Calibrating toward compliance

06.02.2006

Requirements: FirstEnergy wanted a software package that could help it automate the internal-controls documentation and testing activities it needs to comply with Section 404 of Sarbanes-Oxley. The software from Certus, which the company began implementing last June, enables managers at FirstEnergy to view which business and IT controls they have across multiple financial systems and operations, all the way down to the account level. With the software, "everything is in one place, so you have total visibility instead of having to rely on hundreds of spreadsheets," says Alan Michel, manager of internal audit at the energy company.

How the software works: The software identifies the risks and assertions tied to various accounts and then maps those accounts back to the controls that support them, according to Michel. The software also instructs users on how to schedule and test internal controls throughout the organization. If there are any issues or discrepancies with a given control, they are routed through a workflow for remediation and testing.

Customization required: None.

Additional servers/storage required: FirstEnergy added servers and software to support its test and production environments.

Favorite functionality: The software "gives you complete visibility" on what controls are in place to support each account, and vice versa, says Michel.