Sarbanes-Oxley compliance has become one of the most dominant business challenges facing corporations today. As technology is at the core of business operation, governance rigor now absolutely applies to the CIO and his/her Information Technology organization. One of the principal concerns facing IT departments is how to produce well-defined and repeatable processes that help mitigate risk and achieve audit compliance.

This paper focuses on one framework, COBIT, which has been developed by the IT Governance Institute as a generally applicable and accepted standard for good IT security and control practices. Enterprise Software Change Management (ESCM) is recommended as a solution that combines process methodologies such as COBIT with the infrastructure necessary to manage and store process workflows and then measure the results of those processes. ESCM can play an integral part in achieving compliance by automating any business process, including all software development processes, and by providing full audit trails.
Is Your IT Organization Ready for Compliance?

The Sarbanes-Oxley Act (SOA) has reset the responsibilities of senior management and boards of directors, and the expectations of investors, regulators and external stakeholders. Regulatory compliance is now one of the most dominant business challenges facing corporations today. As technology is now at the core of business operation, governance rigor now absolutely applies to the CIO and his/her Information Technology organization. As companies move rapidly toward SOA compliance, many questions arise about the appropriate measures required to improve IT governance: Which framework should be followed? What support can my vendors offer me? Are there tools and solutions available to help me?
Risk Reduction and Mitigation

One of the principal concerns facing IT departments is providing the processes and policies that help their organizations prepare for all business challenges. To accomplish this task, many teams choose a process methodology that satisfies all requirements while at the same time reducing the risks associated with non-compliance. Risk management includes evaluations and assessments that are often measured using IT audits. Audit results are used to assess each area of the methodology and to uncover all potential areas of risk. Having well-defined and repeatable processes helps to mitigate risk and achieve audit compliance.
Defining COBIT

In answering the questions above, this paper focuses on one framework, COBIT, which has been developed by the IT Governance Institute as a generally applicable and accepted standard for good Information Technology (IT) security and control practices. Developed in 1996, COBIT is relatively small in size, so it can remain independent of any technical platform while still maintaining a high degree of responsiveness to an organization's business values.

COBIT provides maturity models similar to those of the leading process methodologies in the industry (CMM, ISO, ITIL, COSO, Six Sigma) to help control the development of IT processes. For today's regulatory needs, COBIT addresses the gaps between business risks, corporate governance issues and other technical issues in an organization. Look at COBIT for:

- Expressing IT control practices through Maturity Models for benchmarking measurements
- Measuring the outcome and performance of IT processes through Key Performance Indicators (KPIs)
- Getting processes under control using Critical Success Factors (CSFs)
- Process initiatives
Another business challenge is combining process methodologies with Enterprise Software Change Management (ESCM) technology solutions, which provide the infrastructure necessary to manage and store process workflows and to measure the results of those processes. Process-centric ESCM can be leveraged to help with Sarbanes-Oxley compliance. By using the issue management and workflow support provided by ESCM systems directly, any existing business process, including all software development processes, can be automated, with direct tracking and integration of all work completed and with full audit trails.

This directly affects companies with strategic governance initiatives, or that have to meet regulatory and audit compliance requirements. Some methodologies used by corporations today include:

- SEI Capability Maturity Model (CMM, CMMI)
- IT Infrastructure Library (ITIL) for service management
- ISO (International Standards Organization) 9xxx for quality management
- COBIT (Control Objectives for Information and Related Technology)
The Sarbanes-Oxley Act

In July of 2002, on the heels of some major US corporate accounting scandals, legislation was drafted to create new or enhanced standards for corporate accountability. Initially targeted for June of 2004, the current date for initial compliance is November 15, 2004. The act affects US public companies with a market capitalization over $75 million, and its main purpose is to prevent future accounting scandals and rebuild the trust of the investing public. Failure to comply with the legislation's requirements results in penalties against the corporation.
The Effect of Sarbanes-Oxley on IT

Many of the artifacts necessary to prove SOA compliance include all the documents and work papers used to create financial reports and other publications produced for the general public. Certain sections of the act deal specifically with the internal controls a company has in place to ensure the accuracy of its data. It is even mandated that each annual report contain a separate internal report stating that management is responsible for an adequate internal control structure and that, at periodic intervals, that structure is assessed and modified as necessary.

Usually the IT organization is directly responsible for the management and control of the systems and technology in place to collect, store and manage the data and information contained in the company's financial reports. But studies indicate that many IT groups are not prepared for the surge of activities facing their departments under SOA legislation. AMR Research found that as many as 85% of companies predict that the SOA will require them to make changes to their IT infrastructure. And Gartner research found that many CIOs are just now realizing the impact the legislation has on their operations, and that:

- CIOs must have a strategy and the resources to respond
- CIOs have to learn what technologies will help
- CIOs must enhance their knowledge of internal control
- CIOs have to develop a compliance plan that specifically addresses IT controls

To this end, IT professionals, especially those in executive positions, need to be well-versed in internal control theory and practice to meet the requirements of the Act.
Even though the direct impact of Sarbanes-Oxley on IT is on the systems used for financial control, it is usually far more efficient for an organization to carry out a complete review of its entire IT structure. Why spend time trying to figure out what may be irrelevant when so much is at stake?

The diagram below provides a look at the various audiences involved in the overall corporate governance structure. The audiences are then linked to the particular business challenges faced at each level. Finally, links are provided to some of the solutions available to satisfy the business challenges at each audience level. The solutions involve ESCM technology and processes recognized as industry standards and best practices.

Once the need for compliance is accepted and the CIO has determined a strategy, the course of action may become clear. The ESCM technology must be put in place if it is not there already, and the process methodologies chosen by the company must be implemented. The rest of this paper identifies the COBIT methodology and maps, at a high level, the various processes within the methodology to the ESCM technologies. All technologies are different, so the mapping of the processes is explained through the MKS technology solution.
Laying out COBIT

There are 34 processes in COBIT, broken out into 4 main categories. One high-level control objective relates to each of the 34 processes, and there are a total of 318 specific control objectives distributed across the 34 processes. The 34 processes are broken out into four domains:

- Planning and organization
- Acquisition and implementation
- Delivery and support
- Monitoring