With businesses stumbling as they attempt to comply with Sarbanes-Oxley regulations, software vendors are starting to cash in with products aimed at helping companies meet the stringent new regulatory requirements. What's more, many of the products are little more than existing software in a new package, which means there's little R&D outlay to hold down margins. "It feels like we are starting to make some money -- but not a ton -- in this area," says Chris Lochhead, chief marketing officer of Mercury Interactive ( MERQ). Until now, many businesses were using what Lochhead calls "brute force" to meet compliance deadlines, solving the problem with existing software or even by hand. But now that many companies have done what they've had to in order to comply once, they don't want to use the same laborious approach year after year. With demand expected to rise, Mercury expects to release enhanced versions of products related to Sarbanes-Oxley by the end of the quarter. Similarly, Serena Software ( SRNA), which sells products to manage changes in enterprise applications, has been selling its existing software to help with compliance. But with demand surging, the company will roll out dedicated Sarbanes products this summer, said Sandra McKinsey, a senior product manager at Serena. It's not only software companies that are attempting to benefit from the Sarbanes-Oxley push. Storage giant EMC ( EMC) says its Centera storage system can add digital "fingerprints" to sensitive documents that determine who will gain access to it, how long it will be stored and when it can legally be destroyed. Centera was one of the company's fastest-growing products last year. EMC also sells an "email extender" used to track and store email messages that should be kept to meet regulatory requirements in the U.S. and in other countries that have their own corporate compliance regulations, said a company spokesman.
The provision of Sarbanes-Oxley causing the most difficulty is Section 404, which calls on companies to assess and, for the first time, report on the state of their internal controls, a system of checks and balances over financial accounting that are designed to prevent corporate fraud. In recent weeks, hundreds of public companies
have warned investors either that they have significant problems with their controls or that they won't be able to finish their reports in time to meet a mandated deadline. On Thursday, antivirus software maker McAfee ( MFE) filed its 10-K with the Securities and Exchange Commission, disclosing several material weaknesses in its financial controls, as did storage software maker Veritas ( VRTS). McAfee's misstep prompted analyst Gary Spivak of the Stanford Group to slightly lower his 2005 EPS estimate by 2 cents to $1.04 to reflect additional expenses needed to fix the problem. In the same note to clients, Spivak said: "If control weaknesses are widespread, this is good for Serena. The number of companies that have had filing problems this year is enormous." Spivak estimates that revenue related to Sarbanes-Oxley could bolster Serena's new-license revenue by about 10% by the third or fourth quarter of the year. Stanford Group does not have an investment banking relationship with Serena, and Spivak does not own any shares. Serena has had a good run for the last six months, appreciating by 33%, while the Nasdaq gained just 3%. Its shares closed Friday off nearly 2% to $23.30 amid the broad selloff in stocks. Even so, Gary Abbott of Merriman Curhan Ford believes Serena looks like "a viable short-sale opportunity," citing five factors, including last year's acquisition of Merant, whose technology he characterized as "old" and aimed at a mature market. Abbott also said, "Insider selling is rampant and management deflects this criticism by pointing to the 10b5-1 plan selling at predetermined intervals that is in place," and added that "secular growth is debatable." His company does not have an investment banking relationship with Serena.