SOX Software Packages



  • Oracle’s Internal Controls Manager is a very comprehensive tool. Its components include a repository for process narratives/risk-control matrix, audit operations, certification management and segregation of duties.
    Has anyone heard of audit firms telling clients that Excel spreadsheets are becoming unacceptable for maintaining their documentation? That they must move to an automated tool with better security features?
    I’ve heard this on a couple of occasions, but wasn’t sure if there was an official position on this.
    Thanks,
    A



  • Has anyone heard of audit firms telling clients that Excel spreadsheets are becoming unacceptable for maintaining their documentation? That they must move to an automated tool with better security features?

    Absolutely not true



  • I’ve used PolicyIQ and had some good success. The software was written originally as a compliance / documentation tool, and was adapted very well to SOX. They start at USD15k for 100 users, and you can use the hosting option to ease the burden on IT.



  • There are ‘numerous’ vendors in this market space and the number of them is growing.
    Several of them that I have used over the last several years include:

    1. Open Pages (openpages.com) - One of the best according to Gartner
    2. RCTS by D-and-T - A Risk package modified for SOX
    3. Certus Software: Customers normally complain about its lack of functionality AND its TREMENDOUS problems of loading and mapping data. Additionally, they DO NOT have shared controls or a controls library.
    4. Policy IQ - From Resources Global Corporation: A package that allows you to be the repository of ALL SOX documentation.
      Hope this helps


  • Certus does allow shared controls and does have a controls library, although we chose not to use it.



  • … into your entire IT system.
    My approach is to integrate control, via the software factory paradigm, into your IT system, since a major portion of SOX compliance is the IT system itself. Change order management, provisioning of user access, etc. all provide the necessary data and links to drive SOD, security and other SOX compliance issues.
    With standalone tools you're looking at lots of manual effort maintaining duplicate data. In my opinion there should be only one employee list. Not one for SODs, one for HR, one for password management, one for network asset management, etc. Only one unique list linked to everything. Period.



  • One of our clients is looking to purchase Sarbanes Software for their Latin American operations. The major requirement is that the software have a controls library and the ability to share controls.
    At this point, Open Pages has stated that this can be done ‘without major difficulty/as part of their core functionality’, and a personal contact of mine at Certus says that their version 2.5 does not allow this.
    Can anyone who has purchased Certus provide insight into this?
    I was sent the Certus documentation for version 2.5 and I was told that shared controls and the controls library will not be available ‘out of the box’ until version 3.0, mid next year. It is very important for this MNC in the NE US that this functionality exists. They will not accept any workarounds for this.
    Thanks for any input



  • I work for an organization that is just launching a SOX pilot. We are not required to implement as of yet, just being proactive. We are looking at possibly using some software to help us with the pilot implementation and possibly for the greater project if green-lighted down the road.
    However, from this discussion, it does not appear that there is a major leader or a major advantage of using one at this stage. As far as linking with internal controls goes, our systems (at least the majority of the operational applications) are not based on any of the big platforms like PeopleSoft or Oracle, so I’m not sure how useful that would be unless we went through some type of major mapping process. We looked at Enforcer, but it did not seem that it would be of great help to us in getting this smaller pilot off the ground.
    In any case, what I am wondering is, does anyone stand out as a clear winner/favorite for launching a SOX project with built-in templates, checklists, etc.? Thanks,
    Rob

    The views expressed here are mine and do not reflect the official position of my employer or the organization through which the internet was accessed.



  • In any case, what I am wondering is, does anyone stand out as a clear winner/favorite for launching a SOX project with built-in templates, checklists, etc.? Thanks,

    According to Forrester Research
    Sarbanes-Oxley (SOX) compliance is a rapidly maturing software category that combines enterprise content management, analytics, and enterprise applications. Three criteria provide significant differentiation among the SOX offerings evaluated: integration, collaboration, and reporting and monitoring. The user interfaces also vary widely in capability and ease of use. OpenPages emerged as the leading vendor, with IBM, Paisley Consulting, HandySoft, and Oracle close behind. Enterprises seeking a single platform for enterprise risk management should give preference to IBM, OpenPages, and Paisley Consulting because they provide a broader focus beyond SOX that encompasses additional compliance categories, including integrated enterprise risk management.
    Source:



  • Hi,
    We are helping one of our clients with ‘Approva’ for segregation of duties. They are currently on SAP. Further, they are using RiskNavigator. So far the experience with these products has been excellent.
    Regards
    big4guy



  • Also good for SOD is the Virsa Risk Assessment Tool or VRAT



  • For functionality, SOXLab seems like the best. However, I’m not sure what the price tag is. Does anyone know? What are the price tags of some of the other software packages out there?



  • The IIA conducts an annual survey of SOX Tools that is published in Internal Auditor Magazine and I think it is in the August 2005 edition.
    I couldn’t find it online at theiia.org and think it might not yet be posted in the ‘Internal Auditor’ archives section. Perhaps, a hard copy can be found at the library. As with any surveys or product reviews, caveat emptor.
    milan



  • :roll:
    There are many tools offered by various vendors in the market. You have access management tools that mainly concentrate on SAP, like Virsa Compliance Calibrator, Approva, Securinfo, Foxt PCI etc.
    Going for any of these tools at this point in time calls for an extension of the deadline offered by SEC for compliance. These tools certainly will take lotsa time to be implemented and to integrate with other systems and processes.
    The other factor to be considered is COST. These tools come at prices that are not so digestible. But large corporations with good budgets can easily go for one of these.
    Let's all pray to SEC for yet another extension. 😛



  • :roll:
    Let's all pray to SEC for yet another extension. 😛
    ya … That would be great.
    Anyway, my view is that most of the vendors which Gartner claims as market leaders are not at all user focussed. They have so many weaknesses that they cannot be implemented at our end.
    For example, the vendors on Gartner’s or AMR’s lists have problems: account definition is not flexible, access control is not granular enough and, more importantly, they are stuck with fixed models. When some changes have to be made at our end, ‘no market leader’ makes sense at all.
    Most of them have single view of controls …

