MetricStream adds full support for IT Controls and Automation of Application Control Testing in its SOx 404 Solution

Redwood Shores, CA - December 29, 2005 - MetricStream, Inc., a market leader in the enterprise-wide quality and compliance market today announced complete support for definition, assessment and monitoring of IT controls, as well as, automation of application level controls in the latest release of its SOx 404 compliance solution. As a part of this announcement, MetricStream is now shipping a library containing over 1500 tests for automating the testing of application level controls within popular ERP systems in key financial processes.
With IT applications automating most business processes in today’s environment, they enable a vast majority of the internal controls within the organization. Hence, it is essential to integrate process-level controls for all key processes into a single environment to enable risk-based internal control assessment. Examples include:
• Process-level application controls (such as orders are processed only within a customer’s credit limits or all goods shipped are invoiced)
• Process-level general IT controls (upgrade process for order management application is well defined and always followed or adequate security exists for the order management application)
• Process-level manual controls (orders and cancellations are input correctly into the application or users are well trained on the sales order policies)
Process-level application controls typically address risks related to completeness, accuracy, validity, authorization and segregation of duties for process level data, while, process-level general IT controls address overall IT-related risks for that application, including processes to ensure validation against intended purpose, change management processes and access control. With the new product release of its SOx 404 suite in December 2005, MetricStream becomes the first compliance vendor to provide such an integrated risk and controls environment to its customers.
In addition, with the new product release, MetricStream will also enable companies to significantly reduce their cost of compliance by providing a framework that defines process-level manual and application controls within a single test, automates the testing of process level application controls, and reports the results for the entire test – including manual and application controls, in an integrated manner. MetricStream leverages the APIs within this framework to automate the testing of controls implemented within either popular ERP systems such as SAP, Oracle and PeopleSoft, as well as legacy/homegrown systems. MetricStream now provides an out-of-the-box library containing more than 1500 tests for automating the testing of application level controls within popular ERP systems in general ledger, procure-to-pay, order-to-cash, inventory / cost Accounting, asset management and payroll processes.
Finally, with the new product release, a customer will also be able to easily define and assess overall IT controls – these are typically COBIT/ITIL/ISO17799 definitions that are reconciled for the COSO internal control model. Such controls are intended to drive IT Governance and ‘tone at the top’. They include:
• Lifecycle: Acquiring and implementing new programs and systems, as well as changes in, and maintenance of, existing systems
• Operations: Managing service levels for applications and infrastructure and for third-party services
• Access: Managing access-control to programs and data including security and authorization
As a result, MetricStream now enables its customers to integrate and reconcile COBIT, ITIL and ISO17799 definitions into the COSO framework and allows customers to use COSO as the default framework for assessing all internal controls, including IT related controls.
"Working with the Fortune 1000 companies, we immediately realized that most pure play SOx 404 vendors stopped short of addressing process-level IT controls and overall IT controls within their solution set,” said Shellye Archambeau, CEO of MetricStream. “MetricStream decided to incorporate full support of definition and testing of process-level application controls, process-level general IT controls, overall IT controls, COBIT framework, as well as automated testing of process-level application controls in its current release. As a result, in one swoop we addressed a gaping hole in most SOx 404 solutions in the marketplace."
"I am very impressed with how MetricStream continues to work closely with its customers to clearly identify and rapidly address the SOx 404 requirements for its customers,” said Joel E. Marks, vice chairman and COO, Advanced Equities. “We look forward to addressing the IT-related control capabilities from MetricStream in our SOx compliance program."
Key modules in the MetricStream solution for Sarbanes-Oxley 404 include:
• MetricStream Core SOx 404 suite
o MetricStream Design: Enables the organization to document the control hierarchy, design assessment plans, and setup the compliance environment for all the business units within the organization.
o MetricStream Assess: Enables the organization to schedule and perform assessments of design effectiveness and operational effectiveness of the controls.
o MetricStream Improve: Enables the organization to manage the remediation, exception, and disclosure processes, track their status, and ensure successful completion.
o MetricStream Monitor: Provides visibility into the ongoing compliance efforts within the organization through role based dashboards and scorecards.
• MetricStream Document Management: Provides a central repository for all documents required for compliance with Section 404 including company's policies, procedures, process documentation and all other regulatory and legal information.
• MetricStream Training: Enables the organization to make compliance a part of the company's culture by driving consistency through managing all aspects of employee training.
• MetricStream Audit: Performs process-level self-assessments and provides support for internal and external auditors.
With the new release, MetricStream Design now enables users to identify any control as a process-level application control or a process-level general IT control or a process-level manual control. In addition, MetricStream Design now enables users to capture general IT controls by defining IT as a separate function with various processes such as acquisition, change management, service level monitoring, security, incident management etc and enabling customers to easily comply with COBIT, ISO17799 and ITIL standards. MetricStream Assess now provides a framework that automates the testing of process level application controls and reports the results for the entire test – including manual and application controls, in an integrated manner and also provides an out-of-the-box library containing more than 1500 tests for automating the testing of application level controls in general ledger, procure-to-pay, order-to-cash, inventory / cost Accounting, asset management and payroll processes.

About MetricStream
MetricStream is a market leader in Enterprise-wide Quality and Compliance Management for global corporations. MetricStream solutions are used by leading corporations in diverse industries such as Automotive, Food, Pharmaceuticals, Manufacturing and Electronics to manage their quality processes, regulatory and industry-mandated compliance and corporate governance initiatives. Key MetricStream customers include Pfizer, Hitachi Computer Products (America), TaylorMade-Adidas Golf, Cannon-ITT Industries and Fairchild Semiconductor. MetricStream is headquartered in Redwood Shores, California and can be reached at www.metricstream.com

Media Contacts:
Laurie Gibson, B3 Communications
lgibson@b3communications.com
650-969-0764