SOX Software Packages

  • Hi,
    Just a question to find out if anyone is using some type of software package to assist their Internal Audit department’s need to comply with 404. We are currently using a simple database to house all of our test documents. However, the issue of linking controls to various risks can sometimes be a big waste of time. Does anyone use any type of commercial software package and what is your opinion of it?

  • I’ve used different tools depending on what the client wants us to use. In one environment, we used a content management tool to store documents, version control, checkout/checkin, and searching. You can organize these documents in a folder hierarchy that makes sense for the project. There was a companion product that ran on top of it for SOX. We loaded the processes, risks, assertions, controls, test scripts, etc… then as testing occurred you could enter your test results and attach documents or link them from the content management tool. It all sounds great… except… there were issues with performance. If the tool is slow or stops working then you are stuck. There is no contingency to keep the testers moving. Tools like this can be nice for following up on deficiencies… you can see all your deficiencies for a particular process.
    Using one of these tools requires an up-front effort to set ‘standards’ for use. Some people think technology will reduce the effort for SOX… maybe, but not at first. An example of the standards needed is object naming standards. This is not the sort of tool you can just slam in and go. Without standards it will be difficult to find things. Tools in this space are well intentioned but seem immature. We ended up having to put the ‘object number’ in the name of the object (process or control or whatever) so that it could be searchable by number. This is just one example of a limitation. You don’t know these types of issues until you begin using the tool.
    There are also a number of tools that operate like portals. You load basic information about controls and then everything else is an attachment. Many of the external auditors have partnered with software companies for these types of tools. Protiviti has a product that operates like this. Another one is Focus™. All the attachments are Word docs and spreadsheets.
    Many clients don’t have tools, so at my current client we organize things in folders on the shared drive and maintain a spreadsheet as an index to the files. It works fine and helps everyone get clearer on their requirements for a tool.
    There are lots of vendors that claim to do SOX. IMHO, the market is immature, growing, and evolving, so it may take some time to see some real leaders in this space. Look at the total costs when evaluating, not just the cost to purchase the solution. Look at the cost for hardware, system software, cost to implement (consulting, resources), setup standards, training users/contractors/consultants/auditors, and providing long-term support.
    Good luck.

  • Bear in mind that whilst SOX tools require some investment in set-up, they may be of significant benefit when it comes to maintainability. SOX is an annual effort, not a one-off: processes need to be updated, controls need to be assessed and management needs to attest on an ongoing basis. A properly set-up package can save you a lot of time and effort in future years.

  • Oracle’s Internal Controls Manager is a very comprehensive tool. Its components include a repository for process narratives/risk-control matrix, audit operations, certification management and segregation of duties.
    Has anyone heard of audit firms telling clients that Excel spreadsheets are becoming unacceptable for maintaining their documentation? That they must move to an automated tool with better security features?
    I’ve heard this on a couple of occasions, but wasn’t sure if there was an official position on this.

  • Has anyone heard of audit firms telling clients that Excel spreadsheets are becoming unacceptable for maintaining their documentation? That they must move to an automated tool with better security features?

    Absolutely not true

  • I’ve used PolicyIQ and had some good success. The software was written originally as a compliance / documentation tool, and was adapted very well to SOX. They start at USD 15k for 100 users, and you can use the hosting option to ease the burden on IT.

  • There are ‘numerous’ vendors in this market space and the number of them is growing.
    Several of them that I have used over the last several years include:

    1. Open Pages - One of the best according to Gartner
    2. RCTS by D-and-T - A risk package modified for SOX
    3. Certus Software: Customers normally complain about its lack of functionality AND its TREMENDOUS problems of loading and mapping data. Additionally, they DO NOT have shared controls or a controls library.
    4. Policy IQ - From Resources Global Corporation: A package that allows you to be the repository of ALL SOX documentation.
    Hope this helps

  • Certus does allow shared controls and does have a controls library, although we chose not to use it.

  • … into your entire IT system.
    My approach is to integrate control into your IT system via the Software Factory paradigm, since a major portion of SOX compliance is the IT system itself. Change order management, provisioning of user access, etc. all provide the necessary data and links to drive SOD, security and other SOX compliance issues.
    With standalone tools you’re looking at lots of manual effort maintaining duplicate data. In my opinion there should be only one employee list. Not one for SODs, one for HR, one for password management, one for network asset management, etc. Only one unique list linked to everything. Period.
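The point above, one authoritative employee list that everything else links to rather than several hand-maintained copies, can be shown with a small segregation-of-duties (SOD) check. The following is an added example and not code from the poster or from any vendor tool named in this thread; the employees, entitlements and conflict rules are constructed sample data. It runs the same SOD rules against the authoritative list and against a stale duplicate, and reports how the duplicate has drifted.

```python
"""Segregation-of-duties check driven from a single identity list.

Added example, not from the forum post. Illustrates why one authoritative
employee/entitlement list beats separately maintained copies: the same SOD
rules give different answers on a stale copy, and the drift is detectable.
All names, entitlements and rules below are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed SOD rules: pairs of entitlements one person must never hold together.
SOD_RULES = {
    ("create_vendor", "approve_payment"),
    ("post_journal", "approve_journal"),
    ("change_order_approve", "change_order_deploy"),
}


@dataclass
class Employee:
    emp_id: str
    name: str
    active: bool
    entitlements: set[str] = field(default_factory=set)


def sod_conflicts(employees):
    """Return {emp_id: [(a, b), ...]} for every active employee holding both
    sides of an SOD rule. Inactive (left) employees are skipped: their access
    should be removed by provisioning, not reported as a live conflict."""
    findings = {}
    for e in employees:
        if not e.active:
            continue
        hits = sorted(
            (a, b) for a, b in SOD_RULES
            if a in e.entitlements and b in e.entitlements
        )
        if hits:
            findings[e.emp_id] = hits
    return findings


def list_drift(authoritative, copy):
    """Compare the authoritative list with a separately maintained copy.
    'missing' = ids absent from the copy, 'stale' = ids only in the copy
    (e.g. leavers never removed), 'differing' = ids whose active flag or
    entitlements disagree. Any non-empty bucket means the copy is wrong."""
    auth = {e.emp_id: e for e in authoritative}
    dup = {e.emp_id: e for e in copy}
    missing = sorted(set(auth) - set(dup))
    stale = sorted(set(dup) - set(auth))
    differing = sorted(
        i for i in set(auth) & set(dup)
        if auth[i].entitlements != dup[i].entitlements or auth[i].active != dup[i].active
    )
    return {"missing": missing, "stale": stale, "differing": differing}


# Constructed sample data: the HR-owned authoritative list ...
HR_LIST = [
    Employee("e100", "A. Clerk", True, {"create_vendor"}),
    Employee("e101", "B. Manager", True, {"approve_payment", "create_vendor"}),
    Employee("e102", "C. Leaver", False, {"post_journal", "approve_journal"}),
]
# ... and a copy typed into a standalone SOD tool some weeks earlier.
SOD_TOOL_COPY = [
    Employee("e100", "A. Clerk", True, {"create_vendor"}),
    Employee("e101", "B. Manager", True, {"approve_payment"}),
    Employee("e102", "C. Leaver", True, {"post_journal", "approve_journal"}),
    Employee("e099", "Z. Former", True, {"post_journal"}),
]


def run():
    """Conflicts from both lists plus the drift between them."""
    return sod_conflicts(HR_LIST), sod_conflicts(SOD_TOOL_COPY), list_drift(HR_LIST, SOD_TOOL_COPY)


if __name__ == "__main__":
    from_hr, from_copy, drift = run()
    print("conflicts (authoritative):", from_hr)   # e101: create_vendor + approve_payment
    print("conflicts (stale copy):   ", from_copy)  # e102 only, a leaver; e101 missed
    print("drift:", drift)
```

On this data the authoritative list flags the real conflict (e101 can both create a vendor and approve a payment) while the stale copy misses it and instead reports a leaver, which is exactly the duplicate-data problem the post describes; `list_drift` is the check that would catch the copy before anyone relied on its results.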

  • One of our clients is looking to purchase Sarbanes Software for their Latin American operations. The major requirement is that the software have a controls library and the ability to share controls.
    At this point, Open Pages has stated that this can be done ‘without major difficulty’, as part of their core functionality, and a personal contact of mine at Certus says that their version 2.5 does not allow this.
    Can anyone that has purchased Certus provide insight into this?
    I was sent the Certus documentation for version 2.5 and I was told that shared controls and the controls library will not be available ‘out of the box’ until version 3.0, mid next year. It is very important for this MNC in the NE US that this functionality exists. They will not accept any workarounds for this.
    Thanks for any input

  • I work for an organization that is just launching a SOX pilot. We are not required to implement as of yet, just being proactive. We are looking at possibly using some software to help us with the pilot implementation and possibly for the greater project if green-lighted down the road.
    However, from this discussion, it does not appear that there is a major leader or a major advantage of using one at this stage. As far as linking with internal controls goes, our systems (at least the majority of the operational applications) are not based on any of the big platforms like PeopleSoft or Oracle, so I’m not sure how useful that would be unless we went through some type of major mapping process. We looked at Enforcer, but it did not seem that it would be of great help to us in getting this smaller pilot off the ground.
    In any case, what I am wondering is, does anyone stand out as a clear winner/favorite for launching a SOX project with built-in templates, checklists, etc.? Thanks,

    The views expressed here are mine and do not reflect the official position of my employer or the organization through which the internet was accessed.

  • In any case, what I am wondering is, does anyone stand out as a clear winner/favorite for launching a SOX project with built-in templates, checklists, etc.? Thanks,

    According to Forrester Research:
    Sarbanes-Oxley (SOX) compliance is a rapidly maturing software category that combines enterprise content management, analytics, and enterprise applications. Three criteria provide significant differentiation among the SOX offerings evaluated: integration, collaboration, and reporting and monitoring. The user interfaces also vary widely in capability and ease of use. OpenPages emerged as the leading vendor, with IBM, Paisley Consulting, HandySoft, and Oracle close behind. Enterprises seeking a single platform for enterprise risk management should give preference to IBM, OpenPages, and Paisley Consulting because they provide a broader focus beyond SOX that encompasses additional compliance categories, including integrated enterprise risk management.

  • Hi,
    We are helping one of our clients with ‘Approva’ for segregation of duties. They are currently on SAP. Further, they are using RiskNavigator. So far the experience with these products has been excellent.

  • Also good for SOD is the Virsa Risk Assessment Tool or VRAT

  • For functionality, SOXLab seems like the best. However, I’m not sure what the price tag is. Does anyone know? What are the price tags of some of the other software packages out there?

  • The IIA conducts an annual survey of SOX Tools that is published in Internal Auditor Magazine and I think it is in the August 2005 edition.
    I couldn’t find it online at and think it might not yet be posted in the ‘Internal Auditor’ archives section. Perhaps, a hard copy can be found at the library. As with any surveys or product reviews, caveat emptor.

  • :roll:
    There are many tools offered by various vendors in the market. You have access management tools, that mainly concentrate on SAP, like Virsa Compliance Calibrator, Approva, Securinfo, Foxt PCI etc.
    Going for any of these tools at this point in time calls for an extension of the deadline offered by the SEC for compliance. These tools certainly will take lots of time to be implemented and to integrate with other systems and processes.
    The other factor to be considered is COST 8O , these tools come for a price that is not so digestible. But large corporations with good budgets can easily go for one of these.
    Let’s all pray to the SEC for yet another extension. 😛

  • :roll:
    Let’s all pray to the SEC for yet another extension. 😛
    Ya … That would be great.
    Anyway, my view is that most of the vendors which Gartner claims as market leaders are not at all user focused. They have many, many weaknesses, so they cannot be implemented at our end.
    For example, Gartner’s or AMR’s list of vendors have problems: account definition is not flexible, access control is not granular enough and, more importantly, they are stuck with fixed models; when some changes have to be done at our end, ‘no market leader’ makes sense at all.
    Most of them have a single view of controls …
