He has a point. While Van Decker warns against purchasing software from companies that have "arisen specifically because of Sarbanes-Oxley," Section 404 compliance products from such niche vendors as Movaris Inc. and Nth Orbit (plus programs from Paisley Consulting and OpenPages) do offer certain advantages over apps from better-known ERP and business-software companies. As Biskie points out, "Certus is geared toward doing this work. It's not a bolt-on product that's designed for something else."
Moreover, smaller software vendors can ill afford to lose any customers—a fact that often translates into gold-plated service. "Large companies don't give you the same level of service," claims Kyle Didier, vice president of finance at Minneapolis-based Regis Corp., which recently purchased Certainty, a compliance-management program, from Campbell, California-based Movaris. Buyers of compliance software from niche vendors also can negotiate price reductions, flexible contracts, and service enhancements. Another perk: Groberg reports that programmers at OpenPages consulted with Volt when designing an upgrade to its Sarbanes-Oxley Express (SOX) program, and ultimately incorporated some of those suggestions in later versions of the software.
Let's Play Twister
Of course, service tends to suffer when the service provider goes out of business. And make no mistake, a number of companies currently flogging Section 404-related products will be gone by the end of the year. As John Hagerty, vice president of research at AMR Research, states: "The market simply can't sustain a dozen independent vendors."
While it's tough to tell which companies will capsize, Van Decker says several in the contract-management sector are already foundering. Likewise, the crowded enterprise content-management space appears headed for a shakeout. In December, for example, Documentum was acquired by data-storage giant EMC Corp. Around the same time, Interwoven, which recently merged with rival content-management vendor iManage, reported a net loss of $35.1 million for the first nine months of 2003. That's a sizable hit, considering the Sunnyvale, California-based Interwoven generated revenues of only around $78 million during the same time period.
The prospect has clearly spooked some prospective purchasers of Section 404 software and has bolstered the case for dealing with larger—more stable—software vendors. But staying power doesn't necessarily mean the products of top-tier vendors are up to snuff. Doyle Arnold, executive vice president and CFO at Salt Lake City-based Zions Bancorporation, says he looked at all sorts of Section 404-related software before settling on a program from Providus (a company Zions spun out of Lexign, another software company it had acquired). "All the software [I looked at] was built for another purpose," explains Arnold. "It would have to be twisted to do 404."
Generally speaking, twisting software is not good. That's why most experts say it's unwise to purchase a Section 404-targeted program without considering if the application plays well with others—particularly ERP systems. As part of Crown Media's compliance efforts, for instance, Thompson bought an online purchase-order system called eRequester (from Paperless Business Systems). In making the buy, he says, he was mindful of Crown Media's plan to eventually swap out the company's Best Software general ledger. "We wanted a [PO] system that was open," he explains, "one that would work with whatever general ledger we went with."
Such an approach, while prudent, raises the obvious question: Why not simply use deployed enterprise software for Sarbox compliance? Indeed, at San Jose, California-based Aspect Communications, controller Bruce Ruberg says the company is addressing Section 404 compliance in tandem with a reimplementation of Oracle 11i. "We're redefining all our business flows, which ties in to the 404 sweet spot," he explains. "It makes sense to do them together."
Turned On
Certainly, integrating Section 404 reporting with a company's financial systems would seem to be an ideal approach to Sarbox. ERP vendors have not been shy about playing up the angle, either. Early on, vendors claimed that business users need only turn on the existing controls within their ERP systems to satisfy much of Section 404.
The pitch hasn't gained a whole lot of traction in the marketplace, however. First off, as Van Decker points out, ERP systems can help with the assessment of financial controls—a big task, admittedly—but not necessarily the documentation of controls. And as Hagerty notes, ERP systems come with both inherent controls and configurable controls. Those configurable controls offer a dizzying number of choices. Says Biskie: "There can be a million control options within each process [in an ERP system]. Which one do you choose?"
Even the ERP vendors appear to have backed off their initial "just turn 'em on" approach: in recent months, the major players have unveiled new modules designed specifically for Section 404 compliance. In May, for example, Oracle announced the development of its Internal Controls Manager, an application aimed squarely at Section 404 compliance. Then, in October, PeopleSoft launched its own Section 404 product, called Enterprise Internal Controls Enforcer. And SAP began shipping a similar offering, its Compliance Management for Sarbanes-Oxley Act (part of mySAP Financials), around the same time.
Reader Comments» Post a comment