“Compliance solutions” combine document and content management, workflow, and monitoring to help map and follow the required processes for each Sarbanes-Oxley-mandated control. In a recent study, Forrester Research Vice President and analyst Paul Hamerman identified the top nine compliance vendors based on market share and quality, and determined that their products fall into three categories, each with strengths and weaknesses.
- The major ERP vendors: SAP, Oracle and PeopleSoft have products that work if you have their system in place. But their products don’t integrate well with other systems, and they tend to be earlier, less sophisticated releases than other compliance software.
- Integration and content management vendors: IBM and Stellent provide a good technical foundation for mapping processes and tracking compliance, but not necessarily at the depth required to pass the IT audit.
- Sarbanes-Oxley pure plays: OpenPages, Paisley Consulting, Certus and Handysoft have the most comprehensive and user-friendly products. But their ability to integrate with the systems that companies already have in place varies.
The other investment CIOs may want to make is in software that can help automate some of the more complicated controls, such as change management or segregation of duties. IDC Research Director Melissa Webster says that several vendors now make products that can manage companywide application changes with the level of integration necessary to help prove Sarbanes-Oxley compliance. However, CIOs will need to approach each control as an individual project. Applications that can automate controls for, say, change management have been developed specifically for that task, not others. CIOs looking for a single Sarbanes-Oxley application that can manage their audit and automate their controls will probably be looking for a very long time.