When Approva Corp. hit the venture capital circuit in late 2001, the Vienna company's founder Prashanth V. "PV" Boccasam pitched the increasing demand for security-control software, a high-tech gotcha system that would reduce internal waste and fraud by red-flagging unauthorized purchases by employees and other improper business practices.

Consul Risk Management Inc., a Dutch company, was already making software to help corporations limit their risk by controlling access to such critical information as financial statements and health care records.

The companies, it turns out, were on to something big.

In July 2002, after accounting scandals at Enron Corp. and WorldCom Inc., Congress passed the Sarbanes-Oxley Act in an effort to prevent corporate chicanery. It mandates that public companies maintain well-functioning internal controls to ensure the accuracy and reliability of their financial reporting. And it demands that chief executives personally vouch for the effectiveness of those systems.

Since then, Approva's BizRights software has attracted more than $30 million in venture funding, including a cash infusion from business software powerhouse Hyperion Solutions Corp. announced last week. The company has grown from four employees in early 2002 to nearly 170 now. Revenue tripled from the first half of 2004 to the first half of 2005, though executives of the privately held firm declined to provide specific numbers.

"Virtually 100 percent of our business is driven by or related to Sarbanes-Oxley requirements," said Neil Selvin, Approva's chief marketing officer.

Consul has seen boom times, too, already outgrowing its office space in Herndon, its U.S. headquarters. Last month, the firm acquired NetMon2, a New Jersey company that added to its technology resources.

Of course, not everyone has been so happy with Sarbanes-Oxley. Companies have complained that they have spent millions of dollars meeting the law's requirements. In March, Financial Executives International, a trade association for chief financial officers and other executives, estimated that the legislation cost big companies an average of $4.36 million, a 39 percent increase from the group's previous estimate in July 2004. The trade association's voluntary survey included 217 companies with average revenue of $5 billion a year.

But there is a swath of the Washington area economy that has benefited from the new law. The beneficiaries include business schools, such as George Mason University's, which has revamped its curriculum and seen student interest in accounting courses increase, as well as software and service companies like Approva and Consul.

The biggest winners have been the big accounting firms that audit companies' financial systems, find deficiencies and design systems to cure them.

At a national conference of accounting executives in Orlando last week, every hand went up when a speaker asked the more than 500 participants attending a seminar if Sarbanes-Oxley has helped their bottom lines.

"The irony in this whole thing is essentially the big four accounting firms screw up a whole bunch of public company audits and the government rewards them by creating a $30 billion industry called Sarbanes-Oxley," said Allan Koltin, the accounting industry analyst who asked the question in Orlando.

Even the big-name number crunchers cannot agree on just how much business Sarbanes-Oxley has generated, but everyone agrees that it is huge.

AMR Research Inc. put the Sarbanes-Oxley price tag at $6.1 billion, with spending for tech-related compliance tools at $1.7 billion.

Approva's Selvin said some companies took a low-tech approach last year, using Excel spreadsheets and tons of hours to examine them in the effort to comply with the law. "But in 2005, most companies are looking for automated solutions so they'll never have to go through the manual effort again," he said.

Software firms such as Approva and Consul tackle the law's requirement that a company establish a dependable check-and-balance system and identify material weaknesses, areas where the company might be at risk for problems such as the use of unapproved vendors or thievery.

Corporations have been required to review their internal controls since the 1970s. Under Sarbanes-Oxley, however, company executives who "willfully" sign off on faulty financial reports face criminal penalties of up to $5 million and 20 years in prison.

"In the criminal code, the penalty falls between second-degree murder and kidnap with ransom," said Kristin Lovejoy, vice president and chief technologist for Consul, which estimates that up to 70 percent of its business now comes from Sarbanes-Oxley compliance.

Consul's signature software, InSight, documents unusual behavior within a company. It creates an audit trail, issuing alerts when company employees venture into unauthorized territory or fail to follow established rules for purchasing and procurement.

"As long as you are doing things that are within your responsibility there's no audit trail created. That way we're not Big Brother," said Joseph Sander, Consul's president and chief executive.

But when an employee in the purchasing department writes a check to an unauthorized vendor, Consul's software alerts company executives, telling them who signed the check and who received it.

The company's clients include the Philadelphia Stock Exchange, the Kroger supermarket chain and Office Depot.

The clients, working with Consul, set up their own rules of engagement, specifying exactly who has access to what in the company. So the InSight software knows that a store butcher at Kroger has no company-approved reason to be searching health care documents concerning an employee in the bakery department.

The software can alert company executives to such breaches almost immediately, allowing companies to meet a real-time reporting requirement of Sarbanes-Oxley.

"It used to be that the CFO wasn't directly responsible for someone in Asia cooking the books because they had no knowledge of wrongdoing," Sander said.

The law has had another positive impact on the accounting industry: It has made studying accounting a lot sexier. "Our enrollment is up," said Linda M. Parsons, an assistant professor of accounting at George Mason University. Parsons said that the new interest comes from increased visibility of accountants and their marketability.

Richard J. Klimoski, dean of the university's school of management, added that increased attention on the profession has energized professors and researchers in the field as well. The business school has emphasized ethics in its established courses and is considering adding courses in forensic accounting and fraud in the coming school year.

Even beneficiaries of Sarbanes-Oxley, like Consul's executives, acknowledge that the short-run costs of complying have been high, although they argue that companies will benefit in the long run by better understanding and refining their business practices.

With all the money to be made in compliance, though, industry analysts say that some companies have entered the market, selling compliance tools that are faulty or bogus.

"What they are looking for is the unaware corporate buyer," said Jack Martin, the Passaic, N.J., publisher of the Sarbanes-Oxley Compliance Journal. "They are the scourge of this business."