
Written by Mike Davis, July 2004

TA000590COP

Intelligence

Butler Group Subscription Services

Compliance
TECHNOLOGY AUDIT
HandySoft SOXA Accelerator Version 2.0

Abstract

HandySoft's Sarbanes-Oxley Act (SOXA) Accelerator is intended to address the on-going assessment and reporting of the business unit controls required under sections 404 and 302 of the Act. By integrating its best-of-breed BizFlow Business Process Management (BPM) tool with the presentation, collaboration, and communication features of Plumtree's corporate portal, HandySoft has created a rapidly deployable solution that can be run by business users. The use of templates and the roll-up is particularly impressive, and the solution will be of benefit to all US listed companies, and others that wish to monitor and improve the processes of their business. Two direct business benefits are the meeting of statutory responsibility and the avoidance of potential damage to corporate reputation. This is a well thought out and intuitive application, which can be rapidly implemented, but the company must ensure thorough awareness and training for it to be effective.

KEY FINDINGS
- Potential of very rapid deployment.
- Attestation is both simple and auditable.
- SOXA compliance requires organisational training and awareness in addition to the technology.
- Graphical development interface suitable for non-IT users.
- Exploits best-of-breed technologies.
- Built upon respected BPM platform, and simple user interface.

LOOK AHEAD
The SOXA Accelerator is just one of a range of business solutions that can utilise the BizFlow BPM platform, along with Plumtree's collaboration and interface. This could be an ideal tool for addressing pending European and UK legislation for reporting and auditing.

FUNCTIONALITY
The Sarbanes-Oxley Act 2002 (the Act) was introduced in the wake of the high-profile financial scandals surrounding a number of US businesses, the most notable of which were Enron and WorldCom. The Act imposes new duties and restraints on directors and officers of public companies with the intention of promoting corporate responsibility. Companies have enhanced obligations on the disclosure of corporate information, are required to document the controls on processes, and attest, on a quarterly basis, to the application of those controls.

The Act applies to both US and non-US companies. More specifically, it applies to any company (including a foreign company) that has securities registered, or is required to file periodic reports, with the US Securities and Exchange Commission (SEC). However, the Act may also apply to any privately held companies, which have registered with the SEC for a public offering.

Section 302 of the Act requires that Chief Executive Officers (CEOs) and Chief Financial Officers (CFOs) certify personally, on a quarterly and annual basis, the accuracy of their organisation's financial results. Section 404 of the Act requires that the company reports annually on the effectiveness of its internal controls and the reporting processes that underpin the information provided by the financial results. Section 404 also states that the company's auditors attest to the accuracy of both the information, and the process and the controls.

Under the terms of Section 906 of the Act, a person who knowingly files an inaccurate certification, i.e. the CEO or CFO, is subject to a fine of up to US$1 million and/or imprisonment for up to ten years. However, if a person wilfully violates this requirement of the Act, then the maximum punishment is more severe: fines of up to US$5 million and/or a jail term of 20 years are contemplated.

Whilst the requirements of the Act apply to US-based and listed companies at present, from June 2005 companies from other countries with US listings will also be subject to the Act. The European Union is currently developing an equivalent piece of legislation to apply to all EU listed companies, and the pending Companies (Audit, Investigations and Community Enterprise) Bill will require similar compliance in the UK. [1]

Product Analysis

HandySoft's SOXA Accelerator version 2.0 enables a company to build a control framework for the organisation, and to evaluate and report on those controls, in order to meet the statutory requirement for sign-off on the control environment once per quarter. In most companies, meeting the requirements of SOXA necessitates the delegation of the sign-off of controls and processes down to business units, and a formalised and managed process of Roll-up of sign-offs from the lowest level so that the CEO and CFO can sign off for the company.

SOXA Accelerator combines HandySoft's BizFlow Business Process Management (BPM) package with Plumtree's Corporate Portal technology for access/presentation, repository, and collaboration.

[1] For more details on the background to and implications of the Sarbanes-Oxley Act, with focus on the issues for the CIO/CTO, please reference Butler Group Reports Solutions for Compliance and Information Legislation and Regulations both published in June 2004.

