
Turning Sarbanes-Oxley Projects into Strategic Business Processes


By Dean Berg
Stellent

The first year of Sarbanes-Oxley caused a mad scramble among numerous publicly traded companies struggling to complete monumental compliance tasks, with many companies approaching their first phase of Sarbanes-Oxley compliance as a project ending in December 2004. Consequently, these organizations often turned to audit firms for tactical tools to help them through the initial planning, analysis and control design phase of Sarbanes-Oxley compliance. However, these quick-fix tools do little to support the ongoing processes required to comply with this act on a long-term basis.

As companies begin working toward year two and beyond, they are recognizing the need to institutionalize the successful Sarbanes-Oxley compliance processes learned during year one and make them part of daily business practices. Accomplishing this objective involves implementing software solutions, such as document management-based systems, that provide the critical functionality needed to effectively automate and support long-term Sarbanes-Oxley compliance methodologies. In fact, many audit firms, not just public companies, are turning to software products to help manage their clients' documentation and control testing processes as mandated by Sarbanes-Oxley.

Document Management – Transitioning Projects into Processes
There are a variety of software solutions on the market touted to dramatically reduce the cost and effort involved in Sarbanes-Oxley compliance, as well as reduce risks associated with required annual audits. These products range from planning and assessment tools from audit firms to process management, transaction monitoring and analysis solutions offered by enterprise resource planning (ERP), business intelligence and business process management (BPM) vendors.

While these offerings can enhance certain pieces of the Sarbanes-Oxley compliance puzzle, Web-based document and content management systems are best-suited to help companies efficiently and successfully transition short-term Sarbanes-Oxley "projects" into common, productive and strategic business "processes." These product suites accomplish this feat by providing three critical functional capabilities:

  • A Web-based document repository that securely manages all Sarbanes-Oxley documentation.
  • A workflow engine that automates and drives ongoing compliance processes.
  • A user interface based on The Committee of Sponsoring Organizations (COSO) standard, a staple of the financial profession.

Web-Based Document Repository
Fundamentally, Sarbanes-Oxley compliance is a document-driven process involving large volumes of various types of content, including process narratives, process maps, control test plans and reports, contracts and sales agreements, reports generated by ERP systems, and scanned images. A Web-based document repository can help companies efficiently and securely store and manage these documents as part of daily business routines.

Document management systems enable users to easily check Sarbanes-Oxley content into and out of a repository simply by using a Web browser. By storing this content in a centralized location on the Web, all parties involved in the compliance process – from individual business unit heads, to legal and accounting departments – can access needed information anytime, from any location with an Internet connection. Document management solutions can strictly manage who is allowed to access specific content within the repository, as well as which individuals can edit information and which only have "read-only" status.

In addition, these software suites include version control features that enable companies to maintain an audit trail of the revisions made to Sarbanes-Oxley documents stored in the repository and often automatically convert them into PDF files from any native format.

When evaluating Web-based document repositories, companies should look for a solution that is easy-to-use for both technical and non-technical users. Since user involvement is key to successful compliance processes, it is important the product does not pose any usability, training or technology barriers in order for process owners throughout a company – beyond just the accounting, internal audit and executive departments – to effectively participate in the Sarbanes-Oxley compliance process on an ongoing basis.

Workflow Engine
Companies must overcome many process management challenges in order to successfully achieve Sarbanes-Oxley compliance on a long-term basis. For instance, each financial control within an organization – and most companies have hundreds of them – has a lifecycle process that entails document creation, review and approval tasks, as well as control testing that needs to be managed and tracked.

Workflow engines – which are included as core functionality in many document management systems – automate and drive these ongoing compliance processes, eliminating a number of process-oriented hurdles. Workflows can guide activities related to defining, applying, testing, revising and maintaining financial controls and routing control documentation to the right person at the right time based on predefined rules.

Through the Web and email systems, a workflow engine can notify individuals when process documents need updating or review; alert team members when control testing must be performed; advise upper management of control testing problems; and issue alerts and invoke escalation actions if deadlines are missed.

As companies assess a document management system's workflow capabilities, they should note whether the solution offers a set of universal workflow processes that can be applied across all financial controls. This functionality eliminates the time-consuming task of separately modeling workflows for each control.

COSO-Based Interface
The COSO Framework requires company management teams to complete two primary tasks:

  1. Demonstrate an understanding of the processes underlying each assertion in financial reports through documentation and risk analysis.
  2. Assess the design and operational effectiveness of each financial control.

A document management system can help companies organize, analyze and document financial control objectives, business risks, control design and testing, according to the COSO Framework. Users can tap these solutions to conveniently collect this information for efficient and ongoing evaluation, management reporting and auditing. Ideally, organizations should leverage document management software that provides COSO-based templates that assist users in defining each piece of required documentation.

Records Management and Collaboration
In addition to the three critical functionalities described above, companies also should consider records management and collaboration features – capabilities that can help them meet other compliance mandates – when implementing a long-term Sarbanes-Oxley technology solution.

Much of the documentation involved in Sarbanes-Oxley compliance must be treated as a record. Document management systems offering a records management component enable users to control and manage disposition and retention schedules for electronic, email and physical records via the Web. Furthermore, these systems enable users to create a sophisticated filing hierarchy to manage financial records. When evaluating records management technology, organizations should ensure it is certified on the U.S. Department of Defense (DoD) 5015.2 standard, which defines the basic requirements that must be met by records management application products acquired by the DoD and its components based on operational, legislative and legal needs. This standard often also serves as the benchmark for many corporations purchasing records management technologies.

