May 2006
Considerations for Acquiring an Effective Sarbanes-Oxley Compliance Solution
Evaluating business needs, ensuring records are maintained, and monitoring the organization's compliance progress are some of the considerations companies should keep in mind before investing in a Sarbanes-Oxley compliance software solution.
Sonia Luna, CPA
Founder
SOX Solutions
Hugh Taylor
Vice President
SOA Software
It seems as if every software vendor these days has the perfect application that can make companies compliant with the U.S. Sarbanes-Oxley Act of 2002 or solve any compliance problems in the blink of an eye. Although no software application can truly solve "all" problems, despite vendor claims, good software products exist that can help organizations enhance their Sarbanes-Oxley compliance efforts.
Prior to purchasing a software solution, it's important for organizations to evaluate the application in its entirety by using a disciplined approach that takes into consideration factors such as current business needs and budget constraints. Besides assisting organizations in their Sarbanes-Oxley compliance efforts, following a disciplined approach can help companies decide which software and hardware solutions can meet corporate objectives more effectively.
TOP 10 COMPLIANCE SOFTWARE CONSIDERATIONS
Contrary to vendor claims, there are no "plug and play" compliance products in the marketplace — purchasing a software package that offers such promises should be considered carefully. The disciplined approach described below provides the top 10 considerations organizations should keep in mind when selecting a software package as part of their Sarbanes-Oxley compliance activities. Following this approach can be the difference between purchasing an effective software solution that enhances compliance needs and one that's simply a waste of corporate dollars.
1. Business Needs
The first step organizations should take prior to purchasing a compliance software solution is to identify their compliance needs and demands and evaluate different software applications against these requirements. Organizations also should consult the internal auditor, external auditor, or audit consultant to identify the auditor's overall approach to Section 404 compliance work. For example, if the internal audit staff is paper-based, using a software solution may not help improve the compliance process. The software solution also needs to provide information to meet the audit's needs. It is pointless, for instance, to purchase a risk-based solution that does not document existing controls, especially if the audit will require this kind of information.
Furthermore, because compliance might be a new subject for many employees who may be using the software or reviewing its output, it would be a good idea to purchase a solution that includes a glossary of user definitions and terms. In general, the more in-depth the solution's documentation is, the easier the software implementation process will be.
Finally, organizations should consider whether or not the software will be used to compensate for organizational, procedural, or human resources problems. If this is the case, purchasing the software may not be a good use of company time or money. In fact, it might just make things worse.
2. Investment Budget
There is more to a solution than its selling price. Before acquiring any kind of compliance software, organizations should keep in mind the extra expenses associated with software licensing fees, as well as training and implementation costs. In addition, organizations should determine what kind of maintenance and support the application needs, as well as the equipment needed to run the application and other infrastructure requirements.
For instance, the IT department might have to purchase and install a dedicated server or other hardware to run the application, while some compliance packages might require the company to obtain database licenses. Because the majority of audit committee members and upper management usually like to know the "true cost" of compliance, internal and external costs must be considered when calculating yearly software compliance expenses. Underestimating internal and external implementation costs can severely affect the solution's return on investment.
3. Benchmarking Features
Benchmarking refers to the ongoing analysis of the company's compliance program efforts. As a key element of compliance, benchmarking capabilities should be offered as part of the software package's features. For example, some of the costlier software programs advertise tools that promise to deliver robust benchmarking compliance reports and related functions, such as features that compare the number of key controls tested annually. Although some of these solutions could be worth the extra expense, the same level of reporting and functionality can be achieved with a cheaper software program.
At a minimum, compliance software applications should be able to create reports on the following four areas:
4. Record Safekeeping
Having a secure audit record of software users allows both internal auditors and the company to view a historical trail of who was responsible for various parts of the compliance process. This record also gives organizations the necessary evidence to determine whether all compliance activities were managed appropriately. To preserve this audit trail, the software should allow the company to roll over or copy information from the previous year, as well as "freeze" annual compliance work at a specific point in time. This will provide a baseline from which to measure compliance efforts as they progress throughout the year. When freezing or rolling over information, organizations need to make sure they do not override the work done in the previous year; Sarbanes-Oxley documentation is subject to the same retention guidelines as regular audit reports.
