SOX Tool and Feedback Survey, July 15, 2008

  • SOX Forum,
    It would be great if persons on this forum can provide feedback about experiences using a SOX tool.
    To protect the guilty, you can simply identify the SOX Tool that you use and provide a grade (A-F) for your evaluation of the product.
    A - SOX Tool provides exceptional functionality and was integral to achieving SOX compliance.
    B - SOX Tool facilitated a more automated approach for SOX compliance and was generally a good value-add.
    C - SOX Tool was average in performance.
    D - SOX Tool performed less than expected and is not recommended.
    F - SOX Tool failed to meet product requirements.

  • OpenPages FCM - B
    We were already compliant when we implemented the tool, otherwise tending towards an A

  • Paisley FOCUS - C (SOX tool was average in performance)
    This tool is decent, but requires a significant amount of tweaking to conform to your specific business. It has since been replaced by the company, but I cannot comment on the usability of the newer version as I have never used it.

  • Oracle Internal Controls Manager (ICM): D - SOX Tool performed less than expected and is not recommended.
    The use of the ICM tool was not integral to the SOX compliance effort in Year 1. However, the product does not meet the performance expectations, technical fixes involving functionality issues remain uncorrected by the manufacturer, and the SoD tool is too cumbersome for practical application.
    A consulting firm created and currently operates a Yahoo User’s Group to share knowledge about ICM, but the postings on the ICM forum are limited and focus on offering ICM implementation assistance and/or technical support as opposed to serving as a forum to dialogue with other ICM users or to share best practices.

  • Milan and Albie, your comments are interesting.
    We rejected both of these tools in our selection process, Oracle fairly early in the process as there were several showstoppers and Paisley later because although the tool looked pretty slick and well thought out when one got into the details there were a number of key things it couldn’t deliver e.g. inability to associate a single control with more than one process.
    Openpages we found the most appealing principally because the structure of the application was designed very well and can be configured very flexibly without customisation - although the reporting was weaker than others and the user interface was not the most appealing.
    Since the version we selected the reporting and UI have been significantly enhanced - which is easier to engineer on top of a well designed app than it is to fix a poor structure on something that looks pretty. I think OP have been very smart and developed their app the right way which makes them a sustainable solution. I think this is reflected in their client base.
    Caveat: my comments are principally based on mid-2006 versions.

  • Hi Denis,
    Thank you for sharing your thoughts and experience.
    We went with Oracle ICM only because it was part of a full systems conversion to Oracle Financials that was completed in 2007. Unfortunately, the ICM SOX Tool did not meet expectations nor did it add value to our year one SOX compliance initiatives.
    I had heard from others leading SOX projects that OpenPages was a good product, but the customer support was lacking. Of course, customer support requirements vary based on the technical aptitude of the implementation team, system administrator and end users, and often directly relates to the product quality.
    In my opinion, customer support requirements are significantly reduced when the product/service quality is high and in the case of software, the user base is also high so that users can knowledge share and work through common technical and/or functional issues.
    Not to stray from the topic, but I recently changed my cell phone service from T-Mobile to Verizon and have no need for ongoing customer service, whether the customer service staff are helpful or otherwise. The Verizon mobile phone coverage and service in NYC is excellent and reliable, so it is not necessary to continually follow-up with them.
    So relating this experience back to your experience with OpenPages, a quality product reduces the need for customer service and if it were my choice, I would have seriously considered OpenPages for this reason.
    Apologies as this post probably killed any hope of landing T-Mobile as a site sponsor. Oh well.

  • Perhaps the first question we should ask is what did you expect from a SOX system. If a glorified database of risks, processes and controls then most should suffice. If a method of ensuring adequate self cert and a funky dashboard report then the tools tend to differentiate. If a strong audit tool to enable you to undertake and record independent testing, then most drop off the radar.
    Similarly what sort of return do you expect from your investment on such a system. In a previous role we did look at obtaining a system and shortlisted to Paisley and OP as they seemed the most flexible at the time and best adapted to our methodology. In the end we concluded that the costs of both (including employing someone to maintain either in house) outweighed the benefit and we employed a permanent team that cost less and also resulted in a very significant cut in the audit fees. But that was because the company was the most complex I had worked with and benefit could be gained from introducing a full independent testing model that the auditors liked.
    In my current role, one of these systems has already been acquired and I am astonished by its lack of flexibility - in particular its inability to adapt to change as the business grows and restructures (or at least it is flexible as long as I pay the consultancy costs.). That could, however, be because it is a couple of years old and therefore not been revised to reflect the current top down risk based approach.
    What is evident to me based on my travels is that a system is only as good as the methodology you devise. They won’t provide a solution for you and will highlight any faults in the method/structure you have chosen.

  • Good comments wrightlot.
    I should also qualify my comments by saying our company is very large and have thousands of processes and users.
    We are also starting to think about wider ERM/OpRisk and may look to our existing platform to manage this.
    milan, we have found customer support at OP to be fine, but in reality we don’t need much

  • As we have numerous software products I focused my pick on JIRA (which is change control as well as workflow control facility). While it’s less of a financial systems type product, it plays a vital role in our IT and business areas with some support of 404 requirements (e.g., production release controls, change management, etc).
    Gave it a ‘B’ rating as I personally like this tool and its capabilities - even though it emails me a little too often 😉

  • Pentana - B