Butler Direct Limited

Building a SOXA solution on an intuitive, Web-based collaborative platform is important, as many of the team involved in a 404 assessment may not have worked together before, and may in fact be in multiple locations, and the environment needs to facilitate them undertaking their roles without these being a burden.

Figure 1: SOXA Accelerator Architecture

Enhancements over Version 1.1, which was released in 2003, include:
- Revised Section 302/404 Roll-up and certification enforcement.
- Increased visibility and reporting of financial data.
- Improved administration interface.
- Advanced Reporting.

Product Operation

Within the structured approach of the SOXA Accelerator, there are a number of predefined roles, based upon best practice, appropriate to the tasks that need to be undertaken:

- 404 Assessment Project Lead: This person creates the Project (404 Assessment) for a business Unit/Location based upon a pre-existing template. She/he assigns access rights for other roles in the project, and defines significant accounts and processes, assigning Process Owners and Process Evaluators for each process.
- Account and Process Approver: This person is defined by the Project Lead and has the role of approving accounts and Processes mapping.
- Process Evaluators: These define Control Objectives, Risk, and Controls for each process. They assess if Controls exist, whether the documentation is adequate, and if there are compensating controls. The Process Evaluator also defines the segregation of duties within the project, and determines if the Control Objectives are met (by Process) after all of the controls have been evaluated.
- Process Owner: Approves the Control Objectives/Risk/Control mapping.
- Control Evaluators: These persons evaluate the Controls, determine if Controls need to be tested, and approve test results for Controls. They define issues, recommending actions, and approve actions taken for an identified issue.
- Control Testers: The role is self-explanatory: they test the Controls and document the test results, and attach test plans to the reports.
- 404 Assessment Approvers: These are either determined by the 404 Assessment Project Lead, or set at a corporate level. There can be up to three approvers for any process. The role of Approvers is to sign off on the Control Objectives for each process.
- Roll-Up Lead: This person initiates the 302/404 Roll-up, either manually or through a schedule. He/she also defines the Corporate Approvers for the roll-ups.
- Roll-Up Approvers: There are up to three approvers per Business Unit that complete the Management Questionnaire and the Certification Statement for the 302/404 Roll-up. All are assigned to the Business Unit user group, and defined within SOXA Administration.

In a smaller organisation, some of the roles may be given to the same person; however, the detailed process control within SOXA Accelerator and the audit trail ensures that there is no compromise in the veracity of the project.

Users in all roles have the opportunity to document issues within the reporting/Roll-up project, to resolve any issues, and to Check In/Check Out Documents. There are also dashboard and reporting tools from Business Objects (formerly Crystal Reports technology) within SOXA Accelerator to highlight to users, in context, the progress of the project(s) and any outstanding tasks.

In establishing a project each company uses Master Templates that come as part of the SOXA Accelerator, to rapidly establish the Section 404 assessment regime. Authorised users can create, modify, or delete templates. They can create associations between the data captured in the master tables. In subsequent assessments, previously amended templates that are company specific and approved by the auditors can be copied, providing an iterative framework for refinement of the Section 302/404 projects. Templates include detailed descriptions of the Control Activities to be undertaken at each stage, including the test procedures.

As a project is established, the assessment criteria are defined in a structured form, including the timeframe for reporting, the Business Units to be assessed, User groups that are allocated tasks, the access control rights for each group, and the number of approvers required. The selections are made from pre-defined drop-down menus. Testing schedules can also be defined, including start and end dates, frequency of testing during the period, Timescale for control tests, the Assigned Tester, and the Test Effectiveness Type. Again all selections are made from drop-down menus.

As the project progresses tasks are allocated to each of the roles, and the users in those roles, as defined by the process flows. Each has a My Tasks screen listing:
- Outstanding Activities.
- Description of the Activity.
- Date created.
- Urgency.
- Deadline (date).

As each task is addressed or completed, assessors can identify and record issues, and attach relevant documents if appropriate. Along with the process details, these are saved to an audit trail for managers, auditors, and regulators.


