Any product that
• truly enforces segregation of duties thereby avoiding conflicting responsibilities,
• has proper authorizations/workflow management in place
• Adequate management reporting capabilities
• Audit log capabilities
can be considered a compliant product.
Obviously, there are other internal control considerations. In addition, the many principles set down in COBIT or any other industry standard can be studied and applied to these products in greater detail. Besides this, the company’s control environment and risk appetite will also determine how many compliance features the product should ideally be ‘loaded’ with.