MetaGroup SOX PDF

Sarbanes-Oxley and
Regulatory Compliance Issues

for IT Organizations
Note: The opinions, descriptions, and recommendations contained in this document may include
general or summary information about aspects of the Sarbanes-Oxley Act of 2002, and related
current or proposed rules, regulations, or standards of the US Securities and Exchange
Commission and national securities exchanges and associations. The information presented is
intended simply as an aid to your understanding of such rules and neither constitutes nor is
intended to constitute the provision of legal advice. We urge you to refer to the actual laws, rules,
regulations and/or standards, and to consult with legal counsel concerning your responsibilities, if
any, with respect to applicable provisions thereof.
Sarbanes-Oxley and Regulatory

Compliance Issues for IT Organizations
Contents
SECTION 1
The SOX Landscape
Chapter 1 The State of SOX
Compliance Efforts ............................................................ 1
Key Areas for IT Organizations ...................................................................................................... 3
Compliance Progress ........................................................................................................................ 4
Creating a Technology Blueprint .................................................................................................... 6
Maturity Levels ................................................................................................................................... 9
Investment Timeline ........................................................................................................................ 11
Creating a Governance Framework ........................................................................................... 12
Conclusions ..................................................................................................................................... 13
Chapter 2 Gauging SOX Compliance Maturity ...................... 15

Road Map ......................................................................................................................................... 17
Level 1: Building Awareness ......................................................................................................... 19
Level 2: Project Initiation ............................................................................................................... 20
Level 3: Project Execution ............................................................................................................ 22
Level 4: Performing an Assessment and Reviewing Results ................................................... 23
Level 5: Optimization/Continuing Compliance ........................................................................ 24
Conclusions ..................................................................................................................................... 26
Chapter 3 Developing Controls ................................................ 27

A Checklist for Compliance Services ......................................................................................... 27
The Impact of the PCAOB on SOX Compliance .................................................................... 29
Effective Controls = Reduced Audit Costs ............................................................................... 30
The Auditor Has Control .............................................................................................................. 30
Process Controls and COBIT ...................................................................................................... 32
COBIT Components ...................................................................................................................... 33
Management Guidelines ................................................................................................................ 33
Control Objectives ......................................................................................................................... 37
Performing a Health Check Using COBIT Framework .......................................................... 38
Information Criteria ....................................................................................................................... 41
IT Resources .................................................................................................................................... 42
Performance ..................................................................................................................................... 42
The Control Objectives ................................................................................................................ 43
Conclusions ..................................................................................................................................... 44
Chapter 4 Creating a Technology Blueprint ............................ 45

Becoming SOX Compliant ............................................................................................................ 46
Data Audit and Quality Assessment .......................................................................................... 47
Governance Structures and Practices ....................................................................................... 48
Enterprise Architecture ................................................................................................................. 48
Business Application Architecture .............................................................................................. 49
2004 META Group, Inc.
All rights reserved.

Security Systems .............................................................................................................................. 49
Data Archival, Retrieval, and Recovery ..................................................................................... 50
Administrative Controls ................................................................................................................ 50
Infrastructure Management Practices ......................................................................................... 50
Business Continui0ty Plans .............................................................................................................................. 51
The Compliance Technology Blueprint ...................................................................................... 51

Connecting Risk Management to ERP Systems ........................................................................ 56
Auditing Applications Back in Vogue .......................................................................................... 58
Conclusions ..................................................................................................................................... 61
SECTION 2
IT Best Practice Areas in SOX Compliance
Chapter 5 Security ..................................................................... 63
Security Provisions Within SOX .................................................................................................. 63
Getting With the (Security) Program ......................................................................................... 65
The Holistic Approach .................................................................................................................. 67
The Security Game Plan ............................................................................................................... 68
Mapping Security Control Objectives Into SOX ..................................................................... 70
Security Maturity Levels ................................................................................................................ 74
Level 0: Exploration ....................................................................................................................... 74
Level 1: Building Awareness ......................................................................................................... 74
Level 2: Project Initiation............................................................................................................... 74
Level 3: Project Execution ............................................................................................................ 75
Level 4:Assessment/Review of Results ....................................................................................... 75
Level 5: Optimization ..................................................................................................................... 75
Conclusions ..................................................................................................................................... 76
Chapter 6 Risk Management ..................................................... 77

The Role of Service Providers ..................................................................................................... 79
COBIT ............................................................................................................................................... 81
The COBIT Model .............................................................................................................................................. 83
COBIT Domains .................................................................................................................................................. 84
Insurance .......................................................................................................................................... 85
Conclusions ..................................................................................................................................... 86
Chapter 7 Architecture .............................................................. 89

The Accounting Information Systems Connection .................................................................. 89
Defining the Role of Enterprise Architecture ........................................................................... 91
Enterprise Architecture as Change Agent ................................................................................. 92
User Actions .................................................................................................................................... 96
Conclusions ..................................................................................................................................... 99
Chapter 8 Records Management ............................................ 101

Records Capture Issues ............................................................................................................... 103
Beyond Technology, Training, and Marketing ........................................................................... 106
Understanding Technology Solutions ....................................................................................... 107
Records Management Requirements ........................................................................................ 108
ii

Enterprise Control Repository .................................................................................................................... 108
Integrated Workspaces .................................................................................................................................... 109
Process Management ........................................................................................................................................ 110
Conclusions ................................................................................................................................... 111
Chapter 9 Asset Management ................................................. 113

Defining Goals and Objectives .................................................................................................. 114
Accentuating the Processes ....................................................................................................... 114
Political Issues ................................................................................................................................ 115
Action Steps: Identifying Critical Success Factors ................................................................. 115
Making the Project/Asset Management Connection ............................................................. 116
Evolving to an Asset COE .......................................................................................................... 118
Evaluating Asset Management Maturity ................................................................................... 120
Tactical Asset Management ROI ................................................................................................ 120
Mileage May Vary ................................................................................................................................................ 122
Strategic Asset Management ....................................................................................................... 123

Portfolio Management ..................................................................................................................................... 123
Developing Standards ...................................................................................................................................... 124
Conclusions ................................................................................................................................... 125
Chapter 10 Other Compliance Mandates

and Corporate Governance .................................................. 127
Beyond SOX: Financial Investment Companies and Registered Advisors ........................ 129
Basel II Accord ............................................................................................................................... 130
USA PATRIOT Act........................................................................................................................ 131
Governance Outlook Beyond US Borders .............................................................................. 133
Corporate Governance and IT .................................................................................................. 136
Other Compliance Activities ...................................................................................................... 138
Conclusions ................................................................................................................................... 141
Chapter 11 Compliance Issues for Vendors ............................ 143

Regulating Business and IT Service Provider Markets .......................................................... 143
Current Market Trends ................................................................................................................ 146
Impact on Next-Generation Offerings ..................................................................................... 152
Compliance and Outsourcing ................................................................................................... 155
Conclusions ................................................................................................................................... 159
Appendix A .................................................................................... 168

How Do I Achieve and Maintain SOX Compliance?
Appendix B .................................................................................... 199

Sarbanes-Oxley: How Can I Ensure True Success?
Appendix C .................................................................................... 223

How Do I Capitalize on Compliance?
iii

iv
Section 1
The SOX Landscape

Chapter 1 The State of SOX

Compliance Efforts
Although some key dates have been pushed back slightly, compliance with the mandates of
the Sarbanes-Oxley Act still loom large for most corporations. Compliance will require an
ongoing, continual effort. This chapter provides an overview of how organizations can better
understand compliance requirements and how they can develop an IT and services blueprint
that enables compliance and leverages the benefits of that effort.
The Public Company Accounting Reform and Investor Protection Act of 2002, better
known as the Sarbanes-Oxley Act (SOX), is on the agenda of nearly every publicly
traded company. It also applies to those firms that intend to go public at some point in
the future, as well as to others that are being pushed or pulled into adopting more
stringent financial controls and governance processes. Each of these firms is at risk for
being out of compliance. As a result, many firms have established SOX teams to address
the financial controls and accuracy of financial management processes.
These firms are seriously concerned that they do not have the appropriate financial
management reporting processes in place to comply with SOX. Compliance has a significant IT component. The required visibility into financial transactions, for instance, is
complementary to business performance management and enterprise resource planning (ERP) initiatives.
For example, if a process generates a financial transaction, the process must be documented back to the source of the transaction, and organizations must understand where
potential errors/risks may occur. As a result, firms are analyzing and evaluating financial
processes from the source of the transaction through the eventual report on a US
Securities and Exchange Commission (SEC) statement such as a 10-K or 10-Q report.
Depending on who is asked, SOX compliance is viewed as a scourge, a nuisance, a
necessary evil, or a full-time employment act for IT. No matter the perspective, what
makes SOX different is the heightened level of severity around non-compliance. CIOs
as well as other officers of a company can be liable for inaccurate information or insufficient internal controls, with the possibility of fines or prison sentences.

In April 2003, HealthSouth Corporation CIO Kenneth Livesay pleaded guilty to conspiracy to commit wire and securities fraud and to falsifying company financial information filed with the SEC. Methods included: 1) overbooking reserve accounts, which
could later be bled out into revenue; 2) creating fictitious entries in the computerized
fixed-assets system known as AP summaries; and 3) overstating intangible asset accounts, or goodwill, according to the statement. The company terminated Livesay after
he entered his guilty plea in the US District Court. Former HealthSouth CEO Richard
Scrushy, meanwhile, is the first person to be indicted under SOX, though his legal team
is arguing over SOX legality in this instance.
The fact that a CEO and CIO are being prosecuted highlights that there is indeed, a
trickle-down effect of SOX and executive culpability. Although CIOs are not specifically mentioned in the SOX legislation, they can face personal prosecution if they are
suspected of complicity in attempts by their companies to violate the act.
As devastating as potential incarceration could be to top corporate executives, the
negative effects for cited corporations devaluation of debt and equity, erosion of
reputation and market share, increase in the cost of capital, and decline in revenues
could be even worse. The compliance issues and looming deadlines of SOX, Basel II, and
the USA PATRIOT Act, to name a few, demand CIOs have an action plan and conformity program in place to ensure compliance. All major corporations and their executives, regardless of nation of origin, must prepare themselves for the greater regulatory
oversight and overhead that will result from ongoing improprieties by a growing handful
of miscreants. It is important that CIOs understand the regulatory environment and
associated industry requirements and that they comply before key provisions of government laws and regulations are enacted.
Although the SOX extension provides companies with a June 30 fiscal year more time
to ensure proper compliance measures have been taken, it also enforces our position
that the SEC is serious in its attempt to restore public confidence and trust in the US
capital markets. For example, it is hiring large numbers of CPAs and auditors to monitor
SOX compliance. Firms that fail to comply will most certainly face enforcement action/
sanctions by the SEC.This extension does not diminish the importance of firms complying with Sections 404 and 409, which we believe will not be weakened for at least the next
five years, despite the many pleas of firms citing its implementation and compliance
costs. CIOs should not squander this grace period, given that many organizations are
The State of SOX Compliance Efforts

already lagging in Section 404 compliance. The SECs decision confirms the seriousness
of its intent that companies rigorously comply with SOX.
Chapter 1
SOX and related compliance mandates, then, will become permanent elements of business operating models organizations must address them. Handled correctly, compliance can be an enabler for beneficial business change. Beyond meeting the short-term
deadlines, a major part of the compliance effort will involve incorporating it into how
the organization operates infusing it into all aspects of the technical architecture and
examining how all IT products support that effort.
Key Areas for IT Organizations

The fundamentals of SOX compliance include the following:
Management is required to make an annual assertion regarding the effectiveness of

its internal controls over financial reporting. Compliance for most domestic clients
will be for the fiscal year ending on or after June 15, 2004.
Internal controls must be documented and tested, and management must be able to
demonstrate support for its assertions to auditors and regulators.
The external auditor will attest to managements assertions and include a report in
public filings regarding the results of the attestation.
Management must utilize a framework such as the COSO internal control framework for assessing its controls and making its assertions.
Management must disclose in its quarterly Section 302 certification any material
changes in internal control over financial reporting.
Although there are literally hundreds of provisions contained within SOX, a few are of
particularly critical importance to the IT organization. These include the following:
Section 404: This mandates that corporations provide an annual assessment as to

the effectiveness of internal controls in financial reporting, as well as obtain an attestation from external auditors that the controls are effective.

Section 302: This instructs that officers of the company must make representations
related to the disclosure of controls, procedures, internal controls, and assurance
from fraud.
Section 906: This states that the 10-Ks, 10-Qs, annual reports, and periodic reports
containing financial information comply with SOX and represent an accurate picture
of the firms financial condition.
Section 409: This requires that corporations disclose to the public on a rapid
and current basis material changes to the firms financial condition (see Chapter
4 and Appendix A).
ITs role here is twofold. First, it must support enterprisewide compliance around the
key sections indicated here. Second, the CIO must ensure that IT has its own house in
order, with adequate and documented controls around security, application deployment, change management, and other areas (see Section 2).
Compliance Progress
The role of IT in internal control is extremely important, visible, and critical to the
financial reporting process. Section 404 of SOX goes beyond requiring companies to
establish and maintain an adequate internal control structure; in fact, companies now
must assess (and report) effectiveness on an annual basis.
Internal control is defined within US auditing standards as a process, effected by an
entitys board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations

Reliability of financial reporting
Compliance with applicable laws and regulations
SOX mandates an evaluation of internal controls over financial reporting by management. It also requires attestation of that assessment by auditors. Accelerated filers (large,
publicly traded firms) are now required to comply for fiscal years ending on or after
November 15, 2004. Small business and foreign private issuers are required to comply
for their fiscal years ending on or after April 15, 2005. There is also a requirement for
financial records program management with a specific compliance deadline of 2004.

SOX mandates an effective records retention program (storage, archiving, retention, and
retrieval processes and policies) covering records and work papers relevant to the audits
and reviews of financial statements, with a formal compliance date of October 31, 2004.
Chapter 1
Our discussions with clients about SOX concerns reveal that many firms have initiated
business process audit projects (around targeted business applications), often with the
assistance of a compliance/audit vendor. As firms gain a better understanding of their
business processes, many will initiate financial ERP and business intelligence/business
performance management projects to address issues arising from this audit process
(but we believe these projects will be initiated after a firm has successfully completed
Section 404 compliance activities).
Many firms can achieve compliance by configuring existing functionality (e.g., workflow)
in integrated suites they already own and enabling new components (e.g., expense management) that may have pre-existing integration to their solutions.Although new licenses
will be purchased (e.g., business performance management [BPM], expense management, portals, new user licenses for existing software), a larger impact will center on the
need for professional services to integrate the solution and coordinate the appropriate
change management efforts to enable its use.
SOX practically impacts financial management expectations for nearly all companies.
Compliance with SOX is a long-term objective with potentially shifting goalposts. The
Public Company Accounting Oversight Board (PCAOB) is charged with building the
actual requirements of SOX. While the board has stated it wants to produce some
results by the end of this year, it is more likely a two-year effort (minimum) to rewrite
the audit standards for public companies, though some initial pronouncements around
audit standards were made available in March 2004. It has also commented that the
current standards have little to no value, so we can expect significant change from the
current standards. Enterprises investing significant money to meet the standards used
by audit firms prior to that rewrite may be wasting a lot of money. Initially, minimum
compliance may be an important strategy, though ultimately organizations should seek
to gain maximum SOX compliance levels.
Although the act affects publicly traded companies with a public float of more than $75
million, SOX will have an impact on private companies and smaller organizations as well.
Larger customers or suppliers may dictate compliance as part of an ongoing relationship.
Likewise, companies that are looking to obtain financing or insurance may also need to

demonstrate some level of compliance. Overall, the compliance bar is being raised, for
both US businesses and international firms conducting business in the US.
Meanwhile, firms both directly and indirectly affected by SOX are making progress with
improving internal controls. Recent META Group research indicated that 42% of nonSOX-targeted companies plan to evaluate internal controls.Among companies that have
specific compliance issues, research indicates the following:
35% rely on a compliance vendor to help with the effort, and 41% are doing it alone
71% are on track with compliance efforts, and 21% are struggling
59% are in the process of defining a technology blueprint
49% see SOX as a necessary evil, but 39% believe that it will improve the enterprise
Top Preferences for SOX Solutions
Consolidate ERP instances: 6%
Replace legacy ERP solution: 2%
Upgrade to latest version of current ERP solution provider: 8%
Turn on existing (already purchased) functionality: 11%
Implement commitment control: 7%
Enable workflow: 14%
Examine security: 13%
Move from point solutions to integrated enterprise apps: 7%
Evaluate/implement BPM: 15%
Evaluate/implement internal compliance dashboards: 15%
Evaluate/implement investor portals: 3%
Creating a Technology Blueprint

SOX compliance is a multidimensional effort, one that must cover programs to improve visibility/transparency; enhance financial controls, records retention, and communication; and provide for risk management and fraud prevention. Many of the tools that
will enable this effort are technology-related, such as enterprise software applications
and IT services.
Often, SOX compliance programs are led by the chief financial officer (CFO), though
increasingly an enterprise chief compliance officer (CCO) or similar role is leading.
The compliance effort, then, represents an opportunity for the CIO to assist the CFO

and/or CCO and bolster the standing of IT within the organization as a whole. Management cannot ensure compliance without understanding how IT becomes compliant.
Without interaction between IT and business people, efforts to document controls or
processes will simply not work.
Chapter 1
This heightened level of coordination and cooperation that we recommend is a marked

departure from previous compliance efforts, which were typically handled by the auditing
group or other discrete staff. Increased reliance on IT functions to establish and maintain
compliance also means the CIO must develop a technology blueprint, as various SOX
requirements leverage different enterprise application portfolio components.The CIO has
to be part of the core SOX task force to communicate how technology can support
enterprise SOX efforts and how it can be circumvented without the right IT systems in
place. The CIO should also be involved because IT has its own compliance effort.
By the same token, auditors are not IT people. They will focus on risk management and
process control generically. This creates a disconnect. Translating process controls suggested by auditors can be a daunting task. Likewise, IT may have a well-developed architecture, but without proper process controls around risk management, for example.
This represents another issue in the ongoing need for IT and business alignment.
A SOX technology solution is more than a Section 404 risk management tool.Yet most
firms will employ a technology architecture, including leading business applications as
well as legacy solutions, to meet many of the financial control requirements outlined in
the act. Research inquiries increasingly are focused on identifying the technology components and how they contribute to an enterprise SOX initiative. Ultimately, a blend of
data- and content-driven solutions will be used. In many cases, firms are surprised when
they learn that much of this software is made up of tools or solutions they already own,
which may be leveraged in ways not envisioned. We believe a typical SOX technology
profile should consist of a number of components:

SOX Technology Blueprint
Risk assessment tools: 10% of effort

Sections 404 and 302
Content, process, and program management
Transactional solutions: 60% of effort
ERP/best of breed: 50%
Better configuration, workflow, and instance consolidation
Records management and retention: 10%
Section 802
BI/BPM/portals: 30% of effort
Sections 302, 409, and 906
Performance management, consolidations, and internal/
external portals
Compliance dashboards
Data audits and cross-system/process audits
Data and content-based solutions

Risk management/Section 404 management solutions (10% of effort): These

tools should be considered a blend of content, program, and business process management that firms can leverage to: 1) document business processes; 2) provide an
assessment following the Committee of Sponsoring Organizations (COSO) framework; 3) communicate enterprise SOX readiness (possibly through an internal compliance portal) and workflow; 4) build or store process diagrams; and 5) provide the
periodic assessment of financial controls required under Section 404.
Transactional ERP/best-of-breed financial management solutions (50% of effort): Although many firms have implemented leading financial ERP solutions, most
need to revisit configuration of these solutions and implement critical financial controls (e.g., spend management, subscription-based revenue recognition) that are critically linked to workflow in support of required approval/authorization processes
within an end-to-end process. Firms that operate on legacy and custom financial
applications are unlikely to support SOX enablement without significant, expensive,
or unavailable rewrites.
Records management and retention (10% of effort): Section 802 requires that
firms retain all records relevant to the audit and review processes for at least

seven years and that these records not be deleted, altered, or otherwise manipulated during this retention period. For many firms, policies already exist for records
retention and records management (especially in regulated industries). Recently, there
has been clarification from the SEC that these records should also include businessrelated exchanges between parties involved in the audit process that occur using
electronic mediums, such as e-mail, instant messages, or internal chat rooms.
Chapter 1
BI/BPM (30% of effort): Firms will need solutions that can provide visibility and
transparency, while also managing and automating the results and consolidation process across a decentralized enterprise. This is an area where solution and tool decisions must be made from a strategic business intelligence (BI) infrastructure perspective (i.e., choosing a BPM tool that can leverage existing BI investments in reporting, OLAP, data warehousing).
Beyond these application areas, the portions of the IT organization that will play a significant role in compliance efforts include infrastructure and security (see Section 2).
Maturity Levels
As part of developing a SOX blueprint, organizations must look beyond tactical SOX
compliance and focus strategically on leveraging SOX investments. Requirements
for products and services will vary and evolve as efforts mature, shifting from services to a product focus.
For the IT group to effectively participate in the SOX initiative, it must understand the
maturity level or stage of the SOX project and how it can help. SOX projects must be
effectively managed through the following phases, with the IT group playing a strategic role:
Exploration (Level 0): Currently, we estimate that 5% of SOX-affected firms are at

this stage (rolling out through June 2004, depending on fiscal close date), and they
may be considered SOX tardy or immature. The majority of these firms would
have fiscal closes during January-May and will not be required to demonstrate Section 404 compliance until 2005.
Building of awareness (Level 1): We estimate that 10% of affected firms are at this
stage (which will go through September 2004). This is where the enterprise SOX
project is being defined and resources are being identified/sourced for the expertise
to manage the Section 404 process.

Project initiation (Level 2): We believe 15% of firms are currently at this stage with
SOX initiatives, and this phase will go through December 2004. This is where the
formal enterprise SOX project has begun, and the IT group must participate by
sharing documentation (including the creation of new documentation, where absent)
and ensuring that appropriate governance processes are in place.
Project execution (Level 3): We estimate that 60% of firms are actively involved in
executing their internal control projects, given the rolling compliance date (through
June 2005).This is the execution of the internal control project, through the internal
control documentation, risk mitigation, and assessment processes.
Performance of assessment/review of results (Level 4): We believe 10% of firms

are at this stage, and work on identifying the business processes will continue through
April 2005. The assessment process will be ongoing (SOX does not go away), and
firms must decide how frequently and deeply they delve into business processes.
Optimization/continued compliance (Level 5): Few firms, if any, are at this stage,
and for most, this will begin after the initial Section 404 compliance date (June 2004
and ongoing). This is where many firms can (and should) leverage the cost of SOX
business case and improve weak or insufficient areas of compliance.
Level
10
Stage Description
Where Is the
Market Today
Market Timing
Exploration
5%
1/04-6/04
Building of Awareness
10%
1/04-9/04
Project Initiation
15%
1/04-12/04
Project Execution
60%
1/04-6/05
Performance of
Assessment and Review
of Results
10%
1/04-4/05
Optimization and
Ongoing Support
0%
12/04-Onward

Chapter 1
Investment Timeline
Many organizations have already made significant investments in time and resources to
develop compliance programs. At this point, organizations now are investing in some of
the tactical tools they will need for compliance, primarily Section 404 tools that can help
with process mapping, reporting, and creating an environment where reporting can be
evidenced back to the auditor.
SOX Investment Timeline
SOX
Deadline
Pushed
Scoping
Tactical
SOX
Compliance
ERP/FMS
Upgrades
Process
Transformation
Regroup
1H03
2H03
1H04
2H04
1H05
2H05
Business and
Audit Services
IT Services
Content and
Collaboration
ERP/FMS
BI/BPM Portals
Point
After the initial compliance deadlines are met, a period that will occur from the middle
of 2004 through the middle of 2005, organizations will need to regroup and examine
investment requirements over the longer term.
On the other side of the coin, it will take time for vendors to embed SOX-relevant
capabilities into ERP or financial management system solutions. Such enterprise applications are by nature large in scope. Enhancing workflow or reporting, consolidation, and
other functions is a long-term effort, in terms of both development and upgrade cycles.
Most of these will not appear before 2005.
11

Creating a Governance Framework
From an IT perspective, a global and consolidated approach to corporate governance
will yield consistency, savings, and additional leverage over disconnected/disparate approaches. In a recent META Group study, only 46% of respondents indicated that their
SOX compliance efforts were coordinated and integrated with efforts to meet other
regulatory requirements (e.g., HIPAA, Basel II, GLBA).
Although each compliance mandate has different requirements and elements and not all
are equally applicable across all organizations, a need still exists to coordinate and leverage efforts wherever possible on a global basis. This coordination can reduce the overhead associated with gaining and evidencing compliance (including leveraging existing IT
investments such as content management and analytic applications), and it can help ensure that organizations are practicing sound corporate governance and risk management practices enterprisewide and globally.
The corporate governance paradigm includes the following critically linked disciplines:
Regulatory compliance: This ensures compliance to global regulatory demands

and establishes a cost-effective approach (with the identified opportunities for
releveraging corporate infrastructure including IT).
Performance management:This supports a KPI/metrics-based approach, including closedloop planning and reporting for managing top-down and cross-business area performance.
Risk management: Risk management establishes an enterprise approach for managing financial, operational, compliance, and reporting objectives. It includes a codified
process for the identification and assessment of risks in achieving specific corporate
objectives (also including usage of the COSO framework to manage SOX projects,
as well as COBIT for IT governance), applying frameworks to achieve competitive
advantage, and determining sense-and-respond processes for risk. In addition, it includes understanding and managing the risk appetite for a firm.
Ethics management: This supports enterprise strategies around a code of ethics,

including internal and external processes concerning disclosure and communications.
The important point to remember as part of all these efforts is that compliance is an
ongoing, dynamic process. Once the initial work of SOX compliance is completed, orga-
12

nizations must focus on moving to an optimized level of internal control that improves
the efficiency of the entire process.
Chapter 1
At its logical extreme, SOX affects just about everything within an organization ERP,
supply chain, procurement, partner relationships. What happens if a key supplier gets
downgraded and its bonds become junk bonds, thus putting supply of a key raw material
at risk? Compliance can become that complicated an issue. So while basic goals are
important, developing a program that looks at all compliance initiatives is critical. The
good news is that the effort should provide greater visibility into organizational processes and supply chains. Exploiting these improvements will help turn the compliance
effort from a necessary evil into a potential competitive advantage.
Conclusions
Exploiting SOX and related compliance efforts residual benefits is key to improving competitiveness.
SOX compliance will represent a baseline in overall compliance initiatives.
The CIO must develop techniques to leverage IT as part of improving compliance initiatives.
A technology blueprint should be developed that addresses programs to improve

visibility/transparency; enhance financial controls, records retention, and communication; and provide for risk management and fraud prevention.
SOX compliance is about process, not just products. Organizations have already
invested heavily in the IT products most relevant to SOX compliance efforts, especially short-term tactical requirements. Changes to enterprise software will occur
over a longer period of time.
While spending and development may experience a brief lull after initial compliance
efforts, annual evaluations and organizational evolution will demand ongoing support.
Regulatory compliance efforts should be considered in the context of an overall

corporate governance initiative. Organizations should designate a chief compliance
officer (CCO) to spearhead the compliance effort.
Organizations thinking about SOX must shift from seeing the process as a cost of
compliance to considering it as a lever to do business more effectively.
13

14

Chapter 2 Gauging SOX Compliance

Maturity
Sarbanes-Oxley (SOX) compliance efforts involve multiple participants, dimensions, and phases.
Organizations must define a holistic road map for tactical and strategic compliance that
captures all required elements and that measures and tracks progress, maturity of capabilities, and benefits achieved over time all of which is discussed in this chapter.
SOX compliance, along with adherence to other regulatory dictates (e.g., HIPAA, USA
PATRIOT Act, GLBA), will have a permanent effect on the operations of virtually all
organizations above the level of small business. Even private/non-profit firms and public
companies below the $75M cutoff are being affected.
Affected organizations must define and implement comprehensive compliance and risk
management strategies and programs that address these regulatory mandates independently and collectively seeking leverage in compliance efforts wherever possible.
However, most Global 2000 organizations are addressing compliance, even for SOX
alone, in a piecemeal fashion.
The Public Company Accounting Oversight Board (PCAOB) has proposed standards
for the internal controls required for SOX Section 404 compliance, to be effective June
15, 2004.This due date has recently been pushed to fiscal YE04 for affected organizations.
It has mandated professional auditor certification requirements and created uniformity
in currently disparate compliance/auditor practices. The draft (An Audit of Internal
Control Over Financial Reporting Performed in Conjunction With an Audit of Financial
Statements) outlines a broad range of internal controls, including the level of required
business process or systems documentation, and proposes an extensive audit process.
This gives independent auditors a wide range of authority for the design, testing, and
evaluation of internal controls.
This directive has broad implications for an organizations SOX compliance efforts, impacting enterprise applications (e.g., ERP, CRM, supply chain management, business performance management/business intelligence), security, and systems integration as firms
tighten up financial controls, with full impact, or cost of SOX, being understood when
firms are well along with their Section 404 exercises.The directive exacerbates a current
state we see in many organizations: underestimation of the level of effort required to
gain and exhibit SOX compliance.
15

The PCAOBs move should help dissuade organizations from positing that the enforcers
of SOX regulations lack teeth or that they are losing interest. In addition, most organizations still have substantial efforts ahead of them to address other requirements of other
major sections (e.g., 409 [disclosure], 302/906 [certification], 802 [records management]).
Although certain mandates (e.g., SOX Section 404) will take precedence, given the time
frames and penalties for non-adherence, organizations must quickly move to develop
broader enterprisewide efforts, often using SOX work as the template and guideline.
The Public Company Accounting Oversight Board
The Public Company Accounting Oversight Board (whose acronym, PCAOB,

is sometimes affectionately pronounced "peek-a-boo") is a private-sector, nonprofit corporation, created by the Sarbanes-Oxley Act of 2002, to oversee the
auditors of public companies. Its stated goal is to "protect the interests of
investors and further the public interest in the preparation of informative, fair,
and independent audit reports." Given its recent rulings, however, which provide
external auditors great latitude in scrutinizing clients SOX compliance
adherence, the group has emerged as a marked benefactor to these auditors'
already burgeoning revenue streams.
There are multiple elements that an organization must address when defining a SOX
compliance program. Organizations must profile their current state and then track progress
over time across these multiple elements, which include the following:
Defining SOX program ownership, participants, and the overall program plan;
ownership for most organizations should ultimately report up to the chief compliance
officer or similar executive position
Defining compliance elements and metrics by section
Assessing current-state compliance levels by section
Defining a road map to move efforts forward, assess progress, and coordinate across
multiple initiatives
In addition to strong/defined ownership, organizations must deploy clearly defined
and adequately resourced SOX teams made up of finance, audit, IT organization, and
line-of-business professionals.A single controlling entity must exist to coordinate efforts
across multiple sections, including assessment of additional program plan elements.
16
Gauging SOX Compliance Maturity

Chapter 2
Additional Program Plan Elements
Other program plan elements that must be assessed include:
Understanding of overall requirements to meet SOX compliance
Strength of SOX leadership at the operational and executive levels
Maturity/comprehensive of the defined IT blueprint for SOX (see Delta

2555)
Adequacy of the current IT infrastructure to meet tactical SOX

requirements
Clarity and appropriateness of the external auditors role in SOX efforts
Adequacy of the budget for SOX compliance
Adequacy of processes to ensure audit committee involvement in audit or

service provider usage
Understanding by management of the need to leverage SOX investments

for greater competitive gain
Assessment of the overall strength of financial controls in place
Road Map
More than one year after SOX legislation was signed into law, its effect on improving
corporate financial accountability/visibility is unclear, especially given the fact that most
companies are still working to enable and evidence compliance. However, given the
creative nature of the corrupt or criminal executive mind, companies intent on bending
the financial rules will still be able to do so it may just take a little more work.
The immediate priority for organizations is to meet mandated SOX compliance deadlines, with the next major date being fiscal YE04. This involves solid project and program
management best practices and techniques (harkening back to Y2K efforts).
As they strive toward those deadlines, however, organizations should also be building for
the future. Organizations must look beyond mere tactical SOX compliance and focus
strategically on leveraging SOX investments. The first step is to gain compliance, but
organizations must also develop plans from the outset to maintain compliance on an
ongoing basis as well as to leverage it for greater competitive advantage and to exploit
the residual benefits that SOX compliance will deliver (e.g., greater process transparency, visibility, and control).
17

The improved visibility and transparency that gaining SOX compliance will enable, coupled
with an opportunity to clean the IT house (e.g., consolidate excessive ERP instances),
mean that SOX regardless of its impact on corporate corruption can enable organizations to become more nimble, flexible, and (if they evolve the business and operating
models to reflect it) more competitive. In this way, organizations can turn SOX compliance from a cost of doing business to a means of doing business better.
For the IT group to effectively participate in the SOX initiative, it must understand the
maturity level or stage of the SOX project and how it can help. Within the IT organization, this usually falls under the auspices of IT financial management or an IT governance/operations office that can support the various IT departments (e.g., applications,
development, data, security). Although the deadlines for many sections of SOX have
passed (e.g., Sections 302/906), most firms are in the Section 404 stages, where the
documentation and assessment of internal controls around financial management are
required. This will be effective from June 2004 through June 2005 since auditors must
provide an attestation that its clients processes are sound. (This range is important, as
compliance must be demonstrated as fiscal closes approach within that time frame.)
SOX projects must be effectively managed through the following phases, with the IT
group playing a strategic role:
Exploration
Currently, we estimate that 5% of SOX-affected firms are at this stage (rolling out through
YE04, depending on fiscal close date), and they may be considered SOX tardy or
immature. The majority of these firms would have fiscal closes during January-May and
will not be required to demonstrate Section 404 compliance until 2005. During this period, the IT group should not remain silent and should engage in the following activities
(even in advance of a formal enterprise SOX initiative):
Educating the IT group on the business and technical issues related to SOX
Evaluating the SOX impact on the IT group and infrastructure, including support
of business applications, IT financial management, and governance
Pre-evaluating the existing IT architecture, including controls around business

applications and security
Establishing an IT SOX team and communicating the need to link to upcoming

enterprise SOX initiatives
Building a SOX IT game plan to cover the previous steps
18

Level 1: Building Awareness
We estimate that 10% of affected firms are at this stage (which will run through September 2004). This is where the enterprise SOX project is being defined and resources are
being identified/sourced for the expertise to manage the Section 404 process. During
this period, the IT group can assist by supporting the following processes:
Identifying the appropriate role for audit firms or service providers and determining the access to IT business processes they will need
Evaluating the compliance service provider landscape, understanding the capabilities of the major players, and making a selection about who should be enlisted to
help (it is rare that a firm can do this solely with internal resources, and it is
unadvisable)
Communicating the role of IT (e.g., access to infrastructure, governance) to the

enterprise SOX initiative (in advance to of being told how it will fit in)
Chapter 2
At this level, the organization should also fulfill the following requirements:
We have a SOX task force in place. For this element, a firm must have completed
its core ERP implementation with all minimum interface requirements, and its business and IT resources should not be overly committed to ongoing geographic or
organizational rollout.
We have strong SOX leadership at the operational and executive levels. Enduser training is commonly shortchanged due to budget and time shortfalls.To achieve
par for this element, end users must have received sufficient training to allow them
to run basic ERP functions in support of business processes.
We have defined an IT blueprint for SOX. A compliance solution requires a combination of business processes and technology infrastructure. Although technology
can support many of the business process requirements, it is not the sole solution.
Instead, technology must be considered within the context of how it can work in
conjunction with financial, accounting, and other business processes.The technology
blueprint identifies where appropriate investments in technology should be made.
We have defined our external auditors role in our SOX efforts. The challenges
organizations face in interpreting external audit firms appropriate roles are exacerbated by the complexity and fluidity of SOX regulations, and the fact that SOX nonexperts in the rank and file of Global 2000 organizations are often being tasked with
driving SOX compliance efforts and selecting external service providers to help.
19

Organizations must also guard against the appearance of conflicts when using external auditors for additional services, even if that work is technically allowed.
We have allocated adequate budget for SOX compliance. Organizations must

leverage a portfolio management approach to allocate resources to areas where
non-compliance exposes the greatest risk. Once highest-priority compliance
projects are identified and funded, compliance teams must examine available resources and distribute them appropriately.
We have the adequate IT infrastructure in place to meet tactical SOX requirements. The CIO must guarantee that the SOX project is effectively supported for Section 404 business process documentation activities. This includes
the identification of where IT investment can be leveraged to ensure that business applications and IT infrastructure can adequately support SOX requirements
for an effectively managed and certified business process.
We have adequate processes in place to ensure audit committee involvement in audit/service provider usage. Section 404 internal control/risk management business applications are targeting management tools to help organizations
develop a plan to document business processes and risk areas, and to facilitate the
auditor assessment process at year end. Connectivity to ERP processes should
be enabled to evaluate adherence to documented controls in the assessment
process.
We fully understand the requirements to meet SOX compliance.
Management sees opportunities to leverage SOX investments for competitive gain.
Regardless of specific SOX compliance, we have adequate financial controls

in place.
Level 2: Project Initiation

This phase will extend through the period of initial compliance with Section 404. This is
where the formal enterprise SOX project has begun, and the IT group must participate
by sharing documentation (including the creation of new documentation, where absent)
and ensuring that appropriate governance processes are in place. During this period, the
20

IT group can assist by supporting the following processes:
Reviewing the enterprise SOX plan and proactively enlisting for all IT-related activities
Leveraging any existing work on IT governance (e.g., COBIT controls) and mapping them to the COSO framework (what an auditor or compliance consulting
vendor will most likely use to structure the Section 404 control project)
Assessing plan alignment with IT business processes/objectives
Selecting a risk management solution to assist in the internal control documentation, risk identification, and assessment phases (see Chapter 6)
Identifying where IT new governance initiatives can lead to improvement in IT

management and signing up (through project goals/objectives), where appropriate
Chapter 2
At this level, the organization should also be able to support and document the following
statements:
We can comprehensively aggregate financial data. If ERP is the software used

for the key applications that are the heart of the enterprise, this should be achievable. Even a partial ERP suite, including financials, order processing, and materials
management, would suffice. If legacy software is the backbone of enterprise applications, subsequent steps in building will be compromised because software configuration, rather than programming, is a key element.
Financial reporting details are readily accessible by executives. In a post-training mode, the end users are capable of fulfilling their functions without overwhelming levels of help desk assistance.
We can support frequent flash reporting. If IT operations around ERP are generally routine, this should be an obtainable goal. Note that firms in their first year of
ERP operations tend to score low in this regard because the notion of sufficient IT
resource is still in question.
Management has tools to drill down on accounting reports. Business and enduser staff will be primed for evolution only if existing operations are reliable.
We can routinely highlight key analysis areas based on tolerances and financial metrics. This indicates that business management is aware of how ERP drives
business processes related to business decisions.
21

We can segment reporting into material/significant elements.
Our firm possesses a strong financial mindset.
We have adequate visibility into any outsourced financial processes.
Level 3: Project Execution

We estimate that 60% of firms are actively involved in executing their internal control
projects, given the rolling compliance date (through June 2005). This is the execution of
the internal control project, through the internal control documentation, risk mitigation,
and assessment processes. During this period, the IT organization should focus on:
Granting access to IT controls, creating controls (if missing), and leading internal
IT assessments
Providing quality control and supporting enterprise initiatives
Identifying gaps in business applications, IT infrastructure (including security), and

governance
statements:
22
We have business-assigned business process ownership. Active ownership presumes that the business people do more than request or approve changes to
business processes and actually participate in those changes.
End users receive periodic refresher training. Periodic refers to quarterly or

semiannual formal training events or for individual users or a small group of
users a focused training session. In essence, the goal is to ensure that the enduser base keeps up with changes due to upgrades of business process evolution.
We have measures of our current KPIs. This presumes that the organization has:
1) identified the key performance indicators (KPIs) that will be used to guide
center-of-excellence efforts around business process improvement; and 2) measured current performance in that regard.
We have inventoried our application portfolio.
Business process improvement is a top priority.
Senior management sees a compliance center of excellence as the means to

improve results.
Our ERP infrastructure is flexible.
We have an acceptable level of data synchronization.
Chapter 2
Level 4: Performing an Assessment and Reviewing Results

We believe 10% of firms are at this stage, and work on identifying the business processes
will continue through April 2005.The assessment process will be ongoing (SOX does not
go away), and firms must decide how frequently and deeply they must delve into business processes. During this process, the IT group should focus on the following:
Establishing an ongoing (most will choose quarterly to match the 10-Q reporting
process) assessment process, including documentation reviews and risk mitigation processes
Ensuring that all IT controls impacted by SOX are being effectively executed to
achieve compliance
statements:
Business staff works directly with configuration staff.
End users are trained to business process roles.
An enterprise program management office (EPMO) directs major business

process change priorities.
We have targeted measurable KPI improvement.
Our KPI measurements are in the system.
Our enterprise application infrastructure is flexible.
Our application portfolio has been rationalized.
23

Level 5: Optimization/Continuing Compliance
Few firms are probably at this stage, and for most, this will begin after the initial Section
404 compliance date (fiscal YE04 and ongoing).This is where many firms can (and should)
leverage the cost of SOX business case and improve weak or insufficient areas of
compliance. Here, the IT group should do the following:
Recommend IT projects (e.g., business applications, security) to achieve better

compliance/efficiency; establish measures to identify and close performance gaps
Implement IT improvements to optimize compliance processes, improve effectiveness, and reduce risk
Ensure that an IT blueprint for compliance exists
Link SOX to other measures to ensure consistency across global compliance initiatives
Link IT to newly established corporate governance offices (there will be a trend

toward global corporate governance)
statements:
End-user performance is linked to business process performance. At this stage,

with end users already trained to their roles within one or more business processes,
the organization can monitor their performance not only in terms of the fulfillment
of business functions but also in terms of contribution to workflow and business
process fulfillment. Ideally, such performance monitoring will be linked to career
evaluation, bonus plans, and the like.
Business process changes are directed by KPI results. Key performance indicators
are closely monitored by the business process owners. Results provide direction
for continuing business process improvement, which can be enabled through
changes to the enterprise software configuration.
Business processes are continually reviewed and improved.
Our application portfolio has been optimized.
We have a highly adaptive infrastructure for enterprise apps.
Although organizations are in various stages of Sarbanes-Oxley projects, they must attempt to ensure that the IT group is adequately included as a supporter of enterprise
24

internal control projects.This includes jointly working to ensure enterprise internal controls are effectively linked and leveraged to IT systems/processes, and ensuring that IT
financial and governance processes support organization compliance. Regular progress
assessments are required, and organizations should track this progress by continually
updating their maturity toward completion of individual sections as well as collective
progress overall.
Chapter 2
SOX Maturity Matrix

The following SOX maturity matrix is based on META Groups SOX maturity assessment:
Compliance
Internal Audit
SOX Compliance Process
2
1
Section 802
Section 404
Result
Par
Section 409
Section 302/906
Source: META Group
25

Conclusions
26
Support of regulatory compliance efforts, including SOX, is a permanent element in

the risk management portfolio plan of most organizations. Defining, assessing, and
tracking the maturity of these efforts must become standard business practice.
SOX requires that firms have documented and compliant internal controls around
financial management processes. This includes ensuring that IT infrastructure (both
solutions and governance processes) have effective controls enabled. Firms must
ensure that the IT organization is effectively engaged throughout the enterprises
SOX initiatives, for which a proactive approach is required.
Organizations must apply solid project and portfolio best practices across SOX
compliance efforts to ensure adequate coordination, track progress and maturity,
and help ensure that the minimum requirements for compliance levels are met.
SOX has a major impact on the IT organization, including support for business applications and IT governance (including IT controls financial management and business processes). Engaging in active support of the enterprise SOX project is critical.
Developing Controls
Chapter 3
Chapter 3 Developing Controls

Although most organizations doing business within the US will be affected by Sarbanes-Oxley
in some way, their responses will vary greatly based on numerous factors. This chapter outlines how organizations can use internal and external resources to create and maintain the
process controls SOX requires.
We continually emphasize that Sarbanes-Oxley and related compliance mandates are
permanent elements of business operating models and must be addressed as such. SOX
and related regulatory compliance requirements do not go away and are never finished.
If anything, regulatory requirements will become more onerous over time. Given the
need to maintain ongoing compliance and permanently live by (and ideally exploit) its
dictates, organizations must invest in SOX support services and products from the start,
under the guidance of a strategic, flexible, and adaptive plan.Although requiring an upfront
investment, these efforts will ultimately lead to a more streamlined and cost-effective IT
operating environment. Such efforts will also occur in parallel with broader initiatives
(e.g., on demand business transformation outsourcing) to make IT services streamlined,
efficient, and stronger competitive enablers.
A Checklist for Compliance Services

The following are three classes of business and IT service providers offering SOX compliance services:
External auditors (e.g., Deloitte, Ernst & Young, KPMG, and PricewaterhouseCoopers
among the Global 2000)
Risk management firms (e.g., Protiviti, Jefferson Wells) that have audit and related
skills but do not actually perform external audit work
IT service providers (ITSPs) offering direct and indirect SOX services (e.g.,
BearingPoint, IBM BCS)
The first two groups also offer their own software tools (e.g., process analysis/management, repositories) to support SOX efforts. These tools vary in terms of capabilities and
sophistication and are generally provided in conjunction with larger service efforts. Long
term, most software solutions will come from enterprise independent software vendors (e.g., ERP, FMS, enterprise document management, portals, analytics) as SOX compliance becomes a core capability integrated into these applications.
27

The following service providers can play roles in SOX compliance efforts:
Education: All providers, especially external auditors, are actively providing advice/counsel
on SOX (meaning, interpretation, and impact).This is generally allowed under SOX regulations, as long as education does not lead to process redesign or other prohibited activities when performed by external auditors.
Business/financial process:
Assessment: Regulations generally (i.e., most of the time, but clients must understand and interpret regulatory caveats) allow all three service provider classes to
perform.
Design/redesign: In general, a clients external auditor is prohibited from performing this.
Attestation: The external auditor is required to attest to a clients SOX compliance.

