Calibrating toward compliance

06.02.2006
For many corporate executives, complying with the Sarbanes-Oxley Act of 2002 is a lot like cleaning out a cluttered basement -- dreaded and tedious, but necessary.

That's because the federal law requires business managers to continually identify, monitor and verify that they have effective financial controls in place.

Now that most large publicly held firms have gone through at least one round of meeting these so-called Section 404 requirements, many executives have recognized the need to automate those controls processes in order to make those activities repeatable and cheaper to maintain. Big companies like Time Warner Inc. and The Dow Chemical Co. each devoted hundreds of thousands of man-hours in 2004 to manually identifying, evaluating and testing their business and IT controls.

"We have to figure out how to make [Section 404 controls verification] more efficient," says Ron Edmonds, global accounting director at the Midland, Mich.-based chemical manufacturer.

Some companies have invested in software to help them automate their controls activities. Here's a look at five companies that have taken the plunge, the functionality they like best in the third-party compliance packages they each use and what features they'd like to add.

Constellation Energy, Baltimore

Charter: Generator, supplier and distributor of electric power

Modules in use: BindView Admin for Windows and Exchange 7.2, BindView Control for Windows and Active Directory and Exchange 8.0, BindView Control for Oracle Database 8.1, BindView Control for Unix 8.0 and BindView Compliance Center 2.1, from BindView Development Corp. (acquired last month by Symantec Corp.)

Requirements: In 1999, Constellation Energy began using a suite of network monitoring software called BindView Control to determine which of its servers and applications various employees had access to. The software identifies financial information that resides on those applications and servers to help Constellation Energy determine whether it has the appropriate controls and so-called segregation of duties in place. That allows it to restrict access to that information in order to meet the requirements of regulations such as the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act.

How the software works: The BindView Control modules examine access-control lists for Constellation Energy's Oracle, Windows and Unix systems. "Some of the things we're looking for are not only who has access to the servers but the applications on that server as well," says John Petruzzi, director of enterprise security at Constellation Energy. Meanwhile, the Compliance Center module takes a snapshot of the company's IT controls environment to indicate "where we need to focus our attention" in terms of remediation and testing, says Petruzzi.

Customization required: BindView's professional services division customized the reporting capabilities for Constellation Energy.

Additional servers/storage required: The storage requirements for the reports produced by the BindView systems are nominal, says Petruzzi, ranging from a few kilobytes to just under a megabyte. Since the BindView tools need to query each machine in Constellation Energy's IT environment, reports are scheduled to run during nonpeak hours to avoid taking away computing cycles from other business processes.

Favorite functionality: The ability to take a "snapshot" of Constellation Energy's IT environment from a manager's desktop, says Petruzzi.

Functionality desired: The ability to monitor multiple IT-related regulations from a single viewpoint in order to avoid duplicating work. Symantec is adding that feature to the BindView Policy & Compliance Management software in the first quarter.

Chicago Mercantile Exchange

Charter: Futures exchange and clearinghouse

Modules in use: Movaris Certainty 8.0, from Movaris Inc. in Cupertino, Calif.

Requirements: The exchange began using Movaris Certainty 8.0 to help it meet several Sarbanes-Oxley-related compliance requirements. For starters, the software enabled the CME to migrate all of its compliance documents into the Movaris system to create a single-source compliance data model, an approach that makes it easier for the exchange to store and track all Sarbanes-Oxley compliance documentation.

How the software works: Movaris Certainty allows the CME to document, report and review its internal controls. The software, which sits on an Oracle database, provides the CME with a single-source data model for all of its Sarbanes-Oxley compliance data. Movaris also provided the CME with a five-question survey to pose to its process-control owners, which the CME's internal audit group aggregated "and allowed us to focus on the exceptions," says John Verburgt, the CME's associate director of compliance.

Customization required: The CME customized the system "around the personality of the way we work," says Verburgt. The Chicago-based exchange made simple changes to the software, such as tweaking the language used in the system and adding logos. "Nothing significant in terms of effort," says Verburgt.

Additional servers/storage required: None.

Favorite functionality: The ability for process-control owners to make use of workflow capabilities to review, examine and test internal controls, says Verburgt. Also, the ability to add user-defined configuration fields without any customization.

Functionality desired: A financial control data mart, which would provide the CME's executives with graphical views of the performance of financial control operations. Movaris has incorporated these capabilities into Movaris 9.0, and the exchange plans to implement the system by April, says Verburgt.

FirstEnergy Corp., Akron, Ohio

Charter: Diversified energy company

Modules in use: Certus Governance Suite, from Certus Software Inc. in Cupertino, Calif.

Requirements: FirstEnergy wanted a software package that could help it automate the internal-controls documentation and testing activities it needs to comply with Section 404 of Sarbanes-Oxley. The software it began implementing last June from Certus enables managers at FirstEnergy to view which business and IT controls they have across multiple financial systems and operations, all the way down to the account level. In using the software, "everything is in one place, so you have total visibility instead of having to rely on hundreds of spreadsheets," says Alan Michel, manager of internal audit at the energy company.

How the software works: The software identifies the risks and assertions tied to various accounts and then maps those accounts back to the controls that support them, according to Michel. The software also instructs users on how to schedule and test internal controls throughout the organization. If there are any issues or discrepancies with a given control, they are sent through workflow for remediation and testing.

Customization required: None.

Additional servers/storage required: FirstEnergy added servers and software to support its test and production environments.

Favorite functionality: The software "gives you complete visibility" on what controls are in place to support each account, and vice versa, says Michel.

Functionality desired: The ability to determine which accounts are "significant" and whether they're in scope, says Michel. Also, the ability to provide greater transparency between entity-level controls, business process controls and IT controls.

SunTrust Banks Inc., Atlanta

Charter: Commercial bank

Modules in use: SOX Express, from OpenPages Inc. in Waltham, Mass.

Requirements: SunTrust wanted a software package that could help business managers monitor the controls that each of their departments use to support the bank's collective financial reporting. In addition, senior executives at the bank are able to use a software dashboard to determine whether company managers have verified that appropriate controls are in place to support their departments' business activities. Prior to using software from OpenPages, SunTrust's managers used Excel spreadsheets and Microsoft Office Visio software to monitor their internal controls. But the process was extremely manual, says Martha Keith, group vice president in financial reporting risk management.

How the software works: Users can enter their IDs and passwords to access the software on SunTrust's network, or they can use tokens through the company's VPN. People can view the processes they're responsible for and the controls that support them through SunTrust's security provisions, says Keith. If there are any control deficiencies, process owners can create an action plan, have the problem remediated and then retest the control in question. At the end of each quarter, senior management reviews all of the controls to determine whether they have deficiencies that might affect the company's financial reporting.

Customization required: No customization was required, just configuration of the data to match SunTrust's business processes.

Additional servers/storage required: SunTrust acquired an eight-way server for its production environment and used existing servers for its testing and quality-assurance environments.

Favorite functionality: A dashboard view of the controls environment allows users to "drill down" to the reasons behind a control deficiency and determine where it stands in terms of remediation and testing, says John Wheeler, senior vice president of financial reporting risk management at SunTrust.

Functionality desired: SOX Express 4.0, due out this spring, "will allow us to configure our own [data] fields," says Keith. Wheeler would like to be able to load SunTrust's financial data into the system, a capability that he says OpenPages is currently addressing.

UGS Corp., Plano, Texas

Charter: Provider of product life-cycle management software

Modules in use: BizRights, from Approva Corp. in Vienna, Va.

Requirements: UGS began implementing Approva's BizRights system last May to identify and correct any segregation-of-duties violations with its SAP ERP system in order to comply with Sarbanes-Oxley.

How the software works: BizRights provides UGS managers with a view of the segregation of duties across its SAP ERP environment. The BizRights software analyzes whether there is appropriate segregation of duties among business managers and compares that with a "rule book" that's incorporated into the software. So if a manager is responsible for cash applications, the system can determine whether he is authorized to conduct accounts-receivable adjustments, says Jeff Greiner, director of enterprise applications engineering at UGS.
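The rule-book check Greiner describes, written out as an added example in Python; this is not Approva's BizRights code and not part of the original article. The rule identifiers, role-to-duty mapping and user assignments are constructed for illustration, with the cash-applications / accounts-receivable-adjustments pair taken from the article.

```python
# Added example (not Approva's code): a minimal segregation-of-duties (SoD)
# checker. It flattens each user's roles into the duties they grant, then
# compares that set against a "rule book" of duty pairs that one person
# should not hold at the same time, and reports every conflict found.

# Constructed rule book: pairs of duties that conflict if held by one person.
# SOD-01 is the article's own example (cash applications vs. AR adjustments).
RULE_BOOK = {
    "SOD-01": ("cash_applications", "ar_adjustments"),
    "SOD-02": ("vendor_master_maintenance", "ap_invoice_entry"),
    "SOD-03": ("create_purchase_order", "approve_purchase_order"),
}

# Constructed mapping from system roles to the duties each role grants.
ROLE_DUTIES = {
    "AR_CLERK": {"cash_applications"},
    "AR_SUPERVISOR": {"ar_adjustments", "credit_memo_approval"},
    "AP_CLERK": {"ap_invoice_entry"},
    "VENDOR_ADMIN": {"vendor_master_maintenance"},
    "BUYER": {"create_purchase_order"},
}

def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Flatten a user's role assignments into the set of duties they grant."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties

def sod_violations(user_roles, rule_book=RULE_BOOK, role_duties=ROLE_DUTIES):
    """Return {user: [(rule_id, duty_a, duty_b), ...]} for each user who
    holds both duties of at least one rule; conflict-free users are omitted."""
    findings = {}
    for user, roles in user_roles.items():
        held = effective_duties(roles, role_duties)
        hits = [(rid, a, b) for rid, (a, b) in rule_book.items()
                if a in held and b in held]
        if hits:
            findings[user] = hits
    return findings

# Constructed sample extract of user-to-role assignments (hypothetical users).
SAMPLE_USERS = {
    "jdoe": ["AR_CLERK", "AR_SUPERVISOR"],   # cash apps + AR adjustments
    "asmith": ["AP_CLERK", "VENDOR_ADMIN"],  # vendor master + AP invoice entry
    "bjones": ["BUYER"],                      # no conflicting duties
}

if __name__ == "__main__":
    for user, hits in sod_violations(SAMPLE_USERS).items():
        for rule_id, a, b in hits:
            print(f"{user}: {rule_id} conflict ({a} + {b})")
```

In practice the role-to-duty mapping is extracted from the ERP's authorization tables, and the rule book is reviewed by internal audit before the report is treated as evidence.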

Customization required: None.

Additional servers/storage required: BizRights currently runs on a Dell Windows-based server "that's a little underpowered," says Greiner. UGS is upgrading to a more powerful Windows-based server this year at a cost of US$10,000.

Favorite functionality: Minimal administration is required. Also, BizRights has helped UGS significantly reduce its reliance on external auditors to gather segregation-of-duties information from its SAP environment, says Tom Beitel, UGS's internal audit director.

Functionality desired: "A systems administration tool where I can see what's going on," says Greiner.