For allocated managers, and auditors, there is the ability to search for assessments of processes and to view any issues that have been identified, as each Control has been signed-off. Through the use of Business Objects technology, dashboards showing high-level graphical views of all projects are available to appropriate users. Details that can be displayed at any point in the project include:

- Documentation status showing the percentage completed.
- Testing and Evaluation status showing:
  - Controls evaluated and tested.
  - Controls evaluated and never tested.
  - Controls never evaluated or tested.
  - Controls tested, but not yet evaluated.
  - Controls testing in progress.
- Assessment status showing:
  - Completed assessments.
  - Incomplete assessments.
- Process assessment, by process, with the ability to drill down to evaluator and completion date.

The interface allows users to identify at which point they, and where appropriate their subordinates, are in the process, including the start and finish dates of all activities, and the responsibility for each of those activities.

Figure 2: Defining Accounts and Processes

The solution includes a Knowledge Centre, which all the company's users have access to by default. It includes a community calendar, discussion threads for the posting of topics and replies, an announcements area, whether for SOXA or the company as a whole, and the ability to upload document templates to be used for Control Documentation.

Butler Group believes that a key differentiator of SOXA Accelerator is the ability to modify processes during reporting operation. This may be necessary, for example, if there is a reorganisation of departments during the project. Participants and activities can be changed, added or removed. The solution, however, still maintains a full audit and reporting trail to ensure transparency.

Product Emphasis

Version 2.0 of HandySoft SOXA Accelerator has been developed with a number of respected auditors. The solution is flexible to support the different methodologies of the Big-4 auditing firms such as Ernst and Young, and Deloitte and Touche, as well as the Committee of Sponsoring Organizations (COSO) methodology.
- Ernst and Young.
- Deloitte and Touche.
- GR Group.
- Crowe Chizek.

Butler Group believes that a key benefit to HandySoft's approach with SOXA Accelerator is the high degree of automation, removing as many of the potential points of human intervention as possible, and thus opportunities for error.

DEPLOYMENT
HandySoft SOXA Accelerator Version 2.0 includes:
- HandySoft BizFlow software with the defined workflows, the applications, and the administration functions.
- Plumtree Portal, collaboration, and Document Management.
- Business Objects 10 (Crystal Reports).

Professional services staff, from either HandySoft, or its certified partners, normally undertake the deployment of SOXA Accelerator. A typical deployment time for the technology is quoted as two weeks, which includes the installation, configuration, data loading, and training. Once deployed the company will require a small level of IT resource to undertake administration and configuration changes as required. Training for deploying companies is provided on-site, on a train-the-trainer basis, creating a core group of experts for the company.

It should be noted that whilst the physical deployment of the technology is rapid, a comprehensive documentation of the controls is required first, and the appropriate people need to be trained prior to roll-out, otherwise the solution will not be able to successfully meet the requirements of SOXA, and the company will not be compliant.

The currently supported platform for SOXA Accelerator is Microsoft Windows Server 2000/2003, with Apache Tomcat, and either Oracle 9i or Microsoft SQL Server 2000 databases.

Technical support is provided via a dedicated Web site and Helpdesk access, operating Monday to Friday. Standard support is provided 08:00-17:00 US Eastern Time (ET); Extended Support is provided 06:00-20:00 ET. Maintenance and standard support is charged at 20% of the solution cost per annum.

PRODUCT STRATEGY
SOXA Accelerator 2.0 was released in April 2004. It is horizontally applicable in that a SOXA solution is required by any publicly listed company on the US Stock Exchange, although it is expected that companies will be in excess of 25 persons.


Pricing for SOXA Accelerator starts at US$45,000, and increases based upon the number of users. Services, including training, are normally charged at a set fee. Any company specific customisations and enhancements are priced as additional costs.

HandySoft is currently developing a Lite Enterprise Risk Management (ERM) Module to be released within six months. It also aims to provide within the next year, applications built around templates similar to its currently available AP Accelerator for Accounts Payable, to improve areas of control deficiencies and process improvement across finance and audit organisations, such as:
- Internal Control Auditing Work Papers.
- 409 Event Management.
- Procurement and other Finance applications.