Process change management:
Best practices/advice: This is allowed, but a clients external auditor generally is not
permitted to manage any financial/regulated process change-management efforts.
IT financial management systems:
Assessment: This is generally allowed for all three service provider classes to
perform.
Redesign: A clients external auditor generally is not allowed to perform this.
Application deployment: In general, a clients external auditor is not allowed to

perform this.
Application management: A clients external auditor generally is not allowed to

perform this.
Providing software application/tools: This is allowed, but a clients external auditor is

generally not allowed to populate a tool with specific content and best practices.
This highlights the complicated/regulated role external auditors play in SOX compliance.
Given its recent decision to maintain all business and IT services in a single entity, Deloitte
in particular faces regulatory challenges and complexities. The challenges organizations
face in interpreting external audit firms appropriate roles are exacerbated by the complexity and fluidity of SOX regulations and the fact that SOX non-experts in the rank and
file of Global 2000 organizations are often being tasked with driving SOX compliance
efforts and selecting external service providers to help with them. Organizations must
28
Developing Controls
also guard against the appearance of conflicts when using external auditors for additional
services, even if that work is technically allowed.
Chapter 3
Organizations must build SOX stipulations on external audit firms appropriate roles
directly into strategic sourcing and service supplier relationship management processes,
specifically addressing how decisions are made to direct work to auditors and who
must approve. In many cases, executive management and board audit committees must
approve these work assignments, but practically speaking, they will rely on the advice of
others in the organization (e.g., IT group, procurement) on what work to direct to which
service providers. Organizations must also pay keen attention to the process of managing relationships and handoffs among external audit and other service providers, potentially including audit firms hired to perform SOX-related work. All involved parties must
directly gain a clear understanding of SOX stipulations. However, in general, the following
constraints apply to external auditors:
Services external auditors cannot provide:
Performing managements role (e.g., making decisions, signing off on findings)
Designing compliance processes
Implementing financial systems
Auditing their own work

Services external auditors can provide:
Advice, education, and training
Diagnosing, but not fixing, regulated financial processes
Attesting to 404 compliance

So, how do you manage the required handoffs in a compliant manner? ITSP activities are
not specifically addressed under SOX regulations, but given the fact that these firms are
directly involved with designing, deploying, and managing regulated financial management
systems, they are (practically speaking) already affected by and exposed to regulatory
risk. This will, in particular, affect financial management systems process outsourcing/
transformation efforts given current inadequacies in outsourcers capabilities to provide
the requisite level of visibility into the processes to ensure SOX compliance.
The Impact of the PCAOB on SOX Compliance

The Public Company Accounting Oversight Board (PCAOB) has recently approved rules
that will govern how external audit firms assess Section 404 compliance.The PCAOB left
29

intact key elements that were originally proposed in its draft but also made many
clarifications about how SOX is to be enforced by external auditors. Although there
will be significant IT and non-IT costs borne by US companies (as well as foreign
companies and privately held firms), regulators and the PCAOB believe these costs
are a necessary investment to regain investor confidence/protect against fraud by
demonstrating that results are accurate and the financial process used in their creation
have sufficient internal controls.
The PCAOB has frequently acknowledged that implementation of the standard will entail significant costs, much of which will be incurred in the first year (Example: $4B revenue company with $6M-$8M of SOX-related spending in Year 1). This is clearly consistent with our studies that show that close to 40% of firms will ultimately improve business processes (and become more efficient). Still, organizations must understand these
rules of engagement and ensure that Section 404 projects are effectively supported by
enterprise financial control initiatives, including support from the IT group.
Effective Controls = Reduced Audit Costs

The PCAOB has emphasized the need for companies to develop objective and highly
competent internal audit departments. Many firms will engage a compliance service provider to enable a best-practice approach to SOX. We believe that this must also be
supported by the need for transparency/visibility, auditability, and an IT infrastructure
that can be leveraged to automate and effectively control business activity. The PCAOB
reiterated that the standard makes it clear that an effective internal audit function permits the auditor to reduce the work that would otherwise be necessary.When developing a business case for an internal control project or business applications that support
internal controls, it should be assumed that in its absence a firm can expect increased
costs from auditing services after the fact.
The Auditor Has Control

The new standard concerns the scope of the auditors work in an audit of internal financial controls. The auditor is tasked with evaluating managements assessment of internal
controls where the auditor must obtain a high level of assurance that the conclusion
expressed in managements assessment is correct. This requires firms to have an effective internal control documentation and assessment process in place. The auditor must
also obtain proof as to the effectiveness of internal controls over financial reporting,
including the use of business applications (and the governance of these processes) where
deployed. Auditors must obtain evidence about the operating effectiveness of internal
30
Developing Controls
controls for financial reporting, and this must be done/accompanied by an audit of the
companys financial statements.The auditor will need to test controls because the auditors
own work must provide the principal evidence for the his or her opinion on internal
controls as well as the effectiveness of the audit committee (within the enterprise) and
the 404 control effort.
Chapter 3
Size will determine the types/nature of control processes that will need to be in place
because internal control is not one size fits all. Accordingly, size and complexity of the
entity will determine the nature of control that is necessary (i.e., in smaller firms, or in
firms with less complex operations, the need for elaborate internal control systems will
be reduced).
Companies will need to concern themselves with material weakness and significant
deficiencies. Most will deploy the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) framework to help with the assessment of controls
and leverage the Control Objectives for Information and related Technologies (COBIT)
governance framework if this has been deployed (as many of the COBIT control
points map directly into COSO). If the auditor concludes that the audit committees
oversight of external financial reporting and internal controls over financial reporting is
ineffective, that is a strong indication of material weakness and, at a minimum, is a
significant deficiency. The auditor must issue an adverse opinion on internal controls
when a material weakness exists.
The PCAOB requires that the auditor test controls every year regardless of whether
the controls have obviously changed, because each years audit must stand on its own,
and the walkthroughs must be performed by the auditor because the objectives of
walkthroughs cannot be achieved secondhand. SOX controls must be continuously proved
and do not go away after the initial audit. However, we believe a strong control process
will help organize all the material in one place for the auditors, ultimately saving time and
audit costs. It is important to note that the internal audit committee must specifically
pre-approve all internal control-related services to be performed by the independent
auditor. A process to record and provide an internal assessment is critical.
The PCAOB clarified numerous items, including determining where walkthroughs of
financial processes are required by the auditor, the effect of a misstatement of financial
results, the effect of an ineffective control environment, and leniency for the inclusion of
entities acquired late in the year (at the auditors discretion).Walkthroughs (consisting of
31

a combination of procedures, including inquiry, inspection, observation, and a demonstration of performance) will be required for all major classes of transactions (formerly
all types of transactions as initially proposed) so efforts must be made during 404
projects to focus on major/significant processes. Walkthroughs are an important part of
the principal evidence that must be obtained by the auditor. There has been much concern about the effect of a misstatement; however, the PCAOB has defined its effect as
inconsequential if it were to have an immaterial impact on financial results. Still, firms
must evaluate all processes capable of generating a control inadequacy. If a firm has an
ineffective control environment, this would signal a significant deficiency. With entities
acquired later in the year, an auditor may choose to limit scope of the work to exclude
the entities testing of those internal controls.
Process Controls and COBIT

Processes are the components of a governance structure that enhance repeatability,
clarity, reliability, and security. However, many ITOs are uncertain whether they have
processes to cover all aspects operations or whether the processes they do have are
hitting the mark. As ITOs are driven to aid in the compliance effort, the focus on IT
processes is intensifying. CIOs are looking for ways to analyze the state of their processes and direction to improve existing processes while developing those that are
missing. Fortunately, existing governance models provide a framework for building a
complete set of robust, scalable, integrated processes to improve quality and efficiency.
Currently, IT auditors in more than 60 countries use COBIT to evaluate ITOs worldwide;
however, fewer than 10% of IT shops use this or any other framework for self-evaluation.
With the recent regulatory push swinging the pendulum back to highly process-oriented
ITOs, the use of COBIT as a checklist for IT process health is expanding rapidly.
COBIT is a public-domain (www.isaca.org/cobit.htm) framework developed by the Information Systems Audit and Control Foundation that outlines four domains (planning
and organization; acquisition and implementation; delivery and support; and monitoring)
composed of 34 major processes that expand into 318 detailed objectives (see Figure 1)
where ITOs must provide controls (processes) to enable a safe, reliable IT environment
for business. This framework can form the basis of a series of activities that help CIOs
develop a holistic set of processes with established measurement criteria, defined interdependencies, and reduced handoff ambiguity. All COBIT documents referenced here
are available as PDF downloads at the aforementioned Web site.
32
Developing Controls
Chapter 3
COBIT Components
The two COBIT framework components most effective for IT process health checks
are the Management Guidelines and the Control Objectives.
Management Guidelines
COBIT Management Guidelines provide a governance focus as a business aid to balance
IT risk and return. The IT governance approach links processes, resources, and information, enabling CIOs to leverage best practices into all facets of the IT organization (ITO).
For each major process, the guidelines provide the following:
A brief description of the process purpose, including the business goal it addresses.
For example, the business goal for the process Manage Projects is setting priorities
and delivering on-time and within budget. Savvy CIOs compile these descriptions
into a services list, cataloging for business the activities IT performs for or with the
business. In certain cases, these descriptions will need augmentation with information contained in the following areas of the guidelines to afford business an adequate
understanding of the IT work performed.
33

COBIT Domain Model and Control Objectives
The COBIT framework includes 34 processes categorized into four domains (Planning & Organization,
Acquisition & Implementation, Delivery & Support, and Monitoring) as shown in the framework diagram:
Business Objectives
COBIT
M1 Monitor the
processes
M2 Assess internal
control adequacy
M3 Obtain independent
assurance
M4 Provide for
independent audit
Information
PO1
PO2
Define a strategic IT plan

Define the information
architecture
PO3 Determine the technological
direction
PO4 Define the IT organization and
relationships
PO5 Manage the IT investment
PO6 Communicate management
aims and direction
PO7 Manage human resources
PO8 Ensure compliance with
external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality
Monitoring
IT Resources
Planning &
Organization
Delivery &
Support
Acquisition &
Implementation
DS1
DS2
DS3
DS4
DS5
DS6
DS7
DS8
DS9
DS10
DS11
DS12
DS13
Define service levels

Manage third-party services
Manage performance and
capacity
Ensure continuous service
Ensure systems security
Identify and attribute costs
Educate and train users
Assist and advise IT
customers
Manage the configuration
Manage problems and
incidents
Manage data
Manage facilities
Manage operations
AI1
AI2
Control Objectives for M4

Audit Charter
Independence
Professional Ethics and
Standards
Competence
Planning
Performance of Audit Work
Reporting
Follow-up Activities
AI3
AI4
AI5
AI6
Identify solutions
Acquire and
maintain
application
software
Acquire and
maintain
technology
architecture
Develop and
maintain IT
procedures
Install and
accredit systems
Manage changes
Each of the 34 process expands into specific control objectives, as shown here for the Monitoring Process
number 4 (M4). A paragraph description for each control objective describes the process requirements.
34
Critical success factors (CSFs) defining the consequential and observable organizational, technical, strategic, and tactical actions required for the ITO to achieve
process goals. They help define accountabilities for both IT and the business and
therefore indicate areas where governance principles might need to be defined. As
IT/business relationships mature, these success factors should form the basis of
overall IT governance. Distributed ITOs and those without mainframes will need to
review this area of the guidelines for appropriateness. Some of the statements contained in this COBIT section reflect ITs batch-processing history and are not applicable to all ITOs.
Developing Controls
Key goal indicators (KGIs) providing measures (lagging) indicating success of the
process in achieving its business outcomes, providing a safe, reliable, cost-effective
environment with integrity. Goal indicators address what needs to be accomplished
by the process.
Key performance indicators (KPIs) measure (leading) indicating capabilities and skills
and predict whether the process goals will be attained. Performance indicators address how well a process is performing. By combining the KGIs and KPIs into an
overall measurement approach, ITOs gain insight into factors important to business
continuity. However, few of these measures are useful as communication metrics
with the business. Their usefulness lies in their ability to granularly indicate where IT
may need internal process improvement.
A maturity model describing the process requirements from Level 0 (non-existent)

to Level 5 (optimized). They describe how well developed processes are while enabling pragmatic comparison and gap analysis between as-is and to-be-stated. As
described the following section, the maturity descriptions help CIOs pinpoint which
processes need to be addressed first to improve IT process health.
Chapter 3
The information criteria defining the information characteristics within the process:
Effectiveness: Information is relevant and pertinent to the business process and is

delivered in a timely, correct, consistent, and usable manner
Efficiency: The provision of information through the optimal (most productive and
economical) usage of resources
Confidentiality: Protection of sensitive information from unauthorized disclosure
Integrity: Information accuracy and completeness as well as its validity in accordance with the businesss set of values and expectations
Availability: Information is available when required by the business process, and

hence also concerns the safeguarding of resources
Compliance: Complying with those laws, regulations, and contractual arrangements

to which the business process is subject (i.e., externally imposed business criteria)
35

Information reliability: Relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to
users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations
These criteria should be used as signposts assisting CIOs in meeting outcome and performance measures (KGIs and KPIs) by flagging the importance of system and service
availability, pointing out integrity and confidentiality risks, noting where reliability, effectiveness, and compliance must be confirmed, and indicating process and operations where
cost efficiency is critical. Although ITOs easily determine many criteria, areas of confidentiality and compliance requirements demand business involvement. ITOs involved in
developing service-level agreements should pay particular attention to the information
criteria section of the guidelines because these are all subject to a level of perception
from users. Clearly defining levels of confidentiality, availability, etc. will make service
levels more valuable to both business and the ITO.
The following are the IT resources required by the process:
People: Staff skills, awareness, and productivity to plan and organize
Application systems: The sum of manual and programmed procedures
Technology: Hardware, operating systems, database management systems, networking, multimedia, etc.
Facilities: Resources to house and support information systems
Data or information: Data objects in their widest sense (e.g., external and internal,
structured and non-structured, graphics, sound)
The resources required by each process are generally obvious, rendering this component of the guidelines least valuable for ITOs. Where this information can be used to the
ITOs advantage is as an education tool with business, if it is unaware of the complexity of
IT activities.
36
Developing Controls
Control Objectives
Control objectives are the link between the business goals and IT processes, developed
within the principles of business re-engineering (see Figure). They are stated as desired
business results achieved when the control objectives are fulfilled. A paragraph description for each objective, directed at IT staff members and business process owners, gives
the reader working documentation outlining the minimum activities required for success. They are the policy and practice of IT control.
Chapter 3
Manage Project Control Objective
A charter for the audit function should be established

by the organizations senior management. This
document should outline the responsibility, authority,
and accountability of the audit function. The charter
should be reviewed periodically to ensure that the
independence, authority, and accountability of the
audit function are maintained.
To answer the question How do we ensure adequate control over IT? business and IT
leaders can turn to the Control Objectives of COBIT. Not all organizations require the
same level of regulation to be effective and meet their goals. Reading the aforementioned
objective, some company leaders will adopt a complete methodology, embarking on
extensive project management training and template generation. Others will ensure that
MS Project is used on all projects over some financial or effort threshold. However, to
evolve to completely optimized processes, organizations will eventually incorporate mature
methodologies.
The detailed Control Objectives provide organizations with options. They should be
reviewed and the relevant ones noted and strived for. Some objectives will not be relevant for some organizations, and trying to achieve all the relevant objectives would
overwhelm young and small organizations. Practicality must be the rule when determining which and to what level of effort detail Control Objectives will be pursued. Ensuring
a business environment that is safe, secure, and reliable for business needs to be the
criterion businesses use when evaluating their use of this component of COBIT.
37

Performing a Health Check Using COBIT Framework
The steps subsequently outlined are aimed toward providing ITOs with a framework
within which to achieve best-practice processes. Organizations must proceed through
many stages of process development to reach that level of maturity, and the journey is as
important as the goal. ITOs build their culture and behaviors around how the work gets
done. Developing process maturity will require a culture change within the ITO. Savvy
CIOs recognize the value of setting short achievable goals for growth. Although these
recommendations focus on the ultimate goal of complete best practices, when using
COBIT (or any other framework) for process development, prioritizing processes, selecting an appropriate target maturity level, and focusing on one or two critical success
factors at a time will produce the best results.
We have developed a worksheet template (see Figure) to assist ITOs in performing a
process health check. The template contains all the information required to calculate
process health. CIOs should modify the control numbers (shaded columns) to reflect
interim goals, thus encouraging behavior change rather than providing a discouraging report showing very low process health scores for extended periods as the team works
to develop only certain components of a selected processes. Specific worksheet modifications will be recommended subsequently.
First and foremost, CIOs must ensure the ITO has a complete set of processes covering
all IT responsibility. The simplest way to accomplish this is to use the summary list of 34
processes as a checklist, with CIOs asking their teams: Have we defined an information
architecture? How do we determine our technological direction? and How do we
monitor our processes? These are broad, general questions, so if answers are not forthcoming, CIOs can immediately recognize deficiencies. ITOs should have some activities,
process, or processes in place for each overall process outlined in the guidelines.
It is not recommended to remove any of the 34 processes from the worksheet; however, those not in improvement mode may have the text grayed to indicate dormancy.
38
Developing Controls
Chapter 3
Health Check Worksheet
ID #
PROCESS
PO1
Max
170
0%
PO2

architecture
You Max
8
155
0%
PO3
Determine technological
direction
145
0%
5
5
7
8
2
3
1
4
15
3
195
175
0
0
0%
0%
PO4
Define the IT organization

and relationships
You Max
You Max
You Max
You Max
You Max
PO5
Manage the IT investment
9
12
PO6
Communicate management
aims and direction
Manage human resources
10
7
5
6
5
8
2
1
1
2
11
8
170
160
0
0
0%
0%
6
8
8
10
3
5
6
5
3
7
6
7
3
5
4
4
3
7
2
4
6
8
13
19
120
200
195
245
0
0
0
0
0%
0%
0%
0%
12
18
230
0%
17
230
0%
14
195
0%
160
0%
8
12
7
5
6
6
5
5
3
5
14
8
215
205
0
0
0%
0%
195
0%
12
230
0%
145
0%
9
10
6
9
5
6
5
5
9
8
5
9
5
5
5
1
3
5
2
2
13
21
3
3
220
275
130
145
0
0
0
0
0%
0%
0%
0%
11
11
7
4
6
6
2
3
2
3
5
8
165
175
0
0
0%
0%
8
11
7
12
6
5
6
5
6
4
7
8
7
11
8
5
1
1
4
5
3
2
2
4
7
5
30
6
8
4
165
290
140
225
170
0
0
0
0
0
0%
0%
0%
0%
0%
PO7
PO8
Ensure compliance with

PO9
Assess risks
PO10
Manage Projects
PO11
Manage Quality
AI1
Identify automated solutions
AI2
Acquire and maintain

application software
AI3
AI4
AI5
Acquire and maintain

technology infrastructure
Develop and maintain
procedures
Install and accredit systems
AI6
Manage changes
DS1
Define and manage service

levels
DS2
DS3

capacity
DS4
DS5
DS6
Identify and allocate costs
DS7
DS8
Assist and advise customers
DS9
DS10
Manage problems and

incidents
DS11
Manage Data
DS12
Manage facilities
DS13
Manage operations
M1
Monitor the processes
M2
Assess the internal control

adequacy
180
0%
M3
Obtain independent
assurance
210
0%
7
306
4
185
4
226
5
116
7
129
8
318
175
6400
0
0
0%
0%
M4
Provide for independent audit
0
34
0
306
0%
0%
0
170
0
185
0%
0%
0
226
0
116
0
129
0
318
Column Percentages
0%
0%
0%
0%
Average %
0%
For a process to be complete, it should include all the components listed as CSFs in the
Management Guidelines. Using the success factors as a checklist for each process, CIOs
can determine what percentage of factors their current IT processes meet.
The worksheet contains the number of CSFs for each objective in the Max column
under the CSFs heading. When an ITO is working on implementing a subset of the complete CSFs, the number being focused on should become the Max, or control number
39

in the spreadsheet. In the example that follows, if only the underlined CSFs were in place
or under development, the control number of CSFs for PO10 should be changed from
eight to five to provide improved focus on the interim goal (see Figure).
Critical Success Factors for PO10-Manage Projects
Experienced and skilled project managers are available
An accepted and standard program management process is in place
There is senior management sponsorship of projects, and stakeholders and IT staff

share in the definition, implementation, and management of projects
There is an understanding of the abilities and limitations of the organization and the
IT function in managing large, complex projects
An organizationwide project risk assessment methodology is defined and enforced
All projects have a plan with clear traceable work breakdown structures, reasonably
accurate estimates, skill requirements, issues to track, a quality plan, and a
transparent change process
The transition from the implementation team to the operational team is a wellmanaged process
A system development life-cycle methodology has been defined and is used by the
organization
This serves the following several purposes:
40
Beyond giving the CIO an understanding of process maturity, this information can
make benchmarking activities more fruitful. When comparing against external service providers, the ITO should expect the external provider to be at Level 3 maturity or above. Service level, cost, and quality can be more accurately compared when
the ITO has attained similar process maturity or factors into the comparison the
difference in maturity level.
Plotting maturity ratings for each process within (or across) domains on a Kiviat
diagram can help CIOs gain valuable insights into the interdependencies of processes.
A pattern of immature processes within a domain can indicate the need for processes improvement focused specifically within the domain (see Figure for a sample
Kiviat template for the Planning and Organization processes).
Maturity evaluation facilitates development of process improvement plans as outlined subsequently.
Developing Controls
Maturity Kiviat Diagram for Planning and Organizational Processes
Chapter 3
5
Manage Quality
Define the information architecture
3
Manage Projects
Determine technological direction
1
0
Assess risks
Ensure compliance with external

requirements
Define the IT organization and

relationships

Communicate management aims and
direction
Information Criteria
Handling information as outlined in the information criteria section of the framework
(see Figure) helps fulfill the processes intended quality, fiduciary, and security requirements. By comparing the primary and secondary criteria within the Management Guidelines with the current ITO process expectations, CIOs gain awareness of inadequate
emphasis paid to such things as confidentiality, compliance, and integrity. The percentage
of criteria met is one process health gauge.
41

Summary Table: Domains and Processes
P
P
P
S
S
P
DS1
DS2
DS3
DS4
DS5
DS6
DS7
DS8
DS9
DS10
DS11
DS12
DS13
Define and manage service levels

Manage performance and capacity
Identify and allocate costs
Assist and advise customers
Manage problems and incidents
Manage Data
Manage facilities
Manage operations
P
P
P
P
P
P
P
M1
M2

Assess the internal control
adequacy
Obtain independent assurance
AI3
M3
M4
P = Primary
S = Secondary
P
P
P
P
Information
S
P
Facilities
P
P
AI4
AI5
AI6
Identify automated solutions

Acquire and maintain application
software
Acquire and maintain technology
infrastructure
Develop and maintain procedures
Manage changes
AI1
AI2
Technology
S
P
P
Applications
P
P
P
People
Reliability
P
P
Compliance
Availability
Efficiency
P
P
PO5
PO6
PO9
PO10
PO11
Monitoring
Integrity
Effectiveness
S
S
S
S
PO7
PO8
Delivery and
Support
P
P
P
P
PO1
PO2
PO3
PO4
Acquisition and
Implementation

Determine technological direction
Define the IT organization and
relationships
Communicate management aims
and direction
Ensure compliance with external
requirements
Assess risks
Manage Projects
Manage Quality
Process
Domain
Planning and
Organization
Confidentiality
This chart indicates the information criteria affected by these processes and the IT resources involved.
S
S
P
P
P
S
S
S
S
S
S
S
S
S
P
S
P
S
S
S
P
S
P
S
P
S
S
P
P
P
P
P
P
P
P
P
P
S
P
S
S
S
S
S
S
S
S
P
S
S
S
S
S
S
S
S
P
P
S
S
= Applicable
IT Resources
Applying the right resources to a process is essential for success. CIOs can use percentage of resources in their ITOs process of those listed in the guidelines to evaluate this
component of the processes health.
The worksheet control numbers for the information criteria and IT resources required
for a process should not be modified, because these factors are realistic regardless of
the level of maturity or stage of implementation of a process or improvement activity.
Performance
Leading and lagging indicators (as listed within the KGIs and the KPIs of the Management
Guidelines) are evaluated by comparing them with existing measurements. Determining
42
Developing Controls
the percentage of measures in place will provide adequate indication of initial process
measurement health. As with the CSFs, not all ITOs will be in a position to measure
and monitor all these measures on every process. A target number of measures in the
outcomes (KGIs) and performance (KPIs) categories should be selected (one to two
measures each, initially), with more included as the ITO develops data capture methods and familiarity with monitoring them. The control numbers in the Max worksheet
columns should be modified to reflect the number of measures being monitored for
each process.
Chapter 3
The Control Objectives

Similar to the method of appraising process maturity by comparing the actions taken
within the ITO to those listed in the Management Guidelines, Control Objective descriptions provide CIOs documentation against which to compare process details. The number of objectives not met by the ITOs processes will indicate areas for improvement.
As previously indicated, detailed control objectives might not all be relevant for an ITO,
and as with several other components of COBIT, ITOs will not strive to achieve all
objectives until full process maturity is realistic. Control Objective selection, more than
any other area within COBIT, requires business involvement. The exceptions are processes within Delivery and Support internal to IT. These are the following:
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations
The worksheet control number in the Max column of the control objectives columns
should be modified to reflect the number of objectives the ITO is attempting to fulfill.
COBIT provides explicit guidance for all 34 high-level control objectives in the form of
navigation aids, which IT personnel and LOB users depending on their particular perspective should implement to organize and categorize control objectives according
to IT processes, information criteria, or IT resources.We believe COBIT provides more
43

high-level control processes/standards guidance than many standards models in use by
more than 50% of Global 2000 ITOs. COBIT incorporates the principles of many disparate models and methods. But after determining which IT processes are relevant to the
enterprise, it is recommended that the models and control methods incorporated by
COBIT be used. However, COBIT alone might be too generic to make the control
objectives operational. The following standards can be used in translating COBITs 34
high-level control objectives to concrete measures:
SEI Capability Maturity Model

System development methodology (SDM) for development
IT Infrastructure Library (ITIL) for service management
International Standards Organization (ISO) 9xxx for quality management
CCTA Risk Analysis and Management Method (CRAMM; see ED Delta 123)
IT security (ITSEC) and British Standard (BS) 7799 for logical and physical security
of data and systems
Conclusions
44
Organizations should leverage external service providers and their tools as needed to
gain minimal SOX compliance levels but focus efforts on building a long-term strategic
compliance model that leverages the new capabilities compliance will enable.
Organizations must review and understand the stipulations that SOX has on external
service provider usage especially auditors in gaining and evidencing SOX compliance and build them into service sourcing and management processes.
Business leaders whose CIOs focus on IT governance through process improvement will derive the benefits of business continuity, integrity, and agility that result
from complete, robust IT processes.
Leveraging the work done by IT auditors in determining process requirements to

enable business objectives, CIOs can quickly evaluate their existing processes and
develop holistic process improvement plans.
Chapter 4 Creating a Technology Blueprint
Chapter 4
Successful compliance efforts demand that the IT organization (ITO) frame and communicate enterprise-level process capabilities and deficiencies, demonstrate how technology may
be used to implement needed Sarbanes-Oxley (SOX) initiatives, and ensure that the internal
IT processes and controls that affect financial performance and reporting meet or exceed
those needed for compliance. This chapter discusses how the ITO can develop a technology
blueprint to address such issues, and link existing technologies to compliance programs.
At the core of Sarbanes-Oxley is the need to restore trust in the financial reporting
practices and controls in place at publicly held enterprises. Sections of SOX require the
CEOs and CFOs at such companies to:
Attest to the quality of the data reflected in financial statements and reports
Mitigate the risks inherent in financially related business processes and information
flows
Provide real-time alerts to key constituents of events adversely impacting financial

condition or operations
Understand the consequences of willful non-compliance (see Figure)
45

Abstracts of Key Sarbanes-Oxley Sections
Section 302: Corporate Responsibility for Financial Reports
Chief executive officers (CEOs) and chief financial officers (CFOs) must certify in each annual or quarterly
report to the Securities and Exchange Commission that they have personally reviewed the financial
statements and, based on such review, state that the report filed fairly presents all material facts that have
bearing on the financial condition of the company. The CEO and CFO are responsible for instituting and
ensuring adherence to controls needed for proper disclosure. In addition, these executives must stipulate all
significant deficiencies in the design or operation of internal controls that could adversely impact the
companys ability to report financial data, any weaknesses in internal controls, any fraud (whether or not
material), significant shifts in internal controls, and any corrective actions with regard to material
weaknesses.
Section 404: Management Assessment of Internal Controls
In addition to its annual report, management must submit an internal control report stating its responsibilities
to establish and maintain an adequate internal control structure and procedures for financial reporting, as
well as an assessment of their effectiveness relative to financial reporting. Further, the companys
registered public accounting firm shall attest to, and report on, the assessment made by management as
part of its regular audit activity.
Section 409: Real-Time Issuer Disclosures
Each publicly held enterprise must disclose to the public on a rapid and current basis such additional
information concerning material changes in the financial condition and operations of the issuer, in plain
English, as necessary or useful to protect investors and in the interest of the public.
Section 906: Corporate Responsibility for Financial Reports
Section 906 amends Title 18 of the United States Code to ensure that each Sarbanes-Oxley-mandated
report shall be accompanied by a written statement issued by the signatories stating that the financial
results and operations of the issuer are fairly stated. Whoever willfully certifies any statement or report that
does not comport with the requirements may be subject to fines and imprisonment.
Forward-minded organizations will use the mandates inherent in SOX to address needed
improvements in the enterprise, information, and technology architectures proactively.
By leveraging the skills and disciplines necessary to implement or enhance key enterprise-level systems to ensure SOX compliance, the ITO will be well positioned (and
should be encouraged) to bring about needed improvements to the business processes
and procedures in place to collect, collate, verify, and distribute the information necessary for compliance.
Becoming SOX Compliant

Many senior IT practitioners focus attention on improving IT management controls on
an after-the-fact basis. As issues and problems surface, expedient actions are typically
taken to shore up, recover, and correct root causes to prevent recurrence. Due to the
volume of work in most IT shops and the belief that the activities to repair that which
is not broken are wasteful and potentially disruptive corrective activities are usually
planned for sporadically and seldom sanctioned to address inherent procedural or environmental flaws until they are disruptive. Going forward, it is our belief that the need to
be SOX compliant will transform such thinking from reactive to proactive.
46

In addition to the controls and processes usually examined during the annual planning
process (i.e., cost containment, sourcing, technical architecture review, and performance
improvement), SOX compliance requirements will force particular attention on reviewing and strengthening the adequacy and effectiveness of financial controls, systems, and
reporting with outside auditors. Such efforts by ITOs to make distinct connections among
business processes, information flows, management practices, and IT capabilities represent a significant departure from the role usually played by the ITO. If done well, however, the CIO and his or her organization will be well positioned to extend the ITOs role
as a partner capable of leveraging technology to mitigate business risk.
Chapter 4
To reach this desired end state, several key activities must be staged and completed.
Areas marked for detailed review of controls and procedures should include:
Data
Governance structures and practices (i.e., corporate and IT)
Enterprise architecture (i.e., manual and automated processes)
Applications and technology architectures
Security systems (i.e., automated and physical)
Data archive, retrieval, and recovery capabilities
Administrative controls (i.e., vendor, service provider, and asset management)
Infrastructure management practices (i.e., computer operations and communications)
Business continuity plans
Data Audit and Quality Assessment

SOX compliance efforts should begin with an audit of financial data and an examination of
how each critical entity is created, retrieved, updated, and deleted in the functional areas
that directly influence the completeness and accuracy of the companys financial reports
and controls. During this activity, the definitions of each key entity should be checked for
consistent interpretation and application. The formulas by which this data is calculated
should also be compared to ensure uniformity across business functions and processes.
An identification of job classes and individuals that have been granted both create and
delete rights should also be included in the data audit process to feed into the data
security review process. In addition, the number and location of the specific information
stores and the levels of redundancy associated with each key entity should be identified
during this phase of activity. As required, corrective actions should be taken to remove
ambiguity, eliminate redundancy, and improve overall data quality. For example, if one
business unit tracks available inventory as in-transit, received, stored, and outbound
47

prior to payment and resalable returns while another unit tracks only a subset of these
stages, the inventory level will neither be true nor reflected accurately on financial statements. Granting the ability to make adjustments to the data for more than one function
(e.g., distribution and manufacturing) or job class (e.g., warehouse management and procurement) exacerbates the problem and compromises quality.
Governance Structures and Practices
Sarbanes-Oxley will have an impact on improving governance structures and fortifying
internal controls within ERP and operational systems. Key factors that influence how
well this requirement is met include the ability to identify and mitigate risk and the need
for accountability relative to the acquisition, use, and disposition of assets. Weak governance structures can serve to hinder the ability of the organization to be SOX compliant.
From an IT perspective, this can lead to efforts to implement projects and technologies
that are not coincident with overall strategy or investor interest. As a result, resource
assignments may be unsuitable or technologies that serve to heighten rather than reduce
risk may be implemented.Working with the CEO, CFO, and other functional heads (e.g.,
general counsel, general auditor), the IT organization should ensure that oversight and
prioritization methods reflect objectivity and sound business judgment. With regard to
enterprises that have outsourced any or all of their financial practices or information
processing capabilities, it is important to note that Sarbanes-Oxley attestation requirements do not differentiate between those that are internally managed and those that are
outsourced. Therefore, to be compliant, organizations must have documentation, control, and visibility capabilities into outsourced financial processes to the extent that they
at least match the internal practices. However, since the primary document that
outsourcers provide to client auditors attesting to audited control procedures Statement of Accounting Standards 70 was not designed to provide evidence of SOX
compliance, CEOs and CFOs must direct that more in-depth control audits for outsource
financial processes take place. CIOs should be prepared to assist in such activity planning
to randomly test and validate results in their quality assurance/control environments.
Enterprise Architecture
To varying degrees, both manual and automated processes represent vulnerabilities to
SOX compliance. Processes that are long-lived may neither be properly documented
nor identified within the bounds of a single function responsible for effective execution
of assigned tasks (e.g., decision support for asset acquisition may be owned concurrently by finance, procurement, or operations). If the integrity of the processes and
interfaces (i.e., both upstream and downstream) are not well known or controlled, or
48

have not been well tested, inherent flaws may not be identified and corrected until there
is an adverse impact on the accuracy or the effectiveness of reported of data business
operations. As such events occur they will have to be isolated, corrected, and reported
in periodic SOX filings. IT organizations that conduct proactive reviews of processes and
linkages should strive to uncover the means by which vulnerabilities may be shored up
and also look to redesign workflows, leverage existing process activities and resources,
speed the ability to process and disseminate data, and improve quality and decrease
costs within the ITO and across the enterprise.
Chapter 4
Business Application Architecture

Enterprises have multiple business applications with layers of complexity that are inherently vulnerable and pose a significant threat to financial data and reporting integrity.
Flaws in system interfaces and controls may result in improper or incorrect transactions
that may either inflate business or functional performance (e.g., revenue, receivables) or
mask operating vulnerabilities and deficiencies (e.g., erroneous carrying cost exposure,
payables). Other defects (e.g., credit processing, return authorization) may also be present
that enable fraud or theft and present a SOX compliance risk. Investments made in
equipment based on incompatible standards (e.g., enterprise wireless) may also present
risks relative to financial data accuracy, security, and operational performance. Technologies that require massive process redesigns (e.g., ERP, CRM) may result in processing
errors (i.e., both human and system) that compromise accuracy and performance. To
address these vulnerabilities, CIOs may have to reconfigure their environments and
revise the methods employed to select, implement, and deploy technology solutions.
Further, they should ensure that detailed risk-reduction steps are incorporated into
project plans.
Security Systems
To ensure SOX compliance, organizations should develop security plans that address
both the logical and physical needs of the business in all functions and at all levels. SOX
requires companies to deal aggressively with security flaws that may result in fraud or a
compromise of data accuracy. This spans from activities to ensure a segregation of duties between creators and deleters of requisite data (see previous section) to simulated computing hacking attempts to audits of physical assets at all sites. Reviews of these
areas should be done periodically (in ways that are consistent but not predictable) to
uncover inherent flaws and weaknesses in controls and reporting processes. The IT
organization should be proactive in supporting such efforts by properly maintaining and
operating key applications (e.g., fixed assets) and, if appropriate, providing guidance to
facility management regarding physical security devices.
49

Data Archival, Retrieval, and Recovery
Unauthorized or non-restricted access to key data, both physical and logical, may serve
to reduce data integrity and reporting accuracy. Such actions may also result in violations
of privacy laws or fraudulent activity. Examples of these types of violations might include
modifications to physical media or applications such as pricing (i.e., relative to prices,
discounts, and deals), accounts payable (i.e., in reference to payees, amounts, addresses,
etc.), inventory management (i.e., with regard to vendor preference and contract parameters), payroll and benefits (i.e., linked to employees, pay amount, commissions, incentives, deposit accounts, etc.), and so on. Effective data management practices should
include the ability to recover from both single and multisystem failures (especially for
data shared between and among platforms and applications). Timeliness measures included in Sarbanes-Oxley also point to the need for rapid recovery (i.e., Section 409).
Such capabilities rely on both the effectiveness of the interfaces and the completeness of
the operations procedures. Thus, internal and external audit reviews of the ITOs capabilities in this area are required.
Administrative Controls
Policies and practices surrounding vendor and asset management often contain control
weaknesses (e.g., procurement, fixed asset tracking, service-level monitoring). This is
largely due to the fact that such weaknesses usually lie on the cusp between functions
and shared responsibility which, more often than not, leads to process breakdown.
The IT organization can address this situation by building or enhancing software to capture errors, duplicate payments, or trends that point to potential fraud. Organizationally,
the governance structure may also be confirmed or amended to reset vendor approval
and authorization levels. Contracts with providers of goods and services should be managed in line with a clear articulation of service levels, payment schedules, and penalties for
non-performance.As a functional head with an expansive view of the organization and its
processes, the CIO is well positioned to assist functional units in utilizing such reviews to
identify process flaws and subsequently influence control improvements, reporting accuracy, and operational performance beyond what is required by Sarbanes-Oxley.
Infrastructure Management Practices
Unreasonable or significantly increasing levels of errors (i.e., crashes, downtime, or
reboots) typically point to systems and technologies that were implemented or enhanced with little or no attention paid to performance tuning, capacity planning, system
testing, or routine monitoring and maintenance. To safeguard the signatories and the
organization from SOX compliance violations, CIOs must ensure that the IT operating
50

environment is kept up-to-date. Further, in light of their fiduciary responsibility, CIOs
should install and maintain the technologies required to provide early warning of likely
failures or signal actual violations. They should also review help desk practices and reporting procedures and use them to identify patterns and trends that may result in
increased vulnerability or disruption if left unchecked. In addition, CIOs must be proactive in managing third-party providers (including outsourcers) that directly touch or
influence financial data accuracy and reporting capability. As required, external auditors
should be engaged to assist in these activities.
Chapter 4
Business Continuity Plans

Recent events and continued geopolitical unrest have pointed directly to the need to
solidify and test the organizations ability to recover from adverse impacts to critical
business operations. Business continuity efforts should span the entire breadth of the
enterprise (integral and extended) and incorporate into the plan the tasks required to
recover both manual and automated processes directly related to ensuring SOX compliance. In this regard, it is likely that the CEO and CFO will look to the CIO to plan for
and test IT recovery capabilities, and also to guide efforts to ensure that the vulnerabilities in processes performed by other key functions and upstream partners, suppliers,
and customer environments are understood and minimized.
The Compliance Technology Blueprint

SOX compliance is a multidimensional effort, one that must cover programs to improve visibility/transparency; enhance financial controls, records retention, and communication; and provide for risk management and fraud prevention. Many of the tools
that will enable this effort are technology-related, such as enterprise software applications and IT services.
Often, SOX compliance programs are led by the CFO, though increasingly an enterprise
chief compliance officer (CCO) or similar role is leading. The compliance effort, then,
represents an opportunity for the CIO to assist the CFO and/or CCO and bolster the
standing of IT within the organization as a whole. Management cannot ensure compliance
without understanding how IT becomes compliant.Without interaction between IT and
business people, efforts to document controls or processes will simply not work.
This heightened level of coordination and cooperation that we recommend is a marked
departure from previous compliance efforts, which were typically handled by the auditing group or other discrete staff. Increased reliance on IT functions to establish and
51

maintain compliance also means the CIO must develop a technology blueprint since
various SOX requirements leverage different enterprise application portfolio components.The CIO has to be part of the core SOX task force to communicate how technology can support enterprise SOX efforts and how it can be circumvented without the
right IT systems in place. The CIO should also be involved because IT has its own compliance effort.
By the same token, auditors are not IT people. They will focus on risk management and
process control generically. This creates a disconnect. Translating process controls suggested by auditors can be a daunting task. Likewise, IT may have a well-developed architecture, but without proper process controls around risk management, for example.This
represents another issue in the ongoing need for IT and business alignment.
A SOX technology solution is more than a Section 404 risk management tool.Yet, most
firms will employ a technology architecture, including leading business applications as
well as legacy solutions, to meet many of the financial control requirements outlined in
the act. Research inquiries increasingly are focused on identifying the technology components and how they contribute to an enterprise SOX initiative. Ultimately, a blend of
data- and content-driven solutions will be used. In many cases, firms are surprised when
they learn that much of this software is made up of tools or solutions they already own,
which may be leveraged in ways not envisioned. We believe a typical SOX technology
profile should consist of a number of components (see Figure).
SOX Technology Blueprint
Risk Assessment Tools 10% of effort

- Sections 404 and 302
- Content, process, and program management
Transactional Solutions 60% of effort
- ERP/best-of-breed 50%

Better configuration, workflow, and instance consolidation
- Records management and retention 10%
Section 802
BI/BPM/Portals 30% of effort

- Sections 302, 409, and 906
- Performance management, consolidations, and
internal/external portals
- Compliance dashboards
- Data audits and cross-system/process audits
- Data and content-based solutions
52
Risk management/Section 404 management solutions (10% of effort): These

tools should be considered a blend of content, program, and business process management that firms can leverage to: 1) document business processes; 2) provide an
assessment following the Committee of Sponsoring Organizations (COSO) framework; 3) communicate enterprise SOX readiness (possibly through an internal compliance portal) and workflow; 4) build or store process diagrams; and 5) provide the
periodic assessment of financial controls required under Section 404.
Transactional ERP/best-of-breed financial management solutions (50% of effort): Although many firms have implemented leading financial ERP solutions, most
need to revisit configuration of these solutions and implement critical financial controls (e.g., spend management, subscription-based revenue recognition) that are critically linked to workflow in support of required approval/authorization processes
within an end-to-end process. Firms that operate on legacy and custom financial
applications are unlikely to support SOX enablement without significant, expensive,
or unavailable rewrites.
Records management and retention (10% of effort): Section 802 requires that
firms retain all records relevant to the audit and review processes for at least
seven years and that these records not be deleted, altered, or otherwise manipulated during this retention period. For many firms, policies already exist for records
retention and records management (especially in regulated industries). Recently, there
has been clarification from the SEC that these records should also include businessrelated exchanges between parties involved in the audit process that occur using
electronic mediums, such as e-mail, instant messages, or internal chat rooms.
BI/BPM (30% of effort): Firms will need solutions that can provide visibility and
transparency, while also managing and automating the results and consolidation process across a decentralized enterprise. This is an area where solution and tool decisions must be made from a strategic BI infrastructure perspective (i.e., choosing a
BPM tool that can leverage existing business intelligence investments in reporting,
OLAP, data warehousing).
Chapter 4
SOX compliance is about process, not just products. Many organizations have already
invested heavily in the IT products most relevant to SOX compliance efforts, especially
short-term tactical requirements (see Figure). Offerings must meet specific SOX stipulations and requirements not just offer more IT stuff in a loose SOX wrapper. Firms
must focus on the following dimensions of technology:
53

54
Visibility/transparency: Organizations must provide visibility and drill down into

financial results, often across a multi-ERP environment (which frequently complicates results analysis). Fraud can be reduced by enabling transparency, particularly
through a Web browser interface, to encourage more managers to view results.
Currently, many firms obtain management reporting from their ERP general-ledger
solution and aggregate financial results using offline processing in Excel and Access
to accumulate and rationalize data.This creates a major challenge when consolidating
both internal management and external financial results, while ensuring consistency
in financial management content across the enterprise. In a recent META Group
multiclient study on BPM, it was determined that more than 65% of firms rely on
Excel as a primary tool for financial consolidations. This will be a problem/risk area
under SOX. Ideally, firms should source all of their financial management reporting
from a consistent repository, such as a data warehouse, and use financial analytics/
BPM solutions (e.g., Hyperion, Longview, ERP vendor solutions) to provide consolidation of results and drill-down capability as well as compliance dashboards and
frequent flash reporting to identify anomalies before they become part of the permanent accounting record. Although this approach will not eliminate questionable
offline analyses, it can provide one version of the truth for a financial information/
access repository.

