SEC Extends Deadline For CertificationSEC Extends Deadline For Certification

Executives breathed a collective sigh of relief last week as the Securities and Exchange Commission extended the deadline for complying with section 404 of the Sarbanes-Oxley Act. At the same time, the SEC released final rules for the section, which requires public-company executives and auditors to certify the controls and procedures behind their financial reports.

Also last week, vendors, including Oracle and Plumtree Software Inc., rolled out products to help companies comply with the law, which was enacted last year in the wake of corporate scandals that eroded investor confidence in public markets. According to an information Research online poll, just over half of 218 respondents say their organizations already are compliant with the law.

With the SEC extension, certification will be required for financial statements of fiscal years ending on or after June 15, 2004. The original compliance date was Oct. 15 of this year. The new deadline gives companies much-needed breathing room, says John Hagerty, VP of research at AMR Research. Many businesses are looking at long-term solutions, such as performance-management systems. That means they need "to think through the processes and do a lot of IT work behind the scenes," Hagerty says. "This extension allows them to do it all at one time and do it right the first time."

Among the new products is Oracle Internal Controls Manager, which uses risk libraries to identify risks associated with business processes and the effects they might have on financial statements. It lets companies design controls to mitigate those risks.

Integration- and portal-software developer Plumtree and HandySoft Corp. rolled out the Sarbanes-Oxley Accelerator, which combines HandySoft's business-process management technology with collaboration, search, and personalization capabilities from Plumtree's Enterprise Web Suite. Accelerator gives members of an accounting team personalized views of the compliance process based on their responsibilities.

Startup Nth Orbit Inc. last week unveiled Certus, an application that provides a risk-assessment library, document-management handbook, and monitoring controls to ensure that steps are correctly performed and approvals captured in a financial chain.

AMR's Hagerty predicts that there will be at least 50 apps aimed at Sarbanes-Oxley compliance by year's end. Some vendors may repackage existing products to tap into the compliance push, and not all solutions are good for all businesses. "The way you might skin this cat is multifaceted," Hagerty says. "You can come at this from a reporting, documentation, or business-process angle."

Zebra Technologies Corp., which makes bar-code-related products, uses several tools to report and document its financial processes and controls, including Hyperion Financial Management for internal and external reports and Microsoft Excel and Visio to document internal processes and controls. Under the original section 404 compliance deadline, Zebra would have had to complete documentation and testing in the third quarter. Now, 2003 is a "dress rehearsal," VP and controller Todd Naughton says, leaving Zebra time to review the results with its auditing firm and make sure everything is working.

Glass and plastics packaging maker Owens-Illinois Inc. is using section 404 to ensure it's "already doing the right things," controller and VP Edward White says. The company has many of the processes and controls Sarbanes-Oxley mandates in place and is in the early stages of documenting and testing them. The SEC extension, White says, "allows us to slow down and be more deliberate."