Sarbanes-Oxley - How Deecal Helps Your Organization With Compliance
What is Sarbanes-Oxley

The Sarbanes-Oxley Act was passed in 2002 with the goal of strengthening the accounting practices and controls used by enterprise organizations, and enhancing investor protection mechanisms. For the first time, senior management are personally liable for failure to ensure that financial reporting is accurate and reflects the true financial position of the company, that investors' funds are managed properly and diligently, that company expenditure is controlled and visible, and that the business's operations are protected from identifiable risks. Organizations must have been compliant with the regulations of the Act by June 2004 or be subject to a range of financial and even criminal penalties.

Many of the regulations of SOX are concerned with how the organization is managed, how the senior managers and its Board conduct its business, and how the financial position is reported. However, some sections - 404 in particular - mandate the kinds of internal controls that an organization must put in place to comply with SOX. Though compliance with SOX is ultimately reliant on the business and management decisions taken within the organization, in many cases IT systems will be the foundation for the controls and reporting that are necessary for SOX compliance.

Senior management may find it almost impossible to manage their overall expenditure effectively unless they have full visibility over that expenditure and its sources. For large organizations it will be unrealistic to rely on manual procedures to control expenditure because of the sheer volume of business being transacted every day. In these cases, compliance with SOX will become an unattainable goal until adequate IT systems are commissioned to put senior management in touch with their operational environment, and to automate controls to the point where operational staffing levels are sufficient to manage the volume of financial transactions taking place within the organization.

SOX And Your IT Infrastructure - The Key Messages

The SOX Act contains detailed and complex regulations that will need to be fully and thoroughly assessed by each organization. For IT managers, the key impacts fall into the following areas:

Information Visibility: The organization must have complete and real-time access to its operational and financial data, with adequate tools to be able to report and interpret the data so that senior management's decisions are guided by accurate and timely information.

Workflow: The IT systems that support the business must in themselves contain intelligence to support the work processes and policies implemented by the organization.

Audit: A comprehensive audit facility must exist to allow the business to track the occurrences of all business functions and data modifications.

Internal Controls: A key mandate of SOX compliance is that the organization must introduce strong internal controls and procedures to manage its operations and finances. The organization must also introduce sufficient mechanisms to monitor compliance with these internal controls and company policies.

Data Integrity: The core business operations of most organizations are by now fundamentally reliant on their IT infrastructure and data processing capabilities. Any long-term system failure or loss of data would be detrimental to the ability of the business to function, the service to its customers, and hence shareholder value. Hence, the means by which that data is stored, replicated and archived, and its integrity is preserved, are critical to the business continuity of the organization.

Data Center Security: Complementary to data integrity is the security of operational data, and its physical environment. Intellectual property and client information are important assets of an organization, so preserving the confidentiality of such information is critical to maintaining shareholder value. The security against physical damage, corruption or unauthorized access by third parties is also critical to business operations.

Best Practice: Organizations must introduce known industry best practice within their operations throughout every functional area. The operational procedures must be known, clear, and well documented.

Now we will look at how Deecal's platform and its hosted services allow your organization to comply with SOX in these critical operational areas.

Information Visibility

The essence of Deecal's service platform is that it provides online real-time access to your transaction data and reporting, throughout the organization from any location where there is access to a web browser. Users have access to information based on their location in the organization hierarchy, or based on the cards or users for which they are designated as responsible. This gives everyone in the organization immediate access to the financial data that concerns their area of responsibility within the organization, thereby empowering all managers within the organization to perform to their best ability.

The services available on the D.CAL platform - Expense Claim Manager, Purchasing Card Manager, Lodge Manager and Multi-national Manager - all provide a variety of web-based reports and online enquiries to provide immediate and accurate information on the business operations governed by that service.

For example, do you need to know whether your cash flow over the next few weeks will be sufficient to settle reimbursable claims from the Sales team? A simple online enquiry will show you all claims for any part of the organization broken down by their status as they go through the approvals process, so you can see not only the value of claims already approved for payment, but also the totals of claims coming through the system that are about to be submitted or are awaiting approval.

Similarly, back-end financial systems - such as SAP, Oracle or JD Edwards - can only provide senior management with the quality and accuracy of financial reporting that is possible with the quality of the data they receive. Inaccurate, invalid or missing cost allocation information will make it difficult for such financial systems to accurately report on the expenditure. Organizations that make significant investments in high-end financial systems but invest little in front-end expense management automation may have unwarranted confidence in their organization's ability to provide SOX compliant financial reporting.

Workflow

Deecal's services embody industry standard work processes that assist cardholders and managers to perform the necessary reviews and approvals on the procurement or expense items for which they are responsible. For example, Purchasing Card Manager supports purchaser review and manager approval of all procurement transactions, and highlighting of bottlenecks where the proper reviews are not being conducted by supervisors. Expense Claim Manager supports a further two levels of expense claim approval, where the designated approver can be configured to be any manager with the necessary approval threshold limit above the claimant in the organizational hierarchy, or specific designated approvers assigned to the claimant.