Chapter 4
Implementations to Optimize SOX

47%
47%
Analytics/Business Intelligence (N = 265 )

Business Continuity (N = 145)
43%
43%
Business Performance Management (BPM),

Including Financial Reporting and Consolidation (N = 151)
11%
11%9%
9%
11%
36%
36%
40%
40%
Discrete Compliance Solutions (e.g., Internal Controls,

Section 404-Specific Tools) (N = 174)
Document Management (N = 157)
ERP Customer Relationship Management (CRM) (N = 161)
27%
27% 11%
11% 22%
22%
11%
27%
26%
26%
26% 10%
10%
10%
29%
29%
20%
20%
20% 12%
12%
12%
29%
29%
43%
43%
24%
24%
10%
24% 10%
10%
24%
24%
43%
43%
19% 12%
12%
12%
19%
19%
27%
27%
23%
23% 13%
13%
23%
13%
26%
26%
38%
38%
ERP Financial Systems (N = 143)
29%
29%
17%
17%11%
11%
11%
17%
41%
41%
Content Collaboration (N = 165)
33%
33%
ERP Human Resources (N = 128)
35%
35%
ERP Supply Chain Management (SCM) (N = 154)
34%
34%
21%
21%
14%
21%
14%
21% 14%
31%
31%
Homegrown/Customer Systems (N = 158)
34%
34%
20%
20%
13%
20%
13%
20% 13%
34%
34%
Learning and Education Systems (N = 167)
32%
32%
22%
22%
13%
22%
13%
22% 13%
34%
34%
32%
32%
21%
21%
12%
21%
12%
21% 12%
Manual Process (e.g., Use of Excel Spreadsheets) (N = 141)

0%
20%
22%
22%
13%
22%
13%
22% 13%
40%
60%
30%
30%
35%
35%
80%
100%
Plan to Acquire/Upgrade Within 12 Months

No Plans to Acquire/Upgrade
Control: Many firms, through their prior investments in ERP and best-in-class
solutions, already own the code to the financial solutions they will ultimately
need to meet SOX financial transaction requirements. Firms must reconfigure
these solutions for tighter financial controls, such as use of contract management, three-way matching for invoice-purchase-order-goods receipt, and expense
management processes that ensure appropriate authorizations. Firms should evaluate ERP systems (e.g., Oracle, PeopleSoft, SAP) and best-of-breed products (e.g.,
Concur, diCarta, Contiki, Softrax) that can provide tighter/optimized processes
(e.g., single-source transactions versus requiring rekeying of financial codes in multiple systems, ensuring controls in role security such as separation of duties for
requestor and approver). Firms may also use SOX to justify moving off legacy
mainframe financial applications or consolidation into fewer, more consistent ERP
instances to deliver consistent financial management functionality.
Communication: SOX compliance will require wide-scale communications capability, and many firms will implement internal and external portals, content management processes, and e-mail-based workflow. Internal communication tools are nec-
55

essary to facilitate the identification and resolution of changes in financial position
(Section 409) as well as to coordinate the official external response to external
parties through aggregation of data and content (e.g., PeopleSoft Investor Portal,
Plumtree). This will prove critical to enabling multiple individuals to collaborate on
out of tolerance results that were identified during the analysis of anomalies,
including compliance dashboard results.
Risk management/fraud prevention: Firms must document their financial management/control business processes as part of Section 404 and will require tools to
help coordinate these activities. Such solutions should bring together content, program management, and business process management capabilities, and many leading
solutions are blending these capabilities (e.g., Oracle, Documentum, Movaris).Although
the landscape is becoming one of boutique solutions, firms should first leverage
tools that may come bundled at no (or minimal) cost from their audit/compliance
service provider until they fully understand the ultimate requirements (which will
be determined by future case law). Many firms will also turn to data auditing tools
(e.g., ACL) to gain an understanding of risk areas as data is bridged from one component solution to another. Firms should also leverage business intelligence to provide
deeper analysis into transactional areas (e.g., Concurs use of Cognos Metrics Manager) and thereby identify areas of risk.
Connecting Risk Management to ERP Systems

Section 404 requires that firms understand, document, and improve internal controls
around financial reporting, work to improve the accuracy of transactional information
collected from business processes that result in financial transactions (most eventually
do), and build a sustainable process improvement procedure. Many firms are implementing risk management applications to assist with internal control and assessment
processes. A main objective of these tools is to lower external audit verification costs,
and tools that have more automation and tighter integration with ERP processes may be
favored. Until recently, ERP integration has not effectively been positioned in this new
application space. More firms are considering ERP integration to be a critical requirement, and now must decide between ERP-based and third-party tools that can effectively integrate. It is not a one size fits all decision.
56

The three major phases that need to be supported by a risk management tool are:
Documentation of internal controls: To store documentation (e.g., content, process flows) about all relevant critical financial controls.
Identification of risk areas: To identify areas where there may be financial/operational risk and address how that risk is being mitigated.
Ongoing process assessment: To provide an ongoing evaluation of internal controls

(most firms are desiring quarterly review to coincide with the 10-Q process). This is
where ERP integration is critical.
Chapter 4
Ongoing assessment has the critical requirement of integrating with legacy processes (including ERP, operational, and offline management processes). Depending on the level of
business application consolidation that an organization has undertaken, an ERP-based solution or a solution that has leveraged significant ERP integration will be critical (obviously, the
strongest case for an ERP-based solution will be for a company that has moved to a singular
ERP solution for financial and operational areas). The assessment process requires the
enforcement of centralized policies and procedures to detect and manage exceptions
early (ongoing monitoring is one of the five components of the COSO Framework).
Unlike standalone solutions that are focused on immediate documentation needs, an
integrated ERP solution for SOX works in conjunction with the transaction systems to
address long-term management of Section 404. ERP-centered risk management applications (e.g., Oracle Internal Controls Manager, PeopleSoft Enterprise Internal Controls
Enforcer, SAP) as well as solutions that have effective integration with ERP (e.g., Movaris)
have prebuilt diagnostic tools to test and continuously monitor many controls within
ERP transaction systems and automatically alert process owners to configuration changes.
A major advantage of leveraging an ERP-based tool (or a third-party tool that has integration into ERP) is to be able to exploit integration that can enable access to timely, accurate, and relevant information across the enterprise with a single source of truth.
When selecting a risk management application, firms should consider the following ERP
integration capabilities:
Built-in assessment processes: ERP systems help enforce policies and procedures
through functionality such as workflow, role-based security, and configured business
57

rules. Whereas control may have been an afterthought during system implementations prior to SOX, companies are currently considering activating more of the
existing controls within their ERP systems.
ID control changes: To help ease the burden of evaluating and testing system controls going forward, these solutions can assess whether a companys ERP transaction
systems are working as intended, and if the people with access to the system have
changed. This will enable companies to manage the impact of employee changes,
system modifications, upgrades, and potential system failure on internal controls.
Inventory and monitoring: This involves automatically inventorying and monitoring

the embedded controls within the transaction systems, including:
User authority and limits to enforce segregation of duties and approval limits
(e.g., the ability to prevent someone in accounts payable from setting themselves
up as a vendor and creating a fraudulent payment).
Business rules and configuration switches within the transaction systems (e.g., if
someone changes the configuration option to allow changes in revenue-recognition methods, a company risks having inconsistent revenue recognition across
contracts).
An audit trail of system changes for evaluation and testing purposes, and to
provide greater confidence in certifying internal controls.
Global support: Although SOX is US-based compliance regulation, global operations may be considered if the firm has equity/debt issued in the US. Niche players
are not global and this may favor ERP providers, which is very important to large
global enterprise customers that need one integrated operational solution to support global compliance (e.g., IAS, Basel II, SOX).
Auditing Applications Back in Vogue

Global 2000 organizations typically have multiple ERP and best-of-breed solutions feeding
financial transactional processes.This presents many opportunities for corruption of transactional data, including timing of interface/validation tables, manual intervention, and overlap
of security rights (e.g., between requestor and approver). Typically, many operational processes (e.g., SCM, CRM, HR) result in financial transactions, and organizations must assess
enterprisewide risk identifying where business processes can be broken and developing self-assessment processes where managers can certify that appropriate review/corrective actions are taken. Unfortunately, the current approach for most organizations is to
document and review all processes, going beyond the scope of what is required.
58

There must be a strong relationship with an organizations audit partner for risk management initiatives. Large audit organizations (e.g., Deloitte & Touche, Ernst & Young,
PricewaterhouseCoopers) and compliance consulting vendors (e.g., Protiviti) have developed combined service/software offerings aimed at helping organizations assess risk management compliance. Although management is required to file a report with its annual
disclosure about the effectiveness of its internal controls, the organizations public accountant must attest to and provide an opinion as to the effectiveness of the internal controls
surrounding financial processes. In addition, organizations must be able to evaluate their
position on a quarterly basis and make the appropriate disclosures. Section 302 requires
organizations to disclose the status of their internal controls along with officer certification
in their public reports.Therefore, Sections 404 and 302 are inextricably linked.
Chapter 4
Sarbanes-Oxley requires business processes to be effective from a reasonable assurance perspective. We believe the degree of action will be determined by the severity of
breakage in business process. At this point, do not believe the intention is for a full business re-engineering process along with new ERP and business intelligence infrastructures, though that may be advisable for a small percentage of organizations.
Several business applications have come to market to address an organizations auditing of
internal controls. However, it is critical to note that these are regulatory not technological
(e.g.,Y2K) or competitive (e.g., business process re-engineering, ERP, e-business) mandates.
Businesses require frameworks to plan assessment projects (a project management tool
is required), develop an assessment of the current state, prepare required documentation, and document plans to close potential gaps.The risk management business application should provide the following:
Support for the COSO internal controls framework.
An enterprisewide evaluation of internal controls through the documentation of

processes and a collaborative management commentary capability regarding the risks
and actions taken to mitigate threats. Organizations must be able to track/report the
severity of compliance issues.
A collaborative interface into the organization to enlist the appropriate parties in the
business control process.
59

An appropriate level of detail for internal management and auditors to make an

assessment. In essence, an evaluation is required at both process and entity levels
(i.e., conclusion of all process effectiveness).
A summary conclusion on the integrity of the resulting public financial reporting, as

well as an evaluation to which the auditors will eventually attest.
An ongoing evaluation (e.g., quarterly) to track progress/change in internal controls

using indicators as severity level (e.g., red/yellow/green). A communications/knowledge-sharing mechanism for the organization should be provided, along with the
capability to track project plans/status for evaluating risk areas.
A scalable and secure solution that can be extended to all contributing corporate users.
Support for content distribution and record management/archiving.
Mediation through the life cycle of business processes as issues progress through
unreliable/insufficient/reliable/optimized states.
Although these tools should focus on financial reporting elements, they must also provide the ability to extend beyond compliance to regulation for financial processes, and
extend into the safeguarding of enterprise assets. These tools should be capable of
repurposing to cover the ongoing enterprise auditing process.
Leading compliance tools are from Protiviti (Robert Half), Paisley Consulting (partnership with Ernst & Young), and Open Pages. PeopleSoft partnered with Protiviti and has
integrated its audit/risk management functionality. Some risk management solutions provide a risk assessment from a security perspective. Oracle has brought a proprietary
solution to market, leveraging its projects functionality (e.g., Internal Controls Manager),
and should be considered for an organization that has Oracle applications particularly
Oracle projects. Currently, SAP offers Audit Information Manager and will extend mySAP
Financials to enhance its corporate governance offerings to include support for Section
404, internal controls, and further audit information system functionality, and to provide
whistle-blowing provisions of SOX. Because there is a close relationship with project
management solution requirements, we believe more vendors will repurpose their project
solutions within the next six months. Documentum has released Corporate Governance
and Compliance, a risk management solution built on its content/records management
solution, and eRoom and Oracle provide the most comprehensive enterprise capability.
60

Although the impact of SOX is still being defined, point solutions (e.g., Lotus Notesbased) may be outgrown quickly and replaced by larger, more stable applications.
Chapter 4
Conclusions
Enterprises will need to look across financial controls in most business processes to
ensure they are in compliance with SOX.
A SOX technology blueprint will include Section 404, ERP, and best-of-breed transactional, content, portal, and business intelligence solutions.
SOX will have an impact on most firms enterprise application infrastructure, since
these applications can provide the required infrastructure to ensure a firm can meet
the standards set forth in the act.
Technology solutions can be leveraged to meet most SOX requirements. However,

firms must view this as a process issue and bring technology in where there is an
appropriate fit.
Organizations should develop an enterprise strategy for risk management and should
evaluate third-party tools where appropriate, some of which may be coupled with
compliance consulting services.
Risk management auditing applications help organizations perform self-assessments,

which enable them to determine their level of exposure to compliance regulations.
61

62
Section 2
IT Best Practice
Areas in SOX
Compliance
Security
Chapter 5
Chapter 5 Security
SOX requires new attention to security as part of a risk management framework to certify
internal controls and attest to the accuracy of financial information (e.g., relating to fraud,
accidents, or lack of discipline). Information security has moved from being a good idea to
being a mandate, and companies must act now to meet these new requirements. This chapter examines SOX security issues and identifies specific actionable areas on which organizations can build their own customized security plan.
The regulatory environment is among the most significant drivers of security and riskrelated activities. While information security is a central SOX control requirement, the
act is not very clear about specifics. Therefore, no list of specific activities can be compiled that applies to all organizations covered by SOX each must tailor its security and
other compliance activities to its own situation.
However, SOX does build on existing security and control-related regulations, including
the Foreign Corrupt Practices Act of 1977 and the Federal Deposit Insurance Corporation Improvement Act of 1991. SOX adds the requirement for management certification
of a companys internal controls as well as reporting on internal controls for financial
reports. Organizations should immediately include security control review as part of
their SOX compliance, and in fact, SOX will accelerate the rate of creation of security
programs in corporate America. Pre-SOX, META Group estimated that 80% of large
corporations would have formal security programs by YE06; now we believe the corporate environment will reach 80% penetration by YE05.
The draft National Strategy to Secure Cyberspace reinforces the need for these programs by creating a national focus on information security. This raises information security to the level of the board of directors and CEO and advocates that organizations are
responsible for ensuring that appropriate security has been implemented for information
systems, networks, and data. Failure to do so can result in legal liability for damages to
third parties. Organizations should add information security to the boards agenda, including regular briefings from management as well as risk management discussions.
Security Provisions Within SOX

Many US publicly traded firms are justifiably concerned about compliance with Section
404. By law, companies must certify internal financial processes while external auditors
will issue an opinion as to their completeness during the year-end audit process. Section
63

404 requires that firms understand, document, and improve internal controls around
financial reporting; work to improve the accuracy of financially oriented transactional information collected from business processes; and build sustainable process
improvements.
However, several other SOX mandates also have strong security implications:
Section 302 requires that officers of the company make representations related to
the disclosure of controls, procedures, internal controls, and assurance from fraud
Section 409 requires that the organization disclose to the public on a rapid and
current basis material changes to the firms financial condition
Section 802 requires authentic, immutable records and retention
Section 906 requires that the 10-K, 10-Q, annual, and periodic reports containing
financial information accurately represent the firms financial condition
Although SOX does not require specific security features, these requirements have obvious security implications. If the data is not adequately protected, then neither the
auditors who must render that opinion, nor the corporate officers who are required (in
Section 302) to personally sign affidavits attesting to the completeness and accuracy of
that information, can in fact be reasonably sure that the data is either accurate or correct. No one can be sure of the accuracy of the 10-K reports and other financial documents based on such unprotected data.Thus, security controls reduce the personal risk
that corporate officers face of possible arrest, as well as the significant risk corporations
face of stock devaluation, loss of business, and bond rating devaluation, from failure to
comply adequately with SOX.
A comprehensive security program is not only a SOX requirement but also an integral
part of corporate governance and corporate and IT architecture. Organizations with
strong governance including a security program do not have to scramble to meet the
requirements for each wave of new regulations. Compliance becomes largely a paper
exercise, matching the requirements to programs and systems already in place.
64
Security
Getting With the (Security) Program
META Group research, including polls of attendees (mostly CFOs and IT managers) at
META Group events, shows security as one of the top four priorities for SOX initiatives.
However, in many cases, security is mistakenly thought of as an IT issue and is handled as
a series of projects rather than as a program with repeatable processes that must be
integrated with the business.This routinely leads organizations into a cycle of failure with
security that is very difficult to stop. A program is needed to address these security
issues comprehensively and change the culture so that risk management is an aspect of
all business thinking.
Chapter 5
We recommend a multifaceted and multidimensional approach to the examination of

information security. This approach is not technology-centric, but instead examines
organization/people, policy, and process, all in combination with technological solutions
as appropriate. Furthermore, instead of examining the issue of data security in a vacuum,
we encourage a systems approach that takes into account the surrounding environment: network, operating systems, and applications, in addition to the DBMSs themselves. It is only through a holistic analysis of the surrounding environment that it is
possible for ITOs to accurately assess the security available, and required, to meet the
needs of SOX, HIPAA, the Gramm-Leach-Bliley Act (GLBA), international regulations,
and client privacy concerns.
In many cases, security is mistakenly thought of as an IT issue and is handled as a series
of projects rather than as a program with repeatable processes that must be integrated
with the business. This routinely leads organizations into a cycle of failure with security
that is very difficult to stop. A program is needed to address these security issues
comprehensively and change the culture so that risk management is an aspect of all
business thinking.
A confluence of many factors, including increased regulatory scrutiny, means businesses
are paying closer attention to and spending more on security-related issues. We
estimate security budgets are increasing at a 40%-50% CAGR in many organizations,
driven by increased investment in both technology and external services. In fact, the
investment growth in third-party security operations services should outstrip that of
technology acquisition by next year. Security budgets are becoming more centralized,
with a security team coordinating investments in most organizations. Improved product
integration and maturity will also help stabilize the investment curve during the next
couple of years.
65

Still, throwing money at a problem usually does not solve it, and security is no different.
Information security is no longer a backroom issue or the sole province of technicians.
Our research indicates a disconnect between how senior executives and IT and security
management view security policy compliance.While the majority of Global 2000 companies have a dedicated information security group, the roles and responsibilities within
these groups are often unclear.
Technicians alone, even those armed with the latest technological developments, can no
longer do a good enough job. Poorly organized security can result in:
Service interruption and data problems

Loss of goodwill and thus customers
Market share erosion and earnings loss
Lawsuits, fines, and sanctions
Developing a security program requires management that provides guidance regarding the
needs of the business as a whole.This represents a significant change in how most organizations have traditionally approached information security. Security teams must typically deal
with fragmented budgets, years of underinvestment, and technology that is complex and
expensive. All this can combine to create an inconsistent approach to security.
Perception of Policy Compliance
Executive & LOB Management

CIO & IT Management
Security Management
66
20%
40%
Always
Mostly
60%
Half the Time
80%
Rarely
Security
The organization looking to develop an enterprise security program must focus on creating a holistic approach, adhering to legal and regulatory guidelines, and exercising due
diligence and a standard of care that is appropriate for a given industry.
Chapter 5
The Holistic Approach

If an organization cannot demonstrate prudent security, clients and partners will go elsewhere. Security cannot be achieved by technology alone it must become a core part of
the culture. That requires cultural, behavioral, procedural, and technical change. Still, 100%
security is virtually impossible the goal is appropriate levels of security investment.
Information security has broad implications that require a holistic program life-cycle
approach to succeed. The holistic approach involves concentrating on the following:
Technology
Policy
Processes
Weaknesses in any of these areas will cause the program to fail. For example, technology
is expensive, can involve a considerable amount of new and unproven products, and in
itself is not the solution to information security.Technology, while useful and necessary, is
the least mature area of IT today. Yet many technologists will maintain they can handle
the information security program on their own. But if a tool or technology does not
work as advertised, it is the technologist who will take the blame.This type of disconnection between the security program and the business must be avoided.
Policy and process are as important as the technology being used. Development of policy
and process must happen on a continual basis. Policies must be actionable and specific to
the domains they cover. The consequences of non-compliance should be severe. Processes must cover risk assessment (see Chapter 6), control selection, implementation,
ongoing maintenance, and forensics and reporting.
Failure to develop and enforce appropriate policy exposes the business to untenable risk.
A consistent policy framework and hierarchy contribute to policy awareness, enforcement, and adherence. Such a framework helps develop policy on an ongoing basis. Consistency and continuous improvement are more important than having comprehensive,
end-to-end policy from Day 1.
67

While security policy creates a rules framework, it is processes that enable such a framework to scale. Developing strategic processes such as policy creation, communications
(see Chapter 3), and data classification help to create a healthy security program. Eventually, strong operational processes in areas such as monitoring, response, and reporting
can result.
The Security Game Plan

The following figure shows a high-level view of the META Group model for developing
an information security program. The first step in this approach is to generate a program
plan. The plan provides a road map for future activity, but the act of creating such a plan
also helps to prepare the enterprise for necessary security changes. This is the most
important step because, without adequate preparation, any security program is doomed
to failure. This preparation involves:
Building a foundation on the basis of the enterprises need for security management
Ensuring that an appropriately structured security organization is in place
Ensuring that the enterprise is motivated to support these efforts
Next, the security team must define security domains. The primary purpose of domain
definitions is to delineate policy boundaries. The security policies defined later in the process will be specific to these domains.To group resources according to security needs into
security domains, security management must build a resource-classification scheme. A
security domain consists of all secured resources that exist within a secured perimeter.
The META Group Security Model
Program Governance
Generate
Program
Plan
Charter
Organization
Process
Marketing
68
Fast Track
Security
Operations
Define
Security
Domains
Define
Trust
Models
Define
Requirements
Policy
Project
Technology
Governance
Process
Prioritize
Security
Most organizations use various computing platforms, operating systems, applications,
and relational database management systems (resources) for both related and unrelated business functions. Any attempt to fix security must deal with the fact that
more things need to be fixed than there are staff and money available to fix them (at
least in the short term).
Chapter 5
One task in planning security improvements is to assess risk. However, long before that
task is reached, areas of potential risk must be identified.Todays computing environment
simply offers too many risks to address them all. Grouping the enterprises resources
the business objects that require protection from unauthorized access into security
domains helps to facilitate that process.
Once the domains are in place, the organization can move forward to create policy, select
technology, and develop processes. Organizations that have an enterprise architecture or
an enterprise program management office already in place will be in a good position to
implement this sort of security program (see Chapter 7).
At the most basic level, though, developing an information security program involves
seven fundamentals:
1. Charter a champion: One person, whether it is the CIO or a designated chief
security officer, needs to be responsible for security.
2. Plan a program: It is important to know where the security program is going,
but the plan is what tells you how to get there.
3. Focus and organize: There will always be too much to do when developing a
security program. The key is to accept it and deal with it.
4.
Learn to influence: A security program needs support to succeed.
5. Divide and conquer: Trying to do everything at once is a sure recipe for failure.
The security program needs to break large goals into smaller, more manageable
tasks.
6. Improve key processes: Without processes, the program will not scale.
7. Call for reinforcements: Outsiders can be useful in providing external review.
69

Companies addressing SOX can establish a baseline of security controls using this approach in concert with one of the many standards available, including ISO 17799, ISO
13335, or Generally Accepted System Security Principles (GASSP). Although these standards are not complete programs, they provide a laundry list of controls that can be
used as the basis for a comprehensive security program. Other elements of a successful
security program that will result in meeting these requirements include the following:
Program planning: Security is an ongoing program with repeatable processes

and continuous improvement (as opposed to being a project).
Operations: The security program includes management and operations of traditional security technology such as firewalls, intrusion detection software, and
antivirus software. In many ways, security operations represent the (limited)
extent to which most organizations currently view security.
Mapping Security Control Objectives Into SOX

In May 2003, the US Securities and Exchange Commission (SEC) published new guidelines for Section 404 that redefined internal control over financial reporting, referencing
the Committee of Sponsoring Organizations (COSO) Internal Control Integrated
Framework. The COSO is a voluntary private-sector organization whose charter is to
improve the quality of financial reporting through ethics, governance, and internal controls. The organization was formed in 1985 to sponsor the National Commission on
Fraudulent Financial Reporting (the Treadway Commission). The COSO Report Internal Control Integrated Framework was published in 1997. It defines internal control
as a process affected by a companys board of directors and employees.
70
Security
Chapter 5
The COSO Framework
X
The process to determine whether
internal control is adequately
designed, effective, executed and
adaptive
The process which ensures that
relevant information is identified and
communicated in a timely manner
The policies and procedures to

ensure that actions to manage risk are
identified, executed and timely
The evaluation of internal and external
factors that impact an organizations
performance
The control conscience of
an organization. The
tone at the top
The COSO framework gives the auditors something to assess against. COSO is usually
represented as a cube. One of the dimensions includes operations, compliance, and financial reporting. The second contains the business units and specific activities that should
be covered by the controls. The other defines the five primary control objectives:
1. Control environment: The foundation for effective control. It addresses IT at
the company level.
2. Risk assessment: A subject near and dear to the hearts of security professionals. Its goal is to manage risk to predetermined levels, not to eliminate it.
3. Control activities: Policies, processes, and procedures put in place to ensure
that risk mitigation strategies are executed.
4. Information and communication: Recognition by COSO that communication
and combination of information from all levels of the organization (a.k.a. transparency) are keys to success.
71

5. Monitoring: The continuous assessment of controls for appropriateness and
effectiveness. This control objective specifically addresses security monitoring
from continuous risk assessment through vulnerability management and intrusion detection.
The COSO framework is overwhelmingly the framework of choice in the US, based on
comments sent to the SEC, and it has been adopted as an acceptable framework for
SOX compliance. Although COSO is the primary methodology, foreign firms that trade
on US exchanges can use CoCo,Turnbull, King Report, or other country-specific authoritative control frameworks (e.g., KonTraG in Germany).
Regarding security and asset protection, the COSO report notes that safeguarding of
assets can be considered a subset of an entitys operations. The most relevant internal
control process for fraud prevention and information systems security pertains to asset
protection and security. Assets can be both intangible, such as business continuity or
reputation, and tangible, such as data files and records. However, COSO does not dictate requirements for control objectives or related activities, which leaves many organizations confused about what they have to do to achieve compliance.
On October 7, 2003, the Public Company Accounting Oversight Board (PCAOB) published a proposed audit standard that highlights the importance of general controls but,
like the SEC guidance, does not address specific controls. However, COSO references
COBIT, established by the IT Governance Institute, which was used to develop a control
objective template.
COBIT was first released in 1996. It is an IT governance tool that links IT control practices with business processes and provides a framework of resource risk management
processes. COBIT is based on the philosophy that IT resources need to be managed by
a set of naturally grouped processes to provide the pertinent and reliable information an
organization needs to achieve its objectives. COBIT supports self-assessment of strategic organizational status, identification of actions to improve IT processes, and monitoring of the performance of these IT processes. It has been adopted as an international
standard in more than 100 countries.
72
Security
Chapter 5
COBIT Model Control Objectives
PO1
PO2
PO3
PO4
Business Objectives
PO5
PO6
M1
M2
M3
M4
COBIT

Assess internal control
adequacy
PO7
PO8
Information
Monitoring
DS1 Define service levels

DS2 Manage third-party
services
DS3 Manage performance
and capacity
DS4 Ensure continuous
service
DS5 Ensure systems
security
DS6 Identify and attribute
costs
DS7 Educate and train
users
DS8 Assist and advise IT
customers
DS9 Manage the
configuration
DS10 Manage problems and
incidents
DS11 Manage data
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability
IT Resources
Delivery &
Support
PO9
PO10
PO11

architecture
Determine the
technological direction
Define the IT organization
and relationships
Communicate
management aims and
direction
Manage human
resources
Ensure compliance with
Assess risks
Manage projects
Manage quality
Planning &
Organization
People
Application Systems
Technology
Facilities
Data
Acquisition &
Implementation
AI1 Identify solutions
AI2 Acquire and maintain
application software
AI3 Acquire and maintain
technology architecture
AI4 Develop and maintain IT
procedures
AI5 Install and accredit systems
AI6 Manage changes
Major control objectives in COBIT related to security include the following:
M2: Assess internal control adequacy

M3: Obtain independent assurance
M4: Provide for independent audit
P08: Ensure compliance with external requirements
P09: Assess risks
DS5: Ensure system security
73

META Group recommends a hierarchy of controls, including COSO for high-level governance and COBIT for the next level of detail. Below COBIT are a number of securityrelated standards (e.g., ISO 17799, ISO 13335, NIST 800-53) that can be used to map
specific processes and requirements to control objectives.
Security Maturity Levels

For the information security group to effectively participate in the SOX initiative, it
must understand the maturity level or stage of the SOX compliance effort and how it
can help. META Group defines the following maturity levels for SOX compliance (see
Chapter 2) and their associated security elements.
Level 0: Exploration
The organization establishes a SOX team and informally evaluates controls. SOX-affected firms may be considered SOX-tardy or immature. Security activities at this
stage should include the following:
Identifying and cataloging security risks for financial controls

Defining the risk assessment process
Defining the data and resource classification process
Level 1: Building Awareness

At this level, the enterprise SOX project is being defined and resources identified/sourced
for expertise to manage the Section 404 process. During this period, the security group
can assist by supporting the following steps:
Developing and starting to execute security and awareness programs for three
major audiences: the IT organization, executives, and the general population
Communicating the role of security in the SOX compliance process
Level 2: Project Initiation

During this stage, the formal enterprise SOX project has begun, and the security
group must participate by sharing documentation (including creation of new documentation where absent) and initiating key processes. Security processes in this
stage include the following:
74
Reviewing the enterprise SOX plan and enlisting resources for all security or
risk-related activities
Developing a program and annual plan for the security program
Security
Level 3: Project Execution
This entails the execution of the internal controls project, through the internal controls
documentation, risk mitigation, and assessment processes. During this period, the security group should focus on the following steps:
Initiating execution of risk assessment and data classification processes
Identifying and initiating projects to close security gaps related to Section 404
compliance
Integrating program management with security governance
Chapter 5
Level 4: Assessment/Review of Results

The assessment process will be ongoing (i.e., SOX does not go away), and firms must
decide the frequency and depth required for business processes. During this stage, the
security group should focus on the following:
Establishing an ongoing assessment process (including documentation reviews

and risk mitigation processes)
Ensuring that all risk-related controls affected by SOX are being effectively executed to achieve compliance
Level 5: Optimization
During this stage, organizations are optimizing their processes for efficiency and cost
savings. Level 5 should be an ongoing compliance effort.The security group should focus
on the following activities:
Recommending security projects to achieve better compliance/efficiency
Establishing measures to identify and close performance gaps
Monitoring for ongoing Section 404 compliance and protecting the integrity of
financial controls
Implementing improvements to optimize compliance processes, increase effectiveness, and reduce risk
Linking security to newly established corporate governance offices
75

The enterprise needs to establish and follow a timeline to reach a level of SOX maturity
to meet the deadlines for Section 404 and other SOX sections. Again, however, this
timeline will be different for each organization depending on its initial state and the specific deadlines it must meet. Obviously, however, any compliance effort for any new
regulation must start with a comprehensive review of the organizations current state
and ability to comply, including its security situation and needs.
Establishing a security program that can effectively address the security controls required by COSO and SOX requires immediate attention by personnel knowledgeable of
security (whether internal or outsourced).This initial effort, focused on financial management security controls, should be viewed as an off-budget, stopgap measure to meet the
minimum criteria for Section 404 compliance.These controls must then be bundled into
a multiyear effort to establish a more comprehensive security program, based on mature and repeatable processes, which should be initiated as soon as possible.
Conclusions
76
Information security is a key component for SOX compliance, embodying each

of the ideals of risk management, with recommended actions at each stage of
SOX-compliance maturity.
Ignoring security in SOX initiatives may reduce the effectiveness of compliance

efforts and leave organizations open to fines and other liabilities.
An enterprise security program is rapidly becoming the norm in most

organizations.
Failure to comply with legal mandates exposes the corporation to undue risk
and can result in personal liability.
Leading organizations are implementing a process-centric approach to security management, versus the traditional interrupt-driven, activity-based, reactive approach.
A holistic approach to security requires cultural, behavioral, procedural, and

technical change.
Organizations must address security at the board level as part of their SOX
compliance efforts. A gap analysis against the COSO framework is a good first
step in creating a comprehensive security program, which includes ensuring
that security is a component of all business thinking.
Risk Management
Chapter 6
Chapter 6 Risk Management

SOX has introduced a level of risk into business and IT environments, requiring a new level
of risk management (RM) in IT. This necessitates planning and the application of tools
including COBIT and proper insurance. This chapter examines how RM tools and techniques should be applied to mitigate SOX risks.
IT risk management is a systematic process of managing IT risks and business exposures,
as well as controlling business processes and IT activities, with the intent of providing an
efficient preloss plan that will minimize the adverse impact risk will have on earnings, cash
flow, goodwill, brand image, and shareholder equity.
Global 2000 organizations typically have multiple ERP and best-of-breed solutions feeding
financial transactional processes. This presents many opportunities for corruption of
transactional data, including timing of interface/validation tables, manual intervention, and
overlap of security rights (e.g., between requester and approver), corruptions that can
negatively impact SOX compliance efforts. Typically, many operational processes (e.g.,
SCM, CRM, HR) result in financial transactions, and organizations must assess
enterprisewide risk identifying where business processes can be broken and developing self-assessment processes where managers can certify that appropriate review/
corrective actions are taken.
Sarbanes-Oxley requires business processes to be effective from a reasonable assurance perspective.We believe the degree of action should be determined by the severity
in breakage in a given business process. At this point, we do not believe that the intention
of the legislation is to mandate a full business re-engineering exercise along with new ERP
and business intelligence infrastructures, though this approach may be advisable for a
small percentage of organization.
The current approach for most organizations is to document and review all processes.
Such an approach goes beyond the scope of what SOX requires, particularly when it
ignores existing internal auditing procedures. Organizations should instead start their
compliance efforts for Section 404 either with a data analysis to identify potential problem sources or a review of known areas of exposure.
77

Businesses require frameworks to plan SOX assessment projects (a project-management tool is required), develop an assessment of the current state, prepare required
documentation, and document plans to close potential gaps. The risk management business application should provide the following:
Support for the Committee of Sponsoring Organizations (COSO) internal controls

framework.
An enterprisewide evaluation of internal controls through the documentation of

processes and a collaborative management commentary capability regarding the risks
and actions taken to mitigate threats. Organizations must be able to track and report
the severity of compliance issues.
A collaborative interface into the organization to enlist the appropriate parties in the
business controls process.
An appropriate level of detail for internal management and auditors to make an

assessment. In essence, an evaluation is required at both process and entity levels
(i.e., conclusion of all process effectiveness).
A summary conclusion on the integrity of the resulting public financial reporting, as

well as an evaluation to which the auditors will eventually attest.
An ongoing evaluation (e.g., quarterly) to track progress/change in internal controls

using indicators as severity level (e.g., red/yellow/green). A communications/knowledge-sharing mechanism for the organization should be provided along with the capability to track project plans/status for evaluating risk areas.
A scalable and secure solution that can be extended to all contributing corporate users.
Support for content distribution and records management/archiving.
Mediation through the life cycle of business processes as issues progress through
unreliable/ insufficient/reliable/optimized states.
Several business applications have come to market to address an organizations auditing
78
Risk Management
of internal controls. However, it is critical to note that they are designed to meet regulatory not technological or competitive mandates (e.g., business process re-engineering, ERP, e-business). Although these tools should focus on financial reporting elements,
they must also provide the ability to extend beyond compliance to regulation for financial processes, and extend into the safeguarding of enterprise assets. These tools should
be capable of repurposing to cover the ongoing enterprise auditing process.
Chapter 6
Leading compliance tool vendors include Protiviti (Robert Half), Paisley Consulting (partnership with Ernst & Young), and Open Pages. PeopleSoft partnered with Protiviti and has
integrated its audit/risk management functionality. Some risk management solutions provide a risk assessment from a security perspective. Oracle has brought a proprietary
solution to market, leveraging its projects functionality (e.g., Internal Controls Manager),
and should be considered for an organization that has Oracle applications particularly
Oracle projects. SAP offers Audit Information Manager and has extended mySAP Financials
to enhance its corporate governance offerings to include support for Section 404, internal controls, further audit information system functionality, and whistle-blowing provisions of SOX. Because there is a close relationship with project management solution
requirements, other vendors are repurposing their project solutions to encompass SOX
support. Documentum has released Corporate Governance and Compliance, a risk
management solution built on its content/records management solution, and eRoom and
Oracle provide the most comprehensive enterprise capability. Although the impact of
SOX is still being defined, point solutions (e.g., Lotus Notes-based) may be outgrown
quickly and replaced by larger, more stable applications.
The Role of Service Providers

Many organizations are looking to consultants, their external auditing firms, and other
service providers for help planning and executing SOX compliance programs. Financial
and IT service providers are deploying offerings targeting all these areas, but organizations considering such providers must guard against real and perceived conflicts of interest and ensure they can ultimately independently guarantee compliance, as well as understand their roles relative to emerging risk management software solutions.
Organizations must carefully assess the roles that external business, IT, and financial service providers can play in supporting regulatory efforts particularly through 2004,
when most efforts are being phased and their details are clarified. Such providers can
potentially deliver important expertise and support for compliance processes, but the
extent of their use is ultimately an executive-management decision, because true requirements have not been formalized through regulation. SOX addresses this point through
79

its auditor-independence rules, which require corporate audit committees to pre-approve
all non-audit work given to external auditors. However, because it does not ban non-audit
work, gray areas exist about what is acceptable. In the short term, these service providers
will more often play an advisory role. Longer term, more traditional systems integration/
application deployment services will grow in importance, as enterprise financial and related
software applications become core platforms to enable compliance.
Careful assessment is also important for avoiding the regulatory pitfalls of using outside
services. They include performing specific services banned by the regulations, performing work and maintaining relationships that promote a perception of potential non-compliance or impropriety, and performing work or services that organizations should ideally internalize to better understand if compliance is being achieved and evidenced. The
nature and level of risk are also dependent on which type of service provider is performing the service. The point, however, is that there are some things organizations
should not outsource.
Organizations must immediately deploy and strongly enforce enterprise processes to
manage when and how external services providers are employed for any work that
touches or affects any regulatory compliance dimension. Organizations must also recognize that longer term (2004+) given the general increase in regulatory oversight and
with more service offerings touching regulated processes (from SOX process assessments to FMS [financial management systems] BPO/BTO) engaging and managing
external service providers will become a partially regulated process.
Organizations should deploy and enforce a service architecture model to improve overall service provider usage, as well as help ensure appropriate external service provider
use for compliance efforts. A service architecture defines the following:
80
When to outsource (e.g., use any external service provider from contract labor to
entire business/IT process services) work versus perform it internally
When employing an external service provider to perform work meets regulatory

dictates
Which external service providers are viable candidates for different types of work
(e.g., master service-level agreements, predefined shortlists, standard shortlisting
procedures)
Risk Management
What the processes are and who is involved with identifying, vetting, engaging, and
managing the service provider and its delivery processes (e.g., sourcing, supplier
relationship management, project/portfolio management)
Chapter 6
Given the nascent, often unclear, and sometimes convoluted nature of most current
regulatory requirements particularly as they are phased in and clarified during the
next several years it is imperative that managing external service provider usage
receive executive attention and support, as well as adequate and skilled resources to
implement it. Along with management support, these efforts will require joint efforts
among the IT group, finance, and sourcing/procurement as well as appropriate specific
oversight committees and task forces. Often, regulatory compliance efforts will serve as
the impetus to accelerate existing sourcing and supplier relationship management improvement efforts, as well as to prepare organizations for larger IT and business process
outsourcing initiatives.
External service providers are deploying several types of offerings around regulatory
compliance efforts such as SOX. Organizations must independently determine whether
it is appropriate to employ specific services and service providers based on individual
circumstance and specific regulations. This includes reviewing regulatory requirements
and consulting with respective financial/legal counsel and experts. However, it is important to highlight that compliance to the letter of the law may still lead to perceived
conflicts of interest in the eyes of shareholders, clients, partners, and regulators. Providers must also use care and caution when defining and packaging new offerings. Although
compliance-related services are lucrative particularly in a down market longerterm ramifications of non-compliance with what at the time seemed appropriate and
legal (remember Andersen) must remain an over-riding consideration.
COBIT
SOX mandates the use of a comprehensive management framework, and the PCAOB,
which is charged with enforcing SOX, strongly recommends the use of COSO and its IT
component, COBIT, for that framework. Fortunately, COBIT is an excellent tool for
developing comprehensive RM checklists for IT and line-of-business (LOB) process
owners, thereby greatly strengthening any organizations efforts to comply with SOX.
First released in 1996, COBIT is an IT governance tool that links IT control practices
with business processes and provides a framework of resource risk management processes for business leaders, IT professionals, and auditors.The COBIT risk model bridges
the gaps among business and regulatory risks, control needs, and IT technical issues.
81

COBIT is an effective process tool that can be used to generate management awareness,
present IT control diagnostics, and ensure LOB accountability for residual SOX-related
risks. COBIT applies to enterprisewide information systems, including personal computers, minicomputers, mainframes, and distributed environments. It is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes to
provide the pertinent and reliable information an organization needs to achieve its objectives. COBIT supports self-assessment of strategic organizational status, identification of
actions to improve IT processes, and monitoring of the performance of these IT processes, and it has been adopted as an international standard in more than 100 countries.
The COBIT framework consists of 34 high-level control objectives one for each of
the IT processes grouped into four logical domains: 1) planning and organization; 2)
acquisition and implementation; 3) delivery and support; and 4) monitoring. By addressing these 34 high-level control objectives, the business process owner and the CIO can
ensure an adequate control system for SOX compliance in the IT environment, thereby
lowering the risks associated with the introduction of technology to automate business
processes. COBIT provides explicit guidance for all 34 high-level control objectives in
the form of navigation aids, which IT personnel and LOB users depending on their
particular perspective should implement to organize and categorize control objectives according to IT processes, information criteria, or IT resources.
COBIT Model: Four Domains and 34 High-Level Control Objectives
Business Objectives
PO1
PO2
PO3
PO4
PO5
PO6
COBIT
M1
M2
M3
M4

Assess internal control adequacy
Information
4. Monitoring
Define SLAs
capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Assist and advise IT
customers
DS9 Manage the configuration
DS10 Manage problems and
incidents
DS11 Manage data
Effectiveness
Efficiency
Confidentiality
Integrity
3. Delivery &
Support
Availability
Compliance
Reliability
IT Resources
DS1
DS2
DS3
82

Determine the technological direction
Define the IT organization and relationships
Communicate management aims and
direction
PO7 Manage human resources
PO8 Ensure compliance w/external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality
1. Planning &
Organization
People
Application systems
Technology
Facilities
Data
2. Acquisition &
Implementation
AI1
AI2
AI3
AI4
AI5
AI6
Identify solutions
Acquire and maintain application software
Acquire and maintain technology architecture
Develop and maintain IT procedures
Manage changes
Risk Management
COBIT provides more high-level control processes/standards guidance than alternative
standards models currently used by many ITOs. In addition, there is a real possibility that
the PCAOB may require organizations not using COBIT for their SOX compliance to
document why they chose an alternative. COBIT incorporates the principles of many
disparate models and methods. However, COBIT alone may be too generic to make the
control objectives operational.The following standards can be used in translating COBITs
34 high-level control objectives to concrete measures:
Chapter 6
SEI Capability Maturity Model

System Development Methodology (SDM) for development
IT Infrastructure Library (ITIL) for service management
CRAMM (CCTA Risk Analysis and Management Method)
ITSEC (IT Security) and BS7799 (British standard) for logical and physical security of
data and systems
The COBIT Model

The COBIT model views risks and controls, including but not limited to those associated with SOX, from the following three distinct vantage points:
LOB issues: Business managers typically focus on the following three LOB issues:
Quality is defined as the value of cost and delivery

.
Does the system do what it is intended or designed to do, and
does it meet or exceed LOB expectations?
.
Does the system optimize the most economical and productive
use of resources?
Fiduciary is the effectiveness and efficiency of the IT system, while providing reliable information and complying with laws and regulations
.
Is the system compliant with contractual arrangements and governing laws?
Security deals with three key control points: confidentiality, integrity
(veracity of data), and availability (timeliness)
.
Does the system prevent the unauthorized disclosure, modification, or destruction of data?
.
Is the data reliable and up-to-date?
83

IT resources: On the other hand, an IT manager may want to focus on IT resources,

such as data repositories, application systems, technology, facilities, and people:
Is there an adaptable, scalable infrastructure in place to meet LOB needs?

Are the requirements better met through a selective outsourcing agreement?
Are adequate and trained resources available to code and support the
business application?
IT processes: Process owners, IT specialists, and LOB staff may have a specific
interest in a particular process or activities/tasks; auditors may be interested in the
IT processes or the overall COBIT framework:
Does the process employ control procedures in alignment with information policy and generally accepted IT best practices?
Do the processes support the control objectives?
COBIT management guidelines are composed of maturity models to help determine the
stages and expectation levels of control and compare them with industry norms. The
guidelines include the following:
Critical success factors to identify the most important actions for achieving control
over IT processes
Key goal indicators to define target levels of performance
Key performance indicators to measure whether an IT control process is meeting

its objective
COBIT Domains
Domain 1 Planning and organization: This addresses topics such as strategy

and tactics for the ITOs contribution to the SOX effort, ensuring that the business
objectives are being met. These activities must be planned, communicated, and managed, and a proper organization and technological infrastructure must exist. In this
first domain, 11 high-level control objectives are identified to ensure the proper
information architecture is defined and the technological direction of the organization is established.
84
Risk Management
Domain 2 Acquisition and implementation: This addresses the realization of

the IT strategy.The solutions have been identified, developed or acquired, and implemented. Solutions need to be integrated into the business process. In addition, included in this domain are change management and maintenance of systems to ensure that the life cycle is continued for these systems. This section is vital to compliance with Section 404, which requires documentation of IT methodologies to demonstrate that they are not creating errors in financial records.
Domain 3 Delivery and support: This defines the actual delivery of required
services, from operations through security, including training and capturing information required for SOX compliance. It also covers delivery and documentation of
services from third-party suppliers and therefore can be used to determine whether
such services meet SOX requirements. Such activities support the processes that
are the lifeblood of the organization. This domain includes the actual processing of
data by application systems, often classified under application controls. COBIT includes control over the IT process of defining service levels (capturing, creating, and
communicating the ITOs value proposition) that satisfy the business requirements.
Domain 4 Monitoring: This focuses on ensuring achievement of the performance objectives established for the ITO, including gathering data to document the
proper functioning of interfaces between systems and other potential problem spots
in maintaining the accuracy of financial records, required by SOX. It addresses
managements oversight of the organizations control processes and independent
assurance provided by internal and external audit.
Chapter 6
Insurance
As a result of the post-Enronitis epidemic and the trickle-down effect of the SarbanesOxley Act, CIOs are becoming increasingly concerned with officer and director (O&D)
liability and the potential risk of fines and penalties (as well as personal-asset jeopardy)
that can be levied against directors and key officers if they are found liable. The risk
extends beyond just Sarbanes-Oxley legislation.
CIOs (and IT software development firms and vendors) should be cognizant that commercial general-liability (GL) insurance does not provide coverage for programming errors, contract performance disputes, or any other professional-liability issues, including
those associated with SOX compliance. Therefore, IT consultants and companies that
have GL coverage without professional-liability (e.g., E&O) coverage are taking a serious
85

risk. Even if the company is not at fault, litigation is time-consuming, costly, and potentially
disastrous to the enterprises reputation. Professional-liability insurance includes coverage for potential risks associated with legislative mandates (e.g., SOX, HIPAA, GLBA,
ADA, Privacy Act, Foreign Corrupt Practices Act, wrongful termination), BI (disastrous
event or sustained systems outage), IP, Internet, and other IT-related risk exposures.
More than 50% of the respondents to a recent study of corporate officers and directors
conducted jointly by the Institute of Internal Auditors and the National Association of
Corporate Directors indicated that their companies did not have effective risk management (RM) systems, including a holistic approach to insuring residual risks (e.g., errors
and omissions [E&O], business interruption [BI], extra expense, Internet professional
liability, intellectual property [IP] infringement).
This is a critical issue for CIOs, given that as many as 40% of CIOs will be non-compliant
with IT-specific regulations by 2005 and only 15%-20% of affected CIOs will be certified
by auditors/examiners to be fully compliant in 2004. We believe several factors, such as a
lack of regulatory knowledge, business acceptance of risks, and underinvestment in needed
IT controls continue to affect the relatively low rate of overall regulatory compliance.
To avoid problems, CIOs should understand the basic elements of IT-related policy coverage and limitations. CIOs should engage the CFO and legal counsel/corporate risk
managers in a review of residual IT exposures to ensure the enterprise has examined
applicable insurance options and alternatives to determine if (and what level and type of)
insurance placement is needed to cover SOX risk, including a legal review of personal
liability.
Non-compliance with legislative mandates can result in sanctions and fines, but it increasingly puts the enterprise at risk to employee- (and shareholder- or consumer-)
initiated litigation, which can be quite costly.
Conclusions
86
Organizations should develop an enterprise strategy for risk management to ensure

compliance with Sarbanes-Oxley Section 404 as well as future regulations and should
evaluate third-party tools where appropriate, some of which may be coupled with
compliance consulting services.
Risk Management
By implementing COBIT risk management processes, the CIO can lower IT risks to
the business and improve IT risk/reward communications.
CIOs should adopt the COBIT risk management process to adequately address
SOX requirements and avoid harming the organizations financial standing, market
share, brand image, and goodwill.
Understanding the appropriate role and tightly controlling external business and IT
service provider usage are critical to gaining and exhibiting compliance with new
regulatory mandates, as well as optimizing external service provider usage.
Although external business and IT service providers can play a major and valuable
role in helping organizations achieve regulatory compliance, situations exist where
their usage is inappropriate, and in general, organizations must not over-rely on them
to define, deliver, or guarantee compliance.
Risk management auditing applications help organizations perform self-assessments,

which enable them to determine their level of exposure to compliance regulations.
Failure to consider insurance as either a stopgap or risk-transfer strategy puts the

business, executives, and directors at risk (as well as their personal assets).
As part of an overall risk management strategy, CIOs (and IT vendors) must have a
well-grounded understanding of the various insurance policies available to transfer risk.
Chapter 6
87

88

Chapter 7 Architecture
Increased legislation around accuracy, privacy, and timeliness of information is a trend, not
a fad. An overall compliance program should be created to address this press of new
legislation, and work in concert with enterprise architecture (EA) efforts. This chapter
presents an approach for leveraging IT architecture to respond more effectively to the
compliance onslaught.
META Group research indicates that 50% of US businesses facing Sarbanes-Oxley (SOX)
compliance are treating the effort as a one-off project. However, the reality is that businesses face a wave of regulatory efforts with which they must comply, at all levels of
enforcement. Failure to address this trend will lead to excessive costs and effort at least,
and to excessive fines and possible criminal penalties at worst. The better strategy is to
treat compliance as an ongoing program, applying governance principles and building it
into business practices and IT architecture.
The Accounting Information Systems Connection

Financial reporting is a product of information processing, which is a product of managing
the information inputs and outputs of business processes. Around 1957, large organizations began automating business processes with computer information systems. Initially
limited to ledger processing of only the largest organizations, automated information
processing evolved and proliferated on a broad scale to include divisions, departments,
and smaller organizations. At first, cost and technology capability limited information
processing to a centralized approach. Information systems planning processes were leveraged to focus IT investments on areas of strategic importance at the enterprise level.
Information system plans documented what was to be automated, as well as how it was
to be controlled and governed enterprisewide. Enterprise architecture was a key component of planning information systems and translating business requirements, strategic
intent, and appropriate governance into holistic system design and implementation. As
information technology evolved and became more affordable (e.g., personal computer
availability, client/server design, commercial off-the-shelf software), information system
control decentralized.
Sarbanes-Oxley requires appropriate control over material business processes and related information. The only viable way to achieve compliance with Sarbanes-Oxley is to
holistically and proactively manage business processes and related information with technology. Audits will support compliance, but proactive and holistic design and execution
89

are also required.Tracing the history and evolution of information processing shows it is
deeply rooted in accounting information systems. In projecting trajectory based on external trends and the recently enacted Sarbanes-Oxley Act, IT implications include:
A rapid trend toward centralization of control over planning, design, and implementation of information technology solutions
A reincarnation of information management as a corporate discipline
Institution of information systems that provide near-real-time performance information
Increased use of workflow, business process management, and document imaging

solutions
In a global trading environment, where information technology connects markets and

trading partners (and exposes and rapidly communicates improprieties), legislation
will continue to be introduced to encourage appropriate behavior.The Sarbanes-Oxley
Act, HIPAA, the Graham-Leach-Bliley Act, the USA PATRIOT Act, Basel II, and other
legislation will all have the same impact on IT. Processes must be controlled with
appropriate policy and support technological infrastructure. Information technology is
an enabler to compliance. Architecting the enterprise and its information technology
infrastructure to account for current and future legislation makes too much sense to
ignore. In fact, failure to accept that the velocity of legislative control will increase and
to act accordingly will put organizations at a competitive disadvantage, and borders
on managerial negligence.
Pressure from compliance-related and service-oriented architecture trends will have
a convergence effect, causing enterprise architecture and enterprise program management (EPM) efforts as well as compliance efforts/programs to coalesce into an
overall holistic improvement trio. Prescient organizations will reap the rewards of
refining their operational and financial processes to support associated business and
financial performance metrics. Business process management will be enabled to support compliance, transparency, optimization, adaptability, and even Web services within
such organizations by 2007.
90
Architecture
Chapter 7
Defining the Role of Enterprise Architecture

Enterprise architecture is not a new idea, but it is now being fostered and applied in new,
innovative ways within leading organizations. A truly useful EA program moves beyond
technology to encompass business issues, such as regulatory compliance, and enhances
the relationship between the IT group and the business.
The notion of creating an architectural construct for information technology used within
the enterprise was first introduced some 15 years ago. EA was seen as a master plan to
reach an improved future state for IT that spanned the entirety of an organization. Although this is a noble goal and still remains the basis for EA efforts, such architectures
often failed to account for the effects of political realities, business expediencies, and
technological change within the average business.
Since the concept of EA was first suggested, IT organizations have grown dramatically and
have taken on increased importance. Now, organizations are considering EA for business
reasons. Realizing that change has become the norm, progressive organizations pursued EA
programs in an effort to bring some order to IT. EA efforts currently strive for a more
complete representation of business, information, technology, and applications.
To create enterprise architecture, business managers and IT professionals must achieve
a common and cohesive vision of the business and key business challenges as well as the
opportunities and problem corridors the company expects to encounter. Unfortunately, the day-to-day activity of both groups tends to be focused on short-term operational issues. This tactical perspective cannot yield a sustainable competitive advantage,
because investments (particularly in infrastructure and human resources) require time
to mature. The enterprise architecture discipline is enjoying a renaissance in companies
that are tired of throwing good money after bad on reactive, project-level IT fires.
Enterprise architecture, then, is a process that expresses the enterprises key business,
information, application, and technology strategies and their impact on business functions
and processes. EA institutionalizes disciplined analysis and decision making. It must be
driven by the enterprise business strategy, and it must represent a holistic view across
the enterprise.
A properly implemented EA program will bridge the gap between strategy and implementation. It also better prepares the organization for change.
91

The EA effort is both a process and an entity. From the sequence of EA processes and
analyses, a company will derive various EA artifacts guidelines, principles, and frameworks unique to its situation and strategy. The goal of EA is not simply to create a
sustainable technical infrastructure, but to link business and technical strategy in a selfreinforcing partnership of ideas and engineering activities.
Enterprise Architecture as Change Agent

In the past, most systems were developed to address a set of known, obvious requirements.That approach is no longer tenable.Although change in most organizations is inevitable, the specifics of change are usually unknown. Systems and organizational constructs
need to be built adaptively to facilitate this inevitable change.The primary design goal for
an EA must be to enable rapid change in business processes and in the applications and
infrastructure that enable them. EAs that achieve this goal are characterized by seven
properties:
1. Consistency: Change is required at warp speed, and the EA practice should
facilitate this by selecting solutions that will establish harmony among the existing environment and the new or enhanced infrastructure, systems/applications,
and business processes.
2. Extensibility: Every architecture component should be designed such that it
encompasses the full enterprise, meaning it should be enterprisewide to the

fullest extent possible.
3. Scalability: The architecture should seek solutions that can grow, morph, or
even mutate as the business requires it, depending on the changes that occur in
the business environment.
4. Supportability: This involves the capability of the solution not only to support
the full extent of the business, but also to be supported by its provider on either
a local or global basis.
5. Comprehensiveness: As the architecture seeks to provide the widest possible
solution or support to the business at large, the architecture should also be such
that it covers the current and future environments of the organization, tending
toward completeness.
92
Architecture
6. Lucidity (business change-driven): IT organizations are expected to respond
Chapter 7
to a schizophrenic enterprise where change is constant and the architecture should play the bridging role, establishing clear targets for change and making them understandable to the organization in clear business language. It is also
becoming imperative for organizations to distinguish between change through
growth (continuity), which is more of the same, versus real change (disruptive), which introduces different design perspectives, roles, and actions.
7. Component-based nature (modular or reuse-driven): Systems/applications
should be selected or developed to establish a culture of optimum reuse, in

which the portability/modularity of solutions (or components within solutions)
is the primary design goal.
Facilitating change enables the IT organization to respond in a timely manner to the
needs of the business. It enables the IT group to be more proactive and anticipate
change, rather than simply dealing with it as the need arises. EA, strategy development,
and enterprise program management are the key disciplines needed to manage such an
environment.
The entire EA process is implemented and governed through the discipline of EPM.
EPM is the key to implementing architecture. It combines corporate-level project and
program management skills with the value management, process management, and
human-resource capabilities necessary to manage projects. Having an effective EPM
office is a best practice found consistently in the most successful IT organizations.
When closely aligned with a parallel enterprise architecture program, the benefits of
each are magnified.
Although it is not an ivory tower concept, enterprise program management, and the
associated enterprise program management office (EPMO), could be perceived as such
if not carefully managed. One of the major concerns of an EPMO is the integration of
planning, strategy, resource allocation, and architecture management to consistently achieve
a high-value program and high-value project execution. The EPMO is an organizational
construct that is responsible for the enterprise-level management of the portfolio of
programs/projects within the enterprise. It enables implementation of strategy through
projects, establishing and reinforcing the functional competency of project and program
management within an enterprise.
93

Successful EPM functions evolve to provide three major capabilities to the enterprise:
1. Promoting program/project management (PM) best practices throughout the
community of PM professionals to reduce project failure rates.

2. Facilitating dynamic project portfolio optimization processes (assessment,
reprioritization, resource realignment, and closing the loop) to ensure the project
portfolio represents the best use of resources enterprisewide to deliver business value.
3. Delivering accurate and timely decision-quality information to the executives
responsible for dynamic project portfolio optimization decisions.

EPM is increasingly critical to business survival in a world of multi-tier, cross-functional
projects (ERP, supply chain management, e-business, and customer relationship management) and dynamically changing competitive pressures. Program management offices
(PMOs) have been part of many IT organizations for nearly 20 years. PMOs generally
track related projects tied to the delivery of a major application. Systems integrators
and consultants have been responsible for establishing PMOs within their clients to implement standard project management and reporting procedures across multiple projects.
Organizations must invest time and management attention in baseline infrastructure development. Best practice requires attention to PMO organization and governance, improvement in the PMOs business savvy, formalization of architecture implementation,
and adoption of new program/project management tools.
An EPMO is responsible for tracking the budget, resources, schedules, and interdependencies of all significant IT projects. For a PMO to evolve into an EPMO or to initiate one
from scratch, the EPMO must be responsible for tracking not only application projects,
but any significant effort involving IT resources as well. This requires standard reporting
procedures and criteria to be established for all IT areas.The individual project managers
or technical managers responsible for infrastructure projects must do this reporting at
the detail level. Such reporting demands tremendous discipline in completing the required reports and project plans, though much of this can be facilitated with office automation, project management, collaborative, and workflow software.
94
Architecture
It is no accident that establishing EPM and fostering project management discipline in an
organization are inextricably tied to enterprise architecture.The transition planning phases
of the process model rely on the rigorous adoption of project management best practices. Many enterprise architects have leveraged an EPMO build as a foundation for
introducing the architecture process and accelerating its development/adoption.
Chapter 7
Establishing an EPMO requires the support of senior business and IT leadership, as well as
the correct staffing, communications, reporting procedures and standards, and architectural documentation to be successful. Often, the chief architect or other IT leaders
understand the need for an EPMO, but ultimately, the CIO must be informed and make
the decision.
EPM provides the mechanism for assessing the cost and risk of new, proposed projects
based on past experience. The best way for an organization to maintain its competitive
edge is to ensure that the projects and programs that receive the allocation of limited
corporate resources result in the greatest possible business value. This is the true EPM
value proposition.
Effective EPM ensures business decisions are highly quantitative (versus subjective), balances risk and value of business ventures, cultivates a learning-focused and change-tolerant pool of human capital, and can mitigate staffing problems by identifying the requisite
skills needed to perform projects in support of the business agenda.
Without EPM, burgeoning cost overruns, mismanagement, and resulting project failures
can draw the ire of senior management, and in some cases even prompt the outsourcing
of IT. Building best practices rather than merely adopting cookie cutter approaches
from outside vendors and surrendering control to external consultants is critical to
success. Global 2000 organizations must adopt strategies for developing EPM talent inhouse and bootstrapping adoption, in addition to leveraging emerging organizational structures such as effective program management.
Although the blistering pace of technology change decoupled strategic planning and budgeting processes from the enterprise architecture process, they are about to be reunited. More tightly controlling spending on information technology and governing what
is implemented, eliminated, or changed are the only mechanisms to ensure compliance
with Sarbanes-Oxley and will supersede the need for speed.
95

Because this is countercultural in many organizations, instituting such governance and
rigor will require strong leadership, sponsorship, and support, as well as compliance audits. Similar to the Sarbanes-Oxley compliance audits that are outlined in the legislation,
IT audits will be required to ensure appropriate control is maintained on information and
supporting information technology. COBIT is a likely candidate for an approach to auditing IT for compliance controls (see Chapters 3, 5, and 6).
User Actions
Compliance with Sarbanes-Oxley will be no small task. Because it is currently a law, pure
compliance though mandated will be seen in few, if any, organizations. Organizations must leverage a portfolio management approach to allocate resources to areas
where non-compliance exposes the greatest risk.
Many of the analysis tools that financial portfolio managers use can be applied directly to
managing IT investments in hardware, infrastructure, applications, people, information,
projects, and processes. The most successful business leaders have distinguished themselves by following the models of the financial industry and applying portfolio management disciplines to business and IT investments.
Leaders have found portfolio management valuable and viable when they were able to
answer the following questions positively:
Will it improve communication with the business?

Is balancing reward and risk the issue?
META Group research indicates that CIOs who embrace IT portfolio management have
exemplary records of continuous IT efficiency improvement, with some enterprises
able to reduce costs by up to 30% while improving effectiveness with enterprisewide
asset deployment/management. Much like a financial investment portfolio, IT portfolio
management enables the CIO to categorize, evaluate, prioritize, purchase, and manage
technology projects and assets (hardware, software, and people).
One main benefit of the portfolio management approach as we define it is that it
can be applied at varying levels, from very basic to extremely sophisticated. Individual
organizations can apply portfolio management at the level of sophistication appropriate
to their situations. Small organizations or those in relatively stable situations can remain
at a fairly basic level, while Fortune 500 companies often become very detailed, leveraging complex financial models and management techniques.
96
Architecture
A second key benefit of IT portfolio management is the introduction of the concept of a
management life cycle with a beginning, a middle, and an end for each portfolio
investment. Great financial managers often know what will drive them to exit an investment even before they buy into it. In contrast, all too often, IT managers do not recognize that software and processes have a life cycle. The result is that, while hardware is
refreshed and replaced on a regular schedule in many organizations, software and processes often long outlive their usefulness.
Chapter 7
A third important benefit is that portfolio management encourages a regular review of

investments. Currently, many IT organizations conduct a single annual review of their
investments as part of the annual budget process. Savvy CIOs understand the relationship between IT portfolio management and maximizing cyclical economics.
Once highest-priority compliance projects are identified and funded, compliance teams
must examine available resources and distribute them appropriately. Compliance must
be instilled into all levels of the organization, including IT delivery and operations. SarbanesOxley compliance principles and policies must be specifically created and communicated to each key stakeholder group. Audits must be instituted to ensure behavior is
consistent with management intent. Governance must be centrally established to ensure
that change is architected to support compliance. Strategic systems planning, enterprise
architecture, and IT portfolio management must be leveraged to support enterprisewide
transformation that complies with Sarbanes-Oxley. Full compliance is evolutionary, and
must be accompanied by appropriate risk management (see Chapter 6).
Sarbanes-Oxley is just one data point toward a global expectation that organizations not
only act with integrity, but also have the controls in place around processes and information (or processing of information) to support integrity. Meeting this expectation will
have a positive financial impact on the organization. Investors and customers alike will
reward organizations capable of demonstrating excellence. More than ever, organizations
must recognize that their individual piece parts (e.g., processes, people, information, systems) exist under the same organizational umbrella for a common purpose creating
value for interested stakeholders and acting accordingly. Mandates for future success
include the following:
Maintaining effective corporate governance, from the board of directors down to

the rank and file
97

Defining an organizational strategy, inclusive of legislative compliance and replete

with supporting operational policy
Including an organizational blueprint or enterprise architecture that incorporates

internal and external trends (e.g., current and new legislation, changes in workforce,
technological evolution)
Managing and coordinating organizational evolution through a project portfolio, coordinated via an enterprise program management office or similar function
Designing and building an enterprise information architecture that provides accurate

and timely historical information and reasonable forecasts
Implementing appropriate checks and balances, as well as rewards and punishments

to support desired behavior
Although the focus of corporate compliance is currently on demonstrating appropriate

financial controls, the spirit of Sarbanes-Oxley remains to be fulfilled in providing accurate, future-based, predictive information to interested parties (e.g., investors, regulators, governing bodies). We expect future legislation or interpretation of existing legislation to support this spirit and design adaptability to new legislation into processes and
supporting information systems. Organizations must ensure data quality by rationalizing
systems and institutionalizing data management principles. Firms must also consider areas where change can become material and design governance and analytics into these
areas as part of a holistic improvement program. Candidate areas include the following:
98
Project portfolios, both business and IT, since projects are the building blocks of
strategic change
Customer relationship management, as customer loyalty and interaction drive revenue and future performance
Financial and operational analytics, as pro formas (to a large extent) drive investor
expectations
Product life-cycle management, as product life cycles correspond with current and
future revenues
Architecture
Chapter 7
Conclusions
Sarbanes-Oxley compliance is heavily dependent on information systems. Business

leaders must centrally plan, architect, and implement a holistic compliance solution.
An enterprise architecture cognizant of ever-increasing legislative compliance demands, combined with a plan to achieve that architecture and a program to oversee
its execution, is a business imperative.
Compliance is not accidental. A road map and a destination are required to thrive in
a world with ever-increasing legislation.
An effective EPMO is a best practice found consistently in the most successful IT

organizations. When closely aligned with a parallel enterprise architecture program,
the benefits of each are magnified.
99

100

Chapter 8 Records Management

SOX compliance requires that an organizations auditing firms capture a wide range and
fairly large volume of both structured and unstructured records concerning financial performance. This chapter discusses the implications of records management requirements and the
business process and IT infrastructure changes these requirements demand.
A complete SOX records management solution requires management of both structured (e.g., financial data, database records, ERP extracts) and unstructured data (e.g.,
documents, images, e-mail, collaborative exchanges). Yet the definition of what constitutes a record within the SOX framework that is, how records are created, accessed, and managed, and which retention rules apply is sometimes overlooked.
Section 802 addresses the destruction or fabrication of records (evidence) and the
preservation of financial and audit records. The final rule issued by the US Securities
and Exchange Commission (SEC) requires that the auditor retain records relevant to
the audit or review, including workpapers and other documents that form the basis of
the audit or review of an issuers financial statements, and memoranda, correspondence, communications, other documents, and records (including electronic records)
that meet the criteria as specified.
SOX also requires that firms retain all records relevant to the audit and review processes
for at least seven years and that these records not be deleted, altered, or otherwise
manipulated during the retention period. Such records include documents generated by
financial management (e.g., invoicing), ERP, and EDI or e-commerce systems, as well as
unstructured records (e.g., business-related electronic-media exchanges via e-mail, IM,
and chat room meetings among parties involved in the audit and review process).
The SEC has specifically ruled that discussions of differences of opinion carried on via
electronic channels are subject to the retention requirements of Section 802. This requirement applies to the company under audit, any consultants or third-party auditors
that may be critiquing its SOX compliance efforts, and the firm that conducts the SOX
audit. It applies both to communications across corporate boundaries between any of
these third parties and the enterprise and to internal communications inside the enterprise or any of those third parties. Since SOX makes no distinction between internal and
outsourced functions, it presumably applies to outsourcers as well.
101

At first glance, this seems onerous, but it may not be as difficult as it initially appears.
First, Section 802 applies only to records relevant to the SOX corporate audit. This
includes all corporate financial documents both information in databases and such
publications as quarterly/annual reports and SEC filings and documents and electronic exchanges specific to the audit itself.Thus, only a small and fairly contained subset
of corporate communications is covered. We do not expect it to expand to anything
like the all-encompassing records storage requirement of SEC regulation 17a-4, for example, which mandates the retention of all customer communications (most notably email and IM) between broker/dealers, registered representatives, and customers. On
the other hand, the penalties for failure to comply with this portion of the act are
potentially massive, and neither the act itself nor the SEC or PCAOB have completely
defined what is considered relevant, allowing room for significant interpretation. Therefore, we recommend a conservative approach.
Second, the requirement to preserve these records unaltered for seven years is easily
accomplished with a simple technical solution write them to a WORM (write once,
read many) drive or the more recent immutable magnetic storage (e.g., EMC Centera,
Network Appliance SnapLock), with WORM typically the standard solution for longterm data preservation. In addition, organizations seeking a more complete records
management strategy for their SOX (and other valuable business) requirements may
wish to investigate managing these records according to the DoD 5015.2 specification,
as well as storing them on immutable media, though the SOX regulation does not require either of these specifically.
Once records are written to WORM they are unalterable, and the media itself will last
beyond seven years if stored in a controlled environment. Courts accept WORM as
unalterable, solving the problem of documenting that the records were not changed
should they be required in an investigation. Many organizations are making two copies of
relevant data, one to WORM media that is locked (vaulted) and a second to more
accessible medium (SAN, NAS) for reference as needed to support business processes.
102
Records Management
Chapter 8
Section 802 Compliance

We possess a comprehensive records management

program
The quality of our RM programs procedures,

schedules, and training is high
We possess comprehensive (e.g., paper, electronic

transactional, communications) RM practices
The adequacy of our RM retention life cycle is high
The immutability of our RM practices is high
The accessibility and control of RM content are high
The adequacy of our RM documentation and audit trails

is high
Records Capture Issues

The true challenge involved with managing this information is that there is no turnkey
solution to totally automate the capture of these records. E-mail and IM records are the
most problematic. Because these communications take place either via the companys
internal network or on outside carriers such as Yahoo across corporate firewalls (not a
recommended practice), differentiating SOX material from other material, particularly
in the heavy e-mail streams in many corporations, is difficult. While Microsoft Outlook
and Lotus Notes dominate the corporate e-mail space, the market for corporate IM
and Web meeting solutions is much more fragmented, and a large corporation could
have several different solutions in use in different lines of business (LOBs). Records
management techniques and technologies may never have been applied to many of these.
We recommend the enterprise create a secure electronic worksite that includes email, IM, and Web meeting capabilities to support the actual SOX audit or review processes. This may be built directly on top of the corporate records management system
leading ECM vendors (e.g., Documentum, Open Text, FileNet, IBM, Hummingbird,
Stellent) have built collaboration systems as extensions to their base records management applications. If all parties both internal and external (e.g., the SOX auditors)
are required to use this site for all electronic communications, they can be captured and
stored fairly easily.
However, not all relevant communications may happen during the audit period or involve only those designated to participate in the audit. Some questions about what
needs to be captured have yet to be answered. For instance, a large amount of commu-
103

nication is going on at present in many US-based corporations as they gear up for their
first audit. In most cases, these discussions involve employees and consultants who will
not be part of the actual audit, including internal and third-party auditors, internal and
possibly external legal experts, and on the technical side, ITO technical staff and consultants supporting the compliance effort. Requirements for capturing and preserving these
discussions are still unclear. For instance, do discussions among inside audit, financial,
and legal staffs (and possibly outside auditors and other experts designed to define the
corporate interpretation of the SOX requirements) need to be preserved? Do discussions between those business people and ITO staff and consultants concerning implementation need to be saved? Do purely technical discussions among the ITO staff and
consultants about how to satisfy the corporations need for data to support the SOX
audit need to be captured?
These groups are probably using the normal corporate electronic channels for communication. But copies of these communications including those with outside consultants that in many cases are taking place over Web-based public services such as Yahoo
and are beyond the corporations control may also be required by SOX regulators.
Many of these employees and outside organizations will not be involved in the actual
audit, and for legal reasons therefore the enterprise does not want them to have access
to the secure audit site. At this writing, it is not clear whether these communications fall
under the SOX retention requirement or not, but many probably will, which means that,
to ensure compliance, companies will want to capture all this material and sort it out
when specific rulings clarify this issue.
One option is a second secure site to support the multiyear compliance design and
support effort. This proliferation of sites, however, will lead to confusion and will probably only annoy participants, who will constantly have to decide whether the communication should go through normal systems, the SOX compliance design system, or the
actual SOX compliance system. Those only peripherally involved may forget to use the
special site for their SOX compliance. In any case, this multiplicity of special sites may
prove impractical in many organizations. However, one thing that the ITO does need to
do is discourage (or even ban) employees and consultants from using public systems
such as Yahoo IM for their SOX communications. While it is possible to capture IM
sessions from Yahoo and some other public systems (AOL, MSN), it is complex both
technically and legally, and can be expensive as well.Thus, the ITO at least wants to keep
all SOX traffic on its or its consultants internal systems.That may require that it open its
internal IM and Web meeting system to its outside consultants, within the constraints of
a centrally managed environment.
104
Records Management
Collection of this material from normal corporate channels can be partially automated by
setting the corporate e-mail system to copy copies of all e-mails with SOX or SarbanesOxley in their headers and all e-mails originating from or going to specific individuals
the SOX consultants or employees who are assigned full-time to SOX compliance to a
SOX e-mail account that then can be automatically managed in the SOX records management system.This may result in capturing messages that do not need to be preserved, but
it will be better than missing messages that should be preserved.
Chapter 8
However, some communications will invariably be missed. Thus, to some extent, compliance will depend on the voluntary actions of individuals, and that opens the door to
anything from honest mistakes to purposeful omissions which of course is the case
with records management in general. Some companies are already talking about adding
a checkbox to each e-mail that enables the sender or recipient to flag it as SOX-relevant.
The problem is that honest employees might forget while the dishonest employees
exactly the people SOX is intended to stop might attempt to circumvent the system.
This virtually guarantees that those messages will be mishandled.
The bottom line is that corporations will fall short of full compliance with SOX Section
802 to the extent that they depend on voluntary action by employees to identify and
capture relevant electronic records and SOX-related communications. This is a potential major SOX compliance issue, particularly in large corporations where the daily email volume is measured in tens of gigabytes. It is likely to be less of a problem with
auditors, who may choose simply to capture all e-mails, IM sessions, and Web meetings
involving persons engaged in SOX audit work, whether they are actually SOX-related or
not. Corporations can do the same thing with individuals assigned to work specifically
on SOX. The problem will be most severe for corporate senior management exactly
the individuals that SOX compliance is most likely to focus on because for them
SOX traffic will be only a percentage of their total e-mail and IM traffic, even during
SOX audit periods. They are also less likely to remember to check off a SOX checkbox.
Best practice for these individuals will probably be to focus on training their personal
administrative assistants to be alert to SOX traffic.
The automated methods of capture are intrusive and do raise privacy issues for employees, particularly if all electronic communications involving some individuals assigned
to SOX full-time are captured. Those employees should be warned that their communications are being preserved. However, this may simply become a requirement for the
job, and they may have to use alternative systems for personal electronic communica-
105

tions during the day (even if this is against corporate policy) or simply forgo such communications. Ultimately, given the extent of the possible consequences for failing to
comply with SOX, the corporation may have no other choice.
Beyond Technology, Training, and Marketing

However, no technical solution can solve the compliance problem alone. A SOX-compliant solution demands that technology work in conjunction with financial, accounting,
and other business processes. It requires changes in how people work and in the work
processes and corporate culture behind them. This cannot be accomplished on an ad
hoc basis it requires a formal records retention policy that is part of a broader,
corporatewide SOX strategy.
Employees must trust the retention system, or they will purposely thwart it. Employee
distrust of the records retention and concern over the potential that those records
could be used against them internally by their managers or by other employees with
access to those records are major potential problems that must be overcome to
win employee cooperation, without which the enterprise simply will not be able to
comply with Section 802. To do this, the company must create clear corporate policies
surrounding the access and use of the material preserved under the SOX requirements.
The policies must be designed to provide affected employees with as much privacy as
possible and to reassure them that the information will not be used against them internally by management or by fellow employees. That policy needs to be thoroughly explained to everyone subject to SOX records retention requirements as part of SOX
training, and it should be rigorously enforced.
The enterprise must identify all individuals who are involved in the SOX audit and
compliance process inside the corporation and all accounting firms, auditors, and consultants involved from outside the enterprise. This should specifically include all secretaries/admins supporting persons involved, who are often the people who actually handle
communications routing, set up Web meetings, etc. It includes corporate and LOB legal
and financial staff, COOs, CFOs, CEOs, and presidents or their equivalents both for the
parent organization and all US-based LOBs. All these employees must clearly understand the new expectation of accountability created by SOX and their role in SOX
compliance, including the need to identify all electronic communications concerning
SOX.The enterprise cannot rely on word of mouth or informal methods to convey the
important messages surrounding SOX to those involved.
106
Records Management
Formal training for all these individuals, therefore, is absolutely necessary if the enterprise is going to achieve SOX compliance. Unless the organization has an in-house SOX
expert who specifically understands all SOX requirements from an end-user perspective and who is a good teacher, the organization probably would be wise to consider an
outside consultant with this combination of skills and knowledge.Training should emphasize the potentially severe personal as well as corporate implications of failing to comply
and corporate policy that prevents the data from being used against the employee.
While SOX only specifically mentions senior management as being personally liable,
other key players in the SOX process should not presume they are immune to personal
prosecution (whether judicially or liable for breaking company policy, etc.).
Chapter 8
However, the best training wears off in time as the impact and memory fade. Thus, it is
vital for the enterprise to keep users aware of SOX through internal marketing. This
should include posters and other items that individuals will see every day as well as
follow-up training before each annual SOX audit is conducted. SOX slogans should be as
common in the lives of these individuals as the famous loose lips sink ships was to the
American public during World War II and for much the same reason. It will remind
them to think about compliance throughout their day. Individual items such as coffee
cups, printed pens, and note pads for their desks, are inexpensive to have made and can
be a constant reminder.
Understanding Technology Solutions

Business intelligence (BI), business process management (BPM), and records management systems will play an important role in the technical infrastructure supporting SOX
records management. A SOX technology solution is more than a Section 404 risk management tool. Ultimately, a blend of data- and content-driven solutions will be required.
Most firms will employ a technical architecture, including leading business applications as
well as legacy solutions, many already in-house, to meet many of the financial control
requirements outlined in the act.
Firms with existing investments in enterprise content and records management technology (e.g., Documentum, IBM, Hummingbird, Open Text) are exploring ways to leverage content and records management, in addition to any collaborative and workflow
components also offered by these vendors, as a strategic foundation for all content and
records generated through the review and audit cycles.
107

Firms will need BI/BPM solutions that can provide visibility and transparency, while also
managing and automating the results and consolidation process across a decentralized
enterprise. This is an area where solution and tool decisions must be made from a
strategic business intelligence infrastructure perspective (i.e., choosing a BPM tool that
can leverage existing BI investments in reporting, OLAP, data warehousing, etc.). Organizations will need solutions that can automate and control financial consolidations (e.g.,
Hyperion, PeopleSoft EPM, Longview) and also support the reduced amount of time
available to produce externally facing financial statements (e.g., 10-K, 10-Q). Many firms
will augment these processes with internally facing portal solutions (e.g., PeopleSoft,
SAP, Plumtree) and externally facing portal tools (e.g., PeopleSoft Investor Portal, Cartesis)
to help with financial statement and content preparation, as well as to provide information on required corporate disclosures (e.g., director holdings/information/affiliations,
changes in financial condition required under Section 409). By 2006, XBRL (Extensible
Business Reporting Language) will become an important component of both internally
and externally facing financial information solutions to standardize report content and
provide XML-based linkages to SEC, Hoovers, etc.
Records Management Requirements

Section 404 specifically requires that firms document their processes and that the tools
provide a blend of content, program, and business process management. When selecting
a tool, firms should gravitate toward vendors they may have already engaged for records
management, program management, or business process management to leverage existing infrastructures. In addition, when establishing BI platforms (e.g., Hyperion, Cognos,
SAS) to support these efforts, firms will need to retrieve records and images (e.g.,
invoices, contracts) in addition to meeting the data requirements to provide an audit
trail down to the transactions and their drivers. We predict that this will eventually lead
to convergence of both data and content solutions for SOX compliance and business
performance management solutions and tools. To create this seemingly complex semblance of structured and unstructured data elements (documents, financial records,
processes, analytics, and communications) and to assess readiness to meet SOX
records requirements, organizations should consider the following technology and architecture factors.
Enterprise Control Repository
A secure repository is needed for standard operating procedures, financial records, and
other documents or records that must be maintained, updated, retained, archived, or
destroyed centrally in compliance with SOX and documented organizational policy and
108
Records Management
practices (e.g., as required under Section 404). Certainly, most firms with existing investments in enterprise content and records management technology (e.g., Documentum,
IBM, Hummingbird, Open Text, FileNet) are now exploring ways to leverage content and
records management as a strategic foundation for all content and records generated
through the review and audit cycles, as well as to leverage any collaborative and workflow
components also offered by these vendors. Furthermore, a centralized content repository with a base built on a records management foundation (i.e., compliant with DoD
5015.2) ensures systematic control over all content during its life cycle and manages
retention and destruction rules for this content.
Chapter 8
Beyond meeting the SOX requirements, being able to provide complete, secure, and
timely access to information (content) throughout the enterprise, while also protecting
content integrity, managing availability, protecting sensitive information, and reducing
operational costs (or cost avoidance) is fundamental to an effective enterprise records
management strategy. Broken down into its base components, the retention regulations
required under SOX are essentially no different from retention requirements already
incumbent on most organizations, though largely ignored in a digital form to date due to
the difficulty of applying a consistent set of policies to tactical solutions. It is the nature
of the content required under SOX that is the differentiator.
Integrated Workspaces
As critical documents and records are maintained in a secure SOX repository, a closely
linked factor to be considered is enabling the communications throughout this process
among the different stakeholders and various internal staff as well as with accounting
firms or any number of board members or other relevant parties that would like to see
a more aggregated and personalized environment. Ideally, this would be an environment
where certain snapshots (e.g., financial extracts), key performance indicators (based on
analytics), or other point-in-time content (daily ledgers, purchase orders, etc.) can be
securely deployed and accessed as well as personalized for specific users and for whatever role or position they have within the process.
This is very relevant for internal review, enabling identification of problems before they
become material and facilitating identification of risk as well as collaboration (e.g., to
query ERP or other line-of-business systems). An integrated workspace can also be
used as a centralized workplace for statements on director-level or company information as well as on all types of content and resources related to achieving compliance
with Section 404 or any of the other sections requiring a collaborative process, reten-
109

tion, and aggregated access. This portal-like workspace is tightly linked to, and indeed
built on, a secure, records-compliant repository and provides one method of addressing these various components, especially with dispersed user bases as well as dispersed
systems managing the content and procedures during the compliance process.
Process Management
Also closely linked to a records repository (as a foundation) and integrated workspaces
(as an aggregated interface) are the structured and ad hoc work processes that are
mandated for collecting, compiling, reviewing, formatting, collaborating, publishing, and
distributing financial information. Moreover, differing content within the SOX process
may be subject to multiple paths, rules, or review status, with procedures linked to, for
example, the documents or data according to predefined internal controls for the SEC
Form 10-Q financial reporting process.
Documents and data may be automatically linked to specific workspaces, enabling a
review team to interact with a filing calendar, provide complete audit trails and history,
centralize e-mail communications, and resolve issues in an ad hoc manner. Moreover,
structured work processes manage exception handling through workflow embedded in
a high-risk business process to automatically identify, escalate, and communicate exceptions. Indeed, a process-enabled portal infrastructure may access a data warehouse or
an analytics engine that will provide snapshots, allowing for aggregation and an integrated
interface and thereby enabling this information to be viewed in the context of a larger
structured process.
It is clear to most organizations involved in building a SOX technology framework that
a complete solution encompasses management of both structured data (e.g., financial
data, database records, ERP extracts) and unstructured data (e.g., documents, images, email). A successful SOX framework, built on a solid records management foundation,
does the following:
Benefits the organization by providing centralized availability of documents
and content
Aids the organization in responding to investigations, discovery, and litigation conducted by governing bodies
Ensures the preservation of evidence
Enables an organization to better meet shareholder governance expectations
110
Records Management
Chapter 8
Conclusions
SOX demands rigorous capture and retention of a large volume of financial records,
including informal electronic communications (via e-mail, IM, Web meetings) concerning SOX 404 and other SOX sections.While most financial documents are fairly
easily identified and captured for the SOX record, e-mails and other informal electronic communications present a more difficult challenge.
While technology can be applied to the problem, by itself it will be insufficient to

capture the complete record that the regulations require. Thus, a SOX program
must include company policy additions, education for all employees involved in the
SOX program and eventual audits, and follow-up marketing to reinforce these regulatory responsibilities with employees.
Clients should view SOX and other compliance/risk-related projects as an opportunity to standardize and upgrade all content-related systems. As part of this process,
content-related purchases should be viewed as an infrastructure-like purchase to
which a consistent set of content and record policies can be applied.
To meet SOX compliance, an organization must have complete, secure, and timely
access to content throughout the enterprise, while protecting content integrity, managing availability, and ensuring immutability throughout the life cycle.
Technology solutions can be leveraged to meet most SOX requirements. However,

firms must view this as a process issue and bring technology in where there is an
appropriate fit.
Enterprises will need to look across financial controls in most business processes to
ensure that they are in compliance with Sarbanes-Oxley. A SOX technology blueprint will include Section 404, ERP, and best-of-breed transactional, content, portal,
and business intelligence solutions.
111

112

Chapter 9 Asset Management

Most IT organizations (ITOs) have an asset management program in some form, but many of
these organizations continue to struggle to live up to original expectations, while those with successful programs are progressing into advanced asset management with only marginal difficulty.
The key for transforming struggling asset management programs is to identify and correct problematic issues before moving into expanded roles and responsibilities. This chapter examines the
problems, their solutions, and the evolution to a best-practice asset center of excellence (COE).
Asset management is the combination of tools, processes, and organizational interfaces that financially manage, optimize, and dispose of IT assets. An asset center of
excellence (A-COE) represents the evolution of AM programs into cohesive crossdiscipline, cross-platform programs that incorporate chargeback, baseline/benchmark
metric generation, stewardship, and financial planning of all IT assets.
The benefits of this type of activity should not be underestimated. Communications are
improved, resulting in improved IT/customer relationships. Project estimates and cost
information become more accurate, resulting in better overall IT costs. Finally, the added
element of reliable cost data empowers executives to balance the technical requirements and risk with the long-term financial exposures, positioning the ITO as a strategic
partner when making business decisions. By taking ownership of asset procurement,
optimization, and fiscal stewardship across all enterprise IT resources, the A-COE will
enhance the business credibility of IT organizations and drive best-of-breed cost advantages (25%+ savings).
Asset management programs will continue to evolve, initially focusing on cost savings
and gradually evolving into a greater value-add role in the ITO decision-making processes. Best-practice ITOs will implement robust portfolio management disciplines, using information gathered and distilled by AM programs. Successful infrastructure asset
management programs will be thrust into application asset management, as next-generation application cost control becomes a larger corporate issue.With this evolution, asset
centers of excellence will be responsible for corporatewide asset procurement, planning,
and deployment, offloading operational responsibility for AM from lines of business and
freeing up resources to work on other projects.
113

Defining Goals and Objectives
The first challenge AM programs face is definition and communication. AM has been
defined in a variety of ways by vendors (to the confusion of customers) to include
systems management, procurement, financial accounting, and capacity planning, among
other items. Due to this wide variation in role responsibilities, AM programs without a
strong definition have floundered in trying to satisfy multiple undefined constituents.
These programs inevitably fail to meet expectations that were never understood to be
within the scope of the program.
Connected with poor definition is lack of clear goals, objectives, and road maps. Many
successful AM programs are caught in a quagmire when asked to take on additional
responsibilities for other assets, most of the time with little or no additional resources.
Although original AM program scope is historically tactical, growing responsibilities
require clear strategic direction on what will be managed, by whom, and when. Definition standardization improves organizational understanding and eliminates ambiguous
expectations.
Another definition issue is the failure to track and communicate success to the larger IT
organization. Successful AM programs are quick to point out successes, and in some
cases, accomplishments are rewarded to ensure continued support. Without clear success stories and communication,AM programs become background noise and are quickly
lowered in priority within the large IT initiatives list.
Accentuating the Processes

Many asset management programs are expected to implement tools to solve particular
issues, often providing some near-term relief, but these efforts ultimately fail when lack
of process results in suspicious data.The view of project versus process methodology is
part of the problem. AM projects are often viewed as onetime events to select tools,
aggregate and analyze data, and then hand off to an operating division. However, the lack
of established processes quickly renders data inaccurate. Furthermore, AM data often
conflicts with that of other sources, undermining overall credibility. Asset management
programs must provide clear, accurate information, which should not be presented until
processes improve data to a satisfactory level.
When data is found to be inaccurate, exception processes and reporting are required to
correct the erroneous information and identify process gaps. Iterative data verification
should be considered an integral process when establishing AM programs. Each iteration
114
Asset Management
of data cleansing should be targeted at troublesome areas that subsequently require
minimal upkeep. Tools can be helpful to understand asset deployment and configuration
and to monitor use, but with assets constantly changing and organizations restructuring,
data reconciliation processes must be clearly defined and followed to continuously improve data accuracy and reduce errors.
Chapter 9
Political Issues
In general, the strongest AM programs have not only executive support for reducing
cost, but also a focus on delivering value (e.g., improved delivery time), assisting in overall
buy-in. Without additional value-add, processes are often circumvented using numerous
tactics (e.g., This is the only product that will solve our particular problem), which
causes process erosion and sheds a negative light on AM in general.Within the organizational structure, there is often a political agenda that conflicts with asset management
goals and objectives. Project and application rollout are often considered to be career
advancement opportunities, driving unrealistic cost and benefit analyses. Exacerbating
the problem are programs championed by the lines of business, which are interested
only in quick results. AM programs must focus on ensuring that supporting analysis is
performed on aspects such as total cost of ownership (TCO) and the asset life cycle, but
these areas should be tread on carefully, since decisions ultimately lie elsewhere in the
ITO. AM programs must follow a delicate path, understanding and communicating the
balance between cost and value without impeding overriding corporate issues.
Action Steps: Identifying Critical Success Factors

CIOs should do the following:
Concentrate on issues: Target the highest pain points
Prepare for success: Understand asset management evolution, and plan ahead for
process and data integration of new functions
Communicate: Ensure that objectives are clearly communicated, successes are

advertised, and reports meet constituent requirements
Process: Ensure processes support improved data integrity
Understand accurate versus inaccurate data: Since AM data initially will not be
accurate (nor will it be useful), focus on key data that can be used to manage the
largest pain points and to facilitate portfolio management, using formal, iterative
processes to improve data accuracy and sampling methodologies to spot-check
cleansed data
115

Making the Project/Asset Management Connection
The historical gap between project management (PM) and the subsequent management
of IT assets has been highlighted by recent efforts to reduce costs and develop portfolio
management. The fundamental difference between PM and asset management goals is
the key issue creating high long-term costs. Projects are charged with getting applications/assets into production within set deadlines and certain cost parameters (usually
focused on capital constraints versus long-term expenses). The result is development of
contract terms and conditions (Ts&Cs) and costs that even robust AM programs cannot effectively control or improve. AM core disciplines are focused on driving overall
costs down, but leading practitioners are also experienced at identifying hidden longterm costs that dwell in the fine print of agreements. To begin truly understanding and
controlling IT costs, IT organizations must move toward integrating project and asset
management.
Software asset managers have long understood that the best leverage in any software
purchase exists well before the initial acquisition. Subsequently, ITOs can only negotiate
based on key change events that increase vendor leverage. This puts the ITO in a weak
position, made all the more difficult by software vendors desire to retain revenue streams
(especially maintenance), even at the expense of potential new business. In addition, payment streams over time (from project acquisitions) obfuscate absolute cost of maintenance (purchase versus ongoing costs), causing poor understanding of long-term costs.
The most significant issue to address is that of organizational silos. In the case of project
management, we often see no involvement from AM in the decision to acquire assets.
Initial asset management involvement comes when the project is complete, at which
time the procurement and Ts&Cs are set in stone. The cross-organizational issue is also
problematic because the capital budget for projects often resides within the PM team,
while the resulting expenses are incurred by IT infrastructure after the project has been
completed. Exacerbating this problem is the fact that many project groups are often
located within lines of business, which creates even higher (political) obstacles to efficient procurement. In addition, without a comprehensive approach toward vendor management, vendors that are intentionally shunned from infrastructure often appear within
project groups, resulting in mixed messages or worse, repetition of the past errors.
Strategically minded CIOs are moving to eliminate the historical problem of poor communication and cooperation between PM and AM that has hindered effective cost control. Best-practice organizations are building on a series of activities and process integration that will reap long-term rewards.
116
Asset Management
A growing trend toward involving asset management at the onset of projects (and architecture creation) leverages experience in efficient and cost-effective procurement. This
enables procurement delay to be minimized and protective Ts&Cs to be pre-established.
AM programs can also assist project teams by using existing assets to start projects, or
alternatively, substituting an asset refresh for a new project request, thereby effectively
eliminating any procurement delay. For the longer term, AM teams will also begin managing application costs, helping project teams to improve overall costs.
Chapter 9
The use of RFP (request-for-proposal) templates to establish pertinent Ts&Cs will greatly
speed the overall process while forcing vendors to answer difficult questions before any
decision is made rather than after the vendor is fully aware that the business is
secured.Although the specific answers to questions are important, the questions that are
not answered (or those that are dodged) will provide insight into risks of the acquisition.
For example, if the vendor is unwilling to provide long-term unit costs, the customer can
assume that the purchase is a loss leader, which the vendor intends to make up over the
longer term.
One clear requirement is the need to build a network of relevant people prior to project
execution. We continue to see many acquisitions in which key people are not informed
of information before the decision is made. In organizations with corporate procurement departments, key executives must be notified early in the process to ensure swift
resolution. The executive approver must be clearly in the loop and be kept apprised of
the economics, Ts&Cs, and risks associated with the acquisition. Since this is a daily
activity for AM programs, acquisitions can be prioritized and facilitated through existing
processes, mitigating unnecessary delay and workload.
For project teams, the benefits are clear. Better estimates will build more confidence in
project teams. The ability to leverage existing assets can help facilitate quick starts to
projects. Improved Ts&Cs help enhance project budgets, not just infrastructure costs.
For AM teams, the ability to finally improve vendor and negotiation management will
reap rewards that far exceed the additional effort in project involvement. By helping
sculpt the costs and Ts&Cs before vendors are chosen, procurement effectiveness becomes optimized for any given acquisition. The ability to leverage the existing asset installed base and additional vendor business becomes a critical factor in controlling the
explosive number of vendors and products in the IT suite.
117

The final result of asset management/project management cooperation is the realization
of true portfolio management. By working together, AM and PM will streamline procurement and the impact of any given project or asset on the entire product portfolio.Through
this relationship, corporations will finally realize the true value of ITOs and facilitate a
comprehensive cost-control program.
Evolving to an Asset COE

As asset management programs mature, executive support becomes critical in moving
to an asset center of excellence. Beyond the cost-savings focus of asset management
programs, asset COEs will drive improved manageability and control of IT organizations.
IT executive management must break into a champion role in driving AM programs into
asset centers of excellence, pointing attention to asset costs and value. One key component of the maturity to an A-COE is the building of AM processes across platforms and
disciplines, developing true end-to-end asset management.
A-COEs can help CIOs through the four broad areas noted below. Each of the focus
areas delivers direct improvement on costs, improved decision making, or better value
to customers.The ultimate result is proactive management of IT assets, thus reducing or
eliminating poor decisions based on inadequate asset information.
1. Managing the Business
As portfolio management becomes widely adopted as a methodology to manage IT
services, asset information becomes the critical basis for supplying consistent, reliable
data for building and maintaining portfolios. By categorizing assets into those that run,
grow, or transform the business, CIOs can better set the thresholds for investment (or
cutbacks) in a given fiscal year. For example, during tough economic times, this categorization provides the ability to understand the ramifications of cost reduction, instead of
simply implementing a crude, across-the-board cut. In addition, a better understanding of
asset life cycles and proactive management enables CIOs to manipulate assets to accommodate shifting priorities of projects, with minimal impact to the organization. Asset
information thus becomes the central point for determining investment decisions, preventing potentially disastrous mistakes (e.g., spending to transform the business when
the run-the-business assets are in danger of failing).
2. Delivering Better Value
Facilitated through asset information, infrastructure groups are able to provide information (and options) that enable customers to manage costs and understand viable alternatives. One benefit is the ability to illustrate the cost differential between standard tech118
Asset Management
nology and unique architectures over time. Because A-COEs are able to deliver reliable
cost metrics, customers will ultimately rely on this information to make decisions. This
improved decision process results in, at a minimum, better chargeback metrics and, at
best, improved adherence to corporate standards. The tighter adherence to standards
will enable operations to more efficiently align resources and improve skill sets, and
thereby provide better support to customers. These improved conditions will ultimately
result in application asset management moving into A-COEs, as the disciplines honed
during infrastructure management become critical for managing long-term, application
life-cycle design.
Chapter 9
3. Controlling the Business

A-COEs will become instrumental in improving IT controls.Through 2005, development
of asset life-cycle review will enable ITOs to respond quickly and accurately to internal
auditing questions about IT assets. This also extends outside the corporation into facilitating license compliance. The central repository and associated knowledge from an ACOE enable quick and full understanding of existing licenses and generation of reports.
Many ITOs currently are not able to generate license compliance reports quickly (or
even at all, in some cases), as required by agreements or vendor requests. Until vendors
begin to provide license tools (no earlier than 2004), internal reports will be required to
prove license compliance.
Asset COEs will also provide an independent arbitration of issues surrounding financial
and technical asset decisions. A-COEs typically carry no vested interest in whether the
product is the least expensive solution or the best technology only that the solution is
right for the corporation (with the criteria varying widely among different ITOs).Through
cost modeling and centralized knowledge,A-COE managers can provide an independent,
unbiased opinion on ROI and risks of acquisition. Since most product acquisition risks
occur sometime after the original deal, centralized A-COE knowledge of vendor tactics
and hidden cost increases empower IT executives to make decisions that balance longterm risks with realistic long-term costs, rather than follow vendor and internal ITO
hype. By 2006, best-practice ITOs will consider A-COEs to be a critical resource for
guidance on technology decisions, facilitated through improved data and analysis.
4. Improving Efficiency
A-COEs facilitate more efficient use of IT resources through numerous channels. Centralized negotiation leads to better contracts, due to concentrated expertise (though
ultimately, the technical manager may sign the deal), and decreased technical manager
workload by up to 15%. Technical departments are also typically ill-equipped to accu 2004 META Group, Inc.
119

rately diagnose and correct inaccurate invoices. Transferring these activities to an ACOE not only improves processes and cost efficiency, but also enables technical resources to become more focused on running a technical organization. As well, technical
managers performing these tasks are generally influenced by the relationship with the
vendor, which is counterproductive to AM best practices.
In addition, sizable savings are attributed to AM programs during progression to A-COEs.
Through improved negotiations, invoice verification, financial modeling, and asset lifecycle management, ITOs can realize significant cost savings/avoidance over time. Immediate return on asset management is generally centered on improved price negotiations
and invoice error correction. Cost-efficiencies in A-COEs are typically delivered through
improved cost modeling, contractual protections, and leveraged procurement.
Evaluating Asset Management Maturity

Most organizations are at different asset management maturity levels, which can be categorized as follows:
Level 1: Reactive AM
What assets do I have?
Level 2: Active AM
How can I manage multiple asset types across geographic and organizational
boundaries?
Level 3: Proactive AM
How can I leverage planning information to optimize asset procurement, utilization, and management?
Level 4: Transactive AM Asset COE

How can I propagate processes across organizations/disciplines?
How can I use central information for more effective chargeback?
Tactical Asset Management ROI

Tactical asset management is often implemented to solve a particular problem (e.g., mainframe software, PC hardware). More than 60% of programs remain very tactical in
nature, failing to deliver full efficiencies from a concentrated A-COE. CIOs who are
considering building a more robust AM program should review the following ROI data
points to support the business case:
120
Asset Management
Lease returns: As a financial vehicle, leases are effective only when returns are
performed in a timely manner. Tracking hardware assets (e.g., desktops, servers) as
they relate to their contracts can save leasing company penalties when assets are
not turned in on time. Best-practice AM programs have reached 100% on-time
returns, avoiding costly lease overruns and delivering more effective computing in a
timely manner.
Invoice errors/vendor challenges: ITOs that have not had effective invoice verification processes can typically achieve 5% savings during the first two years of establishing an effective asset management program. In addition, customers have often been
charged more than contractual rates due to lost contracts or poor vendor backoffice processes. Effective AM programs are attuned to contract terms and conditions, ensuring ITOs pay the correct contractual price, not the then-current price.
Centralized purchasing and standardization: Centralizing and standardizing IT

purchasing can achieve volume discounts, yielding significant cost reductions. Renegotiating large mainframe software contracts alone can yield tremendous IT savings. For
each desktop and laptop purchased, a savings of 3%-5% can be achieved by centralizing
the PC procurement function and obtaining special bids on volume purchases.
Product removal: Many ITOs have assets (especially software) that are underused or
not used at all. AM programs provide the only efficient method to track the asset
financial life cycle, providing an effective process to ferret out these assets for disposal.
Recovery of lost/unused assets: By tracking assets throughout their life cycle, IT

groups have much better insight into lost and unused assets. IT groups that begin
tracking assets commonly discover far more desktop assets than employees. Although some employees require multiple desktop assets (e.g., power users, engineers), a significant percentage of desktop assets are simply unused (an average of at
least 2%). In addition, our research indicates that 10%-15% of laptop computers are
lost or stolen annually, amounting to millions of dollars lost for large enterprises.
Software license compliance: Managing software licenses can also yield tremendous payback. It is not uncommon for IT groups to overpurchase desktop software
by as much as 40%. Typical enterprises overpurchase by 10%-15%. This is a result of
the fear of software audits, which can yield penalties of as much as $100,000 per
license violation. Although actual audits are infrequent, there is a higher incidence
recently due to the tough economic environment. Activity of the Business Software
Chapter 9
121

Alliance has increased significantly during the past 24 months. Tracking software assets and reconciling them back to software contracts will help to avoid painful software audits as well as the need to haphazardly purchase additional software licenses.
Reuse of assets: By tracking assets throughout their life cycle, assets can be reclaimed. Proper software asset accounting can lead to reuse without overpurchasing.
Tax burdens: If assets are purchased, tax burdens can be reduced by as much as
25% by properly disposing of assets when they have been fully depreciated and are
no longer of value to the enterprise. In addition, notoriously inaccurate fixed-asset
ledgers could result in inaccurate corporate financial reporting, which is currently a
very sensitive issue.
Increased efficiency at the service desk: Accurate information regarding hardware and software can accelerate diagnosis of problems and avoid dispatching of illprepared personnel. In addition, tracking problems associated with assets can give
better insight into real costs of asset ownership and provide trending information
that can assist in contract negotiations.Typical efficiency gains range from $30-$100+
per desktop, per year.
Improved warranty service: Knowing the disposition of each asset allows more
efficient use of warranty periods, reducing overhead associated with understanding
whether warranties are still in effect. In the long term, this understanding helps build
optimal asset refresh dates based on when asset warranties (or maintenance contracts) expire.
Mileage May Vary

Simply taking industry averages may not yield the appropriate proof points to gain executive-level sponsorship and attention. Therefore, IT groups should run a small-scale physical audit to more accurately predict the amount of return they can expect to receive. It
is common for AM programs to uncover unexpected savings that were not included in
original estimates. Examples of this include the discovery of unknown stockpiles of assets sitting unused in warehouses, shelfware, and overly robust software. Most AM programs reviewing past performance fully justify the efforts, and often take on additional
responsibilities in other areas of concern. There are numerous additional benefits to an
A-COE that bring value to an ITO.The combination of ROI and increased value results in
a compelling executive story that cannot be delivered through a tactical AM program.
122
Asset Management
Chapter 9
Strategic Asset Management

Investing in asset COEs involves organizational processes, specialized skills, and investment in tools (e.g., asset repositories, discovery tools) for managing IT assets throughout their life cycles. Although these investments are often viewed with an eye toward
immediate ROI, ITOs are increasingly leveraging data captured in asset management to
better position the ITO as a partner in business technology decisions. To support such
efforts, we recommend that customers review the following benefits of strategic AM
programs and align project plans to support these longer-term objectives.
Portfolio Management
Although projects are readily mapped to portfolio management techniques (see Chapter
7), assets are much more difficult to manage without establishing processes to keep
information current. One of the core foundations of portfolio management is the ability
to understand the costs and ramifications of decisions across both project and asset
portfolios. Existing portfolio management programs rely on general/fixed asset ledger
information, which is too high level to permit robust portfolio management. Strong asset
management processes and tools are building blocks of establishing a cross-portfolio
view of deployed versus project and refresh asset requirements. In addition, the ability
to develop further views of assets (e.g., by platform or service) facilitates portfolio
management across all layers of management not just executive. The resulting ability
to leverage decisions made at all levels becomes instrumental in confidently deciding
which investments will be made.
We find that most IT organizations improve long-term costs by leveraging the following
tactics in developing portfolio management:
Cost modeling: TCO modeling of IT assets leads to improved contract protections and shifting focus during negotiations. The result is significantly improved costs
over asset life cycles, because historically hidden costs are revealed during initial
procurement instead of during subsequent asset change events (e.g., upgrades, relocations). Improved cost models also help improve IT credibility, since accurate estimates will foster respect for ITO business acumen, which is currently a weak ITO
trait. By 2005, more than 25% of AM programs will also be responsible for application
asset management activities, providing additional expertise in controlling cost and
deployment information.
Cost trends: Understanding asset cost trend information provides the improved
ability to manage asset life cycles and retirement thresholds. A granular understand-
123

ing derived from historical costs builds a baseline for improved cost management as
well as portfolio balancing capabilities.
Effective/equitable chargeback: Comprehensive chargeback based on controllable cost drivers results in more efficient computing, with architecture standards
and policies that have financial merit instead of being just another IT statement. Linking high-cost customers to high costs results in more equitable computing for all ITO
customers. Equitable chargeback also provides customers with the opportunity to
control both internal and corporate costs through closer adherence to standards
after initial decisions are made. In addition, the ability to tie applications to the associated infrastructure becomes a powerful tool for communicating the impact of
business decisions on the ITO.
Developing Standards
Beyond the tactical programs designed to solve a singular problem, the centralized cost
information gathered for managing assets becomes the focal point for understanding IT
costs and helps guide overall IT architecture and project decisions. The long-term impact of delivering cost-effective computing ultimately becomes the largest return on
investment for AM programs. Some examples of these benefits include:
124
Procurement efficiencies: A comprehensive AM program provides understanding

and coordination of procurement activities across the corporation, thereby achieving maximum long-term savings. Because most ITOs are careful about near-term
savings, longer-term issues are often ignored or trivialized.The added discipline from
AM programs that are focused on alignment with architecture and project initiatives
(focusing on forward-looking terms and conditions) will help direct procurement
focus toward that which will ultimately result in the lowest cost (sometimes at a
higher initial cost).
More attentive vendors: ITOs that focus on problem issues through a single escalation point receive better service than those using multiple, separate interaction
points. Vendors and customers develop a stronger relationship and a better understanding of what constitutes critical problems.When discussions are dispersed across
ITOs, issues that are not related to revenue-generation opportunities are relegated
to a lower priority, regardless of customer criticality.
Independent arbitrators: Strategic AM programs excel at improving decisions

through independent and non-partisan information flows.Technical engineers, archi-
Asset Management
tects, and procurement teams all have a vested interest in decisions affecting technology. Centrally positioned AM programs are able to provide balanced information
to facilitate executive decisions. Leveraging the cost models previously noted, AM
can assign risk and cost to decisions based on vendor cooperation (or lack thereof)
to assign a more comprehensive understanding of any technology decision.
Chapter 9
As IT grows into a mature service-oriented business, CIOs must become literate in how
to run the ITO as a business. Without AM, it is difficult to effectively manage diverse IT
businesses and costs. As systems, staffing, and associated interactions increasingly influence the costs of one another, the ability to understand resource allocation and impact
across the entire ITO becomes imperative. How else will IT begin to be managed as a
business?
The asset management road map must incorporate strategic responsibilities and objectives, including chargeback and planning/budgeting. Additional responsibilities should be
addressed as part of phased, future integrations. Ongoing objections to successful AM
maturation should be countered through:
Regular communications
Understanding of the various constituencies involved
Tailoring deliverables to the needs of those constituencies
Conclusions
CIOs should leverage asset management programs to improve IT service delivery

and value. Asset COEs will enhance the business credibility of IT organizations and
drive best-of-breed cost advantages (25%+ savings).
Asset management programs must identify impediments to the evolution of the

asset COE to support a larger role within IT organizations. If AM programs do not
overcome internal obstacles, they will fail to deliver best-practice, cross-platform,
and cross-discipline benefits.
CIOs must integrate project and asset management disciplines to improve costs
and control vendor behavior. Only after this integration will IT organizations be able
to manage IT as a portfolio, enabling improved value to and communication with
lines of business.
125

Portfolio management will be enabled through improved cooperation among project

and asset management teams. Lack of integration and communication between the
two teams will preclude efficient delivery of IT services.
Asset centers of excellence can generate significant ROI for IT organizations beyond
mere cost savings. Best-practice ITOs are building on strong asset management programs during development of portfolio management, focusing on building cross-platform, cross-discipline asset centers of excellence.
Portfolio management of IT resources builds a better understanding and alignment
of IT value to lines of business, enabling improved delivery of business services from
the IT organization.
126
Asset management is a key building block for improving long-term computing

efficiency and building a credible relationship between the IT organization and
lines of business.

Chapter 10 Other Compliance Mandates

and Corporate Governance
As organizations accelerate business and IT projects to ensure compliance with SarbanesOxley and other regulatory edicts (e.g., IAS, Basel II), they will need to define, enhance, and
enable corporate governance efforts and link them with risk management and compliance
strategies. This chapter discusses how a global and consolidated approach to corporate governance will yield consistency, savings, and additional leverage over disconnected/disparate
approaches.
Achieving consistency with regulatory compliance in a global enterprise is often a difficult (if not impossible) task due to the numerous business areas affected (on top of
redundant/mirror organizational structures globally). Many firms still have not consolidated compliance management into an organizing structure. In a recent META Group
study, only 46% of respondents indicated that their SOX compliance efforts were coordinated and integrated with efforts to meet other regulatory requirements (e.g., HIPAA,
Basel II, GLBA). The primary owner of SOX is the CFO in most organizations, but many
administrative and business areas are now engaged (63% of firms also rely on the legal
department for enterprise SOX projects). In reality, that is just one more major issue
added to the CFOs plate, and most firms are in search of an organizing structure or
approach to compliance.
For example, SOX Section 404 which requires that CEOs and CFOs personally certify financial internal control processes vetted by independent auditors currently
looms large in company compliance plans. However, this is only a section of one of the
major new regulations with which they must comply. For instance, SEC 17a-4, HIPAA,
and SOX compliance directives all dictate strict provisions for the creation, storage,
access, reporting, and security of content. SOX Section 409 compliance requires realtime reporting of material events that could affect a companys financial performance.
Many IT organizations have delayed implementation of procedures to meet the IT aspects of these requirements, with a focus on Section 404 compliance activities, largely
due to the longer-term architectural issues and emergent vendor-supported solutions.
CIOs and their chief architects must create an infrastructure for the rapid assessment
of the critical events that can materially affect the companys financial statements, while
supporting real-time data to meet the more stringent SEC filing requirements specified
by SOX. We believe that, for the majority of large-cap, public float companies (complex
127

and multivariate financial systems, disparate business processes), the financial impact of
Section 404 compliance will pale in comparison to the costs of Section 409 compliance
by a factor of 2x-3x.
Vendors from many different market segments are offering real-time rapid assessment
solutions. Among them is ERP vendor PeopleSoft, which offers a Material Event Manager
for more rapid financial disclosure reporting and Global Consolidations for consolidating
data across disparate financial systems. CIOs should also examine business intelligence
vendors closely, viewing Section 409 compliance an analytics issue as opposed to solely
a compliance requirement that can be solved only by ERP systems (or document management solutions).
The Compliance Landscape
Gramm-LeachBliley Act (GLBA)

SEC Rules
17a-3 and 17a-4
Privacy of financial
information
Fiscal accountability for all

public companies
Basel II
All records related to

securities transactions to be
maintained for 3 years
Health Insurance
Portability and
Accountability Act
(HIPAA)
Right to carry
insurance between
jobs; privacy of
patient information
Sarbanes-Oxley
Capital assessment
and reporting standards
for global banking
COMPLIANCE
USA PATRIOT Act

Customer documentation
requirements to
know your customer
NASD 3110
Written policies and
procedures for review
of correspondence
with the public
DoD 5015.2
and UK PRO
Federal standards
of records management
As businesses contend with SOX directives to address flaws in financial practices and
reporting procedures, it is likely that corollary legislation to address security flaws and
vulnerabilities will soon be passed (2004/05). Just as SOX was enacted to safeguard stakeholders financial assets, the increasing rate of breaches in information security and physical premises defenses will prompt legislators to require senior executives to attest that
due care and diligence have also been taken to protect human, capital, and non-tangible
resources across the enterprise.
128
Other Compliance Mandates and

Corporate Governance
Beyond SOX: Financial Investment Companies and Registered
Advisors
Chapter 10
On December 17, 2003, the SEC published final rules that require investment companies and investment advisers registered with the SEC to adopt compliance programs.
Under the final rules, investment companies and investment advisers are required to
do the following:
Adopt and implement written policies and procedures reasonably designed to

prevent violations of federal securities laws
Annually review those policies and procedures for adequacy and effectiveness
of implementation
Designate a CCO (chief compliance officer)
The effective date of the new rules is February 5, 2004. However, the compliance date is
not until October 5, 2004.
Dedicated Budget for Specific Regulations
Which regulations are represented in your total budget for

compliance-related initiatives?
SOX (SOX)
56%
Heath Insurance Portability and

Accountability Act (HIPAA)
56%
48%
USA PATRIOT Act

Financial Modernization Act (GrammLeach-Bliley)
35%
33%
Basel II
28%
SEC Rule 17a-4
27%
IAS
0%
20%
40%
60%
80%
129

Basel II Accord
Currently, the most visible compliance area is corporate governance. So far, the action
has been more in the US than in Europe or Asia Pacific. Although difficult SOX requirements are being discussed in IT organizations (ITOs) throughout the US, regulations in
European nations are rather soft (mostly voluntary) and hardly ever affect the ITO
directly. Corporate governance in Europe is characterized by a traditionally strong relationship between owners and managers (insider systems).Yet, as enterprises grow and
relationships expand, the need for a more transparent and independently controlled
relationship becomes apparent.
The regulatory trend focus is not just a North American phenomenon. In Europe, for
instance, most banks have already begun their preparations for the New Basel Capital
Accord, or Basel II, which now will take effect at the close of 2007. Basel II is a set of new
banking regulations aimed at managing capital adequacy, central supervision, and market
discipline for European banks. In some ways, these regulations are similar to the US FDIC
rule change of 1991. The net impact seems to be an overhaul of bank accounting and
reporting, as well as a demand for SOX-like performance from corporate borrowers.
According to our research, approximately 30,000 banks must comply with and meet a
definite timeline for completion with a requisite commitment of resources. Failure to
comply poses a threat to the survival of any organization that has not properly prepared.
European, Middle Eastern, and African (EMEA) CIOs in the banking and financial services
industries have been exhaustively diligent in analyzing and preparing for the accounting
and financial reporting changes required by Basel II and International Accounting Standards (IAS) regulations. Nevertheless, the initial success and timeliness of the planning
phases are giving way to execution challenges centered on loose program management
coordination among the CFO, COO, and CIO.
Because of the critical nature of information models, processes, reporting tools, and IT
applications for Basel II and IAS compliance, CIOs are increasingly called to take a leadership position in driving the compliance program management efforts. CIOs must not
overlook the looming and potentially onerous requirements of Basel II (covering capital
requirements, risk management, and disclosure). Although Basel II dictates are not scheduled to fully take effect until the end of 2007 (and it is not clear to what degree US
regulators will adopt or support Basel II requirements), the accord will certainly affect
global banking institutions at the very least.Although most firms are already in the throes
130

of assessing/interpreting/addressing Basel II requirements, it is important to ensure IT
groups are integrated into the efforts and, wherever possible, Basel II efforts should be
coordinated and integrated with other enterprise compliance initiatives.
Chapter 10
Basel II will most likely continue to evolve; however, we do not expect any immediate or
major delays, extensions, or changes to the 2007 compliance schedule. CIOs and their chief
technology officers (CTOs) should plan and build an adaptive technical architecture to
incorporate any changes and the corresponding technical upgrades, should they surface.
CIOs/CTOs should integrate the Basel II solutions within the existing technical infrastructure and any other planned major systems implementations.The CIOs focus should
be to deliver enhanced controls and business benefits from Basel II, such as reducing
capital set-aside requirements and enhancing shareholder value.
USA PATRIOT Act

The USA PATRIOT Act was signed into law on October 26, 2001. Title III of the law is
the International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001
(the Act), which contains new provisions relating to money laundering and terrorist
access to the US financial system.
The anti-money-laundering (AML) provisions of the USA PATRIOT Act continue to
cause a profound transformation in the way the US investment industry conducts its
business. During the past year, under the authority of the USA PATRIOT Act, which
amended the Bank Secrecy Act, the US Department of the Treasury and relevant federal regulators have issued rules requiring a broad range of compliance mechanisms,
including the following:
Establishing AML programs
Filing of suspicious-activity reports
Prohibiting financial services to foreign shell banks (i.e., banks without a physical
location)
Maintaining records with respect to accounts for foreign banks, and the sharing
of transactional information among financial institutions and between financial
institutions and law enforcement
131

Section 312 of the USA PATRIOT Act focuses on money laundering through correspondent banks or private banking accounts. The rule sets minimum requirements for financial institutions offering private banking services to their clients. As one of the minimum
requirements, financial institutions are to ascertain whether any private banking client
might be a senior foreign political figure.The institution is to exercise reasonable diligence
in seeking to determine such status. If an account is maintained on behalf of a senior
foreign senior political figure (or his or her family members or close associates), enhanced due diligence is required. This enhanced due diligence must be reasonably designed to detect and report transactions that could involve the proceeds from foreign
corruption. Foreign corruption means assets or property that is acquired by, through, or
on behalf of a senior foreign political figure through misappropriation, theft, or embezzlement of public funds, or the unlawful conversion of property of a foreign government, or
through acts of bribery or extortion.
The rule is currently in effect.The US Department of the Treasury issued an interim final
rule (billing code 4810-02). This regulation became effective in July 2002 for financial
institutions that are the following:
An insured bank governed under the Federal Deposit Insurance Act

A commercial bank
An agency or a branch of a foreign bank in the US
A federally insured credit union
A thrift institution
A corporation acting under Section 25A of the Federal Reserve Act
A broker or dealer registered with the SEC
All financial institutions must have a US Department of the Treasury Office of Foreign
Assets Control (OFAC) compliance program in place today.The October 1, 2003, deadline to implement the Section 326 CIP Policy was not changed for OFAC requirements.
Financial institutions are currently required to screen the names of their new and existing customers against OFACs list of specially designated nationals (SDNs). Wire transfers must also be screened against the OFAC list because wires are the tool of choice
for money launderers and terrorists. The SDN list also includes OFAC-blocked countries from which financial institutions are restricted from doing business.
On October 1, 2003, financial institutions were required to screen their customer accounts against a new watch list (Section 326 List), which has been replaced by the OFAC
132

SDN List or the biweekly FinCEN 314(a) List. The most efficient way to automatically
screen customer accounts and transactions against government watch lists is for CIOs
to invest in a name-matching software program. This software automatically compares
customer names, generates written proof of compliance, interfaces with most core data
processing systems, and includes instant data updates via e-mail.
Chapter 10
Another important provision of the USA PATRIOT Act, Section 1012, amends the Hazardous Materials Transportation Act. Section 1012 is important to CIOs of energy, chemical/petrochemical, transportation, Department of Motor Vehicles, and other enterprises
and agencies because they most likely will be required to redesign or implement appropriate system changes that better support hazardous material (hazmat) compliance provisions (e.g., hazmat material identification, transportation licensing provisions). CIOs of
affected industries would be wise to revisit their material safety data sheet applications
to determine if existing systems meet, or can be modified to comply with, Section 1012,
rather than starting anew with yet another application/system designed specifically to
comply with the Act.
Governance Outlook Beyond US Borders

The situation has been changing in recent years, shifting toward the more fluid and armslength approach that has been taken by the Anglo-Saxon countries (i.e., the UK, Ireland,
Australia/New Zealand, and the US [outsider systems]). Although these changes in
corporate governance have been significant in some European countries (e.g.,The Netherlands, Finland, France), transformations in other countries have been less visible (e.g.,
Germany, Italy), and in a few countries they are hardly detectable (e.g., Luxembourg).
Overall, divergence in Europe is increasing, making it difficult for the European Union
(EU) to establish corporate governance legislation. However, after a major pushback by
the European Parliament in 2001, the consultation phase on a new Action Plan for Company Law has been concluded, and new legislative initiatives at the EU level can be expected by 2H04. Similarly, the Organisation for Economic Co-operation and Development (OECD) Principles of Corporate Governance are currently under review, and an
update can be expected by mid-2004. (On a pedantic note, an EU directive is not a bill or
a law, per se; it is just a directive instructing member countries to enact law to enforce
the criteria set out in the directive.)
In North America, the Ontario legislature passed Bill 198, which contained numerous
important changes to the Securities Act.These amendments will have a significant impact
133

on registered issuers in Canada. In substance, the amendments give the Ontario Securities Commission (OSC) many similar rights and privileges as the US SOX/SEC laws and
regulations. Bill 198 empowers the OSC to enact rules for the following:
Determining appointment/requirements for audit committees
Defining systems of internal controls, disclosure controls, and procedures
Setting forth the provision of certifications relating to internal controls, disclosure controls, and procedures
Defining auditing standards for reporting on internal controls
Establishing maximum penalties of $5 million and imprisonment up to five years

for noncompliance
The OSC has stated that small cap (e.g., public float) companies will be exempt from
some of the specific rulemaking.
Meanwhile, in Australia, the attorney generals department has proposed changes to AML
regulations governing financial institutions by releasing Anti-Money Laundering Reform
Issues Paper 1 for the financial services sector. We expect this new law to be finalized in
2004/05 and reflect the revised FATF 40 recommendations (OECD Financial Action Task
Force). Financial institutions (bank and non-bank) should not underestimate the impact
the proposed changes will have on all aspects of their operations, nor the length of time
it will take to implement the systems and compliance process changes.
The present reporting-based approach of the Australian law will expand to adopt a riskbased monitoring approach consistent with international expectations.This will put considerable legal and financial responsibility on ITOs and the enterprise to take the necessary steps to work with business units to make the requisite consumer financial application changes (or implement new ones) to comply with the law.
134

Chapter 10
Regional Compliance Map
US
Mostly concerned about
SOX and HIPAA
Europe
Mostly concerned about
privacy and company law
revisions
More awareness of IAS,
Basel II
Asia Pacific
Privacy maturing, critical
infrastructure protection,
cybercrime
Map: Theme and Region

US
Europe
AP
Corporate
Governance
SOX
33 Codes of
Conduct
CLERP
Privacy
HIPAA,
Safe
Harbor,
COPPA
EU95/46,
EU02/58,
National
PA&PAA
Infra
Protection/
Cybercrime
FERC,
NIIPA,
PDD63
Various
Crime
1901Etc.
Regulated
Industry,
Examples
FDA21,
GLBA
1400/02
Record
Retention
DoD
5015.2
PRO,
DOMEA,
MoReq
VERS
Australian financial institutions will need to examine and retain identification documentation (identification records and photographs, such as drivers license, birth certificate,
passport, etc.) at the time of opening the account (document imaging for storage and
retrieval comes to mind); conduct enhanced due-diligence review (perhaps automating
background checks using Internet third-party providers) on customers assessed as higher
risk; and monitor the transactions over the life of the customer to be alert to changes in
the money-laundering risk profile (e.g., automated audit/reporting applications, such as
Tripwire [www.tripwire.com], which sells data integrity checking software).
An interesting opinion rendered by the Australian CPA organization
(www.cpaaustralia.com.au) provides a keen perspective on the pending Australian Corporate Law Economic Reform Program (CLERP) 9 bill in what might be a mere windowdressing effort on the part of government to legislate meaningful reform:
Australias largest professional finance and accounting body is today questioning whether
the draft CLERP 9 Bill has missed an opportunity to redefine the big picture for corporate
disclosure in Australia despite including many positive reforms. CPA Australias concerns are in
response to initial indications of extensive reforms to audit regulation, but what appears to be
limited focus on the wider financial reporting framework and the responsibilities of other key
stakeholders including boards and management
135

Firms operating worldwide, and in many cases companies with close ties to corporate
customers in other continents and countries (e.g., through tightly integrated supply chains),
will need to comply at least partially with these regulations. For instance, any EU-based
banking subsidiaries of US or Asian corporations will need to comply with Basel II, and
foreign suppliers in highly integrated supply chain relationships with US-based customer
corporations will need to provide some SOX information. Thus, the situation is much
more complex than a simple focus on a single set of regulations. It requires coordination,
guidance, and support from the top of the enterprise and, for firms above a certain size,
a dedicated organization that reaches into every business unit. Only governance from
the top of the enterprise can accomplish this.
Corporate Governance and IT

Although each compliance mandate has different requirements and elements and not all
are equally applicable across all organizations, a need still exists to coordinate and leverage efforts on a global basis, wherever possible. This coordination can reduce the overhead associated with gaining and evidencing compliance (including leveraging existing IT
investments such as content management and analytic applications), and help ensure that
organizations are practicing sound corporate governance and risk management practices
enterprisewide and globally. This leverage can be compounded with consolidating approaches to create the visibility required for compliance and performance management.
Organizations must consider the consolidation and the deployment of enterprise compliance offices led by a senior corporate governance officer (or similar entities and roles)
to drive, coordinate, and leverage all compliance efforts. By 2006, we believe consolidated global compliance management will become commonplace.
The term corporate governance is being used loosely in many Global 2000 organizations, where it often refers to efforts to organize structures to handle regulatory
compliance. The corporate governance paradigm is based on four inextricably linked
disciplines:
1. Regulatory compliance ensures compliance with global regulatory demands
and establishes a cost-effective approach (with the identified opportunities for

releveraging corporate infrastructure, including IT).
2. Performance management supports a key performance indicator/metrics-
based approach, including closed-loop planning and reporting for managing topdown and cross-business-area performance.
136

3. Risk management establishes an enterprise approach for managing financial,
Chapter 10
operational, compliance, and reporting objectives. It includes a codified process

for the identification and assessment of risks in achieving specific corporate
objectives (also including usage of the COSO framework to manage SOX projects,
as well as COBIT for IT governance), applying frameworks to achieve competitive advantage, and determining sense-and-respond processes for risk. In addition, it includes understanding and managing the risk appetite for a firm.
4. Ethics management supports enterprise strategies around a code of eth-
ics, including internal and external processes concerning disclosure and

communications.
The linkages among these areas are critical. Organizations cannot effectively support
regulatory compliance without a successful performance management program (to leverage business intelligence processes to ensure the requisite visibility and transparency
into enterprise financial and operational reporting) or risk management (to ensure that
organizations have a framework to manage and audit risk associated with processes).
Ethics management is also a key linkage to ensure that the entire firm is committed to
minimizing the risk involved in regulatory compliance.
Opportunities to consolidate IT approaches to corporate governance are numerous and
necessary to develop a common approach to optimize and leverage IT infrastructure
around the following:
Staffing: Organizations must deploy IT solutions experts that are integrated

into local compliance teams, yet link back to central IT strategic planning to
ensure consistency.
Application portfolio rationalization/planning: This is a high priority in

many organizations, particularly within key initiatives such as compliance and
outsourcing, further complicating this endeavor. Compliance mandates that
are typically addressed through specific one-off point solutions (e.g., content
solution for SOX, another for HIPAA) often operate in direct opposition to
application consolidation and raise IT costs. Further complicating matters is
the increase in both IT and business process outsourcing, where users must
now manage a portfolio, part of which is managed, and in some cases, effectively controlled by one or more outsourcers with their own portfolio
137

management objectives. The IT organization must raise the importance of
portfolio optimization across an enterprise that is often reacting to external
governance requirements as well as leading cost-saving trends (e.g.,
outsourcing). The CIO must identify where IT investment can be leveraged
to ensure that business applications and IT infrastructure can adequately
support compliance requirements for an effectively managed and certified
business process.
IT value: This provides the ability to ensure a consistent approach to communication of IT strategic initiatives.
Other Compliance Activities

IT organizations must ensure that appropriate IT controls are in place for many of the
specific regulations, and they must also provide their independent auditors with documentation that supports managements assessment. This includes design documentation
and the documented results of testing procedures. Specific guidelines include adopting a
formal governance program, conducting an assessment of internal controls, and promoting an IT code of ethics program. Given the complexity of the situation, particularly for
ITOs supporting worldwide enterprises that may be impacted by different sets of regulations in different geographies, this requires an IT governance effort that parallels corporate governance.
The spirit of corporate governance is changing, but the speed of this change and the
way things change is not necessarily the same worldwide. CIOs should work with their
internal audit, human resources, risk management, and general counsel staff (or corporate policy committee) to fully understand the compliance requirements as set forth by
the various agencies, supervisory policies, regulatory directives, and prevailing laws. Concomitant with that understanding, it is incumbent upon the CIO to then communicate
the IT compliance requirements to the ITO staff and use the governance committee (IT
steering committee [ITSC], working council, etc.) to solicit buy-in and the appropriate
commitment from the business to fund and implement the requisite IT controls and
oversight activities. Proper operations and good governance of ITSCs are even more
critical during times of crisis, scandals, lawsuits, and recessions. By regularly working
together on strategic IT initiatives, ITSCs expend minimal energy relearning about members and maximum energy on issues.
Forward-thinking CIOs should assess their vulnerability and quantify risk before such
138

actions are mandated using existing (e.g., NIST SP 800-53, NIST SP 800-30, FIPS 199) and
pending (e.g., NIST SP 800-53A, NIST SP 800-60) federal policies and methods that may
serve as compliance models for SOX legislation.The most savvy CIOs use an established
control framework, such as COBIT, to conduct a self-assessment and then seek thirdparty, independent verification/validation of controls and identification of residual exposures and risk.
Chapter 10
CIOs should apply the lessons learned from Y2K (e.g., inventory controls, assessment and code remediation processes for disparate financial and fixed-asset reporting systems) and apply portfolio management discipline as a means to better ensure
compliance (e.g., retiring legacy systems and consolidating accounting and asset management systems to reduce complexity and ensure Section 404/409 compliance activities in the process).
Ethical business practices within the ITO largely instituted as an overall program
approach toward quality assurance, security, and risk management communicate a
vital message to the business community at large. CIOs must adopt rigorous data
integrity control processes so that automated corporate data is not compromised by
unauthorized access, modification, destruction, or disclosure. They must adopt bestpractice principles and communicate their ethics standards to the ITO staff and business colleagues.
Other suggested activities around compliance and governance activities include:
Working with the business (chief privacy officer, CFO, general counsel, HR, etc.)
to better understand the operational, financial, and compliance risks across the
business (usually most effective when done through a steering committee)
Giving serious consideration as to who should be on the compliance and risk

management and applications project teams
Determining what mechanisms are already in place to track and evaluate compliance and ITO risks
Determining if existing technology and current applications can be improved to

reduce risks
139

Developing an automated means within applications to monitor transaction activities to establish controls and ensure they are consistent with prevailing laws,
as well as consumer and employee policies and practices
Providing evidence that the ITO is compliant with prevailing laws and directives,
and that prudent care has been taken to minimize and control risks
Periodically conducting an ITO self assessment and third-party audit of IT systems and controls
Demonstrating the compliance controls to the regulator/examiner/auditor
Promoting an ITO compliance-awareness campaign
Being prepared to brief the board of directors/executive management/audit committee on the ITO state of compliance; COBIT is a good starting point for conducting a controls self-assessment
In considering governance, privacy legislation, hazmat, and anti-money-laundering security-related compliance issues, we foresee a major impact on the level of security required to protect the information being collected and stored as part compliance mandates contained in various state, federal, and international laws, directives, and regulations. For example, consumer-related information collected, if stored in California, would
be covered by California SB1386, which addresses disclosure of unencrypted personal
informational to an unauthorized individual. So, as a minimum due-care process (from a
US-centric perspective), the information must be stored encrypted on the financial
institutions system. In addition, access to the information will have to be limited and
logged; with the log reports being reviewed periodically to ensure that no unauthorized
access has occurred.
These compliance activities will require new security policies and technologies, in addition to well-defined security processes that detail how the policy and laws will be enforced via the selected technologies. This will, in turn, require a significant commitment
to information security on the part of the Australian, Canadian, and EMEA financial institutions, over and above what they are currently doing.
140

The level of encryption and the access control process must be defined via a risk assessment process that will identify the threats, their probability of occurring, and the appropriate controls to mitigate risk.
Chapter 10
The role of establishing and maintaining trust is centered on the CIOs response to the
issues of risk, corporate governance, and regulatory compliance. CIOs must continually
strive to strike an appropriate balance between government and market regulation, because regulation will not work fully by itself and the cost of total compliance can easily
outstrip available IT resources. CIOs must stress that business ethics and individual
behavior within the ITO remain integral to risk management, credibility, and trust.
Conclusions
Strong governance is required if multinational organizations are going to fully

meet the various, complex requirements of the evolving new worldwide regulatory environment. While focused efforts to meet specific requirements are
needed, without coordination across the enterprise and enterprisewide enforcement, they will never be able to guarantee complete compliance.
A consolidated approach to corporate governance is critical to ensure that IT

can leverage a common infrastructure for regulatory compliance, performance
management, risk management, and ethics initiatives. A corporate governance
organization can serve to help facilitate IT coordination by focusing enterprise
initiatives around governance pillars.
Organizations must develop global and integrated corporate governance strategies, practices, and processes that are supported by a standard IT architecture
and application portfolio.
Complying with regulatory directives, supervisory policies, and laws results in

several benefits to an ITO, including more effective controls, better governance,
and more efficient resource utilization.
Protracted litigation, censure, fines, sanctions, imprisonment, and personal liability are the by-products of a failure to properly manage legal and regulatory compliance mandates.
141

142

Chapter 11 Compliance Issues for Vendors

End-user compliance efforts will positively affect sales for business and IT product and service vendors. However, the market boost for many vendor categories will come later than
initially expected, and business and IT service providers must rethink what constitutes core
service-offering elements to support and respond to this changing environment. This chapter
explores the size and shape of the developing market for compliance products and is focused
on information for vendors.
Becoming more adept at managing compliance efforts will be a major focus for most
enterprises through 2006.Traditionally, business service offerings that address corporate
governance processes were delivered through discrete practices primarily by firms that
also provided audit services, while business solutions around performance management
and transformation were addressed by IT service providers. Such efforts typically were
addressed in isolation from other initiatives, particularly those involving IT systems, services, and operations. In addition, most IT service providers did not possess practice
areas that covered such topics. Those that did (e.g., the traditional Big X firms: E&Y,
PwC, KPMG, Andersen, Deloitte) kept these practice areas largely separate from IT
service offerings. Risk management, performance, ethics, and compliance were the domain of the chief financial officer, executive managers, internal auditors, and other select
executives, while IT services were in the domain of the CIO.
However, this is all changing, and business and IT solution vendors and service providers
must respond to a shifting environment where corporate governance is more critical,
visible, and pervasive. Corporate governance is now high on the agenda in all Global 2000
(G2000) organizations, particularly those headquartered in the US or listed on US exchanges. Security concerns and increased geopolitical risks are also contributing to an
increased emphasis on global resource continuity (GRC).The result is that multinational
organizations are recognizing that governance strategies, practices, and processes must
become pervasive.
Regulating Business and IT Service Provider Markets

The emerging regulations covering a business service (e.g., audit/tax) providers work are
effectively regulating portions of the IT service provider (ITSP) market, raising liability
stakes and further dismantling historically cozy user/provider relationship models. The
new environment will challenge users and providers but eventually create stronger, more
accountable supply-and-demand models.
143

The argument is that management consultancies drove executives to pursue (and profit
from) unsustainable business models. Audit/tax firms drove and helped (as well as profited from) the creation of illegal financial vehicles to support such business models, funneled ill-gotten/non-existent gains, and covered those efforts tracks. Although much less
nefarious, ITSPs collaborated with enterprise software vendors to promulgate expansive and expensive enterprises and e-business software applications. These applications
made various illicit efforts more viable and nearly impossible to track and weed out
given the financial and reporting systems overall convoluted state. Although this is a
somewhat extreme interpretation, it is the mindset behind the existing regulatory environment one that will not lessen in the foreseeable future, if ever. As with many
business service providers, ITSPs are now operating in a quasi-regulated and sometimes
specifically regulated market.
Going forward, ITSPs will face far more scrutiny over regulatory demands on and
resulting legal/financial liability from the services they provide. It will force them to
become more judicious about projects undertaken and clients with whom they will do
business. In addition, regulatory mandates coupled with general dissatisfaction with
the external services quality/cost are prompting G2000 organizations to invest in
significantly improving capabilities to source and manage business and IT services, further driving provider accountability and pressuring margins. Collectively, these changes
will force ITSPs to better sell services based on real business benefits and clearly defined
and controlled outcomes not faith-based initiatives for change.
It will take two to three years to clarify the regulations full impact on the business and IT
service market, but providers must begin work immediately to evolve their sales and
delivery models. By 2006/07, the services market will look different from how it did in
the past and be subject to much more regulatory and legal oversight and liability. Greater
transparency and visibility internally and externally will lead to a much clearer understanding of what services are being provided, their ramifications on business process
performance, and the ultimate business value that is being derived. However, this will not
be enough to avoid the ultimate liability exposure that dealing with regulated processes
will entail.
The regulation of business processes and external service providers that support them
is nothing new. Many regulations in the US date from the 1930s. The impact such regulations have on the broader ITSP market has changed. This was inevitable given ITs pervasiveness and profound impact on the way organizations operate particularly around
144
Compliance Issues for Vendors

regulated processes such as financial and reporting systems. Business process regulation
has become the new driver for IT investments and direction (see Figure).
Chapter 11
Business service providers have long operated under regulatory conditions, though during the past 10 years they have run into regulatory problems and conflicts of interest, as
they bundled additional services often IT-related atop traditional audit/assurance
offerings. Although PricewaterhouseCoopers, Ernst & Young, and KPMG have shed their
formal IT service arms, they are already rebuilding such capabilities (albeit on a smaller
and more controlled scale). In maintaining all business and IT services under a single
entity, Deloitte & Touche has the finest line to walk to ensure regulatory compliance.The
growing regulatory sphere of control and associated liability is now being extended to
pure-play ITSPs.
The New BPR: Business Process Regulation
Historically, business megatrends (e.g., business process re-engineering,
e-business) and potential disasters (e.g., Y2K) have driven IT direction,
spending, and market growth. More recently, regulatory mandates (e.g.,
SOX, HIPAA, Basel II, GLBA, USA PATRIOT Act) have emerged as
potentially more severe IT nuisances, as have some of the few current
drivers of IT investments (though nowhere near to the level of past big
things, to date). In addition, the costs of failure are higher, particularly for
executives being held liable for regulatory compliance. Painfully, IT's
critical role and the true cost of its past often haphazard promulgations
are now being recognized at organizations highest levels.
The old pillars of a client/ITSP relationship (i.e., personal relationships, past performance,
and personal trust) are being subjugated and, in some cases, torn down as a result of
these changing market conditions. The new pillars are visibility, clarity, and accountability.
There is already a clear regulatory conflict in providing audit and IT services related to
underlying financial applications. It is not a long stretch to find a conflict in advising on
financial management system (FMS) process optimization (or providing process outsourcing)
and implementing underlying software applications particularly if the client organization
is eventually found to have committed illegalities through those processes.
ITSPs must understand which services are appropriate to provide around FMS transformation and compliance efforts and guard against guilt by association (e.g., automating
flawed compliance processes). Given the systems and processes involved, much IT-
145

related FMS and Sarbanes-Oxley (SOX) compliance work will be pulled under the regulatory umbrella regardless of whether tax/audit firms are involved. ITSPs must carefully
craft any offering around compliance efforts such as SOX to control how and how much
they interact and overlap with regulated efforts growing regulatory sphere of control.
More important, they must ensure that all appropriate client executives and board committees have signed off on provider selection and work plans when required. This might
mean, for example, that ITSPs must explain and rationalize specific proposals to board
audit committees.
ITSPs must also ensure that there is a separation between IT system work, regulated
process analysis/design work, and regulated process assessment efforts for any initiatives that touch regulated processes. Although currently there are no regulations against
using a non-audit firm to design/review regulated processes, the potential for liability
exists if those processes and underlying supporting IT systems do not adequately protect against financial transgressions. In the current legal environment, the search for
perpetrators casts a net broad enough to cover these not-so-peripheral activities (e.g.,
Enron is attempting to sue its bankers for providing past bad advice, so why not its ITSPs
and ISVs for software applications that did not catch its fraudulent activities?). ITSPs
must prepare for this more common eventuality.
It is clear that the regulatory net will widen to cover a broader range of business and IT
services and service providers. The sector where regulatory mandates will have the
greatest impact is IT, especially for business process outsourcing. Clients and providers
are tasked with both providing compliance for outsourced processes and demonstrating said compliance. This is a potentially onerous and currently ill-defined task that will
have a minimal negative impact on outsourcing in the near term (12-18 months), yet will
likely spur outsourcing for the longer term (24+ months) as clients increasingly rely on
external experts for compliance management.
Current Market Trends

Although compliance efforts will positively affect sales for business and IT product and
service vendors, it will not prove the windfall some have anticipated (at least outside the
external audit space).
Although SOX spending has been a lonely bright spot of late in the market for business
and IT products and services, it will not usher in a repeat of the boom years circa 19952000.There are various reasons for this, including the following:
146

SOX compliance is about process, not just products: Although organizations might
spend significant money meeting SOX requirements, many of these expenditures are
in the form of internal resources applied to decipher mandates, map and document
processes, and revise organizational operating and governance models. This represents a
real cost of business, but not one that will necessarily go into the pockets of vendors
external auditors and some consultancies being the exception. However, savvy end-user
firms will leverage SOX to sponsor IT portfolio improvement projects.
Chapter 11
Organizations have already invested heavily in the IT products most relevant to

SOX compliance efforts, especially short-term tactical requirements: Many organizations already have in place the accounting, transactional, records management, and
analytical tools and systems that will play a critical role in SOX compliance efforts. Although many will need to invest more (e.g., buy more ERP licenses, get financial control
processes out to more users [expense management]) especially as products are
tailored to better meet SOX requirements organizations are not starting from scratch,
which often was the case with e-business or ERP efforts.
The enterprise software boats turn slowly: Ultimately, SOX compliance is an enterprise effort that requires supporting enterprise applications. This will especially benefit
ERP vendors, but it is a longer-term process (12-36 months) to enhance such applications to better support SOX and then roll out those upgrades into the client base.
Caveats aside, SOX will positively benefit many business and IT product and service
firms. The most obvious benefactors, especially in the short term, are the Big 4 external
auditors (i.e., Deloitte, E&Y, KPMG, and PwC) as well as risk-management services firms
(e.g., Protiviti) and related specialists (e.g., SAS 70 Solutions). For example, auditors have
seen rates and volumes increase 2x-3x as organizations are required to invest in more
expansive audits that include signing off on SOX compliance efforts.They have also seen
additional strong business demand in helping non-attest clients with more intimate advice and counsel around SOX compliance efforts. Business services (e.g., compliance
advice and counsel, auditing, risk management) will continue as the biggest sell-side benefactor to SOX for the next 12-18 months.
IT service providers with established FMS practices (e.g., IBM, BearingPoint, Accenture)
are also benefiting. However, SOXs impact on outsourcing especially business process outsourcing and IT work that involves SOX-affected applications (ultimately just
about everything) is still indeterminate.
147

Some organizations particularly those with convoluted/inadequate financial processes,
systems, and controls might view outsourcing as means to accelerate/improve compliance efforts, a position that outsourcers eagerly support. Other users are rightly concerned about the additional complexity that SOX compliance efforts introduce when
affected processes and systems are outsourced to a third party, especially given that
SOX mandates and more recent Public Company Accounting Oversight Board (PCAOB)
edicts do not differentiate between compliance requirements for insourced versus
outsourced processes. Ultimately, compliance complexity will spur outsourcing demand,
but not until providers do a better job of defining how they will address compliance
a challenge for offshore and IT-focused outsourcers.
Recent META Group research reinforces these positive, though in some cases more
muted, impacts that SOX compliance efforts will have on the business and IT product
and service vendor market.The polling was conducted in 4Q03 as part of a META Group
teleconference on SOX best practices and found the following:
SOX will drive sales: Of the business and IT product and service vendors polled, 92%
indicated SOX would drive increased year-over-year sales. Twenty-one percent cited a
significant increase in business, and 71% indicated a nominal to moderate increase. In
addition, and even more important, 97% reported that SOX would have a long-term (e.g.,
12+ months) impact on their sales. This highlights that SOX compliance efforts, unlike
Y2K for example, do not have an ultimate end date and will become a permanent feature
in organizations operating models. If the polling sample is expanded to include dont
knows representing 23% of respondents that lowers the positive number from
97% to a still strong 75%.
But not yet: However, 57% of respondents indicated that, to date, sales have not met
expectations, with 43% responding that sales had met or exceeded expectations. This
highlights an overestimation that many vendors made of the short-term SOX investment demand (audit and selected advisory services aside). But this question had a high
percentage of dont know respondents (46%), and their inclusion reduces has not met
expectations from 57% to 31% and met/exceeded from 43% to 24%. This illustrates
the challenges tying specific sales to the SOX driver versus other buying factors.
148

Chapter 11
Vendor Survey Results

1. Please select the category that best describes your firms SOX-related offerings
4% Business/risk/audit services
36% IT services
6% Enterprise resource planning/financial management systems
6% Content and collaboration
2% Enterprise analytics
15% Business performance management
17% Infrastructure and/or security
14% Other
2. Considering your clients SOX efforts, what percentage do you feel will achieve minimal SOX compliance
levels?
34% Most/all of my organizations clients will meet SOX requirements in the allotted time frames
52% Some of my organizations clients will meet SOX requirements in the allotted time frames
14% Most of my organizations clients will not meet SOX requirements in the allotted time frames
3. What has been your firms top challenge in selling its SOX products/services?
14% Defining a compelling value proposition
6% Differentiating/winning against the competition
35% Mapping offerings against prospects SOX requirements/showing SOX relevance
35% Gaining adequate visibility/getting on prospects radar
4% Identifying the appropriate decision maker
6% Other
4. To what degree have your firms sales of its SOX-related product/services met expectations to date?
5% Sales have exceeded expectations
38% Sales have met expectations
57% Sales have not met expectations
5. How much of an incremental sales increase (year over year) does your organization expect SOX to
create?
21% Significant sales increase as a results of SOX
71% Nominal to moderate sales increase as a results of SOX
8% No sales increase
6. Do feel that SOX will have a long-term (e.g., 12+ months) impact on your firms sales?
97% Yes
3% No
Selling SOX is not easy: Vendors face numerous challenges turning SOX opportunities
into sales. The top-cited impediments (35% of those polled) identified were mapping
offerings against prospect SOX requirements/showing SOX relevance and gaining adequate visibility/getting on prospects radar screen. Defining a compelling value proposition was third at 14%, while identifying the appropriate decision maker and differentiating against the competition came in at less than 10%.This highlights that it is not clear how
to translate SOX needs into specific purchasing decisions.
Findings from surveys conducted in 1Q04 include:
SOX compliance efforts are often pursued independently: Only 46% of respondents indicated their SOX compliance efforts were coordinated and integrated with
efforts to meet other regulatory requirements (e.g., HIPAA, Basel II, GLBA). This creates
149

significant opportunities for business service providers (e.g., Big 4 auditors, Protiviti) to
assist organizations in building out global compliance and risk-management strategies,
models, and capabilities. We see this as critical to making global compliance a core competency for G2000 organizations within the next two to three years. Clients can partially
fund these efforts through the eventual savings that result from reducing the overhead
associated with gaining and evidencing compliance (including leveraging existing IT investments, such as content management and analytic applications).There are also opportunities for IT product firms to tailor offerings to support global compliance (e.g., analytics,
embedded ERP/FMS capabilities).
Improvements to IT system/application rollout are required: Ninety-two percent
of respondents indicated they would make changes to rollout processes, which points to
an increase in SOX IT spending. Enterprise application vendors (e.g., ERP, CRM, SCM)
must build in capabilities (e.g., ensuring proper controls are in place and documented,
providing mechanisms to manage and demonstrate controls) to support such needs by
YE04. IT service providers must enhance deployment methodologies and processes to
support SOX and related compliance requirements around their controls and documentation. Offshore firms in particular have much work to do in this area if they hope to
make remote application configuration and deployment viable and compliant versus
just cheaper realities.
Security remediation and improved security strategies are required: Ninety-three
percent indicated SOX compliance created the need for security control remediation,
and 89% plan to reevaluate security strategies to ensure SOX compliance. This is an
obvious play for any service provider with a security practice, provided that it is SOXfluent versus just focused on more traditional security elements. From an application
standpoint, much of the remediation will occur in supporting the reconfiguration of roles
in business applications, including ERP.
SOX IT blueprints are still a work in process: Seventy-one percent of those polled
were still in the process of defining a SOX IT blueprint (see Chapters 1 and 4), which
means they have not yet defined how their IT portfolio will support SOX needs. This
compares to a 59% response level from an October poll (see Delta 2675). Just 8% indicated they have defined and implemented a blueprint, while 12% had defined but not yet
implemented one. The final 10% were not pursuing the development of a SOX IT blueprint. IT service providers can take the lead in aiding client efforts to define these blueprints and map them to their current environment. There is a natural urge for service
150

providers to skew the blueprints toward their preferred application components, especially if they provide the components themselves (e.g., IBM). Such an urge must be tempered (obviously) with what is right and best for the client. Application vendors must
understand where they fit in these blueprints, ensure adequate integration points with
other elements, and use the blueprints as a road map for future application development
efforts. As the blueprints mature, spending on additional IT applications and tools will
increase, and organizations will better understand what additional IT products are needed
for SOX.
Chapter 11
Most organizations are now in the midst of executing SOX compliance efforts:
From a SOX progress and maturity level, most organizations are progressing toward
compliance:
Exploring: 9% (4Q03 10%)

Building awareness: 14% (4Q03 25%)
Initiating project: 21% (4Q03 40%)
Executing project: 43% (4Q03 20%)
Performing assessment and reviewing results: 13% (4Q03 5%)
Optimizing and performing ongoing support: 1% (4Q03 0%)
Product vendors and service providers must understand where specific clients/prospects are in this maturity model and tout offerings appropriate for that level. Business
and IT service providers have the additional opportunity to help clients understand maturity and how to progress up the curve, though clients will view IT service providers
with parallel agendas (e.g., outsourcing, application development, products) more skeptically than they do business service providers.
Concerns still exist over evidence of SOX compliance for outsourced processes:
This question elicited the greatest percentage of dont knows of any polling question
(54%). Of those that did know, 59% expected to certify SOX compliance for outsourced
processes, and 4% indicated they had already done so. Twenty percent expressed concerns over being able to accomplish this, and 17% were ignoring outsourced processes
as part of their SOX efforts. IT and, especially, business process outsourcing providers
will face increased challenges and scrutiny during the next 12 months as organizations
begin to recognize the difficulty and uncertainty in certifying SOX compliance for
outsourced processes. This is, in part, a function of inadequate regulator (e.g., PCAOB)
guidance, a situation that will not change prior to 2H04. It is also due to the fact that
151

outsourcers generally do not fully understand SOX requirements, outsourcers do not
have adequate process controls in place to the level that SOX requires, and controls are
not adequately documented (where they do exist). Long term, however, outsourcers
will benefit from SOX once they can prove to clients they can adequately meet its
requirements as organizations view outsourcing as one means of alleviating some of
the overhead associated with SOX compliance.
Most organizations view SOX compliance efforts as beneficial: Fifty-two percent
of respondents felt SOX compliance was a necessary cost of doing business, and 41%
indicated that SOX compliance efforts would ultimately lead to increased competitiveness. This points toward opportunities for IT products firms and, in particular, for business and IT service providers to work with clients to define leverage opportunities
above and beyond minimal SOX compliance and investments, and to process changes
that are being made.
Impact on Next-Generation Offerings

Clearly, the implication is that the consumption of business and IT services must account
for corporate governance demands and constraints. For example, organizations cannot
pursue business process outsourcing (BPO) without fully determining whether outsourced
processes are and can be evidenced as compliant with SOX mandates. Organizations
should not consider offshore outsourcing without fully assessing the various risk elements associated with selecting specific providers and country locations, as well as exposing potentially sensitive data, intellectual property, and business process information
in foreign markets and with offshore providers. Organizations must determine the appropriate services to engage in with a regulated provider (e.g., external audit firm) and
ensure that all relevant parties (e.g., audit committee, executive management) are in the
loop in the decision-making process.
Turning this around, firms selling business and IT services must understand corporate
governance implications in their offerings. There are two dimensions to this. The first is
from the strict regulatory perspective. Providers that advise on and implement IT systems, or operate/manage regulated processes, will not remain immune to some level of
regulatory oversight. The associated risk and exposure associated with providing such
services will also increase.
The second dimension that corporate governance will affect is client requirements and
service-offering appeal. Organizations will consider providers to assist with governance
152

assessment issues. They will also demand that providers detail how service offerings will
fit into and support GRC models, requiring that risks associated with specific type offerings (e.g., offshore, BPO) are defined upfront and factored into pricing and other contractual arrangements and obligations. Corporate governance elements will become important determining factors in service provider selection and satisfaction.
Chapter 11
Business and IT service providers must fundamentally rethink the common components
in a compelling service offering. This will redefine and broaden the definition of full
service (see Figure). There are various areas where corporate governance elements
affect other service offerings, in addition to the already mentioned offshore and BPO
scenarios. Examples include assessing the risk associated with deploying new financial
management systems and processes, appropriate governance models for sourcing and
consuming external services, and how most major process areas (e.g., CRM, ERP, SCM)
evolve to support compliance, as well as leverage the improvements gained through such
compliance efforts (e.g., greater process visibility and transparency). All these areas are
potential targets for new service offerings if providers can assemble the appropriate
skills, resources, and process frameworks.
Broadening the Business and IT Service Footprint
To date, most business and IT service providers have been caught up in
expanding their footprints by moving upstream and downstream. For example,
this elusive quest to become full-service providers led to IBMs PwC Consulting
acquisition, Accentures movement into outsourcing, and Cap Geminis Ernst &
Young acquisition (see Delta 2147). Although laudable, such movements still do
not create true full-service providers from the perspective of comprehensive
offerings across all business process and industry segments. They also largely
do not address gaining competencies around governance issues. Service
providers must recognize that corporate governance capabilities are an
additional dimension, or a third leg on the proverbial stool, that they must
integrate into service offerings.
To address such requirements, service providers need to define new service offerings
that include corporate governance dimensions and reconfigure the resource teams
that deliver and support them. For example, though most service providers are currently arranged around industry and process areas (e.g., CRM), an added dimension is
required to address corporate governance. Such practice areas should exist discretely
but be applied against client engagements in conjunction with industry and domain
expertise, ideally in preconfigured offerings that target specific process areas (e.g.,
153

global supply chain management, next-generation financial management, optimized
sourcing, procurement).
A major challenge for most service providers is acquiring the required domain expertise.
Providers will need to grow such skills organically, as well as consider strategic alliances
and acquisitions to gain more robust skills (see Figure). Although service providers must
incorporate corporate governance elements into service offerings, governance dimensions themselves must also be better integrated among the individual pieces. Many business and IT service providers have offerings that target requirements for discrete compliance mandates. What is required beyond that is the development of offerings focused
on integrating and leveraging compliance efforts, and supported clients must develop
integrated enterprisewide strategies and programs. It also involves building out governance models that support compliance requirements, apply risk-management assessments against compliance efforts (e.g., how much compliance is enough), and include risk
awareness in governance programs.
Other skill sets beyond corporate governance are required to fully build out new leading-edge integrated business and IT service offerings. Tax and treasury domain expertise
is relevant when organizations are engaging in offshore, BPO, and insourced business
process improvement efforts. Providers must help clients determine the tax implications of performing certain business processes offshore or the opportunities to improve
cash flow from improved financial management processes. The key underlying element
in all this is assessing the appeal and measuring the return of any service provided or
consumed in the context of tangible business value derived.That calculation must include
corporate governance elements as well as those related to broader business processes.
154

Chapter 11
Baking the Corporate Governance Service Pie

Most IT service providers at best dabble in governance practice areas. Most business
service providers have limited IT skills and capabilities. Many outsourcers have inadequate
operational business process knowledge for interpreting governance demands. Most
business service providers lack comprehensive outsourcing capabilities and, in some
respects, are also limited in providing such services (e.g., to audit clients). There are
various moves afoot to address this, and several firms have emerged as early leaders in
this respect.
Deloitte and PricewaterhouseCoopers are the two firms that have been the most
aggressive in integrating corporate governance and related elements into the core service
offerings. Deloittes integrated service offering program is driving the development of more
comprehensive and cross-functional service offerings that combine expertise and
resources from multiple domains (e.g., risk, compliance, tax, IT see Delta 2576).
Ironically, a key enabling factor to these offerings is Deloittes IT service arm that it nearly
spun off in early 2004. Although PwC sold off its formal IT consulting and elements of its
business process practice to IBM, it retains adequate IT skills and capabilities and is
integrating them into a set of governance, risk management, and compliance-enabled
offerings. Under the banner of integrity-driven performance, PwC is focusing on enabling
clients to embed an integrated approach into core business processes enterprisewide,
leverage IT investments to support such processes, and ultimately develop a meaningful
measurement system to define value, contribution, and cost. Among traditional IT service
providers, Accenture and IBM are doing the most relative to corporate governance,
particularly through work to support BPO efforts, though also through targeted compliance
offerings. However, these firms lack the corporate governance domain expertise depth that
a Big Four firm like Deloitte or PwC possesses, and will need to organically build out these
capabilities, as well as partner or potentially acquire additional resources. On the other
hand, these firms have greater capabilities relative to implementing and possibly ultimately
managing defined solutions.
Compliance and Outsourcing

Deciphering the detailed meaning and implications of compliance regulations like SOX
and determining what it means to gain and evidence compliance are onerous and, in
some respects, impossible tasks for affected organizations.The impossible elements come
in around certain process areas where regulators (e.g., US Securities and Exchange Commission, PCAOB) have not yet defined what an organization must do to show compliance. One such area is with outsourced business and IT functions and processes. These
run the gamut from outsourced application development and Web hosting to broad
finance and accounting BPO.
155

Although it has been clarified that organizations must gain and evidence SOX compliance
for outsourced processes, we are still awaiting clarification on the how to and which
controls and documentation are required. Recent extensions to Section 404 compliance
dates exacerbate this problem because, in most cases, it will be more than six months
before audit results are available to determine how leading auditor firms are interpreting
SOX compliance for outsourced processes.
Regulators are working to define clarifications, but it is not apparent when they will
arrive. In addition, SOX dictates are at the process level and do not define narrow
checklist-like instructions that clients, outsourcers, and auditors can follow. Important,
even though clarification is forthcoming, organizations and their outsourcers cannot sit
by in the interim and wait for details, given the amount of work involved to document
and evidence controls around affected processes. We are still awaiting requirements/
clarifications for SOX 409 (where an organization must put in processes for rapid notification when financial objectives will not be met).
During the next 12-24 months, compliance and related outsourcing concerns (e.g., offshore backlash, protectionism) will dampen outsourcing growth, especially for BPO services. Nevertheless, overall IT outsourcing and BPO levels will continue to grow briskly.
Longer term, as outsourcers master compliance and develop proven capabilities to help
clients SOX efforts, SOX demands will become a contributor to outsourcings growth.
Regardless of its demand impact, increased regulation of outsourcing is here to stay, and
providers must learn to deal with and exploit it .
Regulatory and SOX compliance must become the third leg (not the third rail) on the
outsourcing stool. BPO/BTO providers (e.g., Accenture, IBM, Unisys) are developing
business process component models/frameworks that, coupled with supporting models
for IT processes/functions, collectively create the model for their outsourcing offerings.
Missing is an approach to corporate governance, risk, and compliance mapped back to
business and IT processes. Although outsourcers cannot and should not independently
define what constitutes corporate governance best practices, they should drive efforts
with users, regulators, and audit/risk consultancies to do so in an outsourced operating
environment.
Outsourcers must assign dedicated resources to SOX compliance from an outbound
offering perspective. This key role must report to the executive level and work closely
with sales, marketing, offering development, and services delivery groups. Outsourcers
156

must familiarize themselves with the current regulatory environment and develop a
program to track and interpret emerging standards, clarifications, and interpretations.
They should take an active and proactive stance to lobbying regulators to develop interpretations that are most favorable to them and to their clients interests.This will require
defining what is best, cheapest, or most expedient for the outsourcer (e.g., watereddown requirements might not benefit the client equally).To address the problem upfront,
compliance should be core to its marketing and value message.
Chapter 11
Where appropriate, outsourcers should develop/expand working relationships with the

Big 4 audit firms or Tier 2 providers (e.g., Grant Thornton, BDO Seidman, BKD).Through
such relationships, outsourcers can gain the auditors perspective and insights on how it
will interpret SOX compliance requirements for outsourced processes, and what is
required for a SOX audit.The potential for tighter go-to-market alliances might also exist
(e.g., IBM and KPMG linking up to develop a Notes-based SOX Section 404 tool).
Outsourcers that have stronger financial services/practices and advisory offerings are in
a better position to interpret SOXs meaning and impact. IBM, CGE&Y, Accenture, and
BearingPoint (though it does nominal outsourcing) all have advisory practices that actively work with the CFO organization. Although this does not automatically translate
into better capabilities for SOX-compliant outsourcing, the overall relevant domain knowledge is higher. By contrast, smaller firms and offshore/Indian firms have more to prove in
helping clients ensure SOX compliance. For offshore firms, this involves proving process
integrity on the IT side of SOX (e.g., application development, deployment, management), as well as in the fledging areas of finance and accounting BPO.
One common misperception that remains is that existing outsourcing audit mechanisms,
primarily the SAS 70 audit, are adequate for SOX compliance (see Figure). The growing
consensus is that even an SAS 70 Type 2 audit might not prove enough for SOX.The SAS
70 standard was developed long before SOX regulations and was not designed to focus
on the type of controls that SOX addresses. In addition, there have been no requirements for users to request an SAS 70 audit, and many have not. One SAS 70 audit could
potentially suffice for multiple clients of an outsourcer, whereas with SOX compliance,
this is likely unacceptable. We are seeing more cases where aggressive/thorough clients
are demanding additional controls and documentation beyond an SAS 70 Type 2 audit to
enable what they estimate is good enough SOX compliance. It is not expected that the
PCAOB will define requirements above and beyond an SAS 70 for SOX compliance until
later this year.
157

SAS 70 and SOX Compliance
SAS (Statement on Auditing Standards) 70 is an international auditing standard
developed by the American Institute of Certified Public Accountants for service
organizations. An SAS 70 audit is the means through which an auditor examines a
service organizations or outsourcers control activities, particularly around IT and related
processes. SAS 70 is based on SAS 55, Consideration of Internal Control in a Financial
Statement Audit, and on the COSO framework. There are Type 1 and Type 2 audits.
Type 1 is a point-in-time/snapshot audit that focuses on general and application controls
but does not include testing by auditors. A Type 2 audit occurs over a period of time (e.g.,
6-12 months), focusing on general and operational controls during a life cycle, with
auditors typically performing actual testing. A Type 2 is obviously more expensive as well
as burdensome for the outsourcer. Only a CPA firm can perform an SAS 70 audit, and
the Big Four audit firms, as well as the specialist firm SAS 70 Solutions (formerly part of
Andersen), perform the bulk of the audits for G2000 organizations.
A final challenge to SOX compliance that affects outsourcers is inter-enterprise compliance. Users must approach process compliance holistically, covering insourced and
outsourced processes, as well as intersection points and continuums of processes that
span supply and service chains. For example, how can a users controls account for the
breakdown in a suppliers financial controls that could lead to a parts shortage, which
could affect revenue/profits, which would then require a timely disclosure? Clearly, organizations cannot address SOX compliance in an isolated fashion. Outsourcers have the
added dimension of being intertwined in numerous client compliance efforts across
multiple process areas.This in itself increases the outsourcers risk and demands greater
focus on enabling compliance, for its own sake as much as its clients.
Overall, vendors must develop a realistic time frame and approach to compliance product and service markets. Although end users are facing short-term imperatives, that
does not translate into quick buying decisions or the propensity to find allure in slightly
warmed-over offerings in a SOX wrapper.Vendors must make the effort to tailor offerings to meet users business pains from SOX, not just search for appeal in IT features/
functions. For many vendors, this implies working with SOX domain experts (e.g., external audit firms, business/finance/risk consultancies) as well as key clients to gain an adequate awareness and understanding of SOX implications and compliance requirements.
Although these investments will take time, they will also lead to more robust and mature
solutions that will meet clients strategic not just tactical needs. Given that SOX is
not going away and not likely to lessen in importance, the investment is worthwhile,
158

though more tactical solution providers must recognize a shorter opportunity window.
In addition, vendors must realize that SOX is not the only compliance mandate end users
face.The degree to which any offering creates and enables leverage across clients multiple
compliance efforts is the degree to which it will further gain strategic importance.
Chapter 11
Conclusions
SOX and related compliance efforts are part of the permanent fabric of organizations operating models. Vendors and services must reflect this reality in all
their offerings.
Compliance creates long-term opportunities for business and IT product and service vendors, but only if the solutions offered can support users strategic compliance needs.
In addition to driving increased business for audit/risk service firms, SOX compliance efforts will prove to be a boon to IT product and service vendors. However, it will also be a more complicated sell than were past demand drivers (e.g.,
Y2K, e-business).
Business process and IT outsourcing currently do not mix well with SOX and related compliance requirements. However, outsourcers and their clients cannot wait
for regulatory clarification and must define, document, and rationalize interim bestfaith efforts for gaining and evidencing SOX compliance for affected outsourced
functions and processes.
Addressing SOX and related regulatory compliance efforts is a challenge and a risk,
as well as an opportunity for business and IT outsourcers. Longer term, enabling
compliance becomes a standard element in an outsourcing scenario. It also means
that outsourcers overall risk and exposure increase as a result of operating in a
more highly regulated environment.
As organizations progress and mature in their SOX compliance efforts, opportunities for IT service providers and especially for IT product vendors will grow,
but only for those that develop truly relevant and beneficial SOX offerings mapped
to clients strategic compliance needs.
159

160
Note: The opinions, descriptions, and recommendations contained in this document may include
general or summary information about aspects of the Sarbanes-Oxley Act of 2002, and related
current or proposed rules, regulations, or standards of the US Securities and Exchange
Commission and national securities exchanges and associations. The information presented is
intended simply as an aid to your understanding of such rules and neither constitutes nor is
intended to constitute the provision of legal advice. We urge you to refer to the actual laws, rules,
regulations and/or standards, and to consult with legal counsel concerning your responsibilities, if
any, with respect to applicable provisions thereof. Opinions and recommendations expressed by
outside parties who participated in the META Group events transcribed here are their own.
META Group is not responsible for any inaccuracies contained within these transcripts; please
visit metagroup.com to hear the audio files.
Appendix A
Transcript 2048
28 October 2003
How Do I Achieve and Maintain SOX Compliance?

Content & Collaboration Strategies, Enterprise Analytics Strategies, Enterprise Application Strategies,
Professional Services Strategies, Heller Ehrman White & McAuliffe, LLP
Bill Buchler, John Van Decker, Stan Lepeak, Charlie Brett META Group
Jeff Selman Heller Ehrman White & McAuliffe, LLP
Bill Buchler: Welcome to todays How-To Webcast How Do I Achieve and Maintain SOX Compliance?
To help you ensure that Sarbanes-Oxley Act (SOX) compliance is not just the cost of doing business, todays
teleconference will address the various components of a holistic SOX strategy, including legal ramifications
that can serve as a springboard for doing business better. In addition to META Groups lead SOX analysts,
todays call will also feature lead counsel for SOX compliance from the international law firm of Heller,
Ehrman, White & McAuliffe, LLP.
Figure 1 2003+ Business Scenario Update
Stan Lepeak: We have a lot of material to go through today, so let us jump right into it and move to Figure 1,
where we see the smiling mug shot of Mr. Bernie Ebbers, our well-known friend from WorldCom. In terms of a
business update, we all know the scenario here. SOX is on everyones agenda: public companies, private
firms, large organizations, small, those based in North America, and those based elsewhere. Certainly, this is
a higher priority for large, US-based firms, but this is something that everyone is working on these days.
208 Harbor Drive Stamford, CT 06902 (203) 973-6700 Fax (203) 359-8066 metagroup.com
Copyright 2003 META Group, Inc. All rights reserved.
Transcript
Depending on your perspective, it is a scourge, a necessary evil, or a full employment act for IT. What we
want to go through today is doing some level setting in terms of what is required, where organizations are at,
where your peers are at in meeting SOX compliance, and what we feel is imperative that you need to get
done short term for tactical compliance and longer term for strategic compliance, as well as leveraging some
of these SOX investments for the bettering of your companys competitive capability.
Firms are rushing to evaluate their financial processes. There is a lot on the table; there is a lot to get done.
But I think what is key is to lay out a road map such that these efforts are achieving compliance, but are doing
so in a way that also can help you to maximize business benefits. What is key with all this as opposed to
other recent full employment acts for IT and others, such as e-business and ERP initiatives and Y2K is that
this does not go away. What we are looking at here is laying out a road map that will serve your organization
for years to come. And there are a lot of different pieces to that.
Figure 2 All Companies Will Need to Care
John Van Decker: Again, thank you Bernie, because as a result of some of the accounting flops that have
occurred over the past 18 months, we have the Sarbanes-Oxley Act, with the intention to protect investors by
improving the accuracy and reliability of corporate disclosures. And what I am seeing in numerous client
inquiries is that the impact is not just on the publicly traded companies. Rather, I see that many other
companies, namely smaller public companies as well as private companies, will need to care.
So I think we can take a look at a number of organization categories. What I am seeing is that for private
companies, members of the board, many of them are participating in Sarbanes-Oxley projects with their
public companies. They are going through an assessment process in their public companies, and they expect
the private companies (on which they are serving as board members) to also go through a financial controls
process.
Transcript 2048
Transcript
Growing companies companies that are below $75 million want to grow up and will eventually fall under
the SOX microscope. The $75 million is the threshold right now, but I think there is also the possibility that will
go lower. Companies that are pursuing an exit strategy (e.g., they want to be acquired) will have their financial
control scrutinized during the buyers due diligence process. When they do get acquired, they will need to
conform to a larger enterprise standard. By having a certified set of controls around financial management
processes, that is going to make the privately owned firm more attractive to the firm that is doing the
acquiring.
Also, many private companies are in business with larger companies. Let us say they are part of the supply
chain or sales channel. They may have a higher level of systems and process integration, and may need to
adhere to the controls of the larger firm. Also, the Public Company Accounting Oversight Board and we will
go over that in a little bit more detail in upcoming figures spells out requirements for all public companies.
Public companies that are under $75 million will have to conform to internal control requirements by their
auditors for fiscal years ending April 15, 2005, and later.
There are many institutions that receive public company grants. And the grantee organizations may be
required to demonstrate an internal control competency around grant management as well as overall financial
management. So I think, in general, SOX is raising the bar. For companies looking for financing and
insurance, Sarbanes-Oxley is raising the bar around the expected financial controls. So while it is specifically
targeted for the publicly traded company with revenues over $75 million, all companies will have an impact
and will feel the impact.
Figure 3 Critical Issues
Transcript 2048
Transcript
Stan Lepeak: Figure 3 details the critical issues that we are going to get into in todays session. First we are
going to provide a SOX update and talk about the findings of some research that META Group has been
performing on this topic over the past couple of months. Then John is going to lay out a SOX IT blueprint,
looking at, from an architectural standpoint, what are the different classes of products that will fit into a
comprehensive blueprint to address SOX compliance and also talk about some of the specific vendors
therein.
We will talk about the records management imperative and where that fits into SOX compliance. Then we will
look at some of the legal issues around SOX in general, but also specifically delve into some of the legal
issues and ramifications of records management. So first let us look at some of the findings of some recent
META Group research.
Figure 4 The Last META Group SOX Survey Says
On Figure 4, here are the results of a survey we did over the summer. In the interest of time, we are not going
to read through all these, but just to highlight a couple of key points. This was a survey that was conducted
approximately eight weeks ago. At this point in time, 65% of organizations were actively engaged in a SOX
project, and another 25% were getting ready to kick them off. So by this point in time, well over 90% of the
respondent organizations were actively engaged in a SOX initiative.
Transcript 2048
Transcript
For those initiatives, they are global in nature 88% of organizations responded that compliance efforts in
SOX were global initiatives. So despite the fact that some of the ramifications for non-US-based divisions and
companies vary from those based in the US, these are really global initiatives. They are initiatives that are
primarily led by the CFOs organization 45% of respondents cited the CFO as leading the SOX initiative,
and another 24% indicated that SOX was being led by the internal audit group. I think the point here to
emphasize is that, while there are key leaders for these initiatives, these are joint efforts involving lines of
business, professionals, the CFOs organization, internal audit, and then certainly IT professionals within the
organization, and then also external groups such as the external audit firms and related IT service providers.
A key point though is that firms were unsure of SOX readiness. Only 6% indicated at this point in time they
were in fact ready for SOX compliance. These other surveys have borne out a similar figure 20% estimated
that major investments were going to need to be made, and 27% indicated at least minimal investments, but
the real telling number was that 48% of respondents were unsure. We have done some additional work since
that time, which continues to illustrate that people are still in the learning phases of what it will take to fully
achieve SOX compliance.
I think the point here is that this is still very much a work in progress, even from the standpoint of scoping the
initiative to the extent that you can accelerate those efforts, but also start to put a framework around how
you achieve SOX compliance so you can understand where the effort is being made in an appropriate volume
and amount, and where perhaps you can pull back, given there is a lot to get done in a very short time frame.
Figure 5 Where Are Firms on the Curve?
Transcript 2048
Transcript
John Van Decker: We have been involved in a number of surveys. We have participated in Webinars with
vendors that provide compliant solutions, and we are seeing a tremendous amount of consistency across all
the surveys and the responses. Most folks believe that they are not ready yet for Sarbanes-Oxley, or more of
a full-blown Sarbanes-Oxley solution blueprint. About 90% of publicly traded firms are actively involved in
Sarbanes-Oxley projects, but the majority are focusing on Section 404. The idea is that they will go through
Section 404, which is really the internal controls evaluation, and then out of that identify IT projects.
So I think we are going to see an increase in IT spending the first quarter of next year through 2004/05. And I
think a lot of organizations are looking eventually toward a global corporate governance initiative. Many are
actually seeding that with Sarbanes-Oxley compliance. I think over time we will start seeing more corporate
governance executives, but at this point, Sarbanes-Oxley compliance is within the bailiwick of the CFO.
Figure 6 Top Preferences for SOX Solutions
One thing that I see quite a bit is vendors pitching that they are the only Sarbanes-Oxley solution, and as we
go through a briefing with them, it turns out to be a Section 404 tool, which involves internal control
documentation and assessment. But to enable Sarbanes-Oxley from the transactional and business intent,
intelligence, and financial management perspective, I think it gets back to better configuring solutions that you
have already purchased.
Transcript 2048
Transcript
So go back to ERP instead and look at some consolidation opportunities. Perhaps replace some of the legacy
ERP solutions. I am starting to see that, in my business performance management inquiries from clients,
there is a need for visibility and transparency. And according to this survey, 30% of companies are looking at
business intelligence (BI) and business performance management to help provide that visibility and
transparency. So a lot goes back to doing a better job at more smartly configuring existing solutions, and
perhaps making some investments in business intelligence and performance management.
Figure 7 PCAOB Update
The PCAOB just released a draft on October 7. The draft is entitled An Audit of Internal Control Over
Financial Reporting Performed in Conjunction With an Audit of Financial Statements. I think what is important
here is that this is an independent accounting organization that is putting some controls and some meat
around Sarbanes-Oxley expectations, around auditors, and around audit work.
A number of deficiencies were identified, and I think the important point here without going through the whole
draft is it is putting more auditor definition around Sarbanes-Oxley. I think it is going to put more
standardization around auditor focus. In addition, I think it is also going to give auditors a lot of leeway in
determining what financial controls are, since it is clearly identified within this draft that internal control is not a
one size fits all. It varies by company, it varies by industries, etc. The important takeaway here is that for
those thinking that Sarbanes-Oxley was just a legislative act, we are starting to see more standards and more
guidelines being applied to Sarbanes-Oxley. So if anything, this makes it much more real.
Transcript 2048
Transcript
Figure 8 Business/IT Services SOX Checklist
Stan Lepeak: We are going to talk about the role of external service providers relative to SOX compliance.
This is particularly important given some of the recent wordings that have come out of the PCAOB about the
ideal role of external auditors. So in terms of the class of the service provider, there are four types. In
business services, you have your auditors, the Big Four, E&Y, KPMG, Deloitte, and PwC. You also have
other specialized management risk assessment firms. Those are firms that have similar skills to the external
auditors, but do not actually perform audit work.
Then on the IT side, you have your classic IT consultants and systems integrators that are operating in the
SOX arena, so firms like BearingPoint as well as IBM. In the fourth class that we identify are the outsourcers.
Again, IBM would fall under this class, as well as CSC and EDS. Here, these are the firms that are often in an
outsourced fashion managing some or many or in some cases all of the financial applications that fall under
SOX compliance.
The ironic part about the services, particularly on the tax audit side, is that these firms, which are very much
part of the solution, are also to a degree part of the problem. So many have made the argument that, if the
auditors had done a better job with Mr. Ebbers or Tyco or Enron, we would have fewer problems today. And
while the vast majority of the audit work that has been performed historically has been at least adequate, if
not good, it is a bit ironic that the firms now are seeing revenue leap dramatically as their role has been
significantly expanded, in terms of not only expanding the basic audit but also getting involved in SOX
compliance efforts.
Transcript 2048
Transcript
The challenge for users is to recognize where it is appropriate to use the external audit firm and where it is
not, because there are very specific stipulations within SOX as well as coming out of groups like the PCAOB,
which define where an auditors role is appropriate. So the key point here is to have a mechanism in place to
determine when it is appropriate to allow the external auditor to perform non-audit work around SOX
compliance. Obviously, these firms are the experts relative to process control, and often are experts in terms
of understanding your organization itself. But you need to be very careful about where they are deployed, and
as you move up the continuum, these activities become much more highly regulated and potentially much
more risky from the standpoint of whether or not it is appropriate for the auditor to perform them.
So the key piece here is to ensure that audit committee involvement is built into a process to determine where
the external auditor can be utilized outside of performing basic adaptation work around the normal yearly
audit or around SOX compliance. There are other types of external service providers that have relative
capabilities in this respect, but they may also have additional agendas in terms of selling IT-related services,
in terms of system implementation or customization. Certainly, we have heard from some of the outsourcers
how the best way to address SOX compliance is to outsource everything to them, and we feel that could be
potentially risky as well.
Figure 9 Service Developments and Trends
Transcript 2048
Transcript
Just to highlight some recent activities in this space, one that came out quite recently is IBM has announced a
relationship with KPMG, where KPMG is going to provide to IBM some of its control catalog, so basically
sample process models, which will then be embedded in a Lotus-based tool from IBM that organizations can
use to define appropriate process control and then document them and place them in repository appropriate
for review.
The key point here is that KPMG is the first of the audit firms to recognize that they are an audit firm and not
an ISV (independent software vendor). While all four of these main audit firms have tools that can be utilized
in SOX compliance, it is our position that they are very much tactical tools. These firms are not going to
support from a software vendor standpoint and a support and maintenance standpoint in the long term. So
KPMG is the first to step up and identify a partner in the form of IBM to really take over the management of
the software piece of these tools, while KPMG will provide the domain knowledge around process controls.
Deloitte is also looking at identifying a software partner, and we fully expect that all four of the major audit
firms will hook up with a software provider to maintain those tools that they were initially developing internally.
Deloitte has finally articulated its go-to-market message around the combined Deloitte, Deloitte Consulting
Group, with a strong emphasis on what it is calling integrated service offerings. These look at compliance
problems from multiple different perspectives regulatory risks and IT perspectives. They have some
offerings there relative to helping clients look at SOX compliance but also look at some of the broader
implications of leveraging SOX efforts for greater corporate benefit.
Finally, another key point was looking at the SOX wildcard relative to business process and IT sourcing. We
are not going to dwell too much on it here, but the key challenge for an organization is that, even if they have
outsourced a business process, they are still liable under SOX to ensure evidence of compliance. The
challenge is that most outsourcers today do not provide the adequate level of documentation that a client will
need to be able to sign off on SOX compliance or evidence that to their auditors. So there is commonly an
SAS 70 document, statement of accounting Standard 70 that outsourcers provide to a clients auditors, but
that document (which has been around historically) is not designed nor is it adequate for evidencing SOX
compliance. So any organization that has outsourced business processes or outsourced IT processes that fall
under SOX compliance, we urge you to immediately begin to work with your outsourcer and your auditor if
you have not already, to determine what degree the existing documentation is appropriate for SOX
compliance and what more needs to be done.
Finally, an overall recommendation is that, while the auditors can provide great benefits to these efforts, it is
ultimately the clients responsibility, and the client needs to take ownership of this. The auditors are there to
do a job, but management ultimately has to do its job relative to SOX compliance. And the auditors still are
having their own set of problems such as the bullet point on business process integrity. So the bottom line
here is that the clients need to ultimately take responsibility for SOX compliance regardless of the help the
auditors can provide.
Transcript 2048
10
Transcript
Figure 10 Assessing SOX Maturity
Stan Lepeak: This is just a forward pointer to make all our end-user clients aware that META Group is in the
process of rolling out a SOX Maturity Model with an offering. If you are interested in learning more about this,
contact your account manager, and he or she can arrange a session with John Van Decker and myself or
Charlie Brett to talk about this. This is a forward pointer in that we are putting some structured deliverables
together to help organizations understand their level of maturity overall relative to SOX, their level in specific
section areas, and also to help lay out that road map we were discussing earlier, which will be followed both
to achieve SOX compliance and then to maintain that compliance over time.
Transcript 2048
11
Transcript
Figure 11 The SOX Dimensions
John Van Decker: We may want to repeat that question after the next couple of figures so we can first define
what a SOX technology blueprint is. I had mentioned before that many vendors are positioning Section 404
tools as the SOX solution, but in essence, Sarbanes-Oxley has an impact on all of your applications that
provide some input and controls in your financial management process. I am not going to go into a lot of detail
in this figure. We also covered this at the last Trend Teleconference.
It is critical is that firms go through their applications, especially those that provide and are part of the financial
management control processes, and understand where and how the application can provide visibility and
transparency into the financial accounting process. They can also revisit and ensure that the applications
provide internal control. They can be linked to contracts, to invoices, to trade agreements, etc., and provide
the appropriate records retention capability, to be able to provide communication both internally and externally
as we get some Section 409 initiatives.
Transcript 2048
12
Transcript
Figure 12 The SOX IT Blueprint: Section 404
Section 404 is for organizations to provide an annual assessment of internal controls. We see that IT
organizations should consider employing risk management applications, to help document the process and to
provide a periodic assessment of internal controls. I am seeing that more firms are looking to provide this on a
quarterly basis to help assist the auditor who will look at this on a more annual basis. These activities are also
linked to service providers initially, compliance and auditing vendors but I think the next phase will be
more grownup business applications, such as those provided by ERP vendors, as well as some business
process management and document management vendors.
I think they need to be linked into existing application infrastructures, so this will move then to be supported by
the systems integrators versus the compliance auditors. And the functionality around these Section 404 tools
is for documentations in this process modeling/program management so organizations can understand where
they are in their documentation assessor processes, as well as communication. I think the next phase for
these applications will be to leverage ERP applications, and we are already seeing from PeopleSoft and
Oracle applications that integrate and leverage some of the controls that are already inherent in the ERP
solutions.
Transcript 2048
13
Transcript
Figure 13 The SOX IT Blueprint: Sections 302/906
This gets back to providing a business intelligence environment that can help consolidate financial information
and enable more frequent flash reporting, to be based on data marts, data warehousing, and OLAP tools as
well as reporting that leverages consistent metadata
Transcript 2048
14
Transcript
Section 409 is built around concerns of disclosing to the public on a rapid and current basis any material
changes in terms of financial condition. This is going to require tools that can help identify the problem, so it
would be business intelligence, business performance management, financial modeling tools such as activitybased management, profitability management, to be able to generate compliance dashboards that can
identify thresholds that perhaps can bring in the current contract base and understand if there are any issues
with suppliers, etc., that could impact the firms financial condition. Ultimately, the tools should report outward
to some type of a portal process to communicate to investors as well as the US SEC.
Transcript 2048
15
Transcript
Figure 15 SOX Technology Blueprint
I mentioned a number of business applications. I see that from an effort perspective, for an enterprise SOX
technology blueprint, 10% of the effort is going to be around the risk assessment tools that specifically focus
on internal controls for Section 404, and ultimately are used to provide some assurance around Sections 302
and 906. This is where the CFOs and the CEOs need to sign off on financials and confirm that the financial
statements are correct.
I think 60% of this, though, should be focused around transactional solutions. And that would be enterprise
resource planning (ERP) as well as best-of-breed solutions where the actual financial transactions are
generated and managed until they get to the general ledger. About 10% will be around content management
solutions. And 30% of the effort will be around creating an effective business intelligence/performance
management environment that can help generate compliance dashboards and help lift the organization in
more of the financial management processes, to help identify anomalies before they become material, so that
the firm can act on these inconsistencies and provide more of a consistent approach with financial reporting.
Transcript 2048
16
Transcript
Figure 16 SOX Requirements: Records Management
Charlie Brett: For the next section, we are going to discuss the implications around the records management
aspects of Sarbanes-Oxley, specifically Section 802, which is one of the core sections of the act. And I would
like to state at the beginning that Section 802 should not be seen as a completely separate section that has
no impact or no tight relationship to the other sections. Indeed, it is quite the opposite. Section 802 should be
seen as the language that requires companies to manage the records and the processes and the
management of the documentation, the audit trail that is the product of, say, Sections 302 or 404 or any of the
other sections.
What do we mean by records is one of the bigger questions and concerns that are being raised by a lot of our
customers. Certainly, components of a records management system include the definition of what a business
record is. And I would point out here that there is a distinction between the business records that a company
generates in terms of its daily business for other regulatory requirements, such as for their tax records, or
books and records or other types of recorded content that is already incumbent upon them to contain.
A lot of the records under Section 802 are specifically related to the audit and review process. So the
documents that are generated and distilled, the conversations that are going on throughout the audit and
review process, are where the focus of this is. In a larger SOX framework, the components of a records
management strategy are evolving to include an enterprise repository where this is a centralized location kind
of storage facility for the propagation and the longer-term storage under the requirements for all the content
related to the audit and review process. Currently, this retention guideline is seven years, which has been
going through some differences of opinion and was recently clarified by the SEC that indeed seven years will
be the retention life cycle.
This can include data that comes from integrated workspaces or through process management. So if you
have an integrated workspace where you have a certain level of employee that is participating in the audit and
review process, and there is collaboration, there is authoring going on, this is the type of tool that you would
Transcript 2048
17
Transcript
use to start storing that content, as well as the process. This includes documenting and creating audit trails as
records of what has been going on through the audit and review process, who has authored certain types of
document, what documents have come in, what applications have created them, what users have created
them, etc.
So to sum it all up, the big questions are what a record is and what is expected of us. So the definition of a
record under SOX Section 802 is anything that is created, sent, or received in connection with the audit and
review process, including conclusions, opinions, analysis, or financial data related to the audit and review
process.
Figure 17 SOX and Records Retention
We will get into some of the Section 802 implications looking at some records management standards, and
possibly what and what not to apply to a records management policy under SOX. What is a record? What are
some storage issues that you should be considering? And very importantly, who is responsible in the
organization for creating records, and what is to be expected of them?
A key bottom line on this figure is that, under most of the sections of SOX, records retention and protection
are key elements. So for those of you that are familiar with records management, if you distill it down, Section
802 is really another records management mandate, not unlike many of the other records management
functions that you are already performing within your enterprise. The key is there are new types of content to
be introduced here something we think is extremely critical.
Transcript 2048
18
Transcript
Figure 18 Technology Scenario
The technology scenario that we are seeing especially related to generating content, managing content,
collaborating on content, making content available in a contextual manner is being affected by compliance.
How can content infrastructures be leveraged? How can they be managed to act as a very solid framework
for Sarbanes-Oxley content? And I would add here that we are not making a distinction between physical and
electronic records.
The very strong trend in our marketplace in terms of content, collaboration, and records management is that
records management is indeed becoming a strategic part of companies enterprise content infrastructure.
Typically, this content under enterprise content management is broadly defined as unstructured content,
meaning this is image data, document data such as word documents, spreadsheets, etc. It includes e-mail. It
may include Web content or static output from ERP financial or mainframe systems. All this is generating a
very big top of mind type of scenario for what are we as a corporation doing for our records management. And
typically, Sarbanes-Oxley has been driving a lot of this, but if there is really any good news here, it is that your
organization most likely already has fairly well-qualified records management and IT staff who can be very
instrumental in looking at how we are mapping some of the new content and some of the new records through
the Sarbanes-Oxley process. So it is about the content in context and the collaboration, since there is a very
large part of collaboration through an audit and review process.
Transcript 2048
19
Transcript
Figure 19 Standards and Regulations
There is in the marketplace a lot of alphabet soup going around, a lot of fear, uncertainty, and doubt (FUD).
There are a lot of compliance mandates out there, as you see on this figure. And we are seeing an increase in
helping our clients make sense of what we are really liable for. Are there really standards that we have to be
meeting under Sarbanes-Oxley? A lot of companies are familiar with SEC and NASD regulations around
books and records, around broker/dealers, or registered representative communications with customers.
Certain people are wrestling with new USA PATRIOT Act requirements, and folks in the healthcare industry
are struggling with HIPAA.
To get to the gist of records management standards or requirements under Sarbanes-Oxley, in the language
there is no specifically stated standard that must be adhered to. However, we would firmly suggest that the
DoD 5015.2 standard be taken under serious consideration as part of the standard for managing records.
Sarbanes-Oxley in Section 802 does not require this, but it certainly is seen as a best practice, and indeed is
kind of the de facto records management standard for corporate and commercial enterprises throughout the
US. So we urge taking a look at 5015.2 as the standard for your records management processes.
As I alluded to before, the content that is relevant and core to the Sarbanes-Oxley process will include paper
and physical records, will include electronic records, and will increasingly include transactional records such
as snapshots out of an ERP system or a financial system such as ledgers, subledgers, maybe coming out of
proof-of-delivery systems, maybe coming out of imaging systems where you can see invoices or bills of
lading. It will also include communications, specifically electronic communications in the form of e-mail and
instant messaging. This is something that the SEC has also recently clarified e-mail and instant message
communications are required under this section.
This is giving pause to many organizations out there, specifically as it relates to instant messaging. We urge
that folks looking at potentially deploying any type of infrastructure within the Sarbanes-Oxley process take a
hard look at how financial services firms treat instant messaging within their enterprise. I think you will find
Transcript 2048
20
Transcript
that many of these organizations have locked down or banned many types of instant messaging. Financial
services firms can show some leadership here because they have been faced with the same regulations
under the SEC Rule 17A4 for the management of this type of communications.
Key principles through any records management process, and specific to Sarbanes-Oxley, is the retention life
cycle, the management retention of a minimum of seven years of all the content that is related to and required
under the various SOX sections. Another is immutability. Immutability is just a fancy word for
unchangeableness the ability to lock down content so that it cannot be altered, destroyed, mutilated,
falsified, etc. This has, if you look at it, one of the key underlying components of why we are here now.
Records management, or the lack of records management, has become almost a household topic. Granted
that there has been a fair amount of fraud involved, but without any type of proper or standardized records
management procedures, that fraud is a lot more difficult to perpetrate.
Who has access? Who is the author? Who can retrieve? And audit trails who accessed? Who authored?
Who made changes? Who provided versioning and such? So distilling it down, Section 802 is fundamentally a
records management strategy.
Figure 20 Why Records Retention Now?
Why records retention now? Understanding how you are addressing your SOX-related content is critical. You
will be asked. And this is the type of answer you are going to need to provide to the CFO and the CEO to
ensure that they have the proper controls, transparency, and visibility to sign off that you are indeed
managing the electronic content, including the electronic communications, in a manner that meets Section
802 requirements.
Consider the existing standards, such as the DoD 5015.2 specification, or even the ISO 15489 standard, for
guidance. These are good starting points to learn what goes into a very valid and very stringent records
management strategy. Fully understand the existing market technology. How do the conversions of enterprise
Transcript 2048
21
Transcript
content management, records management, and electronic communications management tie together, and
where can you build a baseline and potentially single source from a single vendor. Additionally important
would be WORM storage or write once, read many. These are storage options that are not specifically
mandated by Sarbanes-Oxley in Section 802.
WORM storage specifically prohibits any alteration of content that is stored in these systems. So this may be
something from magnetic-based spinning disk WORM storage such as an EMC Centera or a Network
Appliance device, or maybe magneto-optical or ultradense optical that is WORM-certified. This is an
additional protection against any unauthorized mutilation, falsification, deletion, etc. Prepare to include the
transactional data, which may be extracts from ERP or financial systems, may be access to image systems,
any type of content that has been used to generate documentation for the audit and review process. And take
a serious look at how electronic communications may play a role here. SOX compliance requires complete,
secure, timely access to the content, managing the availability of that content, and ensuring the immutability
of that content.
Figure 21 Formal RM Program Elements
Here are some formal elements to keep in mind retention schedules for the different content, which is
something where your records management folks will be able to help you. Written policies and procedures are
extremely important how you document the policies and procedures on how you are managing the content
around Sarbanes-Oxley. Executive, legal, and IT approvals are the teams that you need to evaluate and
implement and sign off on the policy as records management is truly a corporate policy. Employee training is
critical their clear understanding of what is expected of them. What is a record? What is required to be
retained? What is not required to be retained? This is a very big issue that we are going to address in the next
section. And lastly, compliance audits must be used for testing and validating the system at least yearly to
maintain compliance and ensure that you are maintaining SOX compliance under Section 802.
Transcript 2048
22
Transcript
Figure 22 Sarbanes-Oxley Overview: New Requirements
Jeff Selman: From a legal perspective, there is much that has not been changed by Sarbanes-Oxley, just as
there is much as we have discussed from a procedural standpoint that has been changed. But looking at this
at a conceptual level, the significant change that Sarbanes-Oxley has wrought on the legal landscape is that
there is much more disclosure that is required at a much faster pace than we have ever seen before. And as
result, it creates the possibility for much more risk and more liability for a larger number of players.
There is already a significant amount of change from a public disclosure standpoint that has taken place and
that will continue to take place. Similarly, there will be the requirement coming into place next year under
Section 404 to have internal controls over financial reporting that again must be certified, and that the
independent auditors will have to attest to the efficacy of.
In addition to the enhanced public disclosure, it is more disclosure and faster regime that Sarbanes-Oxley has
given to the world. We are already looking, beginning next year, a faster pace for which disclosure has to be
made, both by way of the periodic reports such as forms 10-Q and 10-K that get filed by companies that will
be on a quicker time frame than they have been historically.
In addition to the expanded disclosure and the faster time frames for disclosure, another significant impact of
Sarbanes-Oxley is the expansion of the number of players who are responsible for taking part in the
disclosure process taking it beyond the level of senior management up to the board level, to the members
of the audit committee, and to outside players such as the attorneys and the accountants. And from a legal
standpoint, that also means a spreading of the liability among a larger group of players. So what we see
Sarbanes-Oxley doing is creating new responsibilities for the audit committee, such as the requirement that
the audit committee now oversee the auditors and the financial reporting process as well as creating
procedures for whistle blowers, spreading new roles similarly to attorneys where attorneys are now required
when we have evidence of material fraud or breaches of fiduciary duty at the corporate level to report up
the ladder, potentially to the SEC.
Transcript 2048
23
Transcript
We should note that it is not just Congress under SOX or the SEC that has gotten into the act here, but also
groups such as the New York Stock Exchange have undertaken efforts to come up with new roles that are
again aimed at getting out more disclosure on a faster time frame. So the bottom line on this figure is that
there is new stuff that is happening. From a legal perspective, however, there are no new causes of action to
speak of. There are new ways to be able to state causes of actions for things such as breaches of fiduciary
duty and violations of the existing securities statutes. And the reason why we can have new areas of stating
these things is there is so much more that has to be done by the various players that I have named.
Figure 23 Sarbanes-Oxley Overview: New Penalties
Despite the fact that there are no new causes of action that can be stated, there are new penalties that can
arise in the event of violations. For example, the CEO and the CFO are subject to penalties such as having to
forfeit their bonuses and profits from the sale of stock in the event that there is an accounting restatement for
the corporation resulting from misconduct. In addition the certifications that they have to make now do bring
with them criminal penalties in the event that they are false.
There are now criminal penalties in the event that there is a destruction or alteration of records during the
course of a pending federal investigation or bankruptcy. And to make all this easier for people to be able to
state claims, we have lengthened the time frame for the statute of limitations for securities fraud, to give
people a longer opportunity to be able to make determinations that either disclosures have not been made
that should have been made, or that the disclosures that have been made, for example with regard to the
efficacy of disclosure controls and internal controls, are not in fact accurate.
Transcript 2048
24
Transcript
Figure 24 Compliance Overview
Looking at this from the 30,000-foot level, we see that Sarbanes-Oxley creates a system where we have to
have more disclosure in a faster time frame. To make that happen, we have to recognize that it is essential to
have good processes in place that will allow for disclosures that need to now be made. And failure to have
that, as I said, creates a situation where liability can arise whether it is the securities fraud because a
misstatement was made with regard to the disclosure controls, or due to the failure of the disclosure controls,
an omission of a material fact, or a breach of fiduciary duty or the duty of due care from the officers and
directors and the other players. As a result, when the disclosures do come out, there is a drop in the stock
price.
What does this mean? To have good disclosure, it is going to be absolutely essential to have good document
management processes. That includes both the ability to gather information on a documentary basis, to be
able to assess that information, and to attain the documents that are necessary to show that the procedures
were in fact followed. That latter point then points out that the document retention aspect is a critical part of
the document management process.
Transcript 2048
25
Transcript
Figure 25 Document Retention Policies: Why You Need Them
The overarching theme for document retention always has been and should still remain that you retain those
documents that you need to have to be able to serve your operational or business purposes or needs as
well as those that you are going to be required to have from a legal perspective. But you should not be
retaining anything beyond that. So a documentation retention policy that says we save everything clearly is
not going to be a good document retention policy because it will not help meet the needs of being able to
show what you need to have from a compliance standpoint, or be able to implement from a compliance
standpoint to be able to make assessments of the information that you do have, since you will have too much
to go through.
Failure to put a policy in place can be disastrous in that you will not be able to make assessments of the
information if you are just gathering everything or gathering too little, and you will not be able to show that you
are following the processes that you need to be following. On the flip side, there is a corollary to this. In the
event of a governmental investigation or proceeding either by the SEC or the Department of Justice, the US
federal sentencing guidelines provide that leniency will be granted from a penalty standpoint to these events if
there is an effective compliance program in place.
Being able to have a good document management and document retention policy and being able to show that
you are following that policy are considered by the government to be evidence of an effective compliance
program that will allow for the granting of leniency in the event of a governmental proceeding.
Transcript 2048
26
Transcript
Figure 26 Document Retention Obligations in Civil Litigation
Document retention is one of the obligations that a party has in the event of civil litigation. First, there is a
concept in the law called spoliation, and this is not something that is new but has been around for a long
time. The general rule is that, once you enter into litigation, there is an obligation of the parties to preserve the
records, to preserve all documents, and not to allow documents to be altered or destroyed. This gets picked
up as a concept in the Section 802 rules of SOX, but as I said, this is something that is not new, and has been
here for a very long time.
What we see courts undertaking when there is evidence of spoliation is that they have and will continue to
have broad discretion to sanction, including issuing monetary sanctions, evidentiary sanctions, or even endof-case litigation sanctions. Sarbanes-Oxley in Section 802 does however add something new, which is it
does make a new federal criminal penalty for document destruction in the anticipation of litigation being
brought from a governmental standpoint.
Finally, from a political standpoint as opposed to a legal standpoint, there is a lot of political pressure to bring
obstruction-of-justice charges based on document destruction. The expectation is that, as this is now the
politically in thing to do, this will continue for at least the near term.
Transcript 2048
27
Transcript
Figure 27 Document Retention Policy Guidelines
I will pick up a couple of things with regard to document retention policy guidelines that we as lawyers would
regularly recommend to our clients. First, the important thing is to remember that the purpose of document
gathering and retention is to be able to mitigate liability and to be able to improve the disclosure accuracy by
being better able to assess the information that is being gathered. It is not to gather everything and keep
everything for as long as can be.
Another important point here is to remember that documents are not only paper records, but as we have
discussed, electronic records. And when undertaking to destroy documents, it is important that the document
destruction include the electronic records. Furthermore, the document retention policy should be based on
two things: the legitimate and unique business needs or operational needs of the company, and the legal
landscape and requirements. So in terms of putting together a document retention policy, a company should
focus specifically on those types of things, and think about what it is from their standpoint that they need to
have. So it is not necessarily a one-size-fits-all scenario.
Furthermore, the document retention policy should be making determinations as to what documents to keep
and what documents to destroy, based on the business purpose of the document, and not on the content,
whether it is good or bad.
Transcript 2048
28
Transcript
Figure 28 Document Retention Policy Guidelines
The retention periods should be consistent with the industry norms, and should also be as required under
applicable law for those industries where there are actual legal requirements for keeping documents for
specified time frames. The document retention policy should also require clear procedures for contacting the
compliance officer of the company to the extent that there are questions, and there should be audits with
regard to ensuring compliance.
That point becomes particularly crucial to the extent that, from a Sarbanes-Oxley standpoint, you want to be
able to show that you have in fact complied with the various disclosure and internal control requirements that
you need to comply with. One final key point here is that any document retention policy needs to include what
I will call a stop function. In the event that there is foreseeable litigation, actual litigation, pending or about-tobegin governmental investigations, that there is a cessation of document destruction so that we do not run
into the spoliation problems that I have already described.
Transcript 2048
29
Transcript
Figure 29 Beyond Compliance: Or the Joy of SOX
Stan Lepeak: We have gone through a lot today, and there is a lot involved with SOX compliance, with first
gaining compliance and maintaining it. But the point is to also keep in mind the bigger picture of going beyond
compliance, or achieving, as we like to say, the joy of SOX. You look at how you leverage these investments
that you have made, so when you have greater process visibility, operational efficiency, visibility into services,
better capabilities around sourcing, and a sense-and-respond organization, how do you take advantage of
that to improve your competitiveness relative to your peers? These SOX investments are not just the cost of
doing business they help to take your business to the next level.
Transcript 2048
30
Transcript
Figure 30 Transformation Steps
John Van Decker: There are a couple of approaches that can be taken here. One would be tactically looking
at getting some of your applications up to speed to meet SOX compliance. But the other is to look at your
applications as a whole and across your whole set of business applications that are part of the financial
management process. Consider not only complying, but also moving to some best practice and some process
improvement. It is important that folks understand Sarbanes-Oxley, the impact to the business, and to start to
define and implement some more comprehensive Sarbanes-Oxley IT blueprints. Again, it is not just about
internal control documentation solutions. It is about visibility, transparency, financial controls, content
management, etc.
I think it is important that firms know how to effectively engage IT as well as IT service providers and
compliance efforts, and to start thinking about where they are on the maturity curve. They should look at
where they need to be, with the initial assessment around financial controls. Longer term, how can they
leverage this to become a more effective, efficient enterprise? I think it is also important that they understand
and digest a lot of the legal requirements and demands around records management that were discussed
today.
Transcript 2048
31
Appendix B
Transcript 2069
13 January 2004
Sarbanes-Oxley: How Can I Ensure True Success?

Professional Services Strategies;
PricewaterhouseCoopers Sarbanes-Oxley Task Force
Bill Buchler, Stan Lepeak META Group
Randy OHare PricewaterhouseCoopers
Bill Buchler: I would like to welcome you to todays META Group How-To Webcast, titled Sarbanes-Oxley,
How Can I Ensure True Success? As the deadlines for meeting various elements of Sarbanes-Oxley, or
SOX, compliance draw closer, it is no surprise that organizations are at different levels of maturity, comfort,
and progress. To gain true success, organizations must leverage compliance investment benefits (for
example, process visibility, transparency, and controls) into greater gains, including improved
competitiveness. To help organizations balance tactical and strategic components, todays Webcast will
review SOX best-practices compliance processes and supporting IT applications and infrastructure.
Stan Lepeak, vice president of our Professional Services Strategies service, has followed a business and
information technology (IT) services and IT market space for more than 15 years. He is a noted commentator
and frequent speaker on professional services, services procurement and management best practices,
business transformation and organizational change, risk management, and compliance.
Randy OHare, partner and chair of PricewaterhouseCoopers (PwC) Sarbanes-Oxley Task Force, leads
PwCs preparation to support clients compliance with Sections 302 and 404 of the Sarbanes-Oxley Act of
2002. In this role, he brings together PwCs resources focused on policy, methodology, and tool development;
risk management; and work force planning, training, recruiting, and communication. Randy is also PwCs
global leader of advisory services to the technology, infocomm, and entertainment media industries.
Stan Lepeak: Let us set the stage for todays presentation and talk about the current business scenario and
the current environment that we are facing. Obviously, there are various deadlines looming for SarbanesOxley compliance; that is certainly something we are all aware of. But even organizations that are not
specifically required under SOX to adhere to some of its dictates are facing challenges as the SOX umbrella
or SOX-like umbrella stretches across more and more organizations. As we look at what is continuing to
happen in terms of corporate events and with our friends in Europe, it is very likely that there will be similar
SOX-like mandates extended across other economic environments and geographies going forward.
The point is that we are operating in a much more highly regulated environment today than we ever have
before. The challenge for organizations is determining both how to achieve specific compliance to things like
Sarbanes-Oxley as well as looking at how an organization can leverage investments made into something like
Sarbanes-Oxley compliance into greater benefit and gain competitiveness. That is going to be at the heart of
what we talk about today: not only how to achieve compliance, but also how to leverage SOX compliance for
greater gain.
Transcript
When you look at SOX initially, some called this a full-employment act for IT. It was viewed as the next big
boom in terms of spending by organizations. And while organizations are investing a lot in gaining SOX
compliance, it has not turned out to be the type of investment that necessarily has spurred the IT products
market. We will talk more about that going forward. But we see that organizations now are increasingly
shifting the focus as to how can they leverage SOX, versus viewing it just as an event that is going to cause
them to buy more IT stuff.
Additionally it is important to remember that SOX is not the only compliance mandate on most organizations
agendas. There are a variety of other mandates like HIPAA, Gramm-Leach-Bliley Act, and the USA PATRIOT
Act. We want to talk today about how you can coordinate and leverage these multiple efforts into concerted
compliance efforts. We will talk about the SOX information technology blueprint that we are developing at
META Group, again, looking at how you can ultimately achieve the joy of SOX and how you can leverage
these investments into something more.
Again, SOX and related compliance mandates are permanent elements in todays business environment.
They are not going away. The challenge is learning to live with them learning to love them, to the extent
possible. In the box on the right, you will see some of the specific bullets that we will be covering in the
balance of this presentation.
Transcript 2069
Transcript
Figure 2 The Fundamentals
Randy OHare: Let us start with Figure 2. To set the stage (and I presume everybody on this call has heard
something similar in the past, but it cannot be overstated), the Sarbanes-Oxley Act is the biggest thing to hit,
and the biggest change in, corporate America in the past 70 years, since the Securities Act was passed back
in the early 1930s. This is very big, it is new, and it carries with it all the difficulties, troubles, and tangential
issues that any major new legislation brings.
Even though all the final standards are not yet available and we will talk about that in a few minutes as to
where we are the fundamental concepts are not going to change. The fundamental big new things are that
management is required to actually sign, make an annual assertion, and sign an opinion, if you will, on their
own internal control compliance and the effectiveness of their internal controls over financial reporting. This
has never been done and never has been asked to be done in the past. This kicks in for all large companies,
which is the majority of public companies, for their first year ending after June 15, 2004.
So six months from now, or eight months, the first ones will have to be signed and filed. And all calendar-year
companies will have to by the end of this year (2004). There is a one-year delay for both foreign-based SEC
filers (called foreign private issuers) and for the smaller public companies that have float of over $75 million,
and some other technicalities for companies that just have outstanding debt and not equity. For those
companies, they get a one-year delay; 2005 is their first year and technically years that end after April 15,
2005.
The first thing is managers have to make this annual assessment and assertion and opinion on themselves.
Importantly and this is a major change the level of documentation of controls, processes, and systems
has to be greatly enhanced. I have said before there is not a company in America or the world that was
prepared for this in terms of the level of documentation that will be required. Then there is a great deal of
testing of those controls.
Transcript 2069
Transcript
External auditors now, also for the first time, have to give an opinion on the effectiveness of a companys
internal controls, and the effectiveness of managements process for management to make that assertion. It is
a dual-track (related but dual-track) opinion. Those opinions will be included in public filings and be a matter
available to the public. Another major fundamental involved in this, in order for management to make this
assertion regarding internal control, you could say it is in the eye of the beholder, and there certainly is a fair
amount of judgment involved. There is a requirement to have a framework that establishes criteria for
companies to measure against the effectiveness of those controls.
The most popular one is COSO, an acronym for something that was developed nine years ago: the
Committee of Sponsoring Organizations. This gives a definition of internal control and provides a framework
for evaluation. Something that has already been in play for a while after the Sarbanes-Oxley Act came into
being in July of 2002 was the requirement for management to include a CFO and CEO personal certification
into their quarterly filings. That has been ongoing, and that is a significantly different level of involvement. The
point is that CEOs and CFOs have to be engaged to take responsibility for the companys internal controls
in that case, something called disclosure controls and procedures that is, taking responsibility for any of the
information that is disseminated to the public through its 10-Q filings or its press releases.
The biggest change is the one yet to come, and that is the one that is called the 404 requirements, which is
what I have been talking about. It is the annual process, and 404 happens to be the section of the SarbanesOxley Act that refers to this annual process by management and the auditors.
Figure 3 Overview of COSO
Transcript 2069
Transcript
Moving on to Figure 3, this provides a visual and an overview of the COSO framework for internal control.
COSO gives the definition of internal control, and it is defined as a process. It is a process it is a series of
elements that come together as a process to provide reasonable assurance in the achievement of objectives
in three areas. Those three areas are the effectiveness and efficiency of operations (the business operations
of the company), the reliability over financial reporting, and compliance with laws and regulations.
COSO indicates that there are five components of internal control that need to be in place and working
together to achieve those objectives. Internal control has those three areas that I just described. Those five
components are shown on the face of the cube on this figure, and it starts from the bottom up. Control
environment formulates the basis; it is the whole, the environment, the tone set at the top of the organization;
it is the culture and environment of the company. It includes things such as business conduct, ethics all
kinds of things that set the tone for the environment of whether the company is control-conscious or not.
The second component is risk assessment. To have a well-controlled environment, one of the first things you
have to do is make an assessment of your risks and identify where throughout the business, the risk is from
an operations standpoint, from a financial reporting standpoint, and from a compliance standpoint. What are
the areas of risk?
Control activities are the third component, and those are what most of us think of as controls. They are the
specific controls, policies, procedures, and checks and balances that are put in place to either prevent
problems or detect them.
Fourth are information and communication, which is the two-way exchange of information and guidance and
training throughout the organization so that people know what they are supposed to do and can carry out their
activities in a controlled fashion.
Monitoring is the fifth component, which is the system and includes perhaps the internal audit departments. It
is the system of monitoring the procedures and controls that are in place to ensure that they are in fact being
executed as planned.
It is important to note that COSO is a broad definition of internal control. As you can see, these three areas
operations, financial reporting, and compliance cover all aspects of a companys operations. What we are
talking about for the 404 requirement to assess the effectiveness of internal controls is focusing on the
internal controls in that middle segment of reliability of financial reporting. It is control over operating
effectiveness, and compliance with regulations that do not have an impact on the financial statement are not
included in Section 404 requirements.
Transcript 2069
Transcript
Figure 4 The 404 Attestation: The PCAOBs Proposed Standard
Moving on to Figure 4, this outlines some of the topics that are covered by the PCAOB draft standard. For
those that do not know, PCAOB stands for Public Company Accounting Oversight Board, a new government
body, monitored and controlled by the SEC. It was established by law under the Sarbanes-Oxley Act, and its
role is to oversee the auditing standards and the auditing process. The PCAOB works hand in hand with the
Securities and Exchange Commission on Sarbanes-Oxley Section 404 in establishing the rules,
requirements, and standards that both management and external auditors must follow to comply with this
process.
The PCAOB, affectionately called the peek-a-boo, was organized and established last April. Its first task was
to put out standards related to this 404 exercise. The SEC had decided that companies would have to report
under the 404 requirements on both management and external auditor opinion of their systems of internal
control, starting with year-end September 30, 2003, which already passed. Last summer, the SEC delayed
that to the current requirements I described earlier, generally starting in 2004. One of the reasons it delayed
that start date was because the PCAOB took several months to become operational, and the standards that
the PCAOB put out for the rules and guidance were not available, so it would be hard to execute and report
on something with no standards.
We are still fighting a battle with the clock because the PCAOB submitted its proposed, or draft standards, in
October, and the rules or requirements of due process required a 45-day comment period. Anybody who
wanted to individual companies, accounting firms, other trade organizations, etc. had through November
21 to submit comments on the draft standards. That period has now closed, and there were over 180 letters
submitted. The PCAOB is now in the process of digesting those comments and deliberating as to any
changes to be made to the draft standards before providing a final standard. And, unfortunately, there is no
drop-dead date for when it must have the final standards out; it is thought or hoped to be sometime this
month.
Transcript 2069
Transcript
Once the PCAOB has put out its final standards, the SEC must review and approve them, then post them on
the Federal Register for 30 days before they technically take place. I think the reality is that, when the PCAOB
comes out with its final standards, which we hope will be this month, that will give everyone a clear indication
as to what the final rules are. The draft standard is upwards of 135 pages, is fairly comprehensive with a good
deal of material and insight, and certainly provides much of the information that is needed for companies and
their auditors to charge ahead on this process.
Some highlights of topics covered by this draft standard are that it introduces the concept of an integrated
audit. It combines the historical financial statement audit that auditors have issued for years with this separate
but related and integrated new requirement that an opinion be issued purely on the effectiveness of the
internal control systems and processes within the company. It does recognize that internal controls are not
one-size-fits-all, so it does not tie the hands or give rigid requirements and examples of what everyone must
have. It does not have a standard template, which is both the good news and the bad news. It allows
judgment to be brought into the process within guidelines. Sometimes the lack of specific, tangible structure
requirements can cause uncertainty, but that is an ongoing debate. However, it does provide some flexibility.
It also outlines some of both managements responsibilities and the auditors responsibility. Technically the
PCAOBs jurisdiction is only over the auditing profession; that is its role. But since it works very closely with
the SEC, and the SEC technically makes the rules for companies to comply with, there is some bleeding and
blending and overlapping between the two. If you go through this PCAOB draft standard, it contains quite a bit
of guidance as to what managements responsibilities are.
It also establishes criteria for evaluating deficiencies and provides some definitions, including what is a
significant deficiency and what is a material weakness that companies and auditors must address. It deals
with auditor involvement in the quarterly process, earlier referred to as the 302 process that companies must
comply with on a quarterly basis. Auditors do not have much involvement, they just must know that there is
nothing inconsistent with managements approach on a quarterly basis from the annual. It also indicates a few
reminders of independence for example, companies cannot delegate or outsource their responsibility to
their external auditor. Companies must have formed their own point of view and carry out their own
procedures.
Transcript 2069
Transcript
Figure 5 The Path to Compliance Is Still Not Clear
Turning to Figure 5, I would say in the interim between the draft standards and the SEC having already done
its rule-making in this area last summer, there is a very large body of requirements available, both for
management and auditors. But in this interim between the finalization of the standards, acceptance of this
new world that corporate America is now living in clearly has occurred or is occurring. But the path to
compliance is still somewhat unclear in several areas.
As companies get into this requirement, there is a quickly growing realization that this effort is significant. It is
not something you can decide to do in March, gather up some resources, and then get this done in the
March/April time frame. A much longer timeline is required, along with a significant and comprehensive effort.
The pervasiveness of this act is also sinking in. All the processes in the company within certain parameters
must be documented. That is a major task in itself. Then, if those processes are identified, those controls will
achieve certain financial statement assertions that are designated in the standards and achieve the objectives
of internal control.
There is also a deepening understanding of the risk posed by technology in all this, particularly from the nonIT people in companies and in the world. There is not a company around that does not have a heavy reliance
on technology for processing its financial information, as well as the related security and controls embedded
in what used to be the data processing department, but now distributed throughout and embedded in all the
applications. The realization of the complexity is also sinking in.
Transcript 2069
Transcript
Figure 6 Moving Forward Means Addressing Areas That Are Problematic for Some
Turning to Figure 6, as I said before, this is all new. It provides many new issues and decisions to be made,
compounded by the fact that this is the first time anyone has gone through it. There are no benchmarks or
comparisons to compare against. A lot of the issues that must be dealt with are new and perhaps problematic
for some individuals. One area is documenting and evaluating the design of controls. The who, what, how,
when, and where questions are decisions that must be made. There is certainly guidance in the standards,
but as I said previously, there is also a fair amount of judgment and some flexibility as long as you arrive at
the same finish line.
There is not any flexibility from the standpoint of making it what I would call superficial it is clear in the
standards that a substantial amount of documentation throughout the process, from the initial documentation
of the processes through documentation of the entire process that management used to make their
assessment of the effectiveness of the controls. Documentation of all the testing, conclusions, and judgments
that were made all must be provided.
Mapping controls to financial statement assertions will be a massive exercise. It is something that typically
has not been done formally and documented. In a lot of these areas, there are a great deal of intuitive,
historical approaches where companies can tell you about their processes and controls but they cannot show
them. The SEC and the PCAOB are now requiring substantiation of these processes and controls.
There are issues regarding the impact of service providers, where there are outsourced processes, lots of
issues and questions regarding those controls. How much is enough? How do you gain comfort from them?
What is the vehicle? Anti-fraud programs are put into the pie with all the corporate problems and reporting
problems that have been out there. There is heightened awareness for anti-fraud programs which are now
baked into the Sarbanes-Oxley requirements.
Transcript 2069
Transcript
Figure 7 Moving Forward: Addressing Areas That Are Problematic for Some
Turning to Figure 7, reporting the relative impacts to the audit committee and to outsiders is a new issue. A lot
of these areas (making judgments on weaknesses and quarterly certifications) require legal advice and input
legal judgments. And creating the whole internal control reporting process with all the documentation,
dashboards, compliance; these are all new issues and all problematic new requirements and judgments to be
made.
Transcript 2069
10
Transcript
Figure 8 PwCs Recommended 404 Audit Readiness Approach
Let us look at Figure 8, which answers, from a high level, how are we going to ensure this readiness? How
are we going to ensure that we are ready, that we are going to make this deadline in the quality fashion? It
requires a phased approach, it requires a timeline, and it requires a comprehensive and diligent projectmanagement or project-support office aspect of this endeavor. It is a multitask, multitentacled process and
chore, and without sufficient project management and setting of timelines and following up, it can be a
disaster.
So one approach that we put out is a bit high level and simplistic, but it covers all the requirements.
Obviously, it is going to start out with the project and initiate it, and as I said earlier, assess the risks. Then a
major task is documenting the control and all the processes that feed into the financial statements and,
importantly, evaluating the effectiveness of that design. Do we have the controls designed to be in place that
we need to give us the comfort that our internal control system is effective?
And where we do not, you get into the third step, and you fix those. So you first evaluate the design, you fix
the gaps and the holes, and then you go back and re-evaluate and make sure you are at least designed
effectively. Then you have to launch into the testing phase, and you have to test to make sure that what you
are thinking is in place for controls actually are operating, and that the operating effectiveness is there. And
when you do tests and you find problems, then you go fix those. And you do not just fix that problem; you
identify the underlying cause, you fix the underlying cause, and then you move on.
And then at the end of that process is when you prepare your report. And shown on this figure is the
attestation and the report that is really for the auditor. That is the last physical step, but as the arrow
indicates at the top, that is involvement from the auditor throughout the process. What you do not want to do
is have management do its process in a vacuum, then have the auditor look at it and say it is not sufficient.
The suggestion is that the auditor is involved throughout, at a minimum as an oversight and a sounding board
to work with management to develop an effective process for going through this evaluation.
Transcript 2069
11
Transcript
Figure 9 Audit Action Plan Timeline
Moving to Figure 9, this is a sample timeline that takes these steps and puts them in perspective. You can
look at this and assess where you think your company is, and there are many different ways to carve this out.
The previous figure had five or six phases, but there are many other ways and obviously a great deal of detail
below that. But usually this is an indication of where companies ought to be at this point in time if you were to
draw a line down as of January 13. And if you are a June 30 year-end, which obviously has a quicker
reporting requirement than a December 31 year-end, or somewhere between then and December, you have
to be on an accelerated timeline. If you are December 31, you can assess, based on this timeline, where you
are and whether you think you are on target or behind in getting this very significant and first-year effort
behind you and done in a quality fashion.
Transcript 2069
12
Transcript
Figure 10 META Group End-User SOX Survey 10/03
Stan Lepeak: Turning to Figure 10, what we would like to do in the next couple of figures is share with you
some findings from recent META Group surveys. Along the same lines as the timelines we just looked at, the
goal is to let you know where you sit relative to your peers in terms of progressing toward SOX compliance,
as well as interpreting what the ultimate benefits are that you will achieve from gaining that compliance.
Figure 10 talks about some end-user polling. And I will go through these next couple of figures pretty quickly;
you can obviously read the numbers, and we do have Deltas written on this. One interesting note on Figure
10 is that 42% of companies that are not covered specifically under SOX mandates are still looking at
evaluating internal controls. So that highlights that the SOX umbrella is broader than just the classes of
companies based on market capitalization that are called out as having to respond to SOX. A large number of
additional companies are responding either because they are being forced to (for example, for bank
covenants or by suppliers) or because they recognize it is a good framework for managing internal controls. I
think over time we will see that number grow.
For those that are targeted by SOX, 35% are relying heavily on external auditors, but 41% are going it on their
own, from the standpoint of still using an auditor to assess actual SOX compliance but in terms of determining
how to get there, pursuing that in and of themselves. And most feel they are on track, some are struggling,
and many are still in the process of defining the blueprint. Probably most important of these findings was that
49% of organizations see SOX as a cost of doing business, but a number very close to that, 39%, feel that it
will improve competitiveness.
That really gets at leveraging SOX for more than just achieving baseline compliance. Other numbers that
came out of this were that only 5% of organizations felt that SOX compliance would make them less
competitive, and only 7% felt it was an unnecessary burden. So while there has been a lot of talk in the press
and among pundits that SOX is the sand in the wheels of the economic recovery, we do not see that reflected
in the organizations that are pursuing SOX compliance.
Transcript 2069
13
Transcript
So the point is to understand your organizations relative maturity to its peers, and what we have illustrated on
the side of the figure is a new SOX maturity model that META Group has developed. We will talk more about
that in the upcoming figures.
Figure 11 META Group Vendor SOX Survey 11/03
Moving on to Figure 11, this is some polling we did of the sell side, of the vendor and service providers that
are selling goods and services into the SOX market. Here the story is a little bit different. The vast majority of
these vendors polled (and vendors would be product vendors [software and hardware] as well as service
providers) thought SOX would improve their sales year over year. But most had, to date, not yet seen that,
and this was as of just two months ago. Many challenges are being faced by these firms attempting to sell
SOX products, more so than services. It has really been more of a struggle for the product and software
vendors than for service providers, particularly audit firms.
But there are a lot of challenges in terms of mapping offerings, gaining adequate visibility, and defining value
propositions. We have highlighted some of those key challenges in the box on the right. The key is that if you
are someone selling SOX products, particularly software, you need to make sure that what you are selling is
targeted at what clients need. It cannot be a rewarmed offering in a SOX wrapper. It needs to be something
that out of the gate will help clients achieve SOX compliance. We will talk about what products might do that.
But from the perspective of the end-user organization, this highlights that the majority of firms today have
most or all the IT stuff they need for SOX compliance. It is more about how you utilize that stuff to do some of
the things that Randy detailed in the previous figure.
So we are reiterating that we do not feel that a significant investment is required in IT software or hardware
today. Over time, that might be the case, but today it is really a function of applying the best practices along
the lines of what Randy was just describing to achieve minimal SOX compliance, then looking to leverage that
over time.
Transcript 2069
14
Transcript
Figure 12 What Are the Top Preferences for SOX Solutions?
Moving on to Figure 12, we will talk about what are some of the top preferences. This came out of some
polling we did earlier in the year, in terms of what organizations are looking at for solving the SOX challenge.
And what is very obvious is there is no one single solution. It ranges from a very, very low number of firms
that were going to use this as the lever and the requirement to swap out a legacy ERP system, up to firms
that were looking at implementing some dashboard technology to help with visibility and reporting and
process controls.
The key point is there are a variety of elements in the SOX IT blueprint, and we will detail those more in the
upcoming figures. But again, most organizations feel they have most of the tools they need, at least for
minimal compliance, and when they looking at building out an IT blueprint, multiple IT elements will fit into that
blueprint.
Transcript 2069
15
Transcript
Figure 13 SOX Investment Timeline
Moving to Figure 13, we will lay out what we see as the SOX investment timeline. What we have illustrated
across the top are some key points in terms of the SOX evolution from the deadline being pushed a little
under a year ago, to the scoping that occurred throughout the balance of last year, to where organizations
now are investing in some of the tactical tools they will need for compliance, primarily 404 tools that can help
with process mapping, reporting, and creating an environment where that reporting can be evidenced back to
the auditor.
We see that the second half of this year is going to be a time when organizations take a breather. Obviously,
if your first deadline is not until the end of the year, your breather will be the first half of 2005. But the point is
that after the initial compliance deadlines are met, organizations are going to start to regroup and look at what
are the longer-term investment requirements? What do we need to invest in to do SOX better or easier the
next time around? What do we need to look at in terms of leveraging some of the investments we have made
in process, visibility, or transparency into our processes? How do we begin to leverage that?
The other piece of that is it is going to take some time when you start to look, for example, at ERP or financial
management system solutions. It takes time for those vendors to truly embed SOX-relevant capabilities into
those products. These are massive applications, and enhancing them to, for example, do a better job at
workflow, reporting, consolidation, and the like is a long-term effort, both to build in those capabilities, and
then obviously those capabilities need to be rolled out in a normal upgrade cycle that is palatable to the client.
We certainly see that it is going to be minimally into 2005, if not a little later, before clients start to upgrade to
new generations of their core enterprise systems. And that could also be CRM or supply chain systems to the
extent that those applications also need to embed SOX capabilities. We are looking at well over a year before
most organizations start to make those changes.
True process transformation (reviewing, re-enhancing, and rebuilding processes in the systems from the
ground up to support and leverage SOX) is a couple of years out. The arrows on the bottom indicate the
Transcript 2069
16
Transcript
relative size of some of the investments that organizations are making, so business and audit services are
something firms have been investing in, looking for outside help, advice, and counsel, and that will continue to
be the case. IT services will start to pick up a little bit later as firms start to invest in new enterprise systems,
either for transaction processing or for content management and document management and collaboration,
another key area.
With the ERP/FMS kick really not starting to happen until later this year, this is laying out, again, not in
scientific terms or specific market size numbers, the general timeline for the investments. So from the
standpoint of a vendor, address accordingly, but from a user standpoint, again recognize that for the most
part, you probably already have a lot of what you need in terms of software. The question is what you need to
change strategically and long term as SOX becomes part of the fabric of not only your business processes,
but also your underlying IT systems.
Figure 14 SOX Dimensions
Figure 14 calls up how do you look at SOX holistically from the business, and in particular, from the
information technology standpoint? A variety of elements need to be introduced into your core IT systems to
support SOX visibility and transparency not only into your internal systems, but also into those systems
that touch your customers and your business partners. That is where it becomes apparent that SOX is not just
about financial management systems, it is also about customer relationship management, supply chain
sourcing and procurement, and all those other systems that extend outside your organization to touch
customers and partners, and through those touch points create financial transactions and other elements that
fall under SOX control.
Financial controls and record retention are a big piece, particularly when you start to look at Section 802: the
ability to communicate changes both internally as well as to other constituents, such as board members,
auditors, shareholders, and external regulators. It is imperative to build systems that can support your overall
risk-management compliance and governance framework, with the key piece being fraud prevention.
Transcript 2069
17
Transcript
When you look at all the elements that need to be introduced, obviously there are multiple pieces. There is
your enterprise software, there is your business risk management and audit services providers, and there are
your IT services providers. What that creates is a holistic SOX information technology blueprint. As
organizations look strategically, moving beyond short-term compliance, this needs to be the road map for
building up those IT capabilities.
Figure 15 SOX IT Blueprint
Moving on to Figure 15, we are looking at what META Group has defined as a SOX IT blueprint. We are
looking at the blueprint from the standpoint of the software that will be required to ultimately support SOX.
There is a lot more detail that we have written on this, and, in particular, John Van Decker has written several
Deltas that dig into the next level of detail of this.
What this calls out are four classes of products where we feel will be the relative percentages, the criticality,
or the amount of SOX compliance that will be reflected in these products capabilities. If you look at your 404
risk assessment tools as well as 302 and 906, they are going to comprise about 10% of the effort. The vast
majority of the effort, in terms of supporting SOX compliance, will come from transactional solutions, ERP,
financial management systems (either off-the-shelf or homegrown). And what is required is that they enable
better configuration, workflow, and a lot of instant consolidation as well over time.
Enterprise content management is playing a key role, especially with Section 802. The other dominant
software component will be your business intelligence, business performance management, and portal
products that support efforts to cross multiple sections of SOX.
Obviously, this does not get deeply into infrastructure, and there are infrastructure investments that will be
required to do this. And this does not touch at all on security. We want to highlight, particularly with security,
that we are not at all de-emphasizing that piece, or de-emphasizing the technology that will support security
Transcript 2069
18
Transcript
and security best practices relative to SOX. Rather, that is a whole story in and of itself, and rather than not
address it adequately, we are putting that as a placeholder.
The key is that your organization needs to have a version of a SOX IT blueprint in place today, and you need
to use that to start building out your specific SOX road map from the IT perspective.
Figure 16 SOX Maturity Levels 1Q04
Figure 16 starts to detail the SOX maturity model that we have been developing at META Group. Again, there
is much more we can discuss offline, and we have written more on this as well. But this is going to be one of
our key offerings this year to help our end-user clients achieve and evidence their SOX efforts. What we have
developed is a six-stage maturity model starting from exploration through ongoing optimization and support of
SOX efforts. That is across SOX as a whole as well as calling out four key section areas: 404, 409, 302/906,
and 208.
What we have highlighted is where we estimate the market is at today, with the bulk of the organization in
project execution, and that is where we hope everyone is very shortly. Even if you are not required to do this
until the end of the year, there is a lot of work to be done. And some organizations are starting to wrap things
up and finalize that, with the key element being Level 5, the ongoing optimization and support. We encourage
anyone interested to contact us offline to walk through more of the elements that are in these different stages,
the key inflection points to move from one stage to the next, and to determine how we can assist your
organization in assessing where you are today and what steps you must undertake to move to the next level.
Transcript 2069
19
Transcript
Figure 17 SOX Implications on Outsourcing
Turning to Figure 17, one area that we see has been overlooked relative to SOX compliance is how to
address SOX compliance when you have outsourced covered business processes. That could be not only
business processes, but also the underlying IT systems and applications that support those processes. As
you are aware, virtually all organizations currently have outsourced some part of their IT operations and one
or more business functions in some cases, maybe entire business processes. We are also well aware that
there are many very large IT and business services firms out there that are strongly pushing their business
process, business transformation, and functional business outsourcing services on clients.
The key element though is that when you look at SOX, SOX does not differentiate between processes that a
client insources versus those it outsources. This means that any user organization needs to attest to
outsourced process compliance in the same way as it would if that process were not outsourced. That
introduces a degree of complexity in that: a) processes that are not in-house are being managed by a third
party; and b) the client typically does not have the visibility into those processes as it would if they were held
internally. For that matter, in many cases, the outsourcer does not, either.
This was an issue before SOX came to the fore. We were increasingly hearing dissatisfaction from clients as
to the level of visibility into outsourced processes, and SOX has just highlighted that concern. It has created
an issue where users are challenged in getting the degree of assuredness relative to SOX compliance for
these outsourced processes that they can attest to. Historically, you had SAS-70, or Statement of Accounting
Standards 70, audits that were utilized to look at controls in place around outsourced processes. The problem
is that those SAS-70 audits were not designed with SOX in mind; they existed long before SOX.
And the other big problem, also evidenced by some of the things Randy spoke of earlier, is that there has
been no regulator clarification as to what is required to prove outsourced process compliance. The PCAOB is
as we speak looking into this. It is getting feedback from a variety of interested constituencies, but it is not
Transcript 2069
20
Transcript
likely that it will issue a finding until later this year, which will be too late for many organizations. We do not
expect the deadline for SOX compliance to be pushed as it was earlier due to lack of clarification.
A key issue for any organization that has any outsourced processes that are touched by SOX is getting
consensus among its auditor, its board, its executives, and those tasked with meeting SOX compliance about
what is enough relative to SOX compliance. Going forward, keep a close eye on what pronouncements come
out from groups like PCAOB, because they could potentially significantly change the reporting requirement,
management, and the overhead associated with process outsourcing.
Figure 18 When Critical Controls Are Part of Outsourced Processes
Randy OHare: With Figure 18, I would like to reinforce the point that Stan made. Sarbanes-Oxley does not
distinguish between an internally controlled process and outsourced process, to the extent that it affects
information that is in the financial statements, which is most of those processes. So management does have
that responsibility to address the controls over outsourced processes, just like internal processes.
As Stan indicated, typically not for this purpose, but typically when there have been situations or a need to get
some comfort on the adequacy of the controls that are involved in the processing that is done in these
outsourced processes, there has been a mechanism called the SAS-70 exam. And there are certain
requirements to get those done, and there have been basically two types. There was one that just focused on
the design of the controls, and then a second type which was both the design and also covered tests of the
operating effectiveness. This aspect fits right in with what I had described earlier for the definition of internal
control and the requirement in Sarbanes-Oxley to focus both on the effectiveness of the design of the controls
and their operating effectiveness.
For starters, one would say a Type 1 SAS-70 exam does not do any good for Sarbanes-Oxley. A Type 2
could potentially, and probably will, be beneficial (in many cases, satisfactory and sufficient) to cover the
controls of those outsourced processes. But it does raise several issues, and one of the issues is timing. Even
Transcript 2069
21
Transcript
before that, I should preface it by saying the request for the SAS-70 exams in the past and reports has been
on a case-by-case basis, depending on what the users needs were. The need for this type of review and
report is going to be significantly increased, because now virtually all processes that are outsourced that
could potentially have any significant impact on a users financial statement have to be covered in one way,
shape, or form. And the SAS-70 approach is certainly thought to be the most efficient at this point.
So the volume of these is going to increase, and there are issues related to the timing of when the SAS-70
report is issued versus when it is needed, and what period is covered by the various users. Typically, there
would be one SAS-70 report for a myriad of users, and each of those users might have different needs. So
there probably is going to be some modification required to the approach used for these SAS-70 exams. A
company with outsourced processes (which is most companies) should be talking to its service provider as to
how it is going to get the requisite coverage and comfort over the controls in those processes.
Figure 19 Preparing for Recurring Annual Evaluation
Moving to Figure 19, now we are going to move on to the question of, after this first year of compliance with
Sarbanes-Oxley, what do we do and what do companies want to do but are only thinking about in terms of
achieving additional benefits that they could bake into their normal operations? For most companies, the first
time through is going to be a struggle just to get to the finish line and to achieve compliance with the
requirements. Some time after this first year, companies are going to be thinking about issues like how do we
optimize the level of our internal control and our processes? How do we take it to the next level? How do we
build in effectiveness and efficiencies?
One of the benefits of this requirement of having to look at all processes and the controls that are in place that
can be realized in Year 1 is that as you are going through the processes and looking at all the controls, many
companies are going to find that in many areas they are overcontrolled. They have a whole bunch of
redundant controls to achieve the same thing, and they probably do not need all that. So there are some
Transcript 2069
22
Transcript
near-term efficiencies that can be built in, but companies are also going to be looking to how they can build in
some longer-term, permanent efficiencies and benefits.
And what kind of mechanism, systems (IT-enabled, automated systems) can we have that will allow us to
factor in changes on an ongoing basis? Everything is changing all the time, and every time there is a change
in the business, there is a change in the process or systems, and that needs to be factored in, updated, and
incorporated into this ongoing, real-time, dashboard-based type of approach, to optimizing internal control. A
lot of companies are feeling that Sarbanes-Oxley this year is the baseline. As Stan said earlier, it is here to
stay. So the best companies are going to be addressing their 404 compliance in the context of how to achieve
an enterprisewide kind of governance, risk and control process, and the systems that go along with it.
Figure 20 Optimization and Ongoing Support
Stan Lepeak: Moving to Figure 20, and just to echo some of the comments that Randy just made about what
do we do next once we get beyond these initial compliance deadlines, certainly it is considering how SOX
touches virtually all aspects of the business and all aspects of the underlying IT systems. Any system that
touches financial transactions or can impact that will ultimately be affected. That is to the point of
enterprisewide not only governance strategy, but IT strategy relative to Sarbanes-Oxley compliance.
The greater visibility that organizations will have into services, the greater visibility into outsourced processes.
How can an organization leverage these changes to become more competitive? You are going to gain these
benefits as part of going through SOX, but organizations that are most insightful and most aggressive will be
thinking already about how to leverage them to create what we at META Group call the sense-and-respond
set of capabilities, and a sense-and-respond organization.
Transcript 2069
23
Transcript
As part of all that, you must coordinate and integrate SOX efforts and supporting systems with all the other
compliance mandated efforts you are pursuing. Again, it is another reason to look at better alignment across
the organization between the different constituencies as well as between those tasked with business process
and those tasked with supporting IT systems and applications.
Figure 21 Bottom Line
Just to reiterate: Understand the requirements, understand the basics, and understand the baseline and some
of the basic principles around compliance that Randy detailed. Understand the expectations and the position
of executive management of all the relative constituents, including the external auditor. Understand their
perspectives and their needs relative to SOX compliance.
Understand where you are. Obviously there are some specific deadlines, there are certain things that the
auditor will define as compliant or not, but it is very important that you as the user understand where you are,
and work with your external auditors to the extent that is appropriate. Understand what progress is being
made and where you are within this effort, because you cannot understand what more needs to be done
unless you understand where you are today. IT and the IT group is critical not only to SOX, but to all
organizationwide compliance efforts.
Ultimately, develop a mindset and a strategy, and then the tactics to look at leveraging SOX for greater gain.
Achieve and evidence the basic requirements and goals of SOX, but really look at and think about how this
does in fact make you a more nimble, capable, and competitive organization. So organizations must prioritize
gaining SOX compliance; leading organizations will support the benefits that it brings.
Transcript 2069
24
Appendix C
Transcript 2052
6 November 2003
How Do I Capitalize on Compliance?

SOX Selling Opportunities
Enterprise Analytics Strategies, Enterprise Application Strategies,
Outsourcing & Service Provider Strategies, and Professional Services Strategies
Heather Nance, John Van Decker, Stan Lepeak
Heather Nance: Virtually all Global 2000 organizations will have to invest in third-party software and services
to achieve mandatory Sarbanes-Oxley (SOX) compliance. To help IT vendors better understand what
organizations will invest, how much they will spend, and which vendors they may be considering, todays
teleconference is going to address the various sell-side implications and opportunities around SOX
compliance. Please note that the teleconference is directed toward IT vendors. If you are not a vendor, we
would like to recommend that you consider listening to the teleconference we held last week, How Do I
Achieve and Maintain SOX Compliance?
Stan Lepeak: I would like to extend a welcome to all of our clients and friends out there in the IT product and
service provider world, as well as the business service provider world. What John and I would like to do today
is talk with you about what we see as the key requirements in our end-user client base relative to gaining and
then evidencing SOX compliance, examine some of the tactical requirements around them, and discuss some
of the strategic requirements and strategic opportunities.
Transcript
Figure 1 where we see Mr. Bernie Ebbers posing for his recently snapped mug shot highlights the
importance of SOX legislation to your clients as well as ours. The goal here is to help your clients practice
safe SOX and avoid some of the pitfalls that have come upon Bernie and others. Most recently, as of
yesterday, the indicted former CEO of HealthSouth is now facing 85 counts against him, several of which are
a result of not adhering to SOX requirements. The bottom line is that this is a very serious issue for end-user
clients, and we all want to do what we can to help them.
Depending on your perception and perspective, SOX is seen as a scourge or a necessary evil or, some
say, a full employment act for IT, which might be music to the ears of some on this call. But, in reality, we see
it as both an immense challenge for our end-user clients and also something where, through the benefits
achieved in SOX, organizations can make some significant residual improvements to their operating
processes and, hence, their competitiveness.
The key is to approach this holistically by examining the risk dimension, the IT dimension, and the business
process dimension, and helping clients develop a holistic strategy and a holistic solution blueprint toward their
SOX challenges. It should also be recognized that this is not just a short-term endeavor, like some kind of
Y2K that goes away. Rather, it is laying the groundwork for how organizations are going to have to comply
with these and other regulations for the foreseeable future.
Figure 2 SOX Is on Everyones Agenda
John Van Decker: Moving to Figure 2, one thing Stan has mentioned is that this is like a Y2K project, but it is
really a Y2K project without a January 1 and it does not go away. So what firms need are tools that can help
them provide an assessment of where they are and what their internal controls are around financial
management processes. It is on everyones agenda, meaning there are many secondary implications.
Although officially the act is for publicly traded companies that have a public float of $75 million or greater, we
are seeing that there is a huge secondary impact on private companies.
Transcript 2052
Transcript
META Group just published a research Delta discussing the various categories of private companies that
need to care about Sarbanes-Oxley. Numerous private companies are calling us and asking us how to
prepare for SOX. In fact, I had a discussion with a vendor yesterday that sells a Section 404 tool, and one of
its recent sales was to a large, private company that was considering go public. The thought here is that, to
prepare for going public or being acquired, it is very important for a firm to be able to demonstrate that it has
financial controls in place. So we will start seeing more private firms sign up for SOX services as well as SOXtype products.
In terms of types of companies, firms that perhaps are part of a larger company supply chain or sales channel
may be told that they need to comply with Sarbanes-Oxley by the larger company. Another thing that is
important is that most private companies have board members that are engaged in Sarbanes-Oxley activities
in other firms or in publicly traded firms. So, there is a huge secondary impact, and overall the bar is being
raised. We are starting to talk with financial services firms that, as a requirement for obtaining funding, are
going to require a firm to actually have good financial controls in place and be able to demonstrate it.
In general, Sarbanes-Oxley will impact financial management expectations for all companies, and I think it is
important to note that, as you are selling to companies, you also have a message for the private company.
The inquiry load is becoming fairly consistent for us from private companies around Sarbanes-Oxley.
Figure 3 But SOX Isnt Everything!
Turning to Figure 3, it is very important to remember that while SOX is a critical imperative, it is not the only
imperative on the users plate now. What is illustrated in this figure is the laundry list of other regulatory
mandates that end-user organizations are facing, and an alphabet soup of different acronyms that
organizations are working their way through. Other things come into play, such as the USA PATRIOT Act,
which certainly is a big deal for healthcare and insurance organizations; Basel II in the banking sector; and
various regulations coming out of the European Union. And then you have a whole range of different
Transcript 2052
Transcript
approaches and tools that organizations are grappling to understand as far as addressing these things, such
as COBIT and SAS 70 relative to outsourcing.
The point is, when you are considering help your clients structure an approach to succeeding at SOX is to
recognize that is not the only thing on their agenda. So the degree to which you can help them leverage SOX
investments elsewhere, all the better. But also recognize that while this is critical imperative, there will be
other things that will be distracting them from an attention as well as an investment standpoint. So we are not
implying that you all should become experts in all these areas, but you should recognize where there are
opportunities for overlap and leverage. Also recognize where these other initiatives may be competing with
the attention of those considering achieve success with SOX.
Figure 4 Critical Issues
John Van Decker: We would like to discuss the critical issues that will be covered in the remainder of the
teleconference and give you an update on Sarbanes-Oxley. META Group has been involved in a number of
surveys around Sarbanes-Oxley, spending patterns, who is sponsoring Sarbanes-Oxley projects, etc. We will
give you an update on that. We have published some information on a SOX IT blueprint, and what business
applications can be leveraged for Sarbanes-Oxley compliance. And it is not just Section 404 tools it really
reaches back into ERP and to legacy solutions as well as business intelligence.
We are going to map some of the vendors that are in these various applications areas. The only thing I regret
is that we can not discuss every vendor, and I am sure that there are several vendors on the phone that we
will not mention. Let me apologize for that at the outset. I am going to talk about SOX spending timelines and
when we see organizations start making investments. I think it is a little early for firms to revamp their whole
business intelligence infrastructure, but we are speaking with clients that are considering making some
improvements in their applications. Then we are going to end with some conclusions on how you can best
position your firm to talk with clients about Sarbanes-Oxley opportunities.
Transcript 2052
Transcript
Figure 5 On October 28, 2003, META Group Clients Said
Moving on to Figure 5, which is from a teleconference we had last week and probably one of the most highly
attended teleconferences META Group has had. We presented much of this material, the IT blueprint for
support Sarbanes-Oxley, and a great deal around the current state of Sarbanes-Oxley and the client inquiries
we are receiving. There are some key points that I would like to bring to your attention. Forty-two percent of
non-SOX-targeted companies and these are private companies said they plan to evaluate internal
controls. Again, this is not a primary focus of the act, but provides a huge secondary impact in that almost all
companies are beginning to start thinking about whether they have the appropriate internal controls in place.
For publicly traded firms that are targeted with SOX, 35% say they are relying on a compliance vendor to do a
lot of the work, provide services around business processes, and help evaluate business processes. But it
was interesting that 41% said they were planning on doing it alone. Clearly, this is not consistent with the way
we advise our clients because I think very few clients have the expertise to go this alone. But I think it is
something the folks on the phone that provide compliance focus services should be aware of and perhaps
that is a hurdle you are going to need to overcome or firms that think they can go at this alone.
This was an interesting statistic: 71% said they are on track to meet the required deadline. But what is not in
this figure is that only 8% had said they have begun to move to an IT blueprint, beyond just 404 tools. They
are also looking at how they are going to position their ERP and business intelligence applications to better
support Sarbanes-Oxley. Twenty-one percent said they are going to struggle to make those deadlines.
Fifty-nine percent are in the process of defining a technology blueprint, but they are in the very early stages.
Let me correct myself 8% said they have a technology blueprint in place that will be acceptable. Forty-nine
percent said Sarbanes-Oxley is a necessary evil, but 39% believe it will also improve the enterprise. And I
think that is a very important point to bring to your clients attention. A lot of Sarbanes-Oxley requirements are
also good business sense, and can bring the firm to more of a best-practice paradigm.
Transcript 2052
Transcript
Figure 6 July 7, 2003: META Group SOX Survey Says
Stan Lepeak: In Figure 6, we look at survey results from some work we did a little bit earlier in the year. The
questions are a bit different, but they are also telling, despite the fact that these results are a couple months
old. One of the key findings from this earlier survey is that 88% of organizations view compliance as a global
initiative. Despite the fact that this has primarily been focused on US-based companies, it is really global
initiative for companies that are based out of the US, as well as for global organizations. That echoes some of
Johns comments earlier about the fact that this is not just for large public companies based in North America.
A second key point is that the CFO is typically leading the SOX initiative. It was well above 50%, followed by
the internal audit group. The implications are that this is a different audience than many IT vendors are
typically used to selling into. People rarely sold anything into internal audit except external audit services. And
the CFOs organization involved playing a role in vendor vetting and IT investments, but typically did it only for
select types of investments or got involved more at the contractual stage.
What that implies is that the business case needs to be strong and the business case needs to be slightly
different when you are selling into these audiences. There must be a strong emphasis on the business value
of the service derived and on building real, bulletproof ROIs not dancing-number ROIs that might fool a few
IT people. I think it implies that the selling process is going to be more complex and more rigorous. By the
same token, once you can gain the trust and allegiance of some of these decision makers, particularly in the
CFOs group, you build alliances with very strong advocates within the organization.
Echoing some of the numbers from the more recent survey, in terms of turning outside for help, the bulk of
firms are going toward their external audit partners 59% in this survey, and that was echoed in some of the
recent work. What it points to is that while IT service providers will play a role in SOX compliance, it will
primarily be a longer-term role. It will focus more on product implementation or application customization, and
not climbing for an advisory role, despite the fact that at least some IT services firms do have good domain
Transcript 2052
Transcript
knowledge around SOX by virtue of the fact that they have very solid financial management systems
practices.
I think the IT services vendor needs to recognize that the typical user is not going to turn to it for advice and
counsel on SOX compliance overall, but will be considering it for more technically oriented solutions and
feedback.
Figure 7 Top Preferences for SOX Solutions
John Van Decker: I would like to take us on to the next Figure, because a number of clients are in the midst
of their Section 404 documentation, understanding risk and providing an assessment of where they are with
financial controls. I am getting a sense that most of our clients are going through that and identifying areas of
deficiency and where they can potentially improvement their business application.
This is a result of a survey that I was involved in with Business Finance magazine and PeopleSoft. It was one
of the most highly attended Webinars for Business Finance. It seems that putting out information on
Sarbanes-Oxley draws many end-user organizations because they are trying to make sense out of this, and
trying to understand how to better leverage IT. So we asked them what their three top preferences were for
Sarbanes-Oxley. I thought it was very interesting how some folks are considering consolidating ERP
instances, which would mean additional licenses and additional services to be sold in support of that.
Replace legacy ERP solutions, 2%, upgrade to the latest version of your current ERP solution for buyers. So
let us say that you are operating on an older version of Oracle going up to the current release so you can take
advantage of workflow and more of the leading technologies that would be in the new releases of ERP
solutions. I am not going to go through each of these, but it is important to note that many companies already
own a lot of the software for Sarbanes-Oxley, particularly around transactional processes. They need to
consider going back and turning on existing functionality, or functionality already in the product that perhaps
they have not enabled, such as workflow, to affect the authorization processes.
Transcript 2052
Transcript
And I want to point out that 15% are considering business performance management and business
intelligence solutions, and another 15% will be considering business intelligence solutions to help them
develop compliance-type dashboards to help identify anomalies before they become booked.
Figure 8 Convergence to Corporate Governance
Moving on to Figure 8, earlier Stan mentioned that organizations are not only challenged with SarbanesOxley, but also a number of other regulatory concerns. What we are seeing is that, over time, there will be a
migration from firms examining each of these point acts or point legislations to more of one that brings
together many areas of compliance within the organization, and under the umbrella of corporate government.
For many firms, Sarbanes-Oxley is the initial step toward examining corporate governance across the
organization.
For example, they are looking at bringing together all areas of risk and the management of risk: business risk,
regulatory compliance risk, and performance management. How is the organization going to measure itself?
How is it going to manage key enterprise goals and objectives? Initially, SOX is in the hands of the CFO, but
the CFO really should be focused on adding value in the organization and partnering with the business areas
to help them make some critical business decisions. The CFO will, of course, always care about SOX, but I
do see that this will eventually be moved to the office of risk management. Or let us say a C level in charge
of corporate governance within any enterprise.
SOX will be the first step to driving the enterprise toward corporate governance, and at this point it is
advisable to market your solutions to the CFO as well as the IT group, and help IT educate itself on how it
should partner with the CFO to help the organization achieve SOX compliance.
Stan Lepeak: Just to add one point on this Figure, Sarbanes-Oxley presents a great opportunity for the IT
group and for the CIO to become much more closely aligned with the CFO and the organization, and as a
byproduct of that, typically raise the visibility and stature of the CIO and his or her group. I know from talking
Transcript 2052
Transcript
to some of you on the line with an IT advisory practice that you have active work underway in terms of helping
the CIO as perhaps the traditional client to gain the capabilities, knowledge, and wherewithal to move closer
to the CFOs organization. We feel that is an excellent path to take and an excellent opportunity.
From the services and advisory standpoint, any assistance that can be derived and delivered to help align the
IT organization and the finance organization should make you very well received within both camps.
Figure 9 PCAOB Pumps Up SOX Compliance
Moving on to Figure 9, I want to talk a little bit about the Public Company Accounting Oversight Board
(PCAOB), which some affectionately call peek-a-boo. This is a non-profit group not a government entity
that has been tasked with setting some of the boundaries as to how big a stick some SOX regulators have.
It recently came out with a series of rulings that, if you have not read, I would suggest all of you take a look at.
It is not very exciting reading, so do not do it right before bedtime unless youre an insomniac.
But what it starts to call out, for example, is what do external auditors need to do? What can they rely on or
not rely on in terms of work that the client has done documenting controls and assessing compliance? What it
does is put some teeth into oversight groups, and teeth into the external auditors capabilities to go in and
basically poke around the client organization. They can determine to what degree the client organization has
actually performed accurate testing. To what degree can auditors rely on client testing, or do auditors need to
go and perform some of that testing on their own?
It also reiterates some issues around outsourced business processes and the fact that those processes, from
a SOX compliance standpoint, are no different from an internal process. And it highlights that the auditor
should not rely on typical client testing relative to the compliance of an outsourced process, and in many
cases should not rely on historical documentation and audit efforts such as an SAS 70 document at least
as they are often structured currently. The key with the PCAOB, as a seller of goods and services, is that you
should keep an eye on some of the boundaries this group is putting in place that is, determining to what
degree the SOX regulators have teeth, and as a result, to what degree SOX is clearly an imperative for users.
Transcript 2052
Transcript
We have always stated strongly that this is an imperative, but coming out of the summer we did see that
some started to feel that perhaps SOX did not have teeth, and perhaps some of the enforcement would lag.
The PCAOB has put those issues to rest and reiterated that this is a big deal for user organizations, and they
do face serious threats if they are non-compliant. So keep an eye on this group, because it can start to put
some strength around regulatory efforts and drive client compliant vendors.
John Van Decker: With the next few figures, we would like to talk about some of the key Sarbanes-Oxley
sections, and the business applications that align to those sections. In reality, all enterprise applications that
are involved in the financial management process support the compliance toward each of these sections.
However, what we have done, in an attempt to simplify and help steer our clients toward the appropriate
solution and what they should be thinking about for each section, is that we have segmented it. I just want to
start with the caveat that there is quite a bit of overlap.
Section 404 is where most firms are involved right now. That is, they are involved in documenting internal
controls being able to provide an assessment of how they are mitigating risk and how they are performing
to those internal controls. What is required by SOX is that there be an annual assessment, in which an
external auditor has to attest that the company is following the internal controls.
The solutions we see that can support this documentation effort are risk management tools. What
organizations are using them for is to document the financial management process. Many are going to quite a
low level of detail in support of this. Once it is documented, it needs to be understood where risks are, and a
periodic assessment of how the organization is performing to those internal controls needs to be provided.
What I am seeing is perhaps a standard, though there is no case law and no examples yet because Section
404 does not go into effect until June 15. Organizations are considering provide a quarterly assessment of
how they map and how they are performing to those internal controls. Initially, the service providers firms are
Transcript 2052
10
Transcript
looking to for help with 404 tools are compliance vendors such as Protiviti, Jefferson Wells, and auditing
organizations that have compliance consulting practices.
Many firms are going with complementary tools that are brought to the table by those vendors. But, over time,
I think this will mature into a real business application space where firms will be considering a Web-based
solution with a central database that is accessible to those that participate in the 404 assessment process on
an ongoing basis. So, initially, the compliance vendors and the auditing vendors will be the ones that are used
to bringing these solutions into the organization. However, the next phase will be systems integrators, since
many of these solutions will integrate with ERP and draw control information and assessment results out of
the ERP solution.
The functionality that these 404 tools cover is the documentation of internal controls. And they may use
business process modeling, or provide a repository for an organization to document their controls, such as in
Visio, Word documents, etc. They have a program management component in that, at any given time, you
can track where you are in the documentation process, as well as the assessment of how you are performing
to the internal controls.
In the next phase that I see, firms will be looking for more ERP integration, and I think solutions that provide
integration into ERP will be favored, including Oracle, SAP, and PeopleSoft vendors that are providing a
404 tool that is integrated into the ERP solution.
Figure 11 The SOX IT Blueprint: Section 302/906
Moving on to Figure 11, these sections cover the requirement for the CFO and the CEO to sign off on the
results, saying that yes, these are the results, they are free from fraud, etc., and that there are internal
controls in place to ensure the results are correct. What is interesting is that this requirement was in place last
year, but in many of the conversations I have had with CFOs, they kept their fingers crossed. Without a full
documentation and assessment of internal controls, it was difficult to be 100% sure that the results were
Transcript 2052
11
Transcript
correct. I am not saying that people knowingly signed off on bad results, but we did not have a 404 process in
place yet, and most firms will not have that until June.
But applications that specifically can be leveraged to improve compliance with 302 and 906 are clearly
business intelligence solutions and business performance management solutions tools that can help
consolidate ERP activity, consolidate information from perhaps a multi-ERP environment (which, by the way,
is often the rule rather than the exception), leverage data marks and data warehousing, and have extended
reporting and OLAP capability. By the way, this is not just on a monthly basis, but one should be able to take
a look at the results throughout the month and have multiple users both inside finance and business areas
look at frequent flash reporting.
I think transactional solutions and, in this case, organizations have this already need to be reworked and
perhaps reconfigured. I deal with companies that have not enabled formal purchase orders in their purchasing
solution and do not have three-way match, so there are many efforts involving better and smarter
configuration. In addition, data audit solutions such as ACL will be leveraged and can help a client understand
how data is bridged from one solution to the next, how data moves, and whether it is transformed accurately.
Moving on to Figure 12, this section requires a firm to disclose to the public, on a rapid and current basis,
material changes to the firms financial condition. What organizations will need are tools to help identify
accounting issues and errors, and they need business intelligence and business performance management
tools to provide that insight, that visibility. I think financial modeling solutions can also help. They may
leverage activity-based management and profit management solutions to help them identify if they are not
going to meet results and with a degree of certainty, and that should be communicated to the public.
Compliant dashboards, which I mentioned before, as well as internally focused portals will help route and
identify issues, and externally focused portals will communicate to investors about these changes. So, 409
Transcript 2052
12
Transcript
will require firms to effectively leverage their business intelligence and content solutions, specifically to
provide a repository of issues. Various document trails will be able to centralize content and ensure that
records are retained for the appropriate period.
Figure 13 SOX Requirements: Record Management
Stan Lepeak: In Figure 13, we are talking about SOX requirements relative to records management and
records retention. This really gets at Section 802, which mandates that organizations ensure authentic and
mutable records and their retention. So while records management plays a role relative to capturing, storing,
and managing compliance-related materials to evidence SOX compliance, there is also a whole section that
gets into records management in and of itself for the organization.
If you examine where organizations initially are being challenged over their SOX capabilities, it is in Section
404, which is where the HealthSouth CEO ran into problems. But also relative is Section 802, which gets into
inappropriate destruction of records or lack of policies to address the ongoing management of those records. I
am sure many of you have been having this discussion with META Groups record management guru Charlie
Brett, and we encourage you to continue with that.
But to get into this briefly today, the three main elements of a records management strategy are the technical
element of an enterprise repository, integrated workspaces, and process management. If you look at how or
why records management becomes different relative to SOX, it is in the process management element. This
is another case where virtually all organizations have some sort of investment in records management or
content management and document management systems and repositories, but it is really function of how
those are applied differently. How can they be employed to meet and evidence SOX compliance?
The key message here is that it is not appropriate just to go to market with a records management solution.
Rather, it is going to market with a records management solution and with some domain knowledge that
either you possess internally or have developed through a partnership to help clients understand how to apply
Transcript 2052
13
Transcript
this technology. What are the process management models and mechanisms they need to put into place? We
see this as an opportunity for a records management firm to start to pair up with various organizations
certainly the external audit firms and the risk firms that understand some of the process models. This is also
an area where SOX process alignment starts to get into legal territory.
There are certainly many legal dimensions to SOX compliance, but generally we do not see the IT folks
hanging out with the legal counsel folks that often. But I think when it comes to records management, that is
one area where legal dimensions need to be addressed. If you are a purveyor of records management
solutions, it would make sense to ensure that you have the domain knowledge around the legal requirements
for records management with SOX. Also consider targeting within the organization their legal counsel and
others who can appreciate the additional domain knowledge of records retention that you could bring to bear.
Figure 14 SOX Technology Blueprint
Figure 14 is a bit of a review, so I am not going to spend too much time on this one. It is a review of the
business applications in support of the various Sarbanes-Oxley sections. But again, I think it is important to
note that a Sarbanes-Oxley solution is not just 404 tools. It comprises your ERP processes, your content
management processes, and your business intelligence. It is how you are leveraging all these applications to
support financial controls and financial management. It is taking a look at the components of a SarbanesOxley solution.
It is about 10% of risk assessment tools, to provide an understanding of internal controls as we mentioned
before. About 60% of the effort will be associated with ERP best-of-breed tools, to provide better control over
financial processes, content management solutions to support both 409 as well as Section 802. And we see it
from an effort perspective, about 30% business intelligent performance management of portals to provide that
visibility and transparency that is required for Sarbanes-Oxley.
And I would like to refer you to a series of research Deltas that all start with The Joy of SOX. I am sure that
when Mr. Sarbanes and Mr. Oxley came up with their act, they did not think analysts would be conjugating
Transcript 2052
14
Transcript
their names into SOX, but we do and sometimes we have fun with it. There is a series of research Deltas
available to our clients which, if you would like to read through, will help you get a sense of what a total
Sarbanes-Oxley solution is. What should an IT organization be doing to better position the business
applications portfolio for this?
Figure 15 The SOX Dimensions
Moving on to Figure 15, we believe solutions used for Sarbanes-Oxley and financial management processes
need to have several critical dimensions. They must possess visibility and transparency so firms can have a
view into the activity coming out of that business application. They need to ensure financial controls. Can they
support authorization processes? Are they workflow enabled so the system can ensure that the
authorization/approval process is functioning correctly? Records retention is key so that organizations can go
back and understand the documents, the invoices, and the contracts that support the transactional financial
management activity.
Communication is key. Again, that is done through some type of a workflow process or a portal process to be
able to identify issues and bring them to the appropriate attention. Risk management is key, as is fraud
prevention, to be able to have ongoing views of data in the activities to understand anomalies. Users will need
to evaluate each of their applications to ensure that the previously mentioned dimensions are supported in the
applications that are used for financial management.
Transcript 2052
15
Transcript
Figure 16 SOX IT Blueprint: Vendor Mapping
John Van Decker: Moving on to Figure 16, we attempted to map vendors to the different parts of a SOX IT
technology blueprint. Again, this is not intended to be all-inclusive, and by merely doing something like this I
am afraid I may annoy some of the vendors on the call today if they are not listed, but that does not mean we
do not love you.
From a document records management perspective for risk assessment tools, which again is 10%, we are
seeing solutions from Documentum, Hummingbird, Optika, and Open Text. We are seeing solutions from the
business process program management vendors Fuego, Movaris, and Primavera. The Big Four are providing
tools for organizations to assess their risk. What is not mentioned here, and I do not want to fail to mention it,
are the solutions that are coming from the ERP vendors Oracle, PeopleSoft, and SAP. Oracle has brought a
tool to market; it was the first ERP vendor to do that, and PeopleSoft and SAP now have tools.
From transactional solutions, clearly the ERP vendors PeopleSoft, Oracle, SAP, Lawson, and Microsoft all
play in the financial management area, as do many best-of-breed vendors such as Concur, Ariba, Softrax,
and iMany. Again, in terms of content records management, we are seeing these vendors start to position
their solutions in support of Sarbanes-Oxley for the records management requirements IBM, Documentum,
Open Text, Hummingbird, Stellent, Mobius, and FileNet.
Transcript 2052
16
Transcript
Figure 17 SOX IT Blueprint: Vendor Mapping (cont.)
The business intelligence and business performance management vendors all have an important message
around providing visibility and transparency in financial management activity (Cognos, SAS, MicroStrategy,
Hyperion, PeopleSoft, Geac, which had acquired Comshare, SAP, SEM, Oracle, Longview, and portal
vendors that can help get the transparency and get more folks involved in the financial management process
through portals, Plumtree, PeopleSoft, SAP, Cartesis, etc.).
Ultimately, all IT applications and infrastructure must be shaken to a SOX IT blueprint, and we are seeing
many organizations start to put together their perspectives on the overall cost of SOX. I believe it is going to
create a lot of spending in business applications areas, and we will go through a timeline in a couple of
figures.
Transcript 2052
17
Transcript
Figure 18 Business/IT Services SOX Checklist
Stan Lepeak: Moving on to Figure 18, we are going to talk a little bit about the business and IT services
dimension of SOX compliance. As John indicated, we are starting to see a groundswell of pending
investments relative to products both software as well as infrastructure. And wherever there are products,
there certainly are services firms close behind, or in some cases leading the charge. But services relative to
SOX are a bit broader in that a key piece of SOX is business services particularly risk management and
assessment and external audit services.
It is somewhat ironic if you look at how we came to have the SOX requirement. In some cases, the auditors
did not do quite as good a job as they could have at places like Enron. As a result, some audit firms,
particularly Andersen, no longer exist. There were ramifications of what were perceived as inadequacies
relative to its audit work, and it is important to highlight that was certainly the exception in Andersen rather
than the norm. But the result was that the whole firm suffered.
However, audit firms currently play a critical role relative to SOX compliance. They are the firms that sign off
on whether their clients are, in fact, compliant. In addition, given some of the recent dictates from the PCAOB,
the auditors have great leeway in determining how compliant is compliant, and how good the clients efforts
are. Again, it is a bit ironic that, if you look at auditor revenues, they are booming. Deloitte recently announced
record revenues, and it is not just in SOX-related work that these auditors are performing well. It is also in the
traditional audit work that they do that has become much deeper and more intimate, which is good. So it is
okay that they are making some money on this.
But the point to product firms is that you need to work closely with and make these external audit firms, as
well as some of the risk management firms like Protiviti, your friend. You need to understand what they are
advising their clients to do or not do. You also need to work with them to gain some of the domain knowledge
and expertise that they possess relative to what constitutes compliance and what is enough. Then, when you
Transcript 2052
18
Transcript
develop your broader story around how your technologies should be applied, you are doing so in a way that
synchs up with the advice these clients are receiving from their external advisory firms.
Even if you are an IT services firm, it makes sense to consider partnering with these audit firms in that again,
IT services need to be complemented and extended by the process and domain knowledge relative to specific
SOX compliance issues. Just as we see a need and a requirement for some product firms to work with legal
experts, I think there is also a requirement to consider developing partnerships and relationships with those
performing the audit and services work. But it should be understood that there are very stringent regulations
as to what these firms can and cannot provide to their clients.
It should also be recognized that, ultimately even if you are not an audit firm other types of services
firms are going to be pulled under this regulatory umbrella. There is going to be no way that you can
implement a financial management system, modify it to meet SOX compliance, or in an outsourcing scenario,
manage a clients financial systems and not be caught under this regulatory umbrella. From that standpoint, it
is important to recognize that other services firms are going to be caught in similar though perhaps not as
stringent regulations.
Figure 19 Service Provider Landscape
Moving on to Figure 19, we will talk about some specific recent developments. As John mentioned, audit firms
are often some of the first to provide tools to their clients, particularly for 404 work. We are starting to see the
audit firms exiting the role of ISV. Most recently, KPMG announced a deal with IBM. KPMG is going to be
porting over some of its process control models to IBM, which will build them into a Lotus Notes environment.
This is basically productizing, as an ISV should, what was once KPMGs internal homegrown tool. And we
certainly expect that the other Big Four vendors Deloitte, E&Y, and PwC sooner rather than later will
announce alliances with third-party ISV firms to take over management of their product, limiting the auditors
role to being just the domain expert.
Transcript 2052
19
Transcript
This is good, but it also means that there is a transition opportunity as clients move from a homegrown auditor
tool to a third-party tool. Also, and I am sure these discussions are already in the works, there are
opportunities for those with tools to partner up with these audit firms and the risk management firms to create
a joint offering. Deloitte is making a lot of progress in this respect in terms of developing their integrated
service offerings, which are a byproduct of having not spun out Deloitte consulting. Now they have this hybrid
set of capabilities that they can bring to bear, such as bringing risk and IT-related domain expertise in terms of
helping clients with Sarbanes-Oxley. And while they will not allow us to say how much, their SOX practice, if
you can imagine that, is booming as well.
We have mentioned other key players, such as Protiviti and Jefferson Wells. Another interesting firm with
which auditors in particular should be developing some working relationships is SAS 70 Solutions. This is the
group that performs the majority of the SAS 70 audits of outsourced business processes in the marketplace
now. This is the old Andersen consulting risk management contingency that now does well above 50% of the
SAS audits. It is looking at defining the appropriate scope, and defining but also advising its clients on the
appropriate scope for the SAS 70 audit to meet SOX compliance.
Other key players here, IBM and BearingPoint, are doing a lot of good work as well. There is also a hole here
with the offshore firms that really are going to be impacted by SOX compliance, particularly as they get into
business process outsourcing. But to date, they have not had a good story as to how they are addressing this
on behalf of their clients. The key bottom line issue is that a SOX needs to be holistic. There are business
dimensions, IT dimensions, and obviously product and infrastructure dimensions. We encourage those of you
selling this to take the holistic view in terms of what your clients need.
Figure 20 Putting a Cost to SOX
In Figure 20, we get into a little bit around putting a cost to SOX. We encourage all of you to talk in more
detail with John and me about this. This is a very critical yet complex solution situation, and it really depends
on what you are selling. Is it a taxable solution or a point solution? Is it a suite? Or is it selling a long-term
Transcript 2052
20
Transcript
perspective and partnership relative to helping clients achieve SOX solutions? A couple of points to bear in
mind are that there are some short-term investments that clients need to recognize they have to make. But no
one is taking the approach that we are going to throw money around on this.
Many organizations recognize, and rightly so, that they have many of the tools already. What they need is to
apply them better. So it is a process issue, not a product issue. They do not necessarily need to buy one of
each. They have learned a lot from overinvesting in Y2K, in some cases certainly overinvesting in e-business,
and in many cases overinvesting in some of the complexities around ERP. Be aware that you need to build a
solid business case relative to the type of solution that you are providing.
Figure 21 SOX Investment Timeline
That gets us into Figure 21, where we lay out an investment timeline based on what we are seeing from our
end-user clients. We have laid out this timeline from 1H03 through the 2H05. Initially, when the SOX deadline
was pushed out, the 404 deadline for most firms was pushed from 2003 to 2004. Clients gave a sigh of relief,
put their feet up for a couple of weeks, and then got back at it. But primarily what they have been doing since
that point is scoping their technology requirements. And most of the work that has been done has either been
through investment and point solutions, or more specifically, in investing and help from their external auditors
and other services firms. So there have not been many product sales to date. Clients are doing a lot of good
documentation work, which does not necessarily require much in the way of products, and they also are
scoping out their technical needs.
We are starting to see that toward the end of 4Q03 and into 1Q04 is where there are going to be investments.
Initially, it is going to be around the content and collaboration products, Business intelligence, business
performance management portals, and then some of the point solutions that are required to meet those
tactical compliance goals. I would say that if you do not have a solution base by now that is targeted at
tactical compliance, you are too late. And I think what you need to start to look at is what is going to happen
after June 2004.
Transcript 2052
21
Transcript
We expect a lull as firms regroup, but then we will start to see the more serious investments and ERP
upgrades adding the capabilities that will be delivered through those products over the course of the year.
Again, this is a multiyear process to go through that upgrade cycle. We start to see that organizations will be
looking more at strategic compliance dimensions, which could be deploying more broadly some of the
capabilities they deliver to achieve tactical compliance. That is also where the businesses will start to kick in
for the IT service providers that will be more involved with the implementation of the broader enterprisewide
solutions.
Again, this is not an exact chart, but I think the key points to note are tactical compliance, the investment
being made there, and the investments that will be made through the next quarter. Beyond that, it is a very
strategic play that is looking at enterprise solutions and some business process domain expertise.
John Van Decker: There is one point I wanted to add, in that I think Sarbanes-Oxley and the need to have
global financial management process will breathe life into many best-of-breed vendors. Since firms may have
multiple ERP solutions, they may consider consolidating, but I do think that if you look at expense
management, for instance, there could be a good opportunity for organizations to standardize across a multiERP environment with best-of-breed tools. I think Sarbanes-Oxley will breathe life into many of these best-ofbreed vendors in providing better financial management solutions those that have visibility and
transparency, financial controls, and the other dimensions we discussed earlier.
Figure 22 Rock-Hard SOX Solutions: IT Alone Is Not Enough
We are going to start concluding this teleconference. It just so happens we are going to do it over five figures.
It is probably more observations, and it also is a summary of many of the items we discussed. Clearly, if you
provide financial management applications or you provide solutions that may originate financial transactions,
it is important to be SOX-fluent. It is important to understand what Sarbanes-Oxley is, the pain points
organizations are going through, how you can address Sarbanes-Oxley compliance, and how you map to
those dimensions that we discussed earlier.
Transcript 2052
22
Transcript
I think it is also important to note that, for many firms, there is a laundry list of things to do. Most firms will not
have the budget to do them all. Communicating value and your Sarbanes-Oxley position, as well as how
organizations can leverage those tools, is key and something you need to ensure that your sales forces can
adequately address. It is important to find a services vendor to partner with, particularly if you are a product
vendor and you are selling software. Maybe you want to have one or multiple services vendors that can also
be educated on the message and help clients bring these solutions in to add value.
Firms are going through their 404 processes, and in many cases, you will be competing with perhaps an
expense management vendor or with a contract management vendor to bring the solution in. It is important to
understand how you map to those critical dimensions. The cost of Sarbanes-Oxley may be huge, depending
on how it is leveraged. We are seeing many wish lists being developed by Global 2000 companies. They are
this not only as an opportunity to become SOX compliant, but also to become more efficient, effective
enterprises with better competitive advantage.
So, if a vendor provides a SOX-niche value proposition, it is important that you communicate it. I believe
some of it may appear as a stretch, but if you can provide value and better financial controls, then I think you
should be telling your prospects about that. I think it is important to monitor competitor communications but
focus on unique value propositions. Do not come at it just from a me too perspective, but from how you can
help the organization achieve compliance if it brings the solution in, and at the same time become a more
effective firm.
Figure 23 Beyond Compliance: The Joy of SOX
Stan Lepeak: In Figure 23, as part of being SOX-fluent, it is important that, even if you are selling a tactical
solution, you recognize that clients increasingly are becoming aware that there is more than just the
compliance dimension of SOX. SOX cannot just be viewed as the cost of doing business. Organizations must
Transcript 2052
23
Transcript
go beyond compliance to really, truly achieve the joy of SOX. This means you are leveraging the investments
that you are making for ultimate competitive differentiation and strategic gain.
This is evidenced in the survey we did last week. There are very few firms when it comes down to it, despite
what we hear in the press from the pundits and some of the legislators that SOX is bad and the course that
is throwing sand in the gears of commerce. Most user organizations recognize that, ultimately, they will be
better, more nimble firms when they come out of this. They also recognize that, ultimately, they will be able to
leverage the investment, and in some cases, leverage the excuse for the investment in greater strategic gain.
Obviously, an organization has to gain compliance short term, and that is where a tactical solution might
come in.
That compliance needs to be maintained over time, which is a function of technology as well as process.
Ultimately, that compliance needs to be leveraged. As a byproduct of SOX, organizations are going to have
greater process visibility. They are going to have the potential to have greater operational efficiencies. They
are going to have much greater visibility into their services spend and the quality of the services they are
procuring. They are going to develop greater sourcing expertise to buy and manage goods, and particularly
services. There will be significantly greater scrutinization around audit services, services from auditors, and
outsourcing services.
They are going to be developing what we have been calling here at META Group the capabilities to become
sense-and-respond organizations. Your messages need to be in sync with that. And even if you are not
playing a big part in the strategic role, if you do not have a strategic story, if you can not sit in strategically,
you are going to be viewed either as a throwaway or a tactical point solution that is really not worth the clients
investment. Again, this does not mean you need to become McKinsey-esque strategic wizards. Rather, you
need to look at the strategic dimension of SOX and where you fit in. As with many things, SOX will not go
away like Y2K did. On the contrary, SOX will get better with age.
Figure 24 Transformation Steps
Transcript 2052
24
Transcript
John Van Decker: Moving on to Figure 24, I am not going to go through each of the transformation steps in
detail since this is a review. I think it is important that you have a SOX message. Now is the time to get it on
the table and get it in the SOX IT project queue. And you should be able to communicate not just the ability to
support Sarbanes-Oxley, but also to show an ROI and how these solutions can help the firm evolve to be
more efficient. I think it is also important to recognize that SOX compliance is a way of life. It is ongoing not
just a quick fix. You may want to consider some tactical approaches but look at more of the strategic
dimensions of SOX compliance.
Figure 25 META Groups Deep Dive Into the SOX Pool
Stan Lepeak: In Figure 25, we will give you a little preview of what we will be working on here at META
Group during the coming year. As you can guess, at least with John and me and Charlie Brett and some
others, it will certainly be heavily weighted toward SOX compliance. In terms of taking the deep dive into the
SOX pool, we are certainly going to continue to provide leading research on SOX compliance and best
practices.
We are going to be focusing very intently on the end-user audience, but in particular how that audience
expands to move beyond the IT organization to incorporate legal, the CFOs organization, and the enterprise
risk management offices that are being put together, and to extend out to the supply chain and the
procurement organization. So we will be looking at defining the holistic SOX solutions that we have been
talking about here today.
A key part of that will be some very good research we will be performing in particular, a SOX multiclient
study that we know some of you have signed on board for. We still have a few slots open on that, so if anyone
is interested, give John or me a call. Also, we have the results for some earlier work John was doing on
business performance management, and we have an enterprise analytic study underway. So, other pieces of
research are going to contribute to filling out the SOX profile of what people will need to buy when, and how
Transcript 2052
25
Transcript
much they will cost. In addition, SOX is going to be one of the main track teams at METAmorphosis next year.
And in April 2004 there is going to be an entire conference dedicated to risk management and compliance, of
which SOX will obviously play a big part. John is the co-chair of that event.
John Van Decker: I have one more point I would like to mention. We are not taking a build it and they will
come attitude, or writing a research Delta and then expecting that people will start moving and mobilizing
around Sarbanes-Oxley. All of our research is being driven by our end-user organization clients demand. So
Sarbanes-Oxley will continue to be a hot inquiry area for us, and that is why we are responding with this
multifaceted approach to research.
Transcript 2052
26

MetaGroup SOX PDF

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

MetaGroup SOX PDF

Hochgeladen von

Copyright:

Verfügbare Formate

Sarbanes-Oxley and

Regulatory Compliance Issues

Sarbanes-Oxley and Regulatory

Chapter 2 Gauging SOX Compliance Maturity ...................... 15

Chapter 3 Developing Controls ................................................ 27

Chapter 4 Creating a Technology Blueprint ............................ 45

All rights reserved.

Sarbanes-Oxley and Regulatory

The Compliance Technology Blueprint ...................................................................................... 51

Chapter 6 Risk Management ..................................................... 77

Chapter 7 Architecture .............................................................. 89

Chapter 8 Records Management ............................................ 101

All rights reserved.

2004 META Group, Inc.

Sarbanes-Oxley and Regulatory

Conclusions ................................................................................................................................... 111

Chapter 9 Asset Management ................................................. 113

Strategic Asset Management ....................................................................................................... 123

Conclusions ................................................................................................................................... 125

Chapter 10 Other Compliance Mandates

Chapter 11 Compliance Issues for Vendors ............................ 143

Appendix A .................................................................................... 168

Appendix B .................................................................................... 199

Appendix C .................................................................................... 223

2004 META Group, Inc.

All rights reserved.

Sarbanes-Oxley and Regulatory

All rights reserved.

2004 META Group, Inc.

The SOX Landscape

Sarbanes-Oxley and Regulatory

Chapter 1 The State of SOX

2004 META Group, Inc.

All rights reserved.

Sarbanes-Oxley and Regulatory

All rights reserved.

2004 META Group, Inc.

The State of SOX Compliance Efforts

Key Areas for IT Organizations

Management is required to make an annual assertion regarding the effectiveness of

Section 404: This mandates that corporations provide an annual assessment as to

2004 META Group, Inc.

All rights reserved.

Sarbanes-Oxley and Regulatory

Effectiveness and efficiency of operations

All rights reserved.

2004 META Group, Inc.

The State of SOX Compliance Efforts

2004 META Group, Inc.

All rights reserved.

Sarbanes-Oxley and Regulatory

Top Preferences for SOX Solutions

Consolidate ERP instances: 6%

Replace legacy ERP solution: 2%

Upgrade to latest version of current ERP solution provider: 8%

Turn on existing (already purchased) functionality: 11%

Implement commitment control: 7%

Enable workflow: 14%

Examine security: 13%

Move from point solutions to integrated enterprise apps: 7%

Evaluate/implement BPM: 15%

Evaluate/implement internal compliance dashboards: 15%