Software for Sarbanes

By PETER LOFTUS
DOW JONES NEWSWIRES
THE WALL STREET JOURNAL
April 25, 2005; Page R8

To prove that it isn't issuing paychecks to fictitious burger-flippers, McDonald's Corp. has turned to specialized software.

Like most publicly traded U.S. companies, the fast-food giant has spent much of the past year documenting and testing its "internal controls," or procedures designed to ensure the accuracy of its financial data.

This massive effort was triggered by the Sarbanes-Oxley corporate-reform law of 2002, which among other things requires public companies to submit annual reports on their internal controls to the Securities and Exchange Commission, with the first such reports due earlier this year for many companies. External auditors must review the reports.

At McDonald's, guarding against the possibility of the fraudulent addition of fake names to the payroll is just one example of hundreds of controls that need to be documented to meet the Sarbanes-Oxley requirements, says Chris Jensen, senior project specialist in the company's internal audit and controls group.

To help manage the compliance process, McDonald's purchased software from a small firm called Paisley Consulting, of Cokato, Minn. The software, Risk Navigator, provides a framework for the documentation and testing of internal controls and keeps executives up to date on the process. It also helps store the relevant documents for review by auditors.

Hundreds of other publicly traded companies also have snapped up software to help them cope with the new financial-reporting requirements. Boston-based AMR Research estimates companies will spend some $1.71 billion this year on technology to comply with the regulations. Large companies can expect to spend at least $500,000 on a software package for Sarbanes-Oxley compliance, says Paul Hamerman, an analyst with Forrester Research Inc., a Cambridge, Mass., technology research firm.

Consultants and technology analysts emphasize that while the Sarbanes-Oxley requirements could be met without purchasing new software, companies are finding that that approach puts a severe strain on their resources.

"People realized you couldn't maintain [adequate] control over a bunch of spreadsheets and word-processing documents" without tying up a lot of manpower, says John Hagerty, an analyst with AMR Research. "And that's the part that's causing companies heartburn -- how many people would be necessary to manage the task if you didn't have the software."

Says French Caldwell, an analyst with technology research firm Gartner Inc. in Stamford, Conn.: "At minimum, you need something that's going to help you route all these documents for approvals and sign-offs and so on, and something that will preserve them for your external auditor."

Start to Finish

Software packages have emerged to address several aspects of the Sarbanes-Oxley rules, but Section 404 of the law is the driving force in the market, because meeting its requirements is such a labor-intensive process. This is the section that requires annual reports on internal controls for outside auditors and the SEC. These reports must contain details of procedures used to ensure the accuracy of financial reporting, as well as an assessment of the effectiveness of these measures.

Major software makers such as International Business Machines Corp., Oracle Corp., SAP AG and Microsoft Corp. have added Sarbanes-Oxley software to their lineups of business technology. The legislation also has spawned start-ups that specialize in such software, and has prompted other firms to shift their business models to focus heavily on compliance software. In addition to Paisley Consulting, smaller players include OpenPages Inc., Certus Software Inc., HandySoft Global Corp., Axentis Inc. and Movaris Inc.

Many of these software packages are designed to guide the compliance process for Section 404 from beginning to end. For example, with Paisley Consulting's Risk Navigator software, a company's managers can start by logging into an internal Web site to see a list of tasks they're assigned to help meet the Section 404 requirements, says Paisley Chief Executive Tim Welu. Each manager sees only the tasks he or she is responsible for. The software also sends e-mail alerts when certain tasks are required, which contain links to a section of the Web site with more details about the task.

A department head, for instance, would see a list of risks in her department, along with the associated controls, which she is required to test. As she completes some tests, automated e-mails would remind her to complete tests that remain outstanding.

The software also provides electronic forms that managers can fill out to demonstrate that they've completed their portions of the Section 404 compliance, Mr. Welu says. And documents such as Microsoft Word reports and Excel spreadsheets can be uploaded into the system. In the end, Risk Navigator can format all the data and documents to be presented to the external auditors for review.

Mr. Welu says Paisley's software helps companies manage the sheer numbers of people and documents involved in ensuring compliance with Sarbanes-Oxley. At one client, he says, more than 2,000 people use the software, and at another some 70,000 documents have been generated to spell out the company's business processes and controls.

Mr. Jensen at McDonald's says Risk Navigator provides a "common base" where company managers and outside auditors can monitor the documentation and testing of financial controls.

The software can serve as "the one place of truth that everyone can go to and prove, if it's ever questioned, what was your approach" to meeting the Sarbanes-Oxley reporting requirements, Mr. Jensen says.

