April 29, 2005
As many observers expected, the Sarbanes-Oxley Bill (SOX) is opening up a lot
of new IT spending, and companies now need to have special applications designed
to comply with the new regulations.
However, there is still a lot of confusion
and misconception about exactly how technology developers and application service
providers can offer their services to satisfy all these tough new regulations.
That's because SOX isn't an e-business category; it can be approached through discrete use, or a mix, of business process management (BPM), business intelligence (BI), enterprise content management (ECM), and other areas.
Furthermore, since SOX is a relatively young initiative, the vendor landscape hasn't yet shaken out; the market contains everyone from giant platform and applications providers down to tiny pure-plays.
Seeking to clarify some of the confusion, Forrester has released its patented Wave graphic for evaluating several vendors (IBM, SAP, Oracle [including PeopleSoft], HandySoft, Open Pages, Certus, Stellent, and Paisley Consulting) addressing SOX compliance.
Microsoft, SAS, and Movaris were invited to participate in this Wave but chose not to do so.
Broadly speaking, Forrester distinguishes IBM, SAP, Open Pages, and Paisley Consulting as "leaders." The other vendors are all "strong performers," with HandySoft coming the closest to crossing over into the leader category.
The good news for prospects is that there are no vendors in the "contenders" or "risky bets" categories. This indicates that vendors have come a long way towards buttressing their SOX technology since 2003.
With the vendors bunched up so close together, one way of understanding individual strengths and weaknesses is to approach the companies by category. For example, Forrester divides the vendors into three boxes: enterprise applications (SAP and Oracle), ECM and infrastructure (IBM and Stellent), and specialists (HandySoft, Open Pages, Stellent, and Certus). It offers the following category evaluations:
Enterprise applications vendors: Strengths: "...very strong offering for initial software releases, with tight integration with ERP [enterprise resource planning] systems for documenting controls and risks and very good reporting and monitoring tools." Weaknesses: "...late to market, so the products had less time to mature. This group also has poorer integration with existing document and records management systems."
ECM and infrastructure vendors: Strengths: "...provide both SOX and compliance frameworks for building additional compliance applications. Integration... includes collaboration, document management, and records management." Weaknesses: "...a tendency to have lighter support for the COSO framework -- a major component of SOX applications."
Specialist vendors: Strengths: "...extensive track record of implementations and deep subject matter expertise...more mature products..." Weaknesses: "Integration with existing IT systems such as collaboration, document management, ERP, and records management varies widely."
Beyond these groupings, another differentiation comes in the way that IBM, Open Pages, Paisley Consulting, and others are pitching SOX compliance as part of a broader risk management strategy.
All in all, Forrester's evaluation and groupings give prospects a way to weight vendor offerings based on priorities like IT integration, an ongoing risk management strategy, or tactical compliance.
Source: Line 56