Sarbanes Oxley Compliance Journal

Supporting SOX Compliance Through IT Architecture Planning


By Erik Masing, CEO, alfabet

Though the major provisions of the Sarbanes-Oxley Act of 2002 don’t explicitly mention IT controls, SOX has had far-reaching implications for enterprise IT departments. Audit results alone don’t reflect the enormous effort IT has spent making enterprises SOX compliant.

The SOX provisions most relevant to IT call for CEO/CFO certification of financial reports and for the assessment and disclosure of internal controls over financial reporting. The processing, storage and harvesting of the data that finds its way into financial reports, as well as the operation of the infrastructure and workflow systems supporting control-targeted business processes, are performed under the auspices of IT. IT therefore has the task of scoping SOX-relevant systems, eliminating any risks posed to those systems, continuously monitoring, documenting and assessing the SOX relevance of system changes, reporting those changes to the SOX project management office, and including that office in system change decisions.

When one considers that 50% of G2000 companies estimate they spend more than 15 person-years annually on SOX compliance activities, according to a Gartner Group report (“Survey on Sarbanes-Oxley Compliance Practices Within IT Organizations and Businesses,” 2006), one realizes the dire need for more efficient compliance processes.

Whereas SOX has put major strains on IT organizations, IT professionals are quick to admit that the ‘Clean up your Act’ Act has brought about important improvements, notably:

• Recognition of vulnerabilities in the IT area
• Improved information system security
• Better understanding and improvement of segregation of duties
• Improved access controls and access monitoring
• Improved test procedures and program change management
• Improved processes to document policies, procedures, and controls

It has also given firms the ability to leverage the same technologies used for SOX compliance to support other compliance processes. Additionally, SOX has enhanced IT’s profile through recognition of its importance to business and has raised awareness for IT governance in calling for defined decision-making processes and documented plans; in this context, it has led to a more engaged control environment with active participation by board, audit committee, management and other stakeholders.

There are still benefits to be realized, as companies begin to understand that SOX compliance is not a one-time project, but an on-going exercise in controls assessment in the evolution of a corporation’s IT landscape. In learning to anchor control processes and objectives in the IT architecture, enterprises will be able to identify and assess risk more effectively and achieve greater efficiencies in compliance control.

Solutions to SOX compliance in IT Architecture Planning
Strategic IT architecture planning involves goals, methodologies and processes that relate closely to the disciplines and objectives of SOX compliance. Indeed, IT planning’s overriding goals are very similar to those of SOX compliance, making it a cornerstone of an enterprise’s IT support in the context of SOX. SOX obligates a company to have a thorough understanding of its business processes: how they are executed (manually and/or with IT support), how they are interrelated, and the impact of changes to them, with the goal of being able to identify and stem possible areas of risk.

It also obligates a company to be in complete control of its business processes, through definition and documentation of the as-is state, a well-established change management process, communication among all stakeholders, and monitoring, with the goal of detecting non-compliant activity.

Consider how aspects of architecture planning can support an enterprise’s SOX compliance efforts:

Comprehensive Baseline Inventory
The architecture’s baseline inventory forms the foundation for IT planning. It profiles each artifact, describing in detail what the artifact is (technical element, business process, business object, cost, location) and all of its relationships to other artifacts. It shows interdependencies between the business, application and physical layers of the enterprise and gives insight into which processes and organizations are supported by which artifacts. Thus the inventory provides the enterprise with the means to clearly define and document all SOX-relevant enterprise architecture elements and to drill down easily during planning or assessment phases to understand the possible root causes of risk-laden processes.

Additionally, best-practice architecture planning provides an audit trail on each artifact that documents its current state and enables the auditor or user to understand changes to it, giving greater control over events that could impact SOX compliance.

Business Demand Management
Enterprise Architecture (EA)-based project planning begins with capturing business demands, describing each demand comprehensively, and thoroughly evaluating the effects an implemented demand could have on existing business processes and IT elements. This process draws on the baseline inventory, so the SOX-relevant objects used to fulfill a demand are evident at an early stage of the IT planning process, supporting proactive identification of impact on SOX-relevant processes. This extends to early assessment of the likely impact of any change to SOX-relevant objects triggered by the demand.

Master Planning
Master Planning, a key strategic EA planning discipline, relates the core artifacts of the business architecture with those of the application architecture. It is a visualization technique as well as a planning platform enabling quick comprehension of the impact of change in the IT environment: for example, the ability to identify that a key financial process (SOX-relevant) will be affected by the introduction of a new order-taking application.
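As an added illustration (not from the article and not alfabet’s own product code), the following Python sketches the baseline inventory and Master Planning ideas above: artifacts across the physical, application and business layers, a SOX-relevance flag, a per-artifact audit trail, and a change-impact query that walks the “supports” relationships from a changed artifact to every SOX-relevant process it reaches. All artifact names and actors are constructed.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Artifact:
    name: str
    kind: str                      # "technical element", "application" or "business process"
    sox_relevant: bool = False
    audit_trail: list = field(default_factory=list)   # (actor, event) for every change

class Inventory:
    def __init__(self):
        self.artifacts, self.supports = {}, {}   # supports: artifact -> set of artifacts it supports

    def add(self, name, kind, sox_relevant=False, actor="architect"):
        self.artifacts[name] = Artifact(name, kind, sox_relevant, [(actor, "created")])
        self.supports.setdefault(name, set())

    def relate(self, supporter, supported, actor="architect"):
        # Logged on both ends so an auditor can see who introduced the dependency.
        self.supports[supporter].add(supported)
        self.artifacts[supporter].audit_trail.append((actor, f"now supports {supported}"))
        self.artifacts[supported].audit_trail.append((actor, f"now supported by {supporter}"))

    def sox_impact(self, changed):
        # Breadth-first walk along 'supports' edges; each SOX-relevant artifact reached is
        # mapped to the dependency path from the change, i.e. the auditor's drill-down.
        hits, seen, queue = {}, {changed}, deque([(changed, [changed])])
        while queue:
            cur, path = queue.popleft()
            for nxt in sorted(self.supports[cur] - seen):
                seen.add(nxt)
                if self.artifacts[nxt].sox_relevant:
                    hits[nxt] = path + [nxt]
                queue.append((nxt, path + [nxt]))
        return hits

def demo():
    # Constructed scenario from the article: a new order-taking application is introduced.
    inv = Inventory()
    inv.add("Revenue Recognition", "business process", sox_relevant=True)
    inv.add("Order-to-Cash", "business process")
    inv.add("Marketing Analytics", "business process")
    inv.add("Order Taking App", "application", actor="demand mgmt")
    inv.add("Order DB", "technical element")
    inv.relate("Order-to-Cash", "Revenue Recognition")
    inv.relate("Order Taking App", "Order-to-Cash", actor="demand mgmt")
    inv.relate("Order Taking App", "Marketing Analytics")
    inv.relate("Order DB", "Order Taking App")
    return inv
```

Querying `demo().sox_impact("Order Taking App")` shows that the new application reaches the SOX-relevant Revenue Recognition process through Order-to-Cash while the Marketing Analytics branch is ignored, and the same query on the Order DB technical element yields the full cross-layer path.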

Enterprise Architecture Management
EA Management is essential for developing standards for enterprise IT. Enterprise architects channel reform programs into the IT organization as standards and guidelines for the development of local solutions and service offerings. This has great significance for SOX compliance: as an enterprise takes a more standardized approach, potential risks are better understood and mitigation strategies are developed more thoroughly and implemented more swiftly.

Collaboration
A good planning process will be highly collaborative and involve many stakeholders from design, implementation, quality assurance and deployment teams as well as stakeholders from strategic planning, business departments and finance. All of these stakeholders are widely distributed throughout the enterprise, each function having ownership of specific aspects and information of corporate processes. Collaboration attempts to draw all of the disparate parties into the discussion to gather all (SOX-relevant) information and consolidate it, ensuring its consistency. Additionally, collaboration ensures commitment to projects and promotes personal responsibility for risk awareness and control. A broader audience allows firms to optimize the number of controls and eventually increase auditability.

Evaluation / Conflict Analysis
As the IT architecture of an enterprise changes and develops, pending decisions often have a significant impact on the future ability of the enterprise to execute its business according to legal and other requirements. Decisions need to be based on comprehensive assessments that consider all of the relevant aspects of the issue at hand. Both one-off evaluations and on-going assessments are necessary as management mechanisms. By unveiling the weaknesses of the architecture, threats to the enterprise can be identified and improvements instigated. Some examples of architectural aspects that can be analyzed are:

• Efficiency and effectiveness of control-oriented business processes supported by applications
• Risks associated with various elements in the business and/or IT architecture such as business processes, applications or project proposals
• Standardization levels of applications and their technological underpinnings
• Impact of proposed solutions on legal compliance
• Alignment of submitted demands with corporate compliance goals

Large organizations should design SOX checkpoints if they wish to attain compliance. Integrating these checkpoints into the enterprise architecture planning process, using a system that supports automation of compliance maintenance, is the most efficient way to do so. By doing so, organizations ensure that they can proactively identify areas of concern while maintaining a more controlled IT environment.


Erik Masing is co-founder and CEO of alfabet, which is headquartered in Cambridge, Mass. Erik has transformed alfabet since its founding in 1997 in Berlin, Germany, into what is today recognized by leading industry experts and analysts as a market leader in enterprise architecture management and planning. alfabet enables companies to see, analyze, control and align IT initiatives with business priorities continuously. Its planningIT software is unique in tightly coupling business priorities and IT returns with current and future initiatives.

© 2019 Simplex Knowledge Company. All Rights Reserved.