Oracle Apps Help Businesses Meet Reporting Requirements

The vendor says its Internal Controls Manager will help companies identify the risks associated with business processes and the possible effect on their financial statements.

Oracle on Wednesday unveiled a set of applications that will help companies comply with Section 404 of the Sarbanes-Oxley Act of 2002, which requires executives and auditors to document and certify the internal controls and procedures behind financial reports submitted to the Securities and Exchange Commission.

The announcement comes a day after the SEC extended the compliance deadline for this provision of the law, which was enacted last year in the wake of headline-grabbing corporate scandals that have eroded investor trust in public markets. On Tuesday, the SEC said it would require internal-controls certification for year-end financial statements for fiscal years ending on or after June 15, 2004. An earlier version of the law applied to such financial statements ending on or after Oct. 15, 2003. For most companies, that means they won't have to formally comply until 2004, which gives them a significant amount of breathing room, according to an E-mail from John Hagerty, VP of research at AMR Research.

Regardless of the deadline to comply, Oracle says its application--dubbed Internal Controls Manager--will help a company identify the risks associated with business processes and the possible effect those risks might have on the company's financial statements.

To help companies better understand and track those risks, Oracle Internal Controls Manager lets them build and populate a library of potential risks that can be associated with each business process within an organization. Once potential risks are identified, Oracle Internal Controls Manager lets the company design controls to help mitigate those risks. "This allows you to define processes and procedures and establish audit attributes to those flows, such as who owns the process, is it high or low risk, and which GL accounts it might affect, so you can document all procedures that might affect financial results," says Steve Miranda, Oracle's VP of application development. "You can define and associate those procedures with risks," such as fraud, to assess what the financial impact would be if the risk occurred--either intentionally or because of error.

Oracle also worked side by side with the risk-assurance practice of PricewaterhouseCoopers to make it easy for companies to use the consulting firm's risk library as well. PricewaterhouseCoopers' library can be uploaded into the Internal Controls Manager, so auditors will have a framework to judge the effectiveness of internal controls. Oracle plans to work with other consulting firms to offer customers the same access to their risk libraries.

The length of time needed to install the Oracle Internal Controls Manager varies, depending on company size, the heterogeneous nature of its applications, and training issues. But companies are waiting eagerly for the application, Miranda says, as they're feeling the pressure of the impending deadline for compliance. "We've had tremendous pressure in getting the apps out because [our customers] were feeling the pressure of the date," he says. "I don't think it's going to slow down that much with the extension."

Pricing for the applications will be posted on Oracle's Web site in the next few weeks, and the application will be available this summer.