Last week, we reported that $25.1 billion PepsiCo had purchased internal control and assurance software from Nth Orbit. That news was followed by an announcement a few days ago that $24.6 billion Viacom will use OpenPages' SOX Express for Sarbanes-Oxley compliance.

Amidst these and other internal control software announcements, we decided to ask industry expert and AMR Research Vice President John Hagerty about the market:

QUESTION 1: Last week, Nth Orbit and OpenPages each announced large customers. Are these announcements a coincidence, or are you starting to see the big companies make a shift in terms of adoption of 404 technologies?

Coincidence? Not really.

Companies are making decisions on Sarbanes Section 404 software on an ongoing basis. I am working with a lot of firms — not all the same size as these — on their strategy and what and when they should purchase.

If you look at the "replacement" market and introduction into the market of the major software companies (see Question 4, below), there will be a significant Year Two response to SOX to make it repeatable, sustainable, and cost-effective.

QUESTION 2: In early December, CIO Magazine reported that — contrary to original expectations — SOX 404 wouldn't require CIOs to perform heroic feats of integration or "spend fortunes on software." Does that run counter to the moves by PepsiCo and Viacom?

When I read that article, I thought the author started with a flawed premise: huge amounts of technology and software would be needed to comply with Sarbanes-Oxley.

If you envision Mt. Everest as the task, but instead discover that it's really Pike's Peak, it will seem small in comparison. But it's still a big mountain to climb.

WHO'S USING WHOM?

This chart includes recent customer announcements from vendors offering SOX 404 solutions:

| Provider | Customers | Product |
| --- | --- | --- |
| Axentis | Bombardier, Rockwell Collins, BP | Axentis Enterprise |
| Cartesis | Sun Chemical, Ernst & Young | Magnitude |
| Movaris | Procter & Gamble, Sun Healthcare, Crown Media Holdings, Electro Scientific Ind. | Certainty |
| IBM | Huntington Bancshares | Lotus Workplace for Business Controls and Reporting |
| Nth Orbit | PepsiCo, Tarrant Apparel, Others | Certus Software |
| OpenPages | Viacom, Computer Sciences Corp., Ambac Financial, Vodafone | Sarbanes-Oxley Express |
| Oracle | U.S. Restaurant Properties, ViewSonic, CSX Transportation | Internal Controls Manager |
| SAS | Merrill Lynch | SAS Corporate Compliance for Sarbanes-Oxley |

Note: Other 404 providers, including Handysoft, Open Text, ProActivity and others did not provide customer lists or did not return calls by CW press time. Source: The companies and press releases.

When we started writing about this, we knew there would need to be IT work, but companies told us pretty quickly they needed to fully understand the business requirements driven from Sarbanes before they could scope a response to it. IT didn't get into the discussions in most firms until the second half of 2003.

Do the PepsiCo and Viacom deals go counter to this? Absolutely not. Those firms chose a buy vs. build approach to solve this problem. I have been working with a very large pharmaceutical company recently. They adopted a framework from an auditor, but discovered that:

it was not a real software product;

it was not supported technically; and

it would not be upgraded in the future.

Based on that, [the client] then had — by his own estimation — a $1 million expense line to keep it going. His concern: How to transition this, after Year One, to a maintainable, supported and performing system for ongoing work?

Since the start of the year, we are hearing more from IT about their specific role in all this. As SOX compliance goes from tactical response (finance-driven) to strategic plan (enterprise-based), more constituencies — in particular, IT and the CIO — are becoming very vocal participants in future decisions on how to create that repeatable and sustainable compliance regimen that manages all compliance-related initiatives.

They're starting to plan for this at an IT architecture base, so that responses to future mandates will be swifter and less cost-intrusive.

QUESTION 3: Last month, PwC sold its BPM software unit, Cartesis, to a group of private equity firms. The move was driven largely by SOX's non-audit services ban, which prevents auditors from performing financial information systems design and implementation for audit clients. Do you see Cartesis and/or other similar spin-offs from the Big Four having an impact on the market?

I'm not aware that other Big Four firms have spin-offs they might need to take care of.

