Microsoft, Oracle Target Sarbanes-Oxley

The two software makers recently released products that help companies meet Section 404 of the act, which mandates that companies attest to the adequacy and efficiency of their internal controls and processes. Microsoft's Office Solution Accelerator for Sarbanes-Oxley also addresses Section 302, requiring "C" level executives to certify their company's reported results.

"Section 404 is where most companies are spending their time and money," said Steve Miranda, vice president of financials applications development at Oracle, Redwood Shores, Calif. "It's what gives teeth to the mandate for realtime disclosure."

Under Section 404 of Sarbanes-Oxley, companies must document all internal processes that could affect the bottom line. These can include the flow of work related to travel expenses, accounts payable, procurement and even quality assurance. But 404 doesn't stop here. Sarbanes-Oxley also demands that companies identify possible risks--such as the potential for fraud or substandard parts--create controls to mitigate each threat, and document those controls, as well. Section 404 also gives companies a mere 48-hour window to disclose material events that could affect their financial well-being.

Microsoft's latest Solution Accelerator--based on Microsoft Office and integrated with Microsoft Windows Server 2003, Windows SharePoint Services, Office InfoPath 2003 and SQL Server 2000--addresses these recurring needs of internal control documentation, monitoring and testing. Microsoft now says this downloadable add-on, comprised of sample code, templates and other customizable functions, is free to all Microsoft Office system customers. The Redmond, Wash., company previously had offered free use of its accelerators to Software Assurance licensees.

Aimed at channel partners and corporate customers customizing Office to Sarbanes-Oxley requirements, the accelerator enables companies to define document types (such as process, risk and control) and their properties. Partners can make use of XML to capture and report document properties, store reference material in a shared document repository, and capture and report modifications. The software also provides an audit trail of changes, according to Microsoft.

Companies can use Microsoft's Sarbanes-Oxley software to customize workflow for each document type, alert workers via e-mail when documents have been created or modified, and display a graphical representation of a document's status. The latter feature, for example, can show if a document remains a work in progress and if it can be considered "effective," based on Sarbanes-Oxley's definition.

Oracle's version 2.0 of Internal Controls Manager operates higher up the food chain and, at $30 per company employee, commands a decidedly higher price. Miranda said Oracle has no reseller arrangement for Internal Controls Manager, although channel partners will receive a commission when they influence a deal. "Over 75 customers are already on the first version," said Miranda of Internal Controls Manager. "Version 2 is based on features our customers wanted to improve efficiencies around process, document and risk assessment."

Part of Oracle's e-Business Suite, the financials application now supports regional variations for such processes as withholding taxes, bills of receivables or different lines of business. In addition, customers now can upload risk libraries developed by each of the Big 4 audit firms. When uploaded, each industry-specific library can be mapped to a company's internal controls and can associate corresponding risks to the different business or financial processes. Once that mapping is complete, companies can define the controls they will use to mitigate each risk.

Another new feature: tighter integration with Oracle's project management application, making it easier to divide and manage the efforts of organizations' Sarbanes-Oxley compliance teams. This feature also allows auditors to record their evaluations of their clients' processes, controls and risks. In addition, the new version now enables business managers to certify their processes and then distribute their certifications to others in the control hierarchy.