Approvers are shown only the transactions or claims that are their responsibility to approve. Organizations can decide that expense claims will be automatically generated by the system from the incoming transaction data, or that claimants should have this responsibility alone. This flexibility encourages the organization to make decisions about the controls and operational procedures it wishes to put in place, and then allows senior managers to be confident that these procedures are being automated and enforced by the organization's IT systems.

Audit

Operational audits can sometimes necessitate custom database queries to identify when and why certain changes to users, cards or transactions took place, and who carried out the changes. At Deecal, we recognize that the audit capability must allow the business to supply information to external auditors to satisfy their requirements, but must also provide managers with views of business actions carried out by operational staff on a day-to-day basis. All of Deecal's services use a common audit framework built into the platform that constantly maintains an audit trail of all business actions and data changes. The audit history shows who carried out the change, the business function used within the system, when the change was carried out, the database records changed, and the before-and-after values of the data changed. Best of all, all of this information is available through real-time enquiry screens, so there is no need to request custom audit reports from the IT department to retrieve audit information.

Internal Controls

The days when manual controls on expenditure could rely on the diligence and experience of one or two key staff are drawing to a close. With the arrival of SOX it is no longer adequate for an organization to rely on such random controls to identify improper use of funds. SOX requires that policies and controls be known and documented, and built into the operational procedures and systems used within the organization. This allows exceptions to be highlighted automatically by the systems themselves - no longer relying on random checks or the alertness of staff to bring them to the attention of management on an ad-hoc basis.

Expense Claim Manager allows a variety of policy rules to be defined for the organization, such as how long claimants are given to submit their expenses, policy limits for each category of expenditure, and approval threshold limits for approvers. ECM then allows you to easily identify the expenses that break these policies and to easily notify the claimants or approvers via email notification within the system. During the implementation and training process, Deecal's Professional Services staff outline the controls and work-methods available and assist senior management to choose the policies and procedures that best suit their business. This decision making process allows the organization's policies to be made explicit and documented for external review as mandated by SOX, and for those policies to be built into its systems that provide governance of its expenditure.

Data Integrity

SOX requires organizations to have clear answers to IT infrastructure questions such as:

  • "Will a hardware failure disrupt your business?"
  • "Do your systems have built-in redundancy to avoid system down-time?"
  • "How often is your data backed up, and how securely are the backups stored?"
  • "How long is your data retained, and how is it archived?"
  • "What are your procedures for retrieving archived data?"
  • "Do you have migration plans to ensure that records are retained regardless of changes to technology platforms or data formats?"

Questions such as these may previously have concerned only the IT department, with senior management becoming involved only when a systems failure had already begun to affect business operations. Now, with the arrival of SOX, it is senior management's responsibility to ensure that satisfactory answers are forthcoming to these questions on an ongoing basis, and that weaknesses in the IT infrastructure that pose a risk to data or business continuity are addressed quickly.

Deecal's operational platform uses the latest multi-tier architecture with built-in redundancy so that no single point of failure will cause system downtime. The architecture uses industry standard enterprise level technology such as JDBC, XML and XSL, load balanced web servers, clustered application servers, mirrored databases, dual active load balancers, firewalls and switches. Data migration is a fundamental part of the implementation plan for each scheduled upgrade, and archiving procedures can be customized to suit the needs of each organization using the service.

To prevent unauthorized user access, all of Deecal's services feature role-based data access control and two levels of user authentication. This means that users are granted access only to the organization's data that is relevant to their location in the organization and their role. This IT environment provides customers with peace of mind that their business operations are safe and secure.

Data Center Security

Deecal's services are operated from a secure enterprise-level data center whose physical environment is safe from power outages and other occurrences that could affect the network availability, servers or storage devices. Systems are protected from being maliciously or accidentally brought down or destroyed, and there are business continuity plans in the event of this happening. This data center has delivered 100% availability to its customers since it became operational in 2001. The Deecal platform also uses industry standard firewall, network security and virus protection technology, as well as PKI (Public Key Infrastructure) and SSL (Secure Sockets Layer) for security purposes.

Best Practice

All of the services offered by Deecal provide features and work-methods that embody industry best practice for the business area covered by the service. For example, Purchasing Card Manager supports industry standard data formats for purchasing card line item information and best-practice procedures for review and approval of procurement transactions. Expense Claim Manager embodies the most widely used expense approval standards, and also allows the organization to tailor its work-methods to automate its desired approval procedures. Organizations using Deecal's services can be confident that they are using standards and procedures based on real-world industry practices, and can be assured that the services continually evolve in line with market requirements and new industry standards.

For More Information

For more information on how Deecal's services for procurement management, expense claim automation, lodge program management and multi-national consolidated reporting can help your organization to save administration costs, improve your business processes, and give you increased visibility on your expenditure, please contact us at info@deecal.com.

Next Steps?

Small card program, public sector or large multinational? Just looking for more information? No problem, get in contact, we are always happy to help.

 © Deecal International Ltd | Chicago | Dublin | London | T: +353 1 676 2700 E: info@deecal.com