How the software works: Users can enter their IDs and passwords to access the software on SunTrust's network, or they can use tokens through the company's VPN. People can view the processes they're responsible for and the controls that support them through SunTrust's security provisions, says Keith. If there are any control deficiencies, process owners can create an action plan, have the problem remediated and then retest the control in question. At the end of each quarter, senior management reviews all of the controls to determine whether they have deficiencies that might affect the company's financial reporting.

Customization required: No customization was required, just configuration of the data to match SunTrust's business processes.

Additional servers/storage required: SunTrust acquired an eight-way server for its production environment and used existing servers for its testing and quality-assurance environments.

Favorite functionality: A dashboard view of the controls environment allows users to "drill down" to the reasons behind a control deficiency and determine where it stands in terms of remediation and testing, says John Wheeler, senior vice president of financial reporting risk management at SunTrust.

Functionality desired: SOX Express 4.0, due out this spring, "will allow us to configure our own [data] fields," says Keith. Wheeler would like to be able to load SunTrust's financial data into the system, a capability that he says OpenPages is currently addressing.