Changing the DNA of IT: Sarbanes-Oxley and Service Management

Computerworld - As organizations work toward compliance with the immediate deadlines of the Sarbanes-Oxley Act of 2002 and prepare to meet other requirements within the act, they are discovering the dollar cost of compliance. Organizations need to spend wisely on tools that will meet the basic tenets of Sarbanes-Oxley -- including improved transparency and accountability in business processes and corporate accounting -- while providing the foundation for future compliance. IT service management -- a fundamental tool set for weaving transparency, control and risk mitigation into the fabric of IT -- can help organizations achieve regulatory compliance while promoting IT governance and improved business operations.
Key Components of the Sarbanes-Oxley Act
Sarbanes-Oxley requirements for IT departments are contained in two sections and referenced in a third. Section 302 requires corporate executives to certify that their companies have designed and implemented adequate controls to ensure that financial reports are reliable and compiled according to generally accepted accounting principles. Section 404 requires that the Section 302-controlled processes result in certifiable financial reports. IT managers must take direct responsibility for the integrity of the IT role in the financial reporting process.
The real-time disclosure provision of Section 409, which requires immediate public disclosure of material changes, places further burdens upon the IT organization.
Auditing Frameworks: COSO and Cobit
Corporate auditors have adopted general frameworks for assessing the quality of an organization's control environment, including IT governance. Two prominent and complementary frameworks are Coso (the Committee of Sponsoring Organizations of the Treadway Commission) and Cobit (Control Objectives for Information and Related Technology). Although these frameworks aren't part of Sarbanes-Oxley legislation, they provide auditors with the taxonomy of subject areas and operational requirements that auditors need to assess the quality of IT governance.
The Coso framework is a wide approach to IT governance that auditors follow when looking for evidence of a sound support structure for financial reports. U.S. Securities and Exchange Commission communications on Sarbanes-Oxley audits specifically mention Coso. The framework extends beyond financial reporting and applies to every IT function.
The Information Systems Audit and Control Association and the IT Governance Institute released Cobit, which follows the general Coso structure. It provides a set of high-level control objectives for IT processes grouped into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring.
These domains are designed to cover all aspects of information and its supporting technology. Auditors and business-process owners can use these control objectives to assess the control system provided for the IT environment.
An organization structured around Cobit control objectives