HandySoft also intends to support IBM WebSphere as a deployment platform.

COMPANY PROFILE
HandySoft Corporation has its global headquarters located in Seoul, Korea. US headquarters are located in Vienna, Virginia, and there is also an office in Lisle, Illinois. It has regional offices in London (covering EMEA), Sydney, Australia (covering Asia-Pacific), and HandySoft Japan is located in Tokyo.

The company was founded in 1991, and has concentrated on delivering innovative productivity solutions for commercial and government marketplaces. Its US operation is privately owned, and HandySoft Korea is publicly traded on the Korean stock exchange. HandySoft has more than 300 employees worldwide, with 117 in the US and the UK, 41 of which are deployed in Research and Development. In April 2004 the company announced a 40% quarter-over-quarter revenue growth for Q1 2004.

HandySoft has built upon the foundation of BizFlow, its platform for BPM, workflow automation, and collaboration, to automate and simplify processes, enforce best practices, improve quality and productivity, and to foster collaboration internally as well as with customers and partners.

Key technology partners for HandySoft are:
- Plumtree.
- Business Objects.

HandySoft has more than 350 customers worldwide, which reportedly comprises 2.6 million user seats. It has recently signed contracts with a range of companies to implement both SOXA Accelerator, and the AP Accelerator. Its customers include:
- Continental Teves.
- Department of Fisheries and Oceans of Canada.
- National Institute of Health.
- National Institute for Standards and Technology (NIST).
- QBE Insurance Australia.
- Stolt Nielsen.
- LOGS Financial Services.
- United Way.


SUMMARY
HandySoft SOXA Accelerator version 2.0 offers a Web-accessed solution for companies addressing the process and reporting requirements of the US Sarbanes-Oxley Act 2002. Using best-of-breed technologies from HandySoft, Plumtree, and Business Objects, and a design developed in conjunction with respected audit firms, it provides a highly automated, and template-driven environment for Section 302 and 404 Roll-ups. It includes detailed delegation, audit trails, and reporting. Detailed comments and issues can be included throughout, and relevant documents can be attached at any point. This provides both a comprehensive and transparent picture for the board, auditors, and regulators, with the ability to drill down from the dashboard to an individual process. The intuitive interface, and highly functional design should enable companies to rapidly deploy the solution, but the training and awareness of staff to undertake the respective roles should not be underestimated. A thoroughly thought out solution, encapsulating best practice, it is applicable to any company that is US listed. Butler Group believes that SOXA Accelerator is a first-rate tool to help address the requirements of Sarbanes-Oxley.

CONTACT DETAILS
Regional HQ EMEA
HandySoft Global Corporation
288 Bishopsgate
London EC2M 4QP
UK
Tel: +44 (0)207 9593042
Fax: +44 (0)207 9593041

www.handysoft.com

HandySoft Global Corporation
1952 Gallows Road
Suite 100
Vienna VA 22182
USA
Tel: 703.442.5600
Toll-free: 800.753.9343
Fax: 703.442.5650

Important Notice:

This report contains data and information up-to-date and correct to the best of our knowledge at the time of preparation. The data and information comes from a variety of sources outside our direct control, therefore Butler Direct Limited cannot give any guarantees relating to the content of this report. Ultimate responsibility for all interpretations of, and use of, data, information and commentary in this report remains with you. Butler Direct Limited will not be liable for any interpretations or decisions made by you.

About Butler Group:

Butler Group is the premier European provider of Information Technology research, analysis, and advice. Founded in 1990 by Martin Butler, the Company is respected throughout the business world for the impartiality and incisiveness of its research and opinion. Butler Group provides a comprehensive portfolio of Research, Events, and Subscription Services, catering for the specialised needs of all levels of executive, from IT professionals to senior managers and board directors.

Europa House, 184 Ferensway, Hull, East Yorkshire, HU1 3UT, UK
Tel: +44 (0)1482 586149
Fax: +44 (0)1482 323577
www.butlergroup.com

For more information on Butler Group's Subscription Services, contact:
