The passage of the Sarbanes-Oxley Act of 2002 (SOX) marks a new era of accountability for corporate officers. Signed into law by President Bush in response to corporate accounting scandals, it is a major concern and top priority for the CEOs, CFOs, boards of directors, and audit committees of public companies, as well as for auditors, accountants, attorneys and regulatory governing bodies. Starting in 2004 (2005 for smaller companies), the financial reports of publicly traded companies in the United States must begin to comply with the financial disclosure requirements of this Act.

One of the major areas of concern is Section 404, Management Assessment Of Internal Controls, which requires companies to include in their annual report "an internal control report, which shall:
(1) State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) Contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."

Successful compliance with Section 404 of SOX requires management to make visible and provide documentation of the status of all the various compliance issues associated with the new law. In addition, the company's auditors must review the company's SOX compliance and include an assessment in the auditing report. In order to provide such extensive documentation, companies are turning to solutions offering both content management and reporting components, such as IBM Lotus Workplace for Business Controls and Reporting.

The Act has heralded an age of intense content management at a time when content has morphed into many formats. Scanned paper images from accounting departments, electronic forms from human resources, presentations, e-mail, online messaging logs, and even voicemails are all forms of data made equal under the auspices of the Sarbanes-Oxley Act.

Using information technologies, companies can achieve the following goals needed for SOX compliance:

1. An unambiguous definition of the procedures that a business user, not an information technology professional, could easily use
2. A comprehensive explanation of the business process and the associated roles and responsibilities
3. Automatic reference from a single process step to related, unstructured information and reports
4. Clear identification of the controls within the process
5. The ability to monitor processes and procedures related to content management

IBM's Lotus Workplace products, which are geared towards increasing workplace productivity using advanced content management and diversified collaborative tools, have been further enhanced to address the special requirements of Sarbanes-Oxley with Lotus Workplace for Business Controls and Reporting. This offering is an amalgamation of IBM's expertise in enterprise software and KPMG's expertise in business internal controls and auditing procedures. It helps provide a platform for an organization's business reporting process and a framework for gathering and organizing information about business controls.

The Web-based Workplace software leverages a range of third-party control catalogs and knowledge of industry-specific internal processes to help businesses understand and prepare for Sarbanes-Oxley mandates and jump-start the controls process. An organization can identify, assign, test, and monitor controls. The solution provides role-based access, which directs controls and financial reporting directly to the individuals responsible for execution, and provides real-time access with the "at-a-glance" dashboard. Both allow for quick issue identification, risk mitigation, and responsiveness. The solution also adds minimal impact on day-to-day operations enabling compliance activities to become a fluid part of employees' regular routines.

The content management component of this product allows content to be checked in and out of the system's repository. Library services also provide key features allowing metadata and audit log management, as well as content versioning - safeguards that enable users to roll back to previous versions if necessary. This repository is further augmented by the capability to search using full-text, keyword, or advanced technologies such as pattern recognition, expert recommendation, and semantic searching.

Lotus Workplace for Business Controls and Reporting is built on the industry's leading middleware technologies, IBM WebSphere Portal, and IBM DB2 Content Manager, which provide a single, unified and reliable platform for the entire organization. Lotus Workplace for Business Controls and Reporting also includes a fully integrated Crystal Enterprise Reporting Engine for generating the different reports showing the effectiveness and status of the business controls.

Other features of Lotus Workplace for Business Controls and Reporting include:

• A role-based interface. When employees log in to the system, they are presented with their individual tasks and responsibilities and the resources and tools they need to complete those tasks.
• Role-based reports. Role-based reports allow you to report on various combinations of data. You can have executive views showing summaries of control effectiveness and deficiencies in graphical format that are linked to detailed reports about each control. You can generate reports for employees and managers that need to combine information from different data sources.
• Robust security features. You can protect your sensitive data with features such as single sign-on, role-based access and read-only access.
• Scalable framework. The product provides a framework allowing you to organize and document your business processes and expand as needed.
• 24/7 access. Implemented as a Web-based portal application, it gives 24/7 workplace access to employees and users. Even if your employees are offsite, they can retrieve the information and find the tools they need to do their work.
• Collaborative environment. Electronic workplaces allow employees to collaborate on projects and tasks. Presence awareness and instant messaging allow for real-time resolution of questions and problems.
• Ease of navigation. Enhanced navigation allows users to quickly complete control tasks for greater focus on core business.
• Audit trails and archiving. Audit trails and archiving help to ensure process and document integrity.
• Third party enhancements. You can take advantage of industry insights and knowledge of internal control processes and practices via leading third-party control catalogs from vendors such as KPMG.
• Integration of existing systems. It doesn't replace existing SAP, PeopleSoft, etc., applications. Instead it accesses information from those applications to present in reports for management so that management can assess risk in their organizations.

