IBM Readies Compliance PackageIBM Readies Compliance Package

Much like Y2K before it, the Sarbanes-Oxley Act has energized the software industry, letting vendors spiff up apps so customers can achieve at least partial compliance with the new reporting law. But IBM has decided to help companies turn the dreaded law into an opportunity to improve wholesale-business visibility.

This quarter, IBM plans to introduce Lotus Workplace for Business Controls and Reporting, a package that will combine the vendor's portal and content-management software, its consulting services, and products acquired from KPMG LLP. Pricing hasn't been set.

The package, customizable to various vertical industries, is designed to enable companies to create more automated ways of complying with Sarbanes-Oxley, IBM VP Larry Bowden says. IBM has licensed code from KPMG that takes industry-specific catalogs of process controls and reporting hierarchies. The code then develops a control-assessment template that companies can customize to their own business processes. Under terms of the agreement with KPMG, IBM will take over future development, design, and support of the code, which will become part of the new controls-and-reporting product. KPMG will continue to sell Sarbanes-Oxley consulting services and advise IBM on how to approach specific vertical markets.

Bowden, who oversees IBM's WebSphere portal product as well as its Lotus Software suite, says the WebSphere portal component will enable companies to build role-based dashboards for quick views of compliance activities. For instance, executives would be able to quickly assess the effectiveness of their corporate controls, the compliance status of individual business units, and whether business processes are conforming to new compliance procedures.

The Sarbanes-Oxley Act of 2002, passed by Congress in the wake of last year's corporate accounting scandals, requires that public companies disclose more financial information than in the past and holds corporate officers more accountable for the accuracy of those disclosures. Sarbanes-Oxley's impact on IT comes from its requirements that company officials certify the effectiveness of the internal controls they use for financial reporting.

According to a recent information Research survey, most companies will spend more on IT to comply with Sarbanes-Oxley this year than they did in 2002. Sarbanes-Oxley requires compliance by the conclusion of a company's fiscal year 2004.

The products are intended to deliver a companywide Sarbanes-Oxley compliance app, pieces of which today can be found in other vendors' software and which were designed for parts of a company's reporting structure. Content-management, portal, and messaging vendors have been particularly active in trying to field compliance modules that support their products. "We call many of them boutique offerings. They address a small part of the problem," Bowden says.

Stephen O'Grady, a senior analyst at IT research firm RedMonk, says some companies have invested unwisely in such narrow products when broader compliance efforts were needed. The incorporation of the code developed by KPMG likely makes IBM's offering the most wide-reaching Sarbanes-Oxley product to date, he says, addressing a wider swath of compliance needs than an existing joint product from Documentum and BearingPoint. But for companies in highly regulated industries, software is probably unnecessary. "It's likely that they have all the controls in place already," says O'Grady. "What they need more than anything is a service that provides a gap analysis" to tell them where they may be falling short.

The first version of the controls-and-reporting product is expected to ship before year's end, and a second version is planned for the first quarter of next year, in time for last-minute compliance efforts by companies operating on noncalendar fiscal years. Pricing hasn't been disclosed.