Cartesis is an interesting story. Here in the U.S., it's been relatively unknown. But it is Hyperion's biggest and thorniest competitor in Europe, with a dominant presence in its home country of France.

In 2003, they started a more aggressive North American sales and marketing effort to get their name out and to compete in deals. The FUD ["Fear, Uncertainty, and Doubt"] thrown out by competitors was its ownership, and how it had to change.

It took a few quarters longer than they had hoped, but with the deal being announced in December and closing in January, they've put that issue behind them. When the requirements come down to financial reporting, legal and management financial consolidations, and planning/budgeting, Cartesis will be in the mix as companies evaluate their options. Cartesis should be able to capitalize on its clear ownership status to gain business here in the U.S.

QUESTION 4: The biggest software players — including IBM, PeopleSoft, Oracle and SAP — have each unveiled internal controls solutions or modules, but have been relatively silent since then. Do you have any insight into how those solutions are being perceived and/or adopted in the market?

Don't forget Microsoft too!

Oracle's product has been out and available since the fourth quarter of 2003. SAP is in early customer adoption now; PeopleSoft is due in Q2 '04. IBM has not yet announced a release date, but Microsoft's first version will ship in mid-March.

People are evaluating the products available now and are starting to use the ones that are out.

EDITOR'S NOTE

According to a recent survey by Financial Executives International, only 25 percent of responding companies had already deployed a permanent technology solution for Section 404 compliance.

Another 52 percent of companies planned to deploy their solution sometime during 2004, and 10 percent plan to deploy after 2004.

Almost 14 percent of the companies had no specific plans to implement a solution tool.

But the timing of these other releases indicates that these vendors believe there is a significant market segment that hasn't bought yet, and they'll be looking to buy and implement as they move into Year Two work — specifically to make the Section 404 work repeatable and cost effective.

A huge number of companies used the frameworks delivered by auditors, but they require a lot of effort and brute force to even consider using them on a continuous basis. This is the "replacement" market everyone — including the independent vendors — has their eyes on.

We recently wrote a report that included the following:

One-third of the companies we interviewed purchased a new tool to manage documentation and/or the whole compliance process, with another third planning to buy a tool in the future. The rest expect to use their existing systems. Among those planning to buy a tool, a few said they would wait a year, even two, until newly introduced frameworks are better developed and more functional.

QUESTION 5: We reported last week that the SEC was considering, yet again, delaying the SOX 404 deadline. If the deadline is pushed out, do you think the technology acquisition rate would be affected?

This is a tough one to predict.

If the enforcement date shifted to the end of the year, I don't think it would have significant impact, as Calendar Year End companies tell us they'll be done their first phase work by June 2004.

There's not a lot of time to react.

If it's pushed a year, I think it will take the wind out of the sails for a lot of companies and they'll finish up what they're doing and wait to see exactly what the PCAOB standards will be and how it will affect them.

If the PCAOB sets a high bar — as it probably will — it could add fuel to a highly structured approach to Section 404 documentation, which should benefit technology-based products. But that's a lot of "ifs" and "maybes" to predict what will happen.

QUESTION 6: Of the internal control weakness disclosures tracked by Compliance Week, most are related to four issues: insufficient inventory controls, misapplication of GAAP, finance department understaffing, and issues with revenue recognition. When companies are conducting due diligence on the 404 vendors, do you get the sense that they're going into the process with those four issues in mind? Is there a disconnect between the needs of the market and the solutions being offered?

I don't believe these issues are front of mind with evaluators of 404 software.

Why? The 404 stuff documents the processes you go through to define the processes, identify the risks, stipulate the controls to mitigate those risks, and prompts for testing of these controls. They don't go after specific content, i.e. inventory, revenue recognition, etc.

QUESTION 7: All indications are that the SOX 404 tests are going to be difficult to pass. How closely are companies working with their auditors on vendor-selection and solution-implementation issues?

Auditors are the number one influencers when it comes down to what approach they should be taking. So auditors are advising, not directly recommending.

Some companies — specifically the IT people in the organization — have been reluctant to ask the auditors for fear of what they'll hear.

But our first comment to everyone we advise: "Talk to the auditors about what they expect."

For the most part, companies are doing this.

Thanks John.