Figures 1 and 2 illustrate the implementation of Lotus Workplace for Business Controls and Reporting for the Acme Company. The menu along the top allows easy access into all the different areas, such as documentation, evaluation, organization, and reports. Figure 1 shows the documentation area. The left part of the screen contains a navigation tree illustrating the organizational structure of the business processes or controls. On the right is detailed information about the accounts receivable process including the owner of this process and the list of subprocesses.

Figure 2 illustrates how you can drill down to the controls that make up a process, in this case the controls that are a part of the Bad Debt process in Accounts Receivable.

Technology Components and Servers

Components of Lotus Workplace for Business Controls and Reporting (LWBCR) are installed on three core systems (machines). Distribution of components on these three systems is based on the role performed by each system in the configuration. A typical distribution of these components is listed here:

WEBSPHERE PORTAL SERVER
A platform for the following components used in application presentation and business logic:

• WebSphere Portal 5.0.2
• DB2 8.1 ESE Fixpack5 (DB2 Client)
• Information Integrator for Content Developer Client (II4C) 8.2

CONTENT MANAGER SERVER
A server for data storage and for controlling user access based on their roles with the following components:

• DB2 8.1
• Visual C++ 6
• WebSphere Application Server 5
• Content Manager 8.2
• Information Integrator for Content Developer Client (II4C) 8.2
• IBM Directory Server SDK 5.1

CRYSTAL ENTERPRISE SERVER
The Crystal reporting engine is used for generating the reports that access the database on the content manager server and render the images over HTTP. The components installed are:

• DB2 8.1 (required for IDS 5.1)
• IBM HTTP Server 2.x
• Crystal Enterprise Server 10
• IBM Directory Server SDK 5.1

For a Windows installation, these servers should typically have 2.0 GHz P4 CPU with a 2GB RAM on each machine.

Installation

The installation of Lotus Workplace for Business Controls and Reporting is a very complex and sensitive process involving the correct installation and configuration of several IBM and third-party software components. It is recommended that you leverage IBM services or hire a Lotus Workplace consulting expert such as Prolifics to expedite the installation process.

Install the Workplace components in the following order:

1. WebSphere Portal on the Portal server
2. DB2 Installation on the Content Manager (CM) server
3. IBM Content Manager on the CM server
4. WebSphere Application Server installation on the CM server
5. Installation of Information Integrator for Content Developer Client (II4C) on Portal and the CM server
6. IBM Directory Server on the CM server
7. DB2 Developer Client on the Crystal Enterprise (CE) server
8. Crystal Reports Server Install on the CE server

Getting Started

After the software is installed and configured, you need to input the information specific to your business. The following steps provide an overview of the process you would follow in order to implement Lotus Workplace for Business Controls and Reporting.

1. Typically you start by defining your organization - the managers and employees that make up your company - and assign the ownership of business units to the corresponding manager.
2. After entering your organization information, you need to document your business processes, objectives, risks, and business controls. Alternatively, you can import best practices.
3. Part of defining your business processes and controls is to document how this control can be evaluated and tested along with a date for performing these tests. As you use the system, you will need to continue this evaluation process in order to determine its effectiveness.
4. You can attach or link documents to the processes with the necessary financial data.
5. In order to check the effectiveness of the system, generate reports for your processes and controls.

Summary

Even though publicly traded companies are required to comply with the Sarbanes-Oxley Act, this legislation does provide an opportunity for all organizations to review their business controls and streamline their business processes. For companies with paper-based financial reporting systems, this can be the time to migrate to online controls and the advantages that come with an online system. With Lotus Workplace for Business Controls and Reporting you have a tool to start and implement the process and a tool that can grow with your needs.

The following is a summary of some its key benefits:

• Lotus Workplace for Business Controls and Reporting leverages third-party control catalogs that are ERP and industry-specific, and internal controls knowledge from KPMG to create best practices and jump-start the process.
• The portal infrastructure aggregates information for an enterprise-wide view and provides a unified approach for companies to conduct self-assessment of internal controls at an entity-wide level.
• The role-based, real-time access enables companies to make more informed business decisions and help mitigate risks.
• Sophisticated content management and reporting capabilities allow companies to consolidate any format of content whether paper-based, voice-based, or online, and present a detailed assessment of compliance within the auditing reports.

With Lotus Workplace for Business Controls and Reporting, companies gain the information and control needed to assess internal controls for financial reporting, respond to Sarbanes-Oxley Section 404, and improve visibility into business processes.

• Figure 1
• Figure 2