
SOX reality check: Compliance management products

Despite the all-encompassing nature of SOX, some vendors claim their single tool can do it all. This article looks at what these products can and can't do.

by Richard Mackey

About Compliance School

In Compliance School, guest instructor Richard Mackey shows you exactly what you need to do to meet regulations' ongoing demands and arms you with actionable items to ensure your business remains continuously compliant. Best of all you can attend any of the following on-demand lessons when it's most convenient for you:

Sarbanes-Oxley compliance is a major undertaking. It requires people across departments to understand the requirements, the coordination of employees and auditors from a variety of technical and business departments, and painstaking tracking of compliance status. SOX compliance also requires accurate documentation and tracking of a wide array of technical, business and legal aspects of the enterprise. Despite the all-encompassing nature of SOX, some vendors claim their single tool can do it all. Let's take a look at what these products can and can't do for you.

What they can't do
While SOX compliance tools can do a lot, they simply can't make your company compliant. Most of the "compliance tools" are aimed at organizing information, communicating, and helping you assess and visualize your state. While important to the effort, no one would confuse this with compliance itself. SOX compliance is about the effectiveness (and proof of effectiveness) of your business and technical controls that relate to finance. Clearly this goes far beyond security and encompasses more than IT.

What they can do
That said, there are useful tools that can help you through the compliance process. There are tools to help assess compliance state, document audit results, communicate goals and status, and coordinate compliance efforts. That's just the start. In the compliance management space, there are two classes of products: those specifically designed to help companies meet SOX goals, and those that provide more generic communication and project management functions that can be, and often are, applied to SOX management efforts.

Compliance tools range from portals, like the SOX Portal in Protiviti's SOX suite, that aid in communications, to document management tools like Certus' 404 and 302 products, to Hyperion's Compliance Management Dashboard, which presents a graphical display of compliance status.

Compliance tools: The real deal

By Diana Kelley, Burton Group Analyst

Compliance tools purport to present a snapshot of a company's current state of compliance with a variety of different regulations. Keep in mind, however, that much of the legislation pertains to appropriate risk management and business controls; not to prescriptive security settings on systems.

The lack of prescription means that companies must perform risk analysis and create their own prescriptive guidance. Reading through the actual requirements is a great place to start. Commonly-accepted control frameworks, such as COSO, CobiT, ISO 17799 and ITIL, can also be referenced as a starting point from which the key stakeholders -- executives, auditors, IT administrative staff and any other employees involved in the compliance process -- can obtain guidance and insight.

If your enterprise is planning to use a vendor-supplied template for compliance reporting, ask the vendor how the compliance policies were created and how easy it is to customize them. Because regulations aren't prescriptive, most vendors use one of the control frameworks mentioned above as a baseline for the compliance templates. They may even augment the template with information from lawyers, auditors and customers. These templates can be a great guide, but don't rely on them out of the box, even if the template is quite detailed and based on an accepted framework. It will need additional tuning from your IT and security staff.

Bottom line: proceed with caution. If the tuning work isn't done upfront, dashboards can quickly become "garbage in/garbage out."

All these products can help organizations prepare for external audits and can integrate with audit products to facilitate self-assessment. For example, Certus' suite provides a framework that works with Microsoft's Office Suite for easy integration with existing enterprise tools. In addition, Certus provides role-based security to help ensure that only appropriate people get access to the sensitive data collected and managed in the SOX compliance effort.

Many companies, Microsoft among them, turn to more generic portal and office automation products like Microsoft SharePoint, Microsoft Office and Microsoft Project to be the centerpieces of their SOX communications and documentation efforts. SharePoint is often used to communicate project goals, meeting schedules, status and documentation across a widely dispersed project group. While not structured specifically with SOX in mind, these generic tools help many organizations achieve compliance.

The rest is up to you
While all these tools can play an important role in helping to organize your compliance effort, the heavy lifting is still left to you. You still need to measure your risk, configure your systems, document your policies, educate your users and administrators, and measure your compliance.

Compliance is a multifaceted problem that simply can't be addressed by one or even a whole set of tools. After all, compliance is about maintaining the integrity of your financials. This is accomplished by applying business and technical controls where they are needed for your business. Technical checks and balances, like change control, provisioning workflow and access control, log review, and vulnerability management, need to be applied alongside business controls to provide assurance that no one can attempt to perpetrate fraud without one or more of these controls detecting or preventing it.


This was last published in February 2006
