There’s little doubt that software vendors see plenty of opportunity in offering products that ease the pain of Sarbanes-Oxley requirements — or that claim to, anyway. A recent Internet search on “Sarbanes-Oxley software” garnered almost 80,000 hits, while a search on the broader “compliance software” racked up more than 10 times as many.
Part of the reason is that, as Forrester Research Inc. has noted, such software can include everything from content management to analytics to a range of enterprise applications, and many combinations thereof. That can make choosing the right software difficult. Add to that the fact that, as Forrester points out, products differ enormously in terms of integration, collaboration, reporting/monitoring, and user interfaces, and you have a shopping nightmare.
Enter Paisley Consulting, itself a maker of compliance software. The company, in conjunction with four partners, is offering what it dubs the “2006 Sarbanes-Oxley Compliance System RFP Template,” a sort of über-checklist that helps corporate customers home in on their business needs before commencing a round of RFPs from vendors. Marty Clough, product manager at Paisley, in Cokato, Minn., says, “The template gives organizations all the criteria they need to be sure the vendor will deliver.”
The good news is that the template is free (www.soxrfp.com). With it, a business can narrow the field of candidates in about a month, versus the usual six to eight months, claims Christopher Sprague, director of compliance solutions at Hopkinton, Mass.-based EMC Corp. The bad news? Gratis or otherwise, the template is mostly a vendor-driven product, with input from EMC, Parson Consulting, Paisley, and the compliance industry-backed Alliance for SOX 404 Compliance, although the not-for-profit Institute of Management Accountants also had a hand in its development. What’s more, the RFP template only reduces the number of contenders; it doesn’t provide a clear winner. And while the template is well suited to weeding out applications that may not be a good fit with a business’s needs, it’s not as helpful in eliminating programs that fall short in functionality. “That’s because two vendors truthfully may claim to have the same feature or function,” explains Robert Kugel, vice president at Ventana Research, “but one may be inadequate for what a specific buyer needs.”
Some of the RFP template’s questions are, by necessity, broadly worded, says Kugel. “The template is a necessary first step,” he says, “but people should understand it is only the first step.”
Despite those caveats, the RFP template can prove useful — particularly for CFOs at companies with limited in-house IT expertise. The boilerplate includes evaluation sections on vendor history, product functionality, technology standards, company vision, and training and implementation. Anne Marchetti, global practice director in the governance and risk-management practice at Parson, says the RFP template is intended to simplify the purchasing process, not solve it, by providing “an objective evaluation or scoring tool.”
Kugel warns that the RFP template is not a magic bullet, nor is any software purchased with or without its help. “Buying Sarbox software without understanding the factors that drive compliance costs is doing the proverbial ‘paving over the cow paths,'” he says. “Or worse, erecting a monorail over the cow paths.”