Integration between risk and SOX and use of IT 1638



  • So the target date has passed for large non-US companies and we are hurtling towards our first year-end and SOX compliance. Good news is that we can learn a lot from the US and as a result I hear a lot about risk and SOX hamonisation and software soluitions. I was wondering:

    1. How are people finding/achieving harmonisation between risk and SOX? I have been trying this route but there is a tension between risk management and their focus on business and operational risks compared with the financial and predominantly audit emphasis of SOX?
    2. Has anyone found a tool they would highly recommend for SOX management or is everyone still using Word and Excel?


  • Re part 2 of your question, the market leaders include:

    • OpenPages
    • Paisley Consulting
    • SAP
    • Oracle
    • OpenText
    • Movaris
    • Certus
    • Handysoft
    • Stellent
      N.B. SAP’s MIC tool may not be fully supported any more due to their recent acquisition of Virsa. I saw an announcement on this recently but can’t remember the details of it. In any case I would expect new versions of their tool to be offered by Virsa in the medium term.
      The best I have seen is OpenPages, although many of the other tools are good. In the end you would want to look at several and see how well the functionality of eah works for your organisation.
      Word and Excel is no use for a company of any substance.


  • Denis made a good overview over the commonly used SOA tools - although I do not agree with him about the best tool. I have to say that I do not have experience with any of the mentioned tools except for OpenPages. When I first used it, I was very disappointed as it was/is too complicated and missed many useful reporting functions.
    In comparison to OpenPages, the French program RVR is much easier to handle and you can easily educate people in using it properly. One big problem of RVR was its speed, although it is always very problematic for a program to handle thousands of accesses at the same time… I do not know about the price of the two programs and their maintenance/licences costs but - concerning handling - RVR would be my choice.
    The good thing of using a SOA compliance tool is, that you are able to distinguish between several risk levels, so you are able to see at a glance where to concentrate on first --> especially useful for actions you have set after your first testing when you recognized that the current control was not enacted properly or the risk was not fully eliminated.


Log in to reply