2005: A SOX Auditor's Odyssey
by Alex Woodie
The year 2005 is shaping up to be a banner year for auditors performing Sarbanes-Oxley Act audits and, perhaps, for sales of software that helps companies comply with the new regulations. While it appears many companies are choosing to use manual processes to meet their first SOX deadline, iSeries software vendors in the source code management and database audit trail spaces--two primary SOX-related tool categories--are hoping that companies realize the value of software automation to ensure continued compliance.
If you work in a public company with a market capitalization of $75 million or more, the first SOX deadline, on November 15, is probably a blurry memory by now (or a source of continual pain, if you got an extension). If you work in a smaller company with public ownership, the next SOX deadline, June 15, is probably starting to loom large. In any case, you probably realize SOX isn't just a one-time hassle that will eventually go away, but an ongoing requirement that you display certain controls over your accounting systems.
One of the things making SOX such a challenge is that lawmakers did not specify exactly how companies are to be compliant, just that they will need to be compliant. If companies can prove that they have sufficient controls over access to accounting systems using reams of paper reports and teams of weary readers, there is nothing that says they can't do it that way. It would be easier if you used software for SOX compliance--notably a change management system to control access to source code, and a field-level auditing tool to detect changes made to your database--but nothing in the law says you have to use software.
In fact, using manual methods to get through that initial SOX audit seems to be a popular choice, according to software executives and several published reports. Ardi Batmanghelidj, a principal with iSeries auditing tool maker Innovatum, says SOX has been a huge driver of sales for DataThread--a field-level auditing tool for the iSeries database--but that many companies are still using manual processes to gain compliance.
"What I'm finding is a lot of companies are scrambling to say they are compliant, and they're doing it in a very manual fashion. They're running reports and batch jobs at night to see who did what. It's a very inefficient approach. It's labor-intensive, and it's resource-intensive," Batmanghelidj says. "There are two ways of complying, and everybody [hopes to] be compliant by deadline, but maybe not in a desired manner."
Daniel Magid, chief executive at Aldon, a vendor of change management systems based in California, also warns against relying on manual processes to gain compliance. "There is nothing in SOX or the ancillary standards used for compliance that mandates an automated change management system," he writes. "However, attempting to comply using paperwork, e-mail, and manual process is time-consuming and tedious for everyone involved."
A change management system, like Aldon's Lifecycle Manager, can be an instrumental component of a company's SOX compliance strategy. Change management systems institute automated processes for maintaining documentation and ensuring that the required checks are completed as changes are made, according to Magid. "Auditors then have a central place to look for historical change records and process documentation," he writes. "The change management system eliminates much of the administrative effort and opportunity for error in SOX compliance procedures, while making it easier for auditors to ensure compliance."
SOX is also driving big sales at another change management system vendor, SoftLanding Systems. A salesperson for the New Hampshire company says sales were up 20 percent in 2004, and that 2005 is "looking good." According a company white paper, SoftLanding's TurnOver change management system can automate about 40 percent of the items needed for a SOX audit, or 61 of the 164 SOX-related objectives that have been identified by the Control Objectives for information and related Technology, or COBIT.
New SOX Tools
Another iSeries software vendor, ProData Computer Services, unveiled a new SOX-related tool last week. The new product, called DBU Audit, works with ProData's popular Database Utility (DBU) tool to give administrators control over their databases by allowing them to track and monitor any modifications that have made to any iSeries database using DBU.
DBU Audit works by journaling all modifications made by users via DBU, which provides an easy-to-use (and powerful) way to directly update, add, and delete data from DB2/400. DBU Audit enables administrators to start and stop auditing from their interface, to monitor access and changes made to sensitive files (such as the payroll), and to display the audit data for viewing or generation of SOX audit reports. DBU Audit files can be protected from misuse, and the product can be configured for different classes of users.
DataMirror has high hopes for SOX-related software sales in 2005. Last fall, the Toronto software developer unveiled a new software bundle, called Integration Suite 2005, which combines auditing, integration, data transformation, and mirroring into a single package. One of the key elements of Integration Suite 2005 is LiveAudit, which creates audit trails of DB2/400 database changes.
While DataMirror announced the new bundle last fall, it named the product "Integration Suite 2005" with the hope that the market for SOX-compliance-related software would heat up this year. SOX-compliance-related spending had been concentrated in services, and not necessarily software, Nigel Stokes, the company's chief executive, said in an interview last fall. "It's not a Y2K-type deadline to become compliant. We haven't seen the full investment in software," Stokes said last fall.
Continuing on this 2005 theme, MKS, which develops change management systems that compete with those from Aldon and SoftLanding, is ramping up Requirements 2005, a new product the company announced last fall. MKS Requirements 2005 provides a regimented process for managing and documenting the requirements stage of application development, which can be affected by SOX compliance.
By linking developers and their source code changes to managers and their business documentation, MKS hopes to streamline companies' development processes. It also offers triggers for alerting users to "suspect" requirements, which definitely has applicability in a SOX world. MKS Requirements 2005 works with Implementer, its change management software for OS/400, via the MKS Integrity Manager, the company's graphical process and workflow management software.
Other software vendors with OS/400 data auditing tools include Cosyn Software, the New Zealand developer of the Audit Trail/400 package, and Dynamic Systems Solutions, the Florida company that sells the Auditron 400 product. Several developers of security software for OS/400 also sell auditing tools.
SOX compliance is getting a lot of attention from software vendors, and with good reason. According to a July 2004 study by Financial Executives International, SOX compliance was expected to cost each company more than $3 million per year, and there are reports that large companies will pay upward of $35 million in 2005 for SOX compliance.
With so much of that SOX spending going to manual processes, the market for tools that automate SOX automation would seem to be huge. "SOX has been a phenomenal burden on people," says Batmanghelidj. "There's a huge market for automation, as people come to understand what exists."