Close Window

Print Story

Implementing Sarbanes-Oxley

The passage of the Sarbanes-Oxley Act of 2002 (SOX) marks a new era of accountability for corporate officers. Signed into law by President Bush in response to corporate accounting scandals, it is a major concern and top priority for the CEOs, CFOs, boards of directors, and audit committees of public companies, as well as for auditors, accountants, attorneys and regulatory governing bodies. Starting in 2004 (2005 for smaller companies), the financial reports of publicly traded companies in the United States must begin to comply with the financial disclosure requirements of this Act.

One of the major areas of concern is Section 404, Management Assessment Of Internal Controls, which requires companies to include in their annual report "an internal control report, which shall:
(1) State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) Contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting."

Successful compliance with Section 404 of SOX requires management to make visible and provide documentation of the status of all the various compliance issues associated with the new law. In addition, the company's auditors must review the company's SOX compliance and include an assessment in the auditing report. In order to provide such extensive documentation, companies are turning to solutions offering both content management and reporting components, such as IBM Lotus Workplace for Business Controls and Reporting.

The Act has heralded an age of intense content management at a time when content has morphed into many formats. Scanned paper images from accounting departments, electronic forms from human resources, presentations, e-mail, online messaging logs, and even voicemails are all forms of data made equal under the auspices of the Sarbanes-Oxley Act.

Using information technologies, companies can achieve the following goals needed for SOX compliance:

  1. An unambiguous definition of the procedures that a business user, not an information technology professional, could easily use
  2. A comprehensive explanation of the business process and the associated roles and responsibilities
  3. Automatic reference from a single process step to related, unstructured information and reports
  4. Clear identification of the controls within the process
  5. The ability to monitor processes and procedures related to content management
IBM's Lotus Workplace products, which are geared towards increasing workplace productivity using advanced content management and diversified collaborative tools, have been further enhanced to address the special requirements of Sarbanes-Oxley with Lotus Workplace for Business Controls and Reporting. This offering is an amalgamation of IBM's expertise in enterprise software and KPMG's expertise in business internal controls and auditing procedures. It helps provide a platform for an organization's business reporting process and a framework for gathering and organizing information about business controls.

The Web-based Workplace software leverages a range of third-party control catalogs and knowledge of industry-specific internal processes to help businesses understand and prepare for Sarbanes-Oxley mandates and jump-start the controls process. An organization can identify, assign, test, and monitor controls. The solution provides role-based access, which directs controls and financial reporting directly to the individuals responsible for execution, and provides real-time access with the "at-a-glance" dashboard. Both allow for quick issue identification, risk mitigation, and responsiveness. The solution also adds minimal impact on day-to-day operations enabling compliance activities to become a fluid part of employees' regular routines.

The content management component of this product allows content to be checked in and out of the system's repository. Library services also provide key features allowing metadata and audit log management, as well as content versioning - safeguards that enable users to roll back to previous versions if necessary. This repository is further augmented by the capability to search using full-text, keyword, or advanced technologies such as pattern recognition, expert recommendation, and semantic searching.

Lotus Workplace for Business Controls and Reporting is built on the industry's leading middleware technologies, IBM WebSphere Portal, and IBM DB2 Content Manager, which provide a single, unified and reliable platform for the entire organization. Lotus Workplace for Business Controls and Reporting also includes a fully integrated Crystal Enterprise Reporting Engine for generating the different reports showing the effectiveness and status of the business controls.

Other features of Lotus Workplace for Business Controls and Reporting include:

Figures 1 and 2 illustrate the implementation of Lotus Workplace for Business Controls and Reporting for the Acme Company. The menu along the top allows easy access into all the different areas, such as documentation, evaluation, organization, and reports. Figure 1 shows the documentation area. The left part of the screen contains a navigation tree illustrating the organizational structure of the business processes or controls. On the right is detailed information about the accounts receivable process including the owner of this process and the list of subprocesses.

Figure 2 illustrates how you can drill down to the controls that make up a process, in this case the controls that are a part of the Bad Debt process in Accounts Receivable.

Technology Components and Servers

Components of Lotus Workplace for Business Controls and Reporting (LWBCR) are installed on three core systems (machines). Distribution of components on these three systems is based on the role performed by each system in the configuration. A typical distribution of these components is listed here:

A platform for the following components used in application presentation and business logic:

A server for data storage and for controlling user access based on their roles with the following components: CRYSTAL ENTERPRISE SERVER
The Crystal reporting engine is used for generating the reports that access the database on the content manager server and render the images over HTTP. The components installed are: For a Windows installation, these servers should typically have 2.0 GHz P4 CPU with a 2GB RAM on each machine.


The installation of Lotus Workplace for Business Controls and Reporting is a very complex and sensitive process involving the correct installation and configuration of several IBM and third-party software components. It is recommended that you leverage IBM services or hire a Lotus Workplace consulting expert such as Prolifics to expedite the installation process.

Install the Workplace components in the following order:

  1. WebSphere Portal on the Portal server
  2. DB2 Installation on the Content Manager (CM) server
  3. IBM Content Manager on the CM server
  4. WebSphere Application Server installation on the CM server
  5. Installation of Information Integrator for Content Developer Client (II4C) on Portal and the CM server
  6. IBM Directory Server on the CM server
  7. DB2 Developer Client on the Crystal Enterprise (CE) server
  8. Crystal Reports Server Install on the CE server

Getting Started

After the software is installed and configured, you need to input the information specific to your business. The following steps provide an overview of the process you would follow in order to implement Lotus Workplace for Business Controls and Reporting.
  1. Typically you start by defining your organization - the managers and employees that make up your company - and assign the ownership of business units to the corresponding manager.
  2. After entering your organization information, you need to document your business processes, objectives, risks, and business controls. Alternatively, you can import best practices.
  3. Part of defining your business processes and controls is to document how this control can be evaluated and tested along with a date for performing these tests. As you use the system, you will need to continue this evaluation process in order to determine its effectiveness.
  4. You can attach or link documents to the processes with the necessary financial data.
  5. In order to check the effectiveness of the system, generate reports for your processes and controls.


Even though publicly traded companies are required to comply with the Sarbanes-Oxley Act, this legislation does provide an opportunity for all organizations to review their business controls and streamline their business processes. For companies with paper-based financial reporting systems, this can be the time to migrate to online controls and the advantages that come with an online system. With Lotus Workplace for Business Controls and Reporting you have a tool to start and implement the process and a tool that can grow with your needs.

The following is a summary of some its key benefits:

With Lotus Workplace for Business Controls and Reporting, companies gain the information and control needed to assess internal controls for financial reporting, respond to Sarbanes-Oxley Section 404, and improve visibility into business processes.

© 2008 SYS-CON Media Inc.