5. Progress Monitoring
Software packages should allow companies to monitor their progress from the planning stages through the completion of the audit's report. This helps to keep the compliance process on track. Most compliance initiatives break down when there is a lack of communication regarding where the process is at a specific point in time. For instance, as a deficiency is fixed, the application should keep track of the entire remediation process and identify whether or not the problem was resolved. Therefore, companies should ask the software vendor how specific functions for monitoring progress and fixing control deficiencies operate. An example of poor functionality in this case would be a "notes" field that allows users to type text. A more robust functionality would be a pre-set, customizable interface that enables users to provide updates on a specific control and enables companies to search, sort, or conduct a report on those updates.
6. Publishing Options
Companies should make sure the software solution allows them to print results and compliance reports. Ideally, the application should be able to publish data in formats that are compatible with the company's standard software applications.
7. International Needs
If a company operates in multiple locations, the compliance software should too. This is important especially if the organization is involved in international compliance issues. For example, some of the worst internal control problems arise in cross-border financial reporting. Another related technological issue is whether or not the package supports integration protocols, such as extensible markup language, which can help connect compliance software solutions to other systems without incurring additional middleware costs. Companies also should consider whether the solution provides multiple character sets and customizable interfaces for multiple languages.
8. Using What's Available
Organizations should not create compliance software programs from scratch. Creating a software compliance program using developer tools such as VisualStudio.Net would, more than likely, not be cost effective. Likewise, adapting a general purpose portal application such as SharePoint as the company's de facto compliance package could be highly problematic. There are simply too many variables and settings that can go wrong, such as creating the necessary management and audit reports. Companies should consider buying software packages that provide built-in best practice guidelines or work process templates. The organization should ask the vendor for references and inquire whether the software has been used successfully at a comparable company.
9. Online Availability
The organization's internal and external auditors should be able to access the system online in a secure manner. Before the company commits to a package, it must determine whether the solution offers Web-based modules and whether the software allows users to access the compliance program remotely. The organization also needs to make sure the solution integrates with existing hardware and does not disrupt any maintenance schedules or security parameters in a way that causes excessive busy work and expenses. For example, the Web-based version of a compliance application needs to meet existing corporate security baseline standards. If it doesn’t, the company might be creating a costly hassle for the IT department to manage. Finally, the software program must be able to access any Web-based documentation easily, especially in organizations with a global workforce.
10. Integration
As a final consideration, IT departments should determine whether the package works with existing platforms, operates independently of other systems, or needs to be integrated into financial or enterprise resource planning systems. If it needs to be integrated, many security and change management issues could arise. For example, if IT staff are working on controls that involve existing integration points among multiple systems, and the compliance application requires the introduction of another layer of integration, it might become cost prohibitive to keep the integration interfaces in operation.
In addition, auditors should recommend that IT departments create IT procedures that incorporate existing corporate policies and make sure that the application's change management policy clearly states the proper way to handle change requests. For instance, the policy should describe how to conduct routine changes in the IT environment as well as changes that require additional approval from senior managers. Furthermore, IT departments should consider other issues that can arise when acquiring and deploying a new software solution, such as training employees on how to use the application and considering all support and hardware costs.
MOVING FORWARD
Choosing the right compliance software program can enhance an organization's compliance efforts or make them more difficult. For better or for worse, the software industry has responded to corporate needs to enhance organizations' compliance programs by offering a variety of solutions, some of which are better than others. As a result, it is important for companies to purchase applications that take into consideration the recommendations provided above.
Furthermore, the decision to purchase a compliance solution might involve people who may or may not completely understand the consequences of acquiring and installing a software package. Auditors and accounting professionals may have a set of needs and expectations that are quite different from those of IT or information security staff. To get the right compliance solution, companies might need to take into consideration divergent and potentially conflicting points of view. In such cases, it's important to understand the requirements, goals, and restrictions that could affect the software purchase process. When done in combination with a disciplined approach, the company will be able to move forward with a solution that best meets its specific needs.
Sonia Luna, CPA, is the founder of SOX Solutions, a Sarbanes-Oxley solutions provider for both privately held and publicly traded companies. Luna has worked with clients from different industries, ranging from Fortune 500 international companies to small organizations. Previously, she worked with Ernst & Young as an audit manager. Hugh Taylor is the vice president of SOA Software, a provider of enterprise service-oriented architecture management, security, and governance solutions. Taylor is the author of The Joy of SOX: Why Sarbanes-Oxley and Service-Oriented Architecture May Be The Best Thing That Ever Happened to You and Understanding Enterprise SOA.