Shortly after Sarbanes-Oxley (SOX) first appeared in 2002, "compliance" applications started hitting the market in a big way. Companies from established players like Oracle and Documentum to start-ups looking for a piece of the action began marketing applications designed to take your company from the non-compliance darkness into the light of compliant, quarterly SOX reporting.
The problem is none of these "solutions" is a complete solution in and of itself. Most are starting points that run the gamut from simple, spreadsheet-style reporting tools to applications that integrate into your ERP system and automatically pull out, record, document, and track all events material to SOX compliance, including, in some cases, elusive threads like email and phone conversations.
But that is at the high-end of the game. Oracle, for example, provides these capabilities, says Seamus Moran, Oracle's director of financial application development, as well as a compliance roadmap based on the COSO (Committee of Sponsoring Organizations of the Treadway Commission) enterprise risk management framework to help you get started. It's easier to use, however, if you're an Oracle shop. Otherwise, expect the need for a lot of custom API work or manual data entry before things run smoothly.
Some compliance apps have gaps in their coverage too large to ignore. For example, Gartner Analyst Rich Mogull says his company no longer recommends Microsoft's offering in the compliance game because Microsoft failed to make Gartner aware of some important security vulnerabilities in the document-handling schema. Specifically, changes could be made to documents without any trace of who made the alterations — a critical no-no from a SOX point of view.
Although security seems to be a recurring problem with Microsoft products, shortcomings invariably are going to be found in most offerings. So, depending on a piece of software to bring your enterprise into total SOX compliance is simply not going to work.
Roadmap to Compliance
What needs to be done (preferably before any software is purchased), Moran recommends, is a thorough assessment of your company's financial infrastructure from an IT perspective. At one time, Oracle, for example, was running 90 accounting applications in 120 different countries. Today, the company fields just one.
"The [compliance] applications can't help you if two-thirds of your world is run off of spreadsheets," agrees John Parkinson, Cap Gemini Ernst & Young's chief technologist for the Americas.
Basically, there are five stages to get to compliance, according to Moran: documentation, analysis of risk, placement of controls, monitoring those controls, and reporting. "And that's all assuming you've got a business model you can actually summarize like that," he adds.
Compliance applications can help you with most of these challenges or just one, depending on the solution. But this is an ideal-world scenario, Moran says. In between each of these stages are most likely layers of business processes on top of layers of business processes — and that's where things can get tricky.
"People are realizing that this is a more a services-, business-orientated process problem," says Mogull. "There's not a magic-bullet technology solution."
Feature courtesy of the CIO Information Network.
Back to Enterprise Storage Forum