Software May Ease Compliance

Companies hope emerging applications will help them meet impending deadline to comply with Sarbanes-Oxley regulation
Entergy needed software to coordinate the planning, testing, and certification procedures that Sarbanes-Oxley requires. It turned to PeopleSoft's Internal Controls Enforcer. The product, which is integrated with PeopleSoft Financials, monitors key internal controls, alerts management to changes in controls, and enforces accountability throughout the organization. Entergy is evaluating a beta version of the product and expects to put it into production next year. For its current fiscal year, which ends Dec. 31, it's having to make do with its homegrown system. "It'll get us through our first external audit cycle," Israel says.

Compliance is a three-step process--document, test, and remediate--that must be performed on a continuous basis, not just viewed as a throwaway project. That point often gets lost when companies are "in project mode," as they are now with Sarbanes-Oxley compliance, Israel says. "Companies are spending millions of dollars to get into acceptable condition for section 404 and will have to spend additional millions every year," she says. Entergy's own tab for achieving 404 compliance will come in at between $3 million and $4 million the first year.

Software vendors hope to help ease the process. Protiviti last month formed an alliance with enterprise content-management vendor Stellent Inc. to create a content-management-based compliance platform combining Stellent's Universal Content Management system with Protiviti's subject-matter expertise. Besides offering its own Sarbox Portal software, Protiviti, a wholly owned subsidiary of staffing company Robert Half International, provides risk consulting and internal audit services in support of Sarbanes-Oxley compliance. Sarbox Portal provides a tool to document control assessments, giving executives the evidence they need to document internal financial-reporting controls, says Scott Gracyalny, managing director of Protiviti. The software also automates quarterly assessments mandated under section 404.

McData Corp., a provider of storage-network hardware and software, uses Sarbox Portal as the foundation of its 404 compliance effort. It completed documentation of its internal financial-reporting controls in March and is on track to launch the testing phase in July, well in advance of the end of its fiscal year on Jan. 31. The initial documentation phase, which was performed by the business-process owners themselves, was a "big internal expenditure, involving legal counsel and internal auditors," says Mike Moreno, senior manager of internal audit at McData.

McData uses Protiviti in tandem with enterprise content-management software from Documentum to assess control over each business process that impacts financial reporting. For accounts receivable, for example, Documentum stores invoices, purchase orders, and other records, as well as a description of the controls in place. Those controls are loaded into Protiviti's Sarbox Portal, which acts as a repository for all of the company's finan- cial-reporting controls and associated risks, along with test plans and results. "Protiviti houses the risk-control matrix, which lists all risks and controls associated with a process," Moreno says.

Ringing Up E-SalesMicrosoft is also getting into Sarbanes-Oxley compliance in a big way. Protiviti is one of several independent software vendors and accounting firms collaborating with Microsoft on its Office Solution Accelerator for Sarbanes-Oxley, introduced late last year. Offered as a free add-on for users of Microsoft Office, the accelerator helps companies document and review their internal financial controls as required by Sarbanes-Oxley. Microsoft has invited independent business-intelligence and content-man- agement software vendors to build solutions on top of the accelerator, and accounting firms are lending subject-matter expertise.

The Big Four accounting firms are also forming relationships with other software providers. OpenPages, for example, last month bought PricewaterhouseCoopers' Internal Controls Workbench software and is integrating it with its own Sarbanes-Oxley Express product. OpenPages was motivated by the opportunity to acquire 375 clients that already use the PricewaterhouseCoopers software. Micros Systems uses Sarbanes-Oxley Express to automate the compliance process. The product provides a Web-based portal that lets the compliance team view control documentation and testing, Micros' Russo says.

By getting out of the software business, PricewaterhouseCoopers can focus on its core competency--auditing. The firm has five big multinational clients that are on the verge of testing their internal financial-reporting controls, and it intends to provide them all with the help they need. "The coordination of that testing is really challenging," says Lynn Edelson, head of PricewaterhouseCoopers' compliance systems practice. "The goal is to automate that process and make it more efficient."

With the help of emerging compliance software, companies striving to meet Sarbanes-Oxley compliance are all shooting for that goal.

Continue to the sidebar: "Top Choice: Paisley Is Hot Pick For Compliance Software"

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing