A company advised by former U.S. Attorney General John Ashcroft is selling software that detects internal fraud and helps companies comply with Sarbanes-Oxley (SOX) requirements.

D2C Solutions, founded as a consulting firm in 2000, reinvented itself as a software company one year ago. The company’s risk and compliance management software for ERP systems tracks user access to financial systems to make sure employees don’t gain unauthorized access that could let them commit fraud.

A typical purchase might have four steps: setting up a new vendor in a company’s financial system, cutting a purchase order against an approved vendor list, approving an invoice, then kicking off an accounts-payable transaction, says D2C President Waters Davis

If a single user has access to more than one of those steps, it increases the likelihood of fraud, he says. And, “if a single user had access to all of those steps, they could commit fraud singlehandedly.”

Many products solve this problem at the transaction level, identifying transactions that may conflict with others, Davis says. If a company has tens of thousands of transactions, this is “mathematically a very difficult problem to solve,” he says.

In addition to monitoring sensitive transactions, D2C’s software has patent-pending search algorithms that look at the access individuals have to financial systems.

“Unfortunately, it is common that there is unauthorized access to a single business area where a whole lot more people have access to creating business orders than a company understood,” Davis says.

D2C officials say they have about 10 customers in industries such as oil and gas, pharmaceuticals, and manufacturing, including some of the largest companies in the Fortune 500. Davis says he can’t reveal the names of D2C’s customers, who wish not to be identified because they use the software to solve security problems in their IT systems.

The product typically costs between $200,000 and $500,000, although the price can be many times that for large customers who implement D2C on an enterprise-wide basis, according to Davis. Some customers are using D2C’s software in tandem with other fraud detection products.

The need for corporations to comply with Sarbanes-Oxley has led to brisk business for risk and compliance management vendors. D2C’s competition includes OpenPages, Certus, MetricStream, and MKInsight.