SOX reality check: Compliance management products
by Richard Mackey
What they can't do
While SOX compliance tools can do a lot, they simply can't make your company compliant. Most "compliance tools" are aimed at organizing information, communicating, and helping you assess and visualize your current state. While important to the effort, no one should confuse this with compliance itself. SOX compliance is about the effectiveness (and proof of effectiveness) of the business and technical controls that bear on your financial reporting. That clearly goes far beyond security and encompasses more than IT.
What they can do
That said, there are useful tools that can help you through the compliance process. There are tools to help assess compliance state, document audit results, communicate goals and status, and coordinate compliance efforts. That's just the start. In the compliance management space there are two classes of products: those specifically designed to help companies meet SOX goals, and those that provide more generic communication and project management functions that can be, and often are, applied to SOX management efforts.
Compliance tools range from portals, like the SOX Portal in Protiviti's SOX suite, that aid in communications, to document management tools like Certus' 404 and 302 products, to Hyperion's Compliance Management Dashboard, which presents compliance status as a graphical display.
Many companies, Microsoft among them, turn to more generic portal and office automation products like Microsoft SharePoint, Microsoft Office and Microsoft Project as the centerpieces of their SOX communications and documentation efforts. SharePoint is often used to communicate project goals, meeting schedules, status and documentation across a widely dispersed project group. While not structured specifically with SOX in mind, these generic tools help many organizations achieve compliance.
The rest is up to you
While all these tools can play an important role in helping to organize your compliance effort, the heavy lifting is still left to you. You still need to assess your risk, configure your systems, document your policies, educate your users and administrators, and measure your compliance.
Compliance is a multifaceted problem that simply can't be addressed by one tool, or even a whole set of them. After all, compliance is about maintaining the integrity of your financials. This is accomplished by applying business and technical controls where your business needs them. Technical checks and balances, like change control, provisioning workflow and access control, log review, and vulnerability management, need to be applied alongside business controls so that no one can attempt to perpetrate fraud without one or more of these controls detecting or preventing it.
01 Feb 2006