With many distinct internal and external groups involved in Sarbanes-Oxley compliance, a Web-based collaborative workspace can drive significant time savings, and expedite decision-making and approval processes. Many document management systems offer collaborative environments that allow Sarbanes-Oxley process owners, control testers, internal auditors, executive management team members, boards of directors and external auditors to access and review compliance documentation easily, without compromising security or auditability.

Benefits of Document Management in Sarbanes-Oxley Compliance
Document management systems can make the Sarbanes-Oxley testing and compliance processes significantly more efficient and straightforward for company executives.

Case in Point – Reliant Energy, Inc.
Reliant Energy, Inc. provides electricity and energy services to approximately 1.8 million retail and wholesale customers across the United States. Sarbanes-Oxley regulations, combined with the dynamic environment of the unregulated energy industry, have created a complex regulatory compliance challenge for this 5,000-employee company.

From the beginning, Reliant viewed Sarbanes-Oxley compliance as an opportunity to develop value-added business processes that would enable the company to better manage and improve its internal controls. Currently, Reliant uses a document management-based solution to meet a number of Sarbanes-Oxley business and technology requirements, including:

  • Management of a company-wide compliance effort with a team of less than ten individuals.
  • Support for a diverse level of internal control sophistication among process owners.
  • Full audit trail capabilities for all process, control and testing documentation to satisfy auditor requirements.
  • Easy integration with existing IT infrastructure.
  • Built-in logic and workflow options to ensure limited compliance team resources are focused on top priorities.
  • Management of Microsoft Excel spreadsheets and Visio documents with a records retention system that meets anticipated SEC regulatory requirements.
  • Effective file management functionality that easily supports changes to organizational structure and hierarchies.
  • Ability to organize, analyze and document financial control objectives, business risks, control design and testing, according to the COSO Framework.

Using the Stellent Sarbanes-Oxley Solution (see figure 1), Reliant Resources streamlined its compliance processes by distributing documentation tasks to process owners, and it smoothed its attestation process. Specifically, the solution provides Reliant's core compliance team with an enterprise-wide view of the company's internal control makeup – including the number of manual versus automated controls, and preventive versus detective controls. This view helps the core team track and schedule control changes based on company priorities, which helps the company meet its goal of automating as many internal controls as possible.

Stellent Dashboard
Dashboard-style interface that utilizes field-specific terminology.

Additionally, the Stellent solution provides Reliant with centralized process management capabilities and a centralized content repository. The core compliance team easily manages the overall process of Sarbanes-Oxley compliance through an automated workflow system involving the process owners. Reliant customized specific features within the workflow that monitor contributions from process owners to ensure all work and processes meet the quality standards set by the company. In addition, the centralized repository eliminated Reliant's disparate content repositories and the disconnected areas of the company carrying out compliance efforts on their own.

Another benefit of Reliant's compliance solution is the ability to easily share content with multiple audiences, including external auditors, process owners, company executives and managers, and internal auditors. Users log in to the system through an easy-to-use, Web-based interface and access information immediately, 24 hours a day. Auditors easily access the latest documentation they need for external audits – resulting in significantly less preparation time for internal staff.

Following its initial implementation, Reliant was able to easily modify the Stellent Sarbanes-Oxley Solution to fully address the new Public Company Accounting Oversight Board (PCAOB) audit standard. Similarly, Reliant seamlessly integrated the Stellent solution into its IT infrastructure, including its security and email systems, and plans to add continuous transaction and control monitoring capabilities in the near future.

Leveraging Sarbanes-Oxley Solutions for Other Compliance Initiatives
Like many other compliance mandates, Sarbanes-Oxley is primarily a process of massive documentation and testing. Document and content management-based software solutions can efficiently streamline many of these tasks and turn them into ongoing processes that are conveniently and inherently carried out during the normal course of business.

Often, companies can leverage the Web-based document management infrastructure created for Sarbanes-Oxley to comply with various other government mandates that have substantial documentation requirements, such as Joint Commission on Accreditation of Healthcare Organizations (JCAHO) and Health Insurance Portability and Accountability Act (HIPAA) in the health care market, and International Organization for Standardization (ISO) regulations in the manufacturing industry (see figure 2).

Figure 2
Companies can leverage Web-based document management infrastructures created for Sarbanes-Oxley to comply with various other government mandates.

Document management systems that can support a variety of compliance initiatives – Sarbanes-Oxley and beyond – with a common content repository and user interface, and process-oriented workflow engine, reduce the number of software applications organizations must purchase for these efforts – which can lead to substantial cost savings and other significant return-on-investment.



Dean Berg is director of business development for Stellent, Inc., a global content management solutions provider that launched the Stellent Sarbanes-Oxley Solution in August 2003. Berg has nearly 15 years of experience in the software industry and has been with Stellent for six years. He spent the past year meeting with hundreds of compliance officers nationwide to determine their Sarbanes-Oxley technology needs and was then responsible for driving the features and functionality of the Stellent Sarbanes-Oxley Solution to ensure it meets customer requirements. Additionally, Berg was instrumental in helping Stellent create an alliance with Protiviti, a leading internal audit and business and technology risk consulting firm, to bring customers the benefits of this organization's expertise.

The Stellent Sarbanes-Oxley Solution is based on the company's proven Stellent Universal Content Management software system, which was first introduced in 1996. During the past eight years, many of Stellent's 2,000 customers have used the solution to support compliance with numerous government mandates – from ISO 9001 to JCAHO, HIPAA and FDA regulations.




