An Irish-owned company is targeting the regulatory compliance market with corporate governance and risk assessment software tools aimed at helping companies adhere to new financial reporting legislation – a market currently estimated to be worth US$5bn in the US alone.
Dublin-based TeamInfoSec was established three years ago by CEO Paul C Dwyer, who has a 15-year background in information security, computer forensics, hacking and risk assessment. The company has developed software tools to address the growing market for regulatory compliance.
Initially many companies affected by new legislation such as the US Sarbanes-Oxley Act, 2002, (SOX) turned to large consultancy firms to help them achieve compliance, but there is a growing willingness to invest in software – at far lower cost – to fulfil the same function. Data from the Information Systems Audit and Control Association (ISACA), a worldwide IT governance body, estimated that almost 80pc of companies would be willing to invest in a technical solution to become compliant with the SOX requirements, for example.
TeamInfoSec’s 404Audit.com product performs audits based on section 404 (Internal Controls) of SOX. Although certain companies in Ireland and Europe that deal with US firms may be obliged to comply with the SOX legislation, others may choose to do so voluntarily, Dwyer said. “Intelligent companies are staying ahead of the curve and doing the work now. If it’s happening in the US, it’s going to be happening here in the next couple of years.”
Part of the problem is that SOX legislation is subjective and open to interpretation, Dwyer claimed. To counter this, TeamInfoSec’s software uses intelligent risk assessment technology – for which it has a patent pending – in order to profile a company using statistical data. That way, two companies with the same turnover but operating in completely different fields would have different standards applied to them based on their exposure to risk.
Supporting its push into the SOX compliance market, TeamInfoSec hopes to establish a presence in the US by the end of the first quarter of next year.
Another product, 7799Audit.com, is for auditing and benchmarking an organisation against the internationally accepted BS7799 information security standard. It can also be used as evidence for compliance statements relating to section 45 of the Irish Companies Act, 2003.
The UK Government has decreed that all public bodies must be 7799 compliant and according to Dwyer, this will have a knock-on effect in Ireland. “People are not going to have a choice – it’s mandated.”
Using the TeamInfoSec software tools, organisations can perform their own self-assessment audits. This gives a fixed-price service that TeamInfoSec claims can greatly reduce the number of days required to carry out an audit.
“The current way with an audit is that you only know you’re compliant on the last day. With our software, you know when you are compliant at any time during the process,” Dwyer told siliconrepublic.com. He added that the software puts control of the auditing process back in the hands of the client. “You’re not reliant on consulting companies or at the beck and call of an external services provider,” he said.
TeamInfoSec recently signed Fujitsu Services as a partner to sell the 7799Audit software and provide risk assessment services around its implementation. The company is in discussions with a global distributor for its SOX tool and this deal, which will be exclusive, is due to be finalised shortly. The company is also considering a deal with a large multinational that wants to integrate features from 404Audit into a compliance product of its own.
TeamInfoSec is privately held and is being kept deliberately lean by outsourcing its marketing functions and by signing partners to act as its external sales force. “We’ve taken a ballsy strategic decision not to build a professional services side of the business. We can keep feeding the partners and there is no conflict,” said Dwyer.
The company is currently considering whether to establish a research and development facility in Ireland, having recently moved its headquarters back to Dublin from the UK, where Dwyer had been based.
By Gordon Smith