BI Vendors Respond to Demand for Compliance Features
New BI enhancements pass regulatory-compliance muster
Have you noticed how vendors have taken to hyping compliance-ready enhancements for many prominent product offerings lately?
In the last two months alone, business intelligence stalwarts Actuate Corp., Applix Inc., Business Objects SA, and Cognos Inc. (among others) have retrofitted their products with compliance-aware features such as auditing, change tracking, and data security.
Outside of Hyperion Solutions Corp. and SAS Institute Inc., however, few of these vendors are positioning these offerings as dedicated compliance solutions. Instead, they argue, these enhancements introduce the safeguards (or controls) necessary to ensure compliance with the Sarbanes-Oxley Act of 2002, the Health Information Privacy and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and various SEC regulations, particularly where spreadsheet programs such as Microsoft Excel are in use.
Take Cognos, which last month introduced an Excel spreadsheet add-in for its dedicated Enterprise Planning product. Delbert Krause, director of Enterprise Planning product marketing with Cognos, says that by themselves, spreadsheets are a compliance nightmare. “What we’re hearing from our friends in the Big Five firms that are doing audits, and from our customers, is that spreadsheets are increasingly seen as a control risk, because it’s hard to prevent access to data, and it’s hard to prove that the data isn’t re-keyed,” he asserts. “It’s impossible to have an audit trail that will effectively manage an enterprise plan, especially when hundreds of people are contributing to the plan.”
Depending on how you look at it, the absence of prescriptive technological guidance from several key sections of SOX and HIPAA is either a blessing or a curse. Take SOX Section 404, for example, which says that IT organizations must have adequate controls in place to ensure the accuracy of their financial reporting. That’s about it, however, in terms of guidance: Decisions about what kinds of controls must be in place, and how many controls must be identified, are left to the discretion of organizations and their outside auditors.
In this respect, then, says Dave Menninger, vice-president of worldwide marketing with Applix, the beefed-up auditing facility that his company introduced earlier this year as part of version 8.3 of its TM1 OLAP server could by itself comprise an adequate control under the terms of SOX Section 404.
“Now we can record and capture and document the different people that were involved in the review cycle,” he comments. “The audit log is available for review and reversal, so if you determine that some particular entries can be or should be reversed, that goes into the audit log.”
Menninger acknowledges that malicious employees can still make changes to the data, but points out that all such changes will be tracked and logged: “Yes, you can make changes, but if you make changes, those are recorded as well. Apart from deleting the entire database, it’s not something that you can access at the operating-system or file-system level [and make changes to].”
Because there’s so much uncertainty, especially about SOX, says Robert Kugel, a vice-president and research director with consultancy Ventana Research, compliance-friendly features (such as auditing, change tracking, or data safeguarding) are welcomed by organizations as alternatives to costly custom-built controls or, even worse, manual processes.
“By themselves, spreadsheets don’t address any of these [problems], so that’s where the contributions of these better-than-spreadsheets [such as Actuate, Applix, Business Objects, and Cognos] are important,” he asserts. “It’s doubtful that you could really design the appropriate controls [for SOX compliance] using just plain Excel [on a standalone basis].”
There’s every indication that customers are seeing the light. Mike Thoma, vice-president of product marketing with Actuate, says that his company introduced enhanced auditing capabilities, along with other compliance-friendly features, in Actuate 8, which shipped two months ago. Actuate’s motivation, he says, was a no-brainer, spurred by persistent demand from customers.
“The other part that relates to Sarbanes-Oxley is that now your auditing can get a lot easier,” he maintains. “Customers want to know about the auditing features, but what they also want to do is … navigate through the object hierarchy and know what the source is for this particular number, so they feel a lot more confident than just looking at the display.”
Guy Weismantel, director of product marketing with Business Objects, agrees. Last month, Business Objects shipped Finance Intelligence, an add-on analytic module for its Enterprise 6.5 suite. According to Weismantel, a key feature of Finance Intelligence is a strong auditing facility, designed expressly for compliance scenarios.
“Where we’re seeing a lot of very, very strong initial interest … is [with] compliance management, and within each one of the different [analytic] modules that we’ve introduced there are very strong audit control capabilities and analysis capabilities that our customers seem very, very excited about to assess risk,” he notes.
About the Author
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.