But can a company get by without software dedicated to Sarbanes-Oxley reporting? "Lots of companies have chosen not to invest in a whole bunch of technology for this thing," says Mr. Hamerman of Forrester Research. "They have tools in-house they can leverage, like Excel spreadsheets. But that's not going to be very effective."

For one thing, there's a lot of manual effort involved in taking multiple spreadsheets and trying to consolidate them, Mr. Hamerman says. And the database features of Sarbanes-Oxley software make it easier to access data than if it were stored in scattered spreadsheets and other documents.

Volt Information Sciences Inc., a New York staffing and consulting firm, initially began its compliance process by having employees manually create, store and browse through electronic documents for Section 404 compliance, says Kurt Neumann, Sarbanes-Oxley project manager at Volt. The documents were stored in folders on a shared computer drive, he says. But Volt eventually implemented Sarbanes-Oxley software provided by OpenPages.

The shared-drive approach resulted in a mishmash of folders that made it difficult to find specific documents, says Mr. Neumann. The OpenPages software, he says, set up a database that makes organizing and finding documents faster and easier.

"It's a more effective, efficient way to manage the information," Mr. Neumann says. "All you have to do is put information in the tree structure they provide you. It's easier to make changes and keep it up to date."

The framework provided by OpenPages' SOX Express software helps organize the testing of controls, Mr. Neumann says. In that way, he says, it helped Volt unearth some company procedures that had to be fixed. For instance, Volt requires its branch supervisors to check to see that weekly time sheets for its employees who work at client firms have been signed by the clients. Volt input documents spelling out this control and a plan for testing it into the SOX Express database, where everyone involved could easily access the information through an internal Web site created by the software. The testing showed that Volt had no system for recording evidence that such sign-offs took place, Mr. Neumann says. Volt now requires its branch supervisors to save reports confirming that they have checked time sheets for client signatures, he says.

McDonald's recognized that it needed software dedicated to managing the compliance process soon after Sarbanes-Oxley was passed in 2002, says Mr. Jensen. Given the global scope of the company's business, it was apparent that the scale of the task would require a software solution specific to the reporting requirements, he says.

"Because of the amount of documentation required, we needed something that could provide a reporting tool and serve as a repository for information," he says. "If you've got people maintaining the information on their own desktops, or using Excel or Word documentation alone, you just don't have that framework and continuity, you don't have that structure."

More Requirements

Some Sarbanes-Oxley-related software is more narrowly focused. RippleTech Inc., Conshohocken, Pa., for instance, sells software designed to manage the evaluation of information-technology controls as part of Section 404 compliance. It doesn't handle non-IT controls. "We're not trying to do everything for everybody," says CEO Brian McDonnell.

On the other hand, much of the software designed to ensure Section 404 compliance also can be used for Section 302 of Sarbanes-Oxley. Section 302 requires chief executives and chief financial officers to certify in writing that they have reviewed quarterly and annual financial reports, and that the reports are accurate. OpenPages' SOX Express software, for example, helps with the Section 302 process by automatically e-mailing surveys to lower-level executives about their level of confidence in the accuracy of data from their divisions, says OpenPages product-marketing manager Ed Thomas. The CEO and CFO can view the results of these surveys before signing the Section 302 forms submitted to the SEC.

Another area of Sarbanes-Oxley, Section 409, requires companies to immediately disclose publicly if they discover a material change in their financial conditions or operations. New York-based Bowne & Co. offers one solution for this requirement, a service called 8-K Express that converts disclosure documents into the format required by the SEC and files them with the agency. Sarbanes-Oxley also has various record-retention requirements. Several vendors, including EMC Corp. of Hopkinton, Mass., and Stellent Inc. of Eden Prairie, Minn., sell software to assist with this process.

Also, Sarbanes-Oxley Section 301 requires companies to provide a way for employees to anonymously file whistle-blowing complaints. Some firms have developed software that sets up a system for employees to report complaints, including Global Compliance Services Inc. of Charlotte, N.C., and Resources Global Professionals, a unit of Resources Connection Inc., based in Costa Mesa, Calif.

Some vendors of Sarbanes-Oxley software say other software not specifically developed for compliance can help in the process.

Oracle, for instance, for years has sold financial-reporting software called General Ledger. This can help companies close their accounting books more quickly, which is useful in meeting some of the Sarbanes-Oxley requirements for accelerated disclosure of material information, says Steve Miranda, vice president of applications development at Oracle. Oracle also sells business-intelligence software designed to give senior executives a timely view of any material changes in financial results. Oracle does sell software targeted at Sarbanes-Oxley compliance, called Internal Controls Manager.
