No one said that picking the right Sarbanes-Oxley (SOX) compliance technology would be easy. There are a lot of products that claim to be the answer to various SOX woes.
"[SOX] is a rallying cry for lots of disparate vendors in many categories," said John Hagerty, vice president of research with Boston-based AMR Research. Other assessments are blunter.
"There isn't a software company out there that isn't trying to put the perfume of SOX on whatever pig they own," said Peter Morgan, vice president of marketing with Waltham, Mass.-based compliance software vendor OpenPages, Inc.
Companies have a fistful of cash that they'll spend on SOX technology this year, specifically
Columbia, Md.-based Micros Systems Inc. implemented compliance documentation management software in 2003. The $600 million company provides hardware, software and services to the hospitality and retail industry, and decided early on to use technology to assist with SOX compliance activities. They evaluated their needs, looked carefully at product features, checked references of vendors and decided on OpenPage's SOX Express.
"We use SOX Express for everything, instead of using spreadsheets," explained Yuan-chen Yao, director of internal audit with Micros. Spreadsheets were too hard to manage, track and keep updated, she explained. "Having a tool is very helpful. We have the software installed worldwide, and it makes things a lot easier," Yao said.
Though Micros stopped evaluating documentation tools after implementing OpenPages, Yao reported that many vendors have contacted her over the last few years. The market now has a huge variety of vendors and products, which may prove a challenge to companies choosing tools this year.
Here are the trends you need to know about to navigate the shark-filled waters of SOX technology evaluation and purchasing in 2006.
Business and IT are (or should be) uniting over SOX tool evaluations.
The mantra of uniting business and IT into one decision-making machine goes double for SOX this year, said AMR's Hagerty, especially as the emphasis shifts to compliance process automation. The good news is that a 2005 Gartner survey showed that 80% of CIOs are already on their company's compliance or governance council. But this year, IT employees with key roles in data management, integration and system administration will need to start digging into exactly how the proposed new tools will affect the infrastructure and day-to-day work.
That said, Yao reported that her finance department successfully led the technology evaluation process during their SOX tool implementation project, calling on IT only to help with "logistical" issues during installation. Yao said that this has not been a problem for them, but that only five to six people use the tools on a daily basis.
The emphasis for companies should be on the problem, not the solution.
Compliance technology vendors have historically had the upper hand in SOX compliance tool education -- especially if less technically savvy business people were taking the lead on evaluation. This has to change this year, Hagerty said.
"Understand what processes you're really trying to automate, and then look at the tools that do that," Hagerty advised. "Don't let vendors tell you the problem."
Luckily, companies should now be able to better identify the real problems and highest risks, due to increased experience. While 2004 was about simply meeting the requirements with spreadsheets or custom tools and 2005 was about process development, 2006 will be about automating processes with technology, Hagerty said.
Best-of-breed and ERP vendors are competing.
Currently, the major choices in compliance tools come from specialized, pure-play software companies or ERP vendors seeking to be the single source for enterprise tools. Some users are suspicious of their ERP vendor providing their compliance tools.
"They're saying that maybe you should have someone independent test the system of record," Hagerty said. But, he's not sure whether this will materialize as a strong buying trend.
Companies are solving infrastructure problems in the name of SOX.
SOX compliance has exposed some key infrastructure flaws at companies, like multiple finance applications, ERP problems or lack of enterprise integration, explained Paul Hamerman, vice president of enterprise applications with Cambridge, Mass.-based Forrester Research Inc.
"SOX is becoming a catalyst or driver to make overdue improvements in ERP and IT infrastructure," Hamerman said. Re-spin those purchase requests, and you may have a winner.
Controls automation and monitoring software is taking root.
The marketplace has not had a good understanding of these tools, which "detect errors, monitor transactional integrity, and prevent fraudulent or unauthorized activities," Hamerman said. The software monitors enterprise-wide business and finance processes, and has been a year or two behind documentation tools in corporate adoption. That will change this year, he predicted.
The vendor tools market is consolidating.
"There's a natural shakeout occurring," Hamerman explained. There will be fewer "viable players" in the market and some smaller vendors will probably be acquired, he said. Those that survive will likely partner with complementary vendors for richer offerings or extend their product lines, moving into other governance and risk areas, addressing compliance requirements beyond SOX.
That squares with the experience and plans of OpenPages, which provides a platform and applications for governance risk and compliance management. The company is launching new operational risk management and IT governance applications this year, OpenPages' Morgan said. They have also partnered with several other vendors.
Companies are entering the acceptance stage of SOX and compliance.
It's clear that regulatory compliance, whether driven by SOX, HIPAA, international regulations or future laws, is an increasingly important part of daily business. Morgan believes that more companies are beginning to take "a systematic, company-wide, automated approach" to data governance and compliance, whether required by law or not. Customers, potential partners and creditors are beginning to demand evidence of sound governance, Morgan said, and the market will ultimately force both regulated and non-regulated companies to respond.