxley Act Accelerator, which combines business-process management tools from HandySoft with Plumtree's collaboration, search and portal technology. The new version adds support for the Committee of Sponsoring Organizations of the Treadway Commission framework - a standard methodology that companies use to establish and manage internal controls.