Most companies working on Sarbanes-Oxley projects are laser-focused on documenting their internal financial controls to meet the compliance deadlines that take effect late this year. But the law's requirements are also beginning to generate interest in computer forensics tools that could be used to help identify potential cases of financial fraud.
For example, Avery Dennison Corp. is piloting software announced this week by Oversight Technologies Inc. that can be used to monitor finance systems for irregular transactions. Mark Van Holsbeck, director of enterprise security at Avery Dennison, said the software should cut the time workers at the Pasadena, Calif.-based maker of adhesive products spend poring over printouts of financial data to determine whether any information has been altered or corrupted.
Avery Dennison's use of the Oversight tool, which is being tested on a combination of Wintel and HP-UX platforms, wasn't driven by the requirements of the Sarbanes-Oxley Act, Van Holsbeck said. But the technology should help the company satisfy components of the financial reporting law.
Other users are expected to come to the same conclusion about computer forensics technology, which can track how data is used and modified.
Meta Group Inc. analyst John Van Decker said he expects to see an uptick in forensics technology investments related to Sarbanes-Oxley starting this summer. And Michael Rasmussen, an analyst at Forrester Research Inc., estimated that about a third of the clients he works with have put an investigative response plan in place, including the use of business intelligence tools and other technologies to help monitor ERP and e-mail systems for evidence of potential wrongdoing.
Universal Health Services Inc., a King of Prussia, Pa.-based company that operates hospitals and other medical facilities in various states, already has several fraud-detection systems in place that now should be able to help it meet the mandates set by Sarbanes-Oxley, said CIO Linda Reino.
For example, a homegrown system that was installed in 1998 is used to identify any attempts by employees to alter the amounts of their paychecks. The system, which runs on an IBM AS/400 server, is connected to applications at the bank that support Universal Health's payroll operations "to prevent an altered check from being cashed," Reino said.
Manny Abascal, a partner at Latham and Watkins LLP in Los Angeles, said continually reviewing finance data will be a key facet of Sarbanes-Oxley compliance. "Some companies are thinking ahead so that if they find themselves in this position [where fraud is suspected], they're better able to find the data," he said.
Pricing for Oversight's monitoring tools starts at $85,000 and can go up to about $200,000, based on the number of end users, said CEO Patrick Taylor.
Other vendors of forensics tools include Guidance Software Inc., Consul Risk Management Inc. and Addamark Technologies Inc., which this week plans to announce upgraded software for storing and tracking system log data.
Mandalay Resort Group in Las Vegas provides gaming agencies with information to demonstrate its data-protection procedures. But CIO Tracy Austin said those efforts haven't drawn on the use of computer forensics, and the hotel and casino operator hasn't made plans to invest in the tools to aid in Sarbanes-Oxley compliance.
Mandalay "is primarily focused on documenting internal controls," Austin said.