ConTrak SOX - Whitepaper - Reducing the Cost of Compliance

Introduction
The wave of corporate scandals that followed the implosion of Enron and MCI in 2001 ushered in a deluge of corporate governance requirements that have fundamentally changed the US accounting landscape. The Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley) constitutes broad legislation that addresses the corporate governance problems that emerged during the late 1990s. For many public companies, compliance with Sarbanes-Oxley is mandatory - but understanding the extensive requirements of Sarbanes-Oxley can be an intimidating endeavor. Essential to monitoring an internal control framework is the use of technology to automate the business environment to facilitate transparency and auditability. ConTrak SOX (www.contrak.net), from Object Module Inc. (OMI), enables the automation of compliance processes to facilitate rapid implementation, reduced cost of maintaining internal controls, and increased diligence in the company’s compliance regime.
Compliance with Sarbanes-Oxley is neither cheap nor easy. While the requirements defined in Sections 302 and 404 are brief, their respective impacts on the business community are substantial. Companies with extensive, complex, diverse operations need to invest heavily in compliance. Rapidly changing companies also suffer, in that their controls need to be updated almost constantly. The average cost of Sarbanes-Oxley compliance is $4.36 million, according to the Washington Post. [1] The large price tag results from high auditor expectations, minimal PCAOB guidance, and the drastic operational and organizational changes that compliance initiatives often entail.
Section 404 requires that management certify the results of an internal control audit and include the findings in its annual report. Executives are accepting more risk than they have in the past, and as a result they are now personally responsible for the controls reporting and disclosures that their respective companies make. The enhanced control requirements in Sarbanes-Oxley Section 404 (Section 404) mandate a structure for preserving the integrity and reliability of reported financial data. Internal controls must be designed and implemented in a manner that makes them difficult to circumvent. A control framework will never reduce the risk of financial misstatement or fraud completely. However, through the use of automated tools such as ConTrak, a company can implement a more reliable foundation for controls certification and disclosure, as well as the resulting compliance with Section 404.
Related to the requirement for the increased diligence inherent in Section 404 is a requirement that company executives:
- Review financial reports
- Ensure that financial reports do not contain any information that is misleading or untrue
- Assess internal controls, including remediating any deficiencies
- Determine and note material changes to the company’s internal control framework
ConTrak SOX provides a consistent and reliable platform for automating Sarbanes-Oxley compliance. ConTrak SOX simplifies compliance efforts and reduces the total cost of compliance by enabling businesses to automate workflows and document their Sarbanes-Oxley efforts. Further, ConTrak SOX offers compliance functionality that enables the auditability and management of business processes specifically related to Section 302 and Section 404 compliance.
Consistency is fundamental in any Sarbanes-Oxley compliance program. Remaining consistent in controls across the company helps companies develop a control framework that yields predictable and meaningful results that are difficult to bypass. The COSO framework represents a standard in Sarbanes-Oxley controls development and implementation. The COSO framework is used to determine the control and scope, offering a consistent approach to design, development, and implementation. The COSO framework consists of five components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring
Using these five elements, a company can design a control structure that reduces the amount of risk and promotes an internal control environment that ensures the company’s financial statements are properly presented. COSO is an approach; it is not a solution in itself. COSO is the preferred methodology to use in determining the requirements of a company’s internal control framework. By relying on a software-based compliance solution, a public company can configure the solution to meet its specific needs while not eroding the integrity of the control environment.
ConTrak SOX eases the compliance burden by:
- Being scalable to unique company needs
- Enabling workflow management to increase oversight and define controls making them difficult for employees to circumvent
- Providing visibility into the control environment and its constituent control activities
- Providing individual accountability and Role-Based Access Control appropriate to each employee’s responsibilities
- Enabling rapid, consistent, and reliable reporting and auditability

The ConTrak SOX Compliance Solution and why a company needs it
Object Module, Inc. has developed a robust, fully functional SOX Compliance and Document Management application to assist companies in taking control of the requirements for SOX compliance and completing them with a minimum amount of hassle at a reasonable cost.
In the wake of the SOX Compliance requirements, many companies have scrambled around searching for a way to store, maintain, and control their list of risks, controls, objectives and assertions.
Some companies have developed extensive spreadsheets to meet the requirements. Others have developed their own in-house custom applications for this purpose. All in all, each company uses a different way to store and maintain its requirements for SOX compliance, and consistency, security and ease of use have been thrown out the window.
The ConTrak SOX Compliance application will alleviate the headaches of managing and maintaining multiple spreadsheets for tracking all of the necessary compliance information. It will also alleviate any fears associated with developing an in-house solution that might not capture all of the necessary information or appropriately present that information for auditors to review.
One of the largest impacts to companies from complying with SOX requirements has been in the form of dollars. When it is time for a SOX audit, companies must ramp up their internal temporary staffing as well as hire an external audit firm to assist in the onerous task of meeting all the requirements. The costs for the additional staff and the external consulting firm can add up rapidly, and many smaller public companies can barely afford this.
Taking advantage of the ConTrak SOX Compliance application will not only help you organize and streamline the process of gathering all the necessary information, it will save you money. Once you go through the relatively simple set-up procedures and validate that you are capturing all of the necessary information, the audit becomes a fairly seamless and automated process.
Scalability
One of the things most evident about Sarbanes-Oxley is that there is no one standard approach for all companies. What one company does may not fit another company, and the size of the SOX project may also differ greatly. ConTrak SOX is scalable to fit a variety of situations and is robust enough to handle large as well as small scale applications.
One of the most important trends in the software industry is toward software on demand. Software on demand is subscription-based technology offered as a service as opposed to the shrink-wrapped solutions that companies implement and purchase on their own. Software on demand allows companies to purchase and use only what they need, instead of spending excessive resources when they only plan to use a portion of the licenses or functionality. The use of software on demand helps keep the cost of compliance down, and the vendor provides an affordable compliance framework through economies of scale.
The advantages of software on demand reach further than ease of deployment and operational efficiency. With on-demand software, compliance through technology becomes profoundly easier to manage. Based on the ASP/MSP business model, software providers now offer software as a service, reducing the costly maintenance and resource challenges involved with maintaining a solution in house. Software can be accessed by employees as needed. The vendor owns the complexity of managing the environment, applying upgrades, and handling support.
ConTrak SOX helps public companies transfer the cost of compliance through an on-demand software platform focused singularly on efficient, effective Sarbanes-Oxley compliance. Through the on-demand model, ConTrak SOX enables companies to subscribe only to the software and functionality they need. Furthermore, companies can scale their use of ConTrak SOX easily, since OMI manages the IT infrastructure environment for them. To expand their use of ConTrak SOX, subscribing companies have to do nothing more than pick up the phone.
While the software on demand model can be particularly effective in rapidly implementing controls, some companies prefer to keep all mission-critical control systems in house. While a generic control solution can be particularly effective for companies that do not want to invest extensive resources in compliance, companies that perceive their control frameworks as mission-critical or as a competitive advantage will want to keep compliance solutions in-house.
ConTrak SOX is available both as an on-demand solution and as a local installation for clients that want to manage the application themselves. Consequently, ConTrak SOX can represent a rapidly implemented compliance solution provided as an online, on-demand software application, or it can be implemented in a company’s own hosting environment. This flexible approach to implementation enables companies to expand or contract their control investments based on specific company or auditor control requirements.
Workflow Management
The use of collaboration and document management features enables employees across the company to work together on control initiatives ensuring a higher level of consistency. Collaboration also reduces the cost of compliance, as documents and compliance strategies can be communicated more effectively across business units, resulting in reduced redundancy of work and an implicit consistency of standards and methodology.
ConTrak SOX provides functionality to all levels of the corporation to facilitate the implementation of compliance and control measures. ConTrak SOX facilitates the management of the control environment for the overall corporation as well as individual business units and subsidiaries.
ConTrak SOX enables the management of internal controls comprehensively, through the central inventorying and reporting of the entire company’s risk assessment results. The emphasis on centralized management and control enables a company to align its control objectives (stored in ConTrak SOX) with the actual control measures implemented at all levels of the company.
Visibility
In order to comply with Sarbanes-Oxley, controls must be implemented across the company (broadly) and into the core operations of the business (deeply). ConTrak SOX provides this scalable functionality on a rapidly implementable platform.
ConTrak SOX provides an enterprise-wide view of a company’s overall control environment, as well as the individual components that comprise the control environment. ConTrak SOX compliance management functionality provides tools for monitoring the effectiveness of controls, tracking the controls inventory, and updating controls to ensure their continued relevance.
Control objectives, accounts, and risk mitigation strategies are managed in ConTrak SOX at the corporate level, allowing a company’s central compliance resources to create control types, group specific controls by business unit or subsidiary, and assign them to the appropriate subordinate organizations in the company.
Fundamental to effective Sarbanes-Oxley compliance is the effective management of the broader compliance initiatives companies have in place. For example, every A/R control that a company has rolls up to the effectiveness and completeness of the overall A/R control environment. Likewise, all control initiatives that a company pursues ultimately roll up to quarterly and annual reporting efforts. To account for the aggregation of control tasks into broader initiatives, ConTrak SOX facilitates the grouping of specific control tasks (processes and sub-processes) into compliance "Initiatives". The use of Initiatives allows a compliance owner to track company progress toward specific control objectives. The sign-off feature ensures that all components of an Initiative are complete before the Initiative itself is signed off.
The management of controls may roll up to the corporate leadership level, but responsibilities for compliance and controls management reach lower into the organization. Typically, subsidiaries are responsible for implementing their own compliance measures, as long as they adhere to corporate control standards. With ConTrak SOX, this dynamic is supported and streamlined.
ConTrak SOX offers functionality that is targeted at business units and subsidiaries. Components of a larger organization often have specific control needs that are much more granular than those of the overarching business. ConTrak SOX meets these business unit and subsidiary requirements through specific functionality that dovetails with the broader compliance management features described above.
Subsidiaries and business units tend to have their own business processes. The logical division of a larger corporation into specific business units or subsidiary businesses typically entails a difference of purpose or strategy for each of these constituent units. As a result, these business areas have different control needs. To comply with Sarbanes-Oxley effectively, these subordinate units need to control their own business processes. Generic corporate templates are ineffective in that they may not reflect each business unit’s actual approach to the market, but any business unit’s account-specific controls must be consistent with enterprise-wide control objectives and company control methodologies.
Individual Accountability
Effective control and Sarbanes-Oxley compliance reaches down to the employee level. Within departments, management and individual contributors must ensure that controls are relevant to their daily business activities, and once implemented, employees need to adhere to the control framework adopted by the company.
At the subsidiary/business unit level, accounts can be assigned to specific business units for control and responsibility. Consequently, business units can be held accountable for the controls they have to develop to preserve the integrity of their accounts. ConTrak’s corporate-level functionality can be used to view the aggregate results and accountability framework of the controls assigned to specific business unit and subsidiary accounts.
Role-Based Access Control (RBAC) governs who can use ConTrak SOX, as well as the specific functionality each employee can use. Instead of managing access on an employee-by-employee basis, though, ConTrak SOX allows a company to assign users to groups characterized by similar ConTrak SOX access rights (i.e. roles).
Reporting and Auditability
ConTrak SOX has a robust reporting framework that allows a company to monitor the information collected in ConTrak SOX and communicate it to compliance stakeholders across the company. By aligning with the COSO methodology, ConTrak SOX facilitates rapid, cost-effective compliance. With software on demand, the share of the compliance effort that the company must cover on its own is reduced significantly, because ConTrak SOX contributes much of the control environment out of the box.
To enable business units and subsidiaries to manage their control environments effectively, ConTrak SOX enables subordinate organizations to document and report on their own processes. Like the Initiatives functionality at the corporate level, ConTrak SOX’s business unit functionality withholds sign-off on process controls until all subprocess controls have been approved. To support the documentation and auditability of controls, a robust reporting framework provides the evidentiary output needed to monitor and enforce controls across the business units.
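The hierarchical sign-off rule described in the Visibility section (an Initiative cannot be signed off until all of its processes and sub-processes are complete) and repeated here for business-unit processes is easy to get wrong in a home-grown spreadsheet or custom tool. The following is an added example, not ConTrak SOX code or OMI's design: it models a control hierarchy in which leaf controls are approved individually and a parent can only be signed off once every descendant is approved. The names ControlItem, approve, sign_off and the sample "Q4 Financial Close" hierarchy are assumptions for this example.

```python
"""Hierarchical sign-off for compliance initiatives (added example, not product code)."""
from dataclasses import dataclass, field
from typing import List, Optional


class SignOffBlocked(Exception):
    """Raised when a parent is signed off before all of its descendants are approved."""


@dataclass
class ControlItem:
    """An Initiative, process or sub-process in a control hierarchy (assumed model)."""
    name: str
    children: List["ControlItem"] = field(default_factory=list)
    approved: bool = False
    approved_by: Optional[str] = None

    def add(self, child: "ControlItem") -> "ControlItem":
        self.children.append(child)
        return child

    def pending(self) -> List[str]:
        """Names of all descendants that are not yet approved, depth-first."""
        out: List[str] = []
        for child in self.children:
            if not child.approved:
                out.append(child.name)
            out.extend(child.pending())
        return out

    def approve(self, who: str) -> None:
        """Approve a leaf control. Parents must go through sign_off()."""
        if self.children:
            raise SignOffBlocked(f"{self.name!r} has sub-items; use sign_off()")
        self.approved, self.approved_by = True, who

    def sign_off(self, who: str) -> None:
        """Sign off a parent only when every descendant has been approved."""
        blocked = self.pending()
        if blocked:
            raise SignOffBlocked(f"{self.name!r} blocked by: {', '.join(blocked)}")
        self.approved, self.approved_by = True, who


def build_quarterly_close() -> ControlItem:
    """Constructed sample hierarchy: one Initiative, two processes, three sub-processes."""
    init = ControlItem("Q4 Financial Close")
    ar = init.add(ControlItem("A/R"))
    ar.add(ControlItem("A/R - aging review"))
    ar.add(ControlItem("A/R - reconciliation"))
    ap = init.add(ControlItem("A/P"))
    ap.add(ControlItem("A/P - three-way match"))
    return init


if __name__ == "__main__":
    init = build_quarterly_close()
    ar, ap = init.children
    for leaf in ar.children:
        leaf.approve("ar.owner")
    ar.sign_off("bu.controller")
    try:
        init.sign_off("cfo")          # A/P is still open, so this is refused
    except SignOffBlocked as exc:
        print("blocked:", exc)
    ap.children[0].approve("ap.owner")
    ap.sign_off("bu.controller")
    init.sign_off("cfo")
    print("initiative signed off:", init.approved)
```

The check is deliberately performed against the full list of descendants rather than only the immediate children, so a process that was signed off while one of its sub-processes was later reopened would still block the Initiative.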
ConTrak SOX offers rich features for use in managing the company’s overall control environment. ConTrak SOX enables auditors and process owners to organize, assess, and test internal controls. The result is that ConTrak SOX provides a central system for managing all controls. This enables enterprise-wide auditability and control by allowing the audit of a single source, instead of having to manage controls documented across multiple compliance systems.
Document Control and Approval
Document management has emerged as one of the most vital elements of any Sarbanes-Oxley compliance program. Control over documents determines the extent to which due diligence is possible, and it facilitates the management of controls and control testing and the assignment of ownership and accountability, through the preservation of original documents and the tracking of document changes and versions.
Documentation constitutes the core of Sarbanes-Oxley compliance activities. Internal controls must be documented, used by employees for business process reference, and reviewed by auditors to ascertain compliance. ConTrak SOX enables the management of the many documents needed for Sarbanes-Oxley, including:
- Control Objectives
- Account References
- Control and Process References
- Controls Testing Plans and Results
- Risk Assessments
- Risk Mitigation Plans
- Audit Results
Documents needed at all levels of the Sarbanes-Oxley compliance process can be managed centrally in accordance with a company’s overall control objectives. Further, each document stored in ConTrak SOX can be associated with specific accounts, controls, control objectives, processes (and subprocesses), and risks defined in ConTrak SOX. Specific Sarbanes-Oxley compliance measures can be managed alongside the documents that support them.
Evidentiary documentation is necessary in order for internal controls to be meaningful. Essentially, controls need to have proof of their effectiveness. The most common form of evidentiary output is the audit trail. ConTrak SOX generates an audit trail of all compliance activity managed through the system including version control, rollback, and historical functions to demonstrate a complete record of control changes. ConTrak SOX automates change while providing the comprehensive audit trail on which auditors rely.
Review and approval represents the core of Section 404 compliance programs. Management systems must have robust review and approval functionality in order to be useful in providing for a consistent control environment. ConTrak SOX’s review and approval functionality ensures that controls are sufficient and that company executives have accepted them for use in complying with SOX. As a Web-based application, ConTrak SOX automates the review and approval process by distributing content across the company, even to remote employees or satellite offices. Enterprise-wide collaboration on controls initiatives is possible, helping distributed companies to participate in controls development and management projects consistently.
ConTrak SOX enables functionality at the individual contributor level through effective RBAC. Individual employees are authorized to use ConTrak SOX based on their roles within the organization. The specific functionality available in ConTrak SOX to employees is restricted based on the roles to which they are assigned, reducing the risk that arises from excessive access rights. ConTrak SOX controls employee access while ensuring that employees can use the ConTrak SOX functionality they need to contribute to the company’s overall control environment.
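The Individual Accountability section and the paragraph above both describe the same mechanism: users are placed in roles, roles carry the access rights, and accounts are assigned to business units so that accountability is scoped. The following is an added example, not ConTrak SOX code or OMI's design, of how such a role-based model is typically implemented and checked. The role names, permission strings, business-unit scoping and the segregation-of-duties pairs are assumptions for this example; it goes slightly beyond the text by adding a check for conflicting permissions held by one person in one unit, which is the kind of review an auditor asks for.

```python
"""Role-based access control scoped to business units (added example, not product code)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Role -> permissions (assumed table). Rights are granted to a role once,
# not to each employee, which is what keeps access reviewable.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer":           {"control:read", "report:read"},
    "control_tester":   {"control:read", "test:record"},
    "control_owner":    {"control:read", "control:edit", "evidence:upload"},
    "bu_controller":    {"control:read", "report:read", "process:sign_off"},
    "compliance_admin": {"control:read", "report:read", "initiative:sign_off"},
}

ALL_UNITS = "*"  # scope wildcard for corporate-level roles

# Permission pairs one person should not hold in the same unit (assumed rules).
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("control:edit", "process:sign_off"),   # cannot edit and approve own control
    ("test:record", "control:edit"),        # cannot own and test the same control
]


class AccessControl:
    def __init__(self) -> None:
        # user -> set of (role, business_unit) assignments
        self._assignments: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)

    def assign(self, user: str, role: str, unit: str = ALL_UNITS) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._assignments[user].add((role, unit))

    def permissions(self, user: str, unit: str) -> Set[str]:
        """Effective permissions of `user` inside business unit `unit`."""
        perms: Set[str] = set()
        for role, scope in self._assignments.get(user, ()):
            if scope in (ALL_UNITS, unit):
                perms |= ROLE_PERMISSIONS[role]
        return perms

    def authorize(self, user: str, permission: str, unit: str) -> bool:
        """Deny by default: only an explicitly granted permission passes."""
        return permission in self.permissions(user, unit)

    def sod_violations(self, user: str, unit: str) -> List[Tuple[str, str]]:
        """Conflicting permission pairs this user holds in `unit`."""
        perms = self.permissions(user, unit)
        return [pair for pair in SOD_CONFLICTS if set(pair) <= perms]


def build_sample_directory() -> AccessControl:
    """Constructed sample assignments used by the demo and the checks below."""
    ac = AccessControl()
    ac.assign("alice", "control_owner", "EMEA")
    ac.assign("bob", "control_tester", "EMEA")
    ac.assign("carol", "bu_controller", "EMEA")
    ac.assign("dan", "compliance_admin")  # corporate-wide scope
    return ac


if __name__ == "__main__":
    ac = build_sample_directory()
    print("alice edits EMEA control:", ac.authorize("alice", "control:edit", "EMEA"))
    print("alice edits APAC control:", ac.authorize("alice", "control:edit", "APAC"))
    print("bob signs off process:   ", ac.authorize("bob", "process:sign_off", "EMEA"))
    print("dan signs off initiative:", ac.authorize("dan", "initiative:sign_off", "APAC"))
    ac.assign("alice", "bu_controller", "EMEA")  # over-privileged assignment
    print("alice SoD conflicts:", ac.sod_violations("alice", "EMEA"))
```

Two design points matter for a controls system: `authorize` denies unless a role explicitly grants the permission, and scope is part of the assignment, so a control owner in one business unit has no rights in another unless a corporate-level role says so.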
Summary
Sarbanes-Oxley compliance is challenging, but it does not have to be insurmountable or overly expensive. The high costs associated with Section 302 and Section 404 compliance result from the extensive measures companies must execute to satisfy the high standards of auditors and the PCAOB. However, Sarbanes-Oxley compliance does not have to be expensive. Through effective planning, the use of innovative techniques, and software designed to expedite the process, public companies can transfer much of the cost and operational challenges of compliance to third-party service providers.
ConTrak SOX represents an on-demand software solution that enables rapid controls development and comprehensive compliance management. With ConTrak SOX, public companies can reduce the cost of compliance substantially. Built for Sarbanes-Oxley, ConTrak SOX consists of flexible functionality that companies can configure to their specific control needs. ConTrak SOX preserves diligence while lowering the cost of compliance.
________________________________________
[1] Silverman, Elissa. "Reining in Risk Turns into Big Business." Washington Post, June 13, 2005. http://www.washingtonpost.com/wp-dyn/content/article/2005/06/12/AR2005061201010_pf.html