Software Review: SOX compliance software - lots to choose from

Even the best intentions sometimes have unexpected results. The Sarbanes-Oxley Act of 2002 was enacted in reaction to the Enron and WorldCom financial debacles, where poor internal controls allowed dubious transactions to go unchallenged. The result, as you know, was the collapse of several huge corporations, with many top executives facing considerable jail terms. Add in the document-shredding parties at Arthur Andersen, and in retrospect, SOX seems unavoidable. SOX was enacted in hopes of preventing something like this from happening again. It not only holds management responsible for creating and maintaining internal controls tight enough to prevent or expose unauthorized or unusual transactions, but requires that publicly held corporations document how they are accomplishing these goals. There are numerous sections of the reform act, but the two that deal most directly with compliance are Section 302 and Section 404.

Section 302 underscores the corporate responsibility for financial reports. It requires that a statement be made by both the chief executive and chief financial officer of the company to accompany the audit report and other periodic reports certifying the appropriateness of the statements and disclosures. These statements that the reports fairly present the operations and financial condition of the issuer are in addition to any auditor's statement.

Section 404 of the act is a bit more directed. This section requires a managerial assessment of the corporation's internal controls, which takes the form of an internal control report that needs to be included in the annual financial statements. In addition, these reports and statements need to be examined by the corporation's external auditors, who are required to attest to, and report on, the assessment made by the corporation's management.

The problem with SOX is that while it details the reports and statements that are necessary for compliance, it does not detail the methods or techniques that have to be employed to back up these statements. There is no one "right way" to comply with the requirements of Sarbanes-Oxley. In turn, that pretty much leaves the field of what constitutes "SOX compliance software" open for interpretation.

The situation becomes even more muddied with the issuance of a number of new SAS pronouncements by the Auditing Standards Board (SAS 102 through SAS 112) on risk assessment, audit documentation of internal control-related matters, and documentation standards. Most of these SAS requirements go into effect in December of this year, and there is some crossover with the requirements of SOX.

A bit of this, a dash of that

In most corporations, compliance with Sarbanes-Oxley revolves around the IT function. That's not to say that internal controls are unnecessary in other areas, where manual handling of transactions takes place. This IT emphasis, however, simply reflects that in a well-designed accounting system, any transaction should be captured and entered into the system as close to the point of occurrence as possible. If this is not happening, then there is an internal control vulnerability that must be addressed to comply with SOX.

While the Securities and Exchange Commission is the agency that can enforce compliance with Sarbanes-Oxley, there is no agency that regulates compliance software or tools. Any software tool that can be used in the testing of internal controls or the documentation process could legitimately be considered "compliance software."

Under this definition, audit tools such as Caseware's Idea and a host of other such tools meet the criteria. Some software is more directed, but only covers a very limited part of the total financial information system. Sage's new FAS Compliance Manager, for instance, provides auditing reports to help demonstrate SOX compliance for those clients using FAS Fixed Asset software.

For the purposes of this roundup, however, we concentrated on tools that address the following three major concerns of internal control compliance. These are:

1. Access control: The compliance software tests the financial system to ensure that it effectively and successfully limits access to only those users who are authorized for specific kinds of transactions, or monitors the financial application's internal access controls. Moreover, the financial system must also limit these users to making only the types of transactions or transaction edits for which they are specifically authorized.

2. Change control: The compliance software tests that the financial system is able to accurately capture data on any changes that occur in the system, or supplements the financial system in this area.

This includes entering of data, changes or edits of existing data, changes in internal controls or procedures, and alerting management of any attempts to access the system or any of its components by unauthorized users. While some vendors have developed proprietary applications for this purpose, there are also industry-standard data-mining packages that can employ pattern-matching algorithms to detect out-of-the-ordinary transactions or access attempts.

3. Documentation control: Because Sarbanes-Oxley specifically requires that a management report on the internal controls be included as part of the SEC-mandated reports and financial statements, documenting what internal reports are present and how they were tested becomes an important step in the compliance procedure. Documentation control also consists of document and e-mail management. Good internal control procedures require that documents and e-mails be archived in such a way that they can be accessed for future investigation.

Considering that SOX is only four years old, it's amazing that a search for compliance software turns up literally hundreds of applications that purport to address these needs. Further muddying the water is the fact that a company subject to SOX may have more than a single integrated accounting and financial system.

For example, an enterprise subject to mandated compliance might be using Peachtree in some subsidiaries, and roll up the figures to MAS 90, PeopleSoft or Oracle Financials. Depending on the materiality of the figures in this subsidiary, management may very well have to institute the same degree and techniques of internal control, as well as tests required for SOX compliance.

The fly in the ointment in this situation is that the same tools that are appropriate for conducting these tests on the enterprise-level systems may not be appropriate, or even usable, if different software is in use in a subsidiary location or department.

To help you through the morass of SOX compliance software offerings, we looked at seven packages. When reading this roundup, there are several things to keep in mind. One is that SOX compliance applications are often vendor-specific. A particular package may only be available for Oracle Financials, SAP or another vendor's accounting system.

Another thing to keep in mind is that many of the vendors listed in this roundup did not provide us with prices. With this type of software, integration with a company's existing systems can be an elaborate, time-consuming and expensive process. That makes estimating the acquisition cost a task that varies greatly from installation to installation. It also means that even with those vendors that did provide a starting price, figure that most of these solutions are going to be expensive. Still, the actual cost will be significantly less than the potential fines and ongoing vulnerability without the ability to test and repair internal controls.

Finally, keep in mind that even with mandated SOX compliance, no set of internal controls will ever be 100 percent effective. There will always have to be an ongoing cost-benefit analysis, as well as determination of materiality, in certifying that internal controls are sufficient and effective.

Axentis Enterprise for SOX

Of the seven SOX compliance solutions in this roundup, Axentis Enterprise is the only one that is Web-based. This approach provides some unique benefits, including a defined yearly subscription cost and the assurance that the version of the software that your client is using is the very latest.

As with many of the Sarbanes-Oxley compliance applications included in this roundup, Axentis Enterprise is a compliance management application, with a framework that supports multiple compliance standards, including SOX. AE supports COSO, COSO ERM, CobiT, Turnbull, Basel II and overall risk-management standards, and links the multilevel organizational structure to risk frameworks, which reduces maintenance as the entity evolves and grows.

The Sarbanes-Oxley solution addresses multiple areas of monitoring and compliance. These include document management, period management and enterprise integration, mirroring and aggregating information from one or more ERP/HRIS systems.

The application also provides assessment, testing and remediation, which are mapped to the organizational and control frameworks. Audit logs track and record all changes to framework and organizational structure, as well as action plans and tests.

Finally, AE provides an extensive reporting facility, including easy-to-understand executive dashboards, as well as integrated data warehousing.

Axentis Enterprise is one of the more popular and successful SOX compliance solutions. It can be configured to work with most financial system software. AE has been extensively deployed by the Global 2000, and has more than half a million users in over 100 countries.

Logical Apps Active Governance

The hot phrase this year among compliance software vendors is "business efficiency." Many of the vendors detailed here have taken the tack that SOX compliance should focus not only on meeting the requirements of the legislation, but on the business processes that underlie being compliant with SOX. By maximizing process efficiency, so the reasoning goes, the enterprise will not only gain better control and accountability, but be more effective and profitable.

Logical Apps' solution consists of three components built on the underlying Active Governance Platform, which provides the framework; together they manage business processes, improve efficiency, control user access and track data changes. The three components are the Active Access Governor, the Active Data Governor and the Active Policy Governor.

The Active Access Governor enforces access policies, including temporary access and separation of duties. The Data Governor provides auditable workflows, and provides control over viewing and editing key data. This component also tracks changes and attempted changes by both business and IT users. Finally, the Active Policy Governor lets administrators and management fine-tune controls by continuously monitoring transactions, comparing them against policies, and initiating instant remediation if policies are violated.

All of these components feed into the platform, which provides configurable dashboards and a variety of reports to record what alerts have been initiated, and what remediation was undertaken.

Currently, Logical Apps' Active Governance solution is available only for the Oracle E-Business Suite. Your clients who are using other vendors' enterprise software will need to look elsewhere.

Movaris OneClose

OneClose is an interesting approach to SOX compliance, with a concentration on what the vendor calls the "last mile of finance." Addressing Section 302 compliance, the certification of internal controls, and Section 404 and Section 406, OneClose is a suite composed of several applications, some of which are used in the closing process. Movaris takes this approach because it believes that much of the closing of financial statements relies on e-mail, Word documents, spreadsheets and other processes outside of the automated financial systems, and that this represents a significant vulnerability that must be addressed to be in compliance with SOX.

OneClose addresses this vulnerability by providing a system to record all of the manual processes and where they originate, and analyzing them in terms of risk assessment. The result of these analyses is presented in a set of dashboards, which include the Scoping Manager display, the Financial Controls Console, a one-button Financial Statement Publisher, and a Close Console. Where significant risk is detailed, additional tests of internal controls can be performed, and management can take a closer look at any high-risk transactions identified by OneClose.

This type of presentation makes it easier to resolve any inconsistencies that need attention before finishing the close and preparing the financial statements. Of course, OneClose documents the entire process, storing it for future reference if needed to verify compliance.

OneClose doesn't ignore looking at the rest of the financial system. Part of the OneClose system is the Movaris Sarbanes-Oxley Compliance component, which is a renamed version of Movaris's popular SOX compliance tool, Certainty. Monitoring changes in internal control and providing certification roll-up from all managers required to sign off on controls, Movaris SOX Compliance provides the enterprise with the hard data necessary for Section 302 and 404 compliance.

By analyzing the financial results and closing adjustments as the financial statements are being constructed, OneClose provides an interesting and unusual link between financial reporting, internal control and SOX compliance. While some SOX compliance solutions stop at internal control, OneClose carries through to the final product - the financial statements.

OpenPages FCM 4.0

OpenPages Financial Controls Management provides a compliance solution for both Sections 302 and 404. To meet the attestation requirements of Section 302, OpenPages FCM employs surveys that must be filled out by every manager with responsibility for specific internal control areas. These surveys are custom-designed to the needs of the individual organization, but generally contain questions about any changes in internal controls over the reporting period, as well as any relevant documentation or test information.

These surveys are then rolled up to an overall document for review and certification by management and the internal control auditors. Any aberrations that need to be further investigated or documented are highlighted in a dashboard. The software maintains version control over the survey responses, so that issues that have been addressed are then rolled up into the most current survey summary. All of these surveys and responses are captured and held in a secure "repository" for future auditing or other use.

In meeting the requirements for Section 404 compliance, OpenPages FCM works as a comprehensive document management system. In addition to managing and capturing e-mails, the system serves to control documentation projects.

In this application, OpenPages FCM allows members of the team documenting internal controls tests or restructuring to capture all relevant information about the project, as well as any internal communications that take place during the reporting period.

Using filter options available in OpenPages FCM, managers can generate reports on tasks performed, as well as manage any issues that are uncovered during the reporting period. A large selection of standard reports is available, including reports on all processes, on all risks, on all controls (including those found to be ineffective), and on at-risk action items and issues. Custom reports can be created to meet the specific requirements of the organization.

Since OpenPages FCM generally operates in parallel with an accounting system, most companies should find it applicable, regardless of the financial software already in use. In addition, OpenPages FCM is integrated with other financial systems software from vendors including Hyperion, Cognos and Business Objects.

SAP Solutions for GRC

Some of the more successful products in the compliance market have been marketed by Virsa Systems. In fact, these products have been so successful that the company was acquired earlier this year by SAP. The Virsa products are still being marketed, but comprise the core of a new SAP business unit, the SAP Governance, Risk and Compliance Management Business Unit. Initially, SAP GRC products include Virsa Compliance Calibrator, Virsa Access Enforcer, Virsa Role Expert and Virsa Firefighter. These components comprised the former Virsa Access Controls Suite and are available individually or in combination.

As with a growing number of vendors, SAP's GRC products are not strictly targeted towards SOX compliance. The entire compliance issue has been broadened in recent years, with SOX being only one regulatory issue. Even entities not subject to the provisions of SOX, such as nonprofits, have become concerned with accountability and transparency. Compliance with IT standards and with SAS issuances is an additional concern that compliance software vendors are addressing.

SAP's Virsa Compliance Calibrator is the module that handles testing and enforcement of segregation of duties, and performs analysis of access and duty violations, as well as providing remediation and mandatory risk analysis.

Extending these capabilities is the Role Expert module, which manages and documents "roles" across the enterprise, a role being responsibility for a particular area of workflow. As with the other modules, ongoing analysis of risk and potential violations is performed, with archiving of all documentation, change history and control test results. The Access Enforcer module tracks user accesses throughout the enterprise and scans for potential access violations. To provide the same level of security, risk analysis and control for "superusers," the highest levels of management, Firefighter allows these superusers access under a blanket of control and documentation.
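The access-control concern listed among the roundup's criteria and the segregation-of-duties analysis described for Compliance Calibrator and Firefighter come down to the same test: does any one user hold two transaction types that must be kept apart? The following is an added example, not Virsa or SAP code; the roles, conflict rules, users and the emergency-grant ticket reference are all constructed. It reports a user covered by a documented emergency grant as an exception to review rather than dropping the finding.

```python
"""Segregation-of-duties check over user role assignments.

Added example, not Virsa/SAP code: it models the access and duty-violation
analysis the review describes, on constructed roles, conflict rules and users.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed role catalogue: role -> transaction types it grants.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment", "release_payment"},
    "gl_accountant": {"post_journal", "edit_journal"},
    "controller": {"approve_journal", "close_period"},
    # Emergency "superuser" role: broad access that must be covered by a documented grant.
    "emergency_admin": {"create_vendor", "approve_payment", "post_journal", "approve_journal"},
}

# Constructed conflict rules: two transaction types one person must never hold together.
SOD_CONFLICTS: List[Tuple[str, str, str]] = [
    ("create_vendor", "approve_payment", "can create a payee and approve paying it"),
    ("enter_invoice", "release_payment", "can enter an invoice and release its payment"),
    ("post_journal", "approve_journal", "can post and approve the same journal entry"),
]

@dataclass(frozen=True)
class Finding:
    user: str
    conflict: Tuple[str, str]
    status: str   # "violation" or "documented_exception"
    reason: str

def effective_permissions(roles: Set[str]) -> Set[str]:
    """Union of the transaction types granted by a user's roles; unknown roles grant nothing."""
    perms: Set[str] = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def find_sod_violations(assignments: Dict[str, Set[str]],
                        emergency_grants: Dict[str, str]) -> List[Finding]:
    """Report every conflict pair a user holds. A user whose access is covered by a
    recorded emergency grant (user -> ticket reference) is still reported, but as a
    documented exception to be reviewed, not silently excluded."""
    findings: List[Finding] = []
    for user in sorted(assignments):
        perms = effective_permissions(assignments[user])
        for left, right, reason in SOD_CONFLICTS:
            if left in perms and right in perms:
                status = "documented_exception" if user in emergency_grants else "violation"
                findings.append(Finding(user, (left, right), status, reason))
    return findings

# Constructed user population and one constructed emergency-access ticket reference.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"ap_clerk", "ap_manager"},
    "carol": {"gl_accountant", "controller"},
    "dave": {"emergency_admin"},
}
SAMPLE_EMERGENCY_GRANTS: Dict[str, str] = {"dave": "CHG-EXAMPLE-001"}

if __name__ == "__main__":
    for f in find_sod_violations(SAMPLE_ASSIGNMENTS, SAMPLE_EMERGENCY_GRANTS):
        print(f"{f.status:21} {f.user:6} {f.conflict[0]} + {f.conflict[1]}: {f.reason}")
```

Run against a real role export, the same loop produces the evidence a Section 404 control test needs: which users hold conflicting duties, and which of those are covered by a recorded grant.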

When the products were marketed by Virsa Systems, they were available not only for SAP financial systems installations, but for a number of other higher-end enterprise ERP and accounting vendors' products. SAP has wisely decided to continue this approach, and even expand it, with a GRC product suite for Hyperion in the works.

Transition/1 eProcessManager Suite

As with a number of products detailed in this roundup, eProcessManager Suite is not specifically designed as a SOX compliance tool, though it can be configured for that purpose. The eProcessManager Framework itself is targeted at process management within an enterprise, of which management of the processes impacting SOX compliance is only a part. The eProcessManager Suite can be set up to monitor compliance in any of a number of areas, using predefined templates designed to define the business cycles and key processes with their control objectives, including COSO, CobiT and, of course, Sarbanes-Oxley.

Templates are also product application-specific, though a generic template can be interfaced with financial applications that don't already have a predefined template. These predefined templates are available for a wide variety of accounting systems. This allows implementation to be very rapid compared to some of the other products detailed in this roundup. Transition/1 claims that many of its Sarbanes-Oxley implementations have been accomplished in days, rather than weeks or months.

The eProcessManager Suite addresses both Section 302 and 404. Once configured, the application generates all required documentation, including narratives, flow charts and risk matrixes. Departmental and process owner sign-offs can be rolled up into summaries, which can trigger action if necessary. All of these are automatically archived, as are control tests and other process checks. Comprehensive and easily understandable displays let management assess risk, track action items and issues, assign staff, and document corrections.

Unlike many of the applications in this roundup, eProcessManager Suite is available for mid-level accounting products such as MAS 90/200, Dynamics and similar systems. That makes this application well worth considering for the many smaller public companies not running Oracle Financials, SAP or Hyperion.

Tripwire

Tripwire is not a SOX compliance software product per se. Rather, it is an IT process monitoring, auditing and reporting system that provides an excellent way of helping to achieve the internal control change monitoring that is required under Section 404.

The application is available in two versions, Tripwire Enterprise and Tripwire for Servers. Tripwire Enterprise is probably the more appropriate version for most SOX compliance uses, as it installs both on enterprise-wide servers and on individual workstations. Available for a wide variety of platforms, including Windows, Solaris and a number of Unix/Linux implementations, Tripwire monitors and securely records changes to files, operating system components, system registry files and user identification files, as well as what files were accessed, when and by whom. The vendor offers standard integrations with HP OpenView, IBM Tivoli and Remedy AR System. Tripwire for Servers monitors and maintains much the same information as the Enterprise version, but only for a single server or workstation.

By itself, Tripwire needs to be configured with what specific changes are allowable, since entering transactions into an accounting system will affect files. Where Tripwire is especially useful is in identifying attempts to bypass controls by altering files outside of the financial application.
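The point above is the core of any file-integrity monitor: a baseline of hashes, a policy stating which changes are routine, and a report of everything else. The following is an added example, not Tripwire's code or configuration; the directory layout, file contents and the allow-list glob are constructed. Changes to the ledger data files (where posted transactions land) are reported as expected, while an edited configuration file and a new binary outside the financial application are flagged.

```python
"""File-integrity baseline check with an allow-list for expected changes.

Added example, not Tripwire's code or configuration: it shows the
baseline-and-compare approach the review describes, where routine changes to
the accounting data files are expected but any change to files outside the
financial application is reported. Paths and contents are constructed.
"""
import fnmatch
import hashlib
import os
import tempfile
from typing import Dict, List

def snapshot(root: str) -> Dict[str, str]:
    """Hash every regular file under root, keyed by its path relative to root."""
    hashes: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hashes[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return hashes

def compare(baseline: Dict[str, str], current: Dict[str, str],
            allowed_globs: List[str]) -> Dict[str, List[str]]:
    """Classify each difference: a modified file is 'expected' if its path matches an
    allowed glob, otherwise 'unexpected'; files appearing or disappearing are always reported."""
    report: Dict[str, List[str]] = {"expected": [], "unexpected": [], "added": [], "removed": []}
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            report["removed"].append(path)
        elif path not in baseline:
            report["added"].append(path)
        elif baseline[path] != current[path]:
            routine = any(fnmatch.fnmatch(path, g) for g in allowed_globs)
            report["expected" if routine else "unexpected"].append(path)
    return report

# Constructed policy: ledger data files change with every posted transaction;
# nothing else in the application tree should change between releases.
ALLOWED_CHANGE_GLOBS = ["data/ledger/*.dat"]

def run_demo() -> Dict[str, List[str]]:
    """Build a constructed application tree, baseline it, simulate a period's activity, compare."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "bin/glpost": b"placeholder binary v1",
            "etc/approval_limits.cfg": b"approval_limit=5000\n",
            "data/ledger/gl2006.dat": b"journal 0001\n",
        }
        for rel, content in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        baseline = snapshot(root)
        # A posted transaction (expected), an approval-limit edit made outside the
        # financial application (unexpected), and a file that did not exist before.
        with open(os.path.join(root, "data/ledger/gl2006.dat"), "ab") as fh:
            fh.write(b"journal 0002\n")
        with open(os.path.join(root, "etc/approval_limits.cfg"), "wb") as fh:
            fh.write(b"approval_limit=500000\n")
        with open(os.path.join(root, "bin/glpatch"), "wb") as fh:
            fh.write(b"placeholder binary of unknown origin")
        return compare(baseline, snapshot(root), ALLOWED_CHANGE_GLOBS)

if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(f"{bucket:10} {paths}")
```

The allow-list is the part that needs care in practice: too broad and a control bypass hides among routine data changes, too narrow and every posting period produces noise that reviewers learn to ignore.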

With the ability to monitor changes in the areas covered by internal controls, Tripwire is not only an excellent tool for monitoring IT integrity, but can also serve as a valuable means of certifying some areas of internal control integrity and effectiveness for SOX compliance reporting. Beyond its use in SOX compliance, you might want to consider adding Tripwire to your clients' toolkits (as well as your own) to keep IT functions secure.

Ted Needleman, a former editor of Accounting Technology, is a consultant and freelance writer based in Stony Point, N.Y.
