Volume 5, Number 4 -- January 25, 2005

2005: A SOX Auditor's Odyssey

by Alex Woodie

The year 2005 is shaping up to be a banner year for auditors performing Sarbanes-Oxley Act audits and, perhaps, for sales of software that helps companies comply with the new regulations. While it appears many companies are choosing to use manual processes to meet their first SOX deadline, iSeries software vendors in the source code management and database audit trail spaces--two primary SOX-related tool categories--are hoping that companies realize the value of software automation to ensure continued compliance.

If you work in a public company with a market capitalization of $75 million or more, the first SOX deadline, on November 15, is probably a blurry memory by now (or a source of continual pain, if you got an extension). If you work in a smaller company with public ownership, the next SOX deadline, June 15, is probably starting to loom large. In any case, you probably realize SOX isn't just a one-time hassle that will eventually go away, but an ongoing requirement that you display certain controls over your accounting systems.

One of the things making SOX such a challenge is that lawmakers did not specify exactly how companies are to be compliant, just that they will need to be compliant. If companies can prove that they have sufficient controls over access to accounting systems using reams of paper reports and teams of weary readers, there is nothing that says they can't do it that way. It would be easier if you used software for SOX compliance--notably a change management system to control access to source code, and a field-level auditing tool to detect changes made to your database--but nothing in the law says you have to use software.

In fact, using manual methods to get through that initial SOX audit seems to be a popular choice, according to software executives and several published reports. Ardi Batmanghelidj, a principal with iSeries auditing tool maker Innovatum, says SOX has been a huge driver of sales for DataThread--a field-level auditing tool for the iSeries database--but that many companies are still using manual processes to gain compliance.

"What I'm finding is a lot of companies are scrambling to say they are compliant, and they're doing it in a very manual fashion. They're running reports and batch jobs at night to see who did what. It's a very inefficient approach. It's labor-intensive, and it's resource-intensive," Batmanghelidj says. "There are two ways of complying, and everybody [hopes to] be compliant by deadline, but maybe not in a desired manner."

Daniel Magid, chief executive at Aldon, a vendor of change management systems based in California, also warns against relying on manual processes to gain compliance. "There is nothing in SOX or the ancillary standards used for compliance that mandates an automated change management system," he writes. "However, attempting to comply using paperwork, e-mail, and manual process is time-consuming and tedious for everyone involved."

A change management system, like Aldon's Lifecycle Manager, can be an instrumental component of a company's SOX compliance strategy. Change management systems institute automated processes for maintaining documentation and ensuring that the required checks are completed as changes are made, according to Magid. "Auditors then have a central place to look for historical change records and process documentation," he writes. "The change management system eliminates much of the administrative effort and opportunity for error in SOX compliance procedures, while making it easier for auditors to ensure compliance."

SOX is also driving big sales at another change management system vendor, SoftLanding Systems. A salesperson for the New Hampshire company says sales were up 20 percent in 2004, and that 2005 is "looking good." According to a company white paper, SoftLanding's TurnOver change management system can automate about 40 percent of the items needed for a SOX audit, or 61 of the 164 SOX-related objectives that have been identified by the Control Objectives for Information and related Technology, or COBIT.

New SOX Tools

Another iSeries software vendor, ProData Computer Services, unveiled a new SOX-related tool last week. The new product, called DBU Audit, works with ProData's popular Database Utility (DBU) tool to give administrators control over their databases by allowing them to track and monitor any modifications that have been made to any iSeries database using DBU.

DBU Audit works by journaling all modifications made by users via DBU, which provides an easy-to-use (and powerful) way to directly update, add, and delete data from DB2/400. DBU Audit enables administrators to start and stop auditing from their interface, to monitor access and changes made to sensitive files (such as the payroll), and to display the audit data for viewing or generation of SOX audit reports. DBU Audit files can be protected from misuse, and the product can be configured for different classes of users.

DataMirror has high hopes for SOX-related software sales in 2005. Last fall, the Toronto software developer unveiled a new software bundle, called Integration Suite 2005, which combines auditing, integration, data transformation, and mirroring into a single package. One of the key elements of Integration Suite 2005 is LiveAudit, which creates audit trails of DB2/400 database changes.

While DataMirror announced the new bundle last fall, it named the product "Integration Suite 2005" with the hope that the market for SOX-compliance-related software would heat up this year. SOX-compliance-related spending had been concentrated in services, and not necessarily software, Nigel Stokes, the company's chief executive, said in an interview last fall. "It's not a Y2K-type deadline to become compliant. We haven't seen the full investment in software," Stokes said.

Continuing on this 2005 theme, MKS, which develops change management systems that compete with those from Aldon and SoftLanding, is ramping up Requirements 2005, a new product the company announced last fall. MKS Requirements 2005 provides a regimented process for managing and documenting the requirements stage of application development, which can be affected by SOX compliance.

By linking developers and their source code changes to managers and their business documentation, MKS hopes to streamline companies' development processes. It also offers triggers for alerting users to "suspect" requirements, which definitely has applicability in a SOX world. MKS Requirements 2005 works with Implementer, its change management software for OS/400, via the MKS Integrity Manager, the company's graphical process and workflow management software.

Other software vendors with OS/400 data auditing tools include Cosyn Software, the New Zealand developer of the Audit Trail/400 package, and Dynamic Systems Solutions, the Florida company that sells the Auditron 400 product. Several developers of security software for OS/400 also sell auditing tools.

SOX compliance is getting a lot of attention from software vendors, and with good reason. According to a July 2004 study by Financial Executives International, SOX compliance was expected to cost each company more than $3 million per year, and there are reports that large companies will pay upward of $35 million in 2005 for SOX compliance.

With so much of that SOX spending going to manual processes, the market for tools that automate SOX compliance would seem to be huge. "SOX has been a phenomenal burden on people," says Batmanghelidj. "There's a huge market for automation, as people come to understand what exists."

Editor: Alex Woodie
Managing Editor: Shannon Pastore
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed

Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034