What to look for in Sarbox tools

John Hagerty, an analyst at AMR Research, says Sarbox compliance must address three issues. First, companies must make sure they document how things are done. Second, they must make sure their control mechanisms are documented. Third, they need to test and document those tests to show that the controls actually work.

“The way people have been testing is by having a person check the established processes annually, or in some cases even monthly or weekly, and that can be a real time sink,” Hagerty says. Through 2004, companies pushed to accomplish these things quickly under the illusion that Sarbox compliance would be like Y2K—a challenge they could master and then put aside. The reality, however, is that Sarbox is an ongoing and evolving challenge, he says. That’s why there is such a demand for automation and for tools to manage the compliance process, he adds.

Gartner analyst French Caldwell says two other factors that should weigh in a decision are cost and the stability of the vendor. “I advise clients to look first for the basic functionality they need, how long it will take to implement and whether they will really get the benefits they expect at a given price,” Caldwell says. Further, in such a heated market, Caldwell warns that some companies, especially small ones, have a strong likelihood of either disappearing or of being acquired, either of which can affect the value of an investment in an application.

Back to feature: Tools to Master the Sarbanes-Oxley Challenge

About the Author

Alan R. Earls is a technology and business writer based near Boston.