SEARCH IT BUSINESS EDGE:

JUMP TO RESOURCE CENTER:

:: Priorities ::

Aligning IT & Business Goals
NEW: 28 | Total: 2271

Integrating the Enterprise
NEW: 22 | Total: 1831

Fortifying Network Security
NEW: 28 | Total: 2449

Leveraging Open Source
NEW: 20 | Total: 1654

Managing Compliance Standards
NEW: 25 | Total: 1841

Maximizing IT Investments
NEW: 90 | Total: 5497

Optimizing Infrastructure
NEW: 52 | Total: 3966

Voice & Data Convergence
NEW: 34 | Total: 2857

From Project to Process

Source: IT Business Edge | Priority: Managing Compliance Standards | Topic: Sarbanes-Oxley
Date Published: 11/23/2005

With Nancy Beacham, a partner at PricewaterhouseCoopers, where she focuses on improving business performance. Beacham is one of the firm's thought leaders regarding Sarbanes-Oxley compliance process sustainability. Much of her recent work has included performing Sarbanes-Oxley Section 404 readiness assessments and improving underlying financial processes.

Question: What should be the difference between Year One and Year Two of Sarbanes-Oxley compliance?
Beacham: Year One was a learning process and involved very much of a project management mentality. Companies have since realized that they can't do Sarbanes-Oxley compliance under a project mode, so they are moving it into a process that is embedded within the organization. Moving to a process mindset involves putting people in place who take ownership of and execute on the controls.

Question: What steps are companies taking to make compliance more of a process and less of a project?
Beacham:One thing they are doing is taking a look at how the organization is structured and figuring out what is the best compliance model to be embedded in the business. There are a number of different options but there is no majority approach to this problem. What we're seeing as most popular is that you have either a chief internal control officer or chief compliance officer take responsibility for the compliance process. They are in charge of handing out controls guidance that the finance, IT and other departments are using to update controls documentation and to execute testing plans. The key here is that this information is being pushed out from the center. The control office then reports up to senior management to provide the status of how these efforts are progressing.
Many companies are still using internal auditors in Year Two to update documentation and execute testing plans. In other cases, we see finance taking the reins while internal control over financial reporting comes from operational units. The business units drive financial reporting, so it's desirable for companies to have business units take more ownership over some of these compliance functions. We've also seen that whoever was the project manager or sponsor in the Year One effort has morphed into the internal controls officer. Often, that person had an internal audit background.

Question: How do compliance tasks differ in Year Two as opposed to Year One?
Beacham: In Year One, many companies identified too many key controls. They took a belt and suspenders approach. Since then, many have gained more insight into what a key control really is and have updated their documentation and testing policies. Companies have also been rationalizing some of the key controls they have in place or consolidating processes or developing uniform standard processes. These efforts reduce the number of key controls and some of the testing that is involved with compliance. Another piece is that Year One included a lot of deferred maintenance. Some companies didn't have process documentation in place, so there was a lot of activity surrounding getting a control environment implemented. In Year Two, that work has already been done, so it's no longer about documenting processes and controls all over again but just updating the changes that have been made since last time.

:: MORE INSIGHTS ON THIS ISSUE ::

Court of Appeals Upholds Sarbox | 8/23/2008 :: Source: The Washington Post

Governance Doesn't Have to be Painful | 8/14/2008 :: Source: Todd Biske: Outside the Box

University Partners with New York State on Governance Framework | 6/21/2008 :: Source: Center for Technology in Government

:: IT Business Edge Also Recommends ::

:: Featured Research ::

Real-time Auditing for Active Directory, Exchange and SQL Server
Review key features needed to establish a robust audit trail, discover which of these features Windows delivers natively, and explore the benefits of third-party auditing capabilities.

Sarbox Turns Six

TAKEAWAY: According to this author, even as Sarbanes-Oxley turn six, it's still fraught with delays and trouble. SMB implementation of Section 404 continues to be pushed back, while the Public Company Accounting Oversight Board is considered to be a flop.

Source: Chase Cooper | Priority: Managing Compliance Standards | Topic: Sarbanes-Oxley
Date Published: 8/4/2008 | Date Reviewed: 8/5/2008

> Read "Sarbanes-Oxley--SOX Is 6" at Chase Cooper

SMBs Get Sarbox Reprieve, SEC to Study Cost Burden

TAKEAWAY: The Securities and Exchange Commission has given small businesses another year to comply with the auditor-attestation requirements of Sarbanes-Oxley Section 404(b), which means SMBs will need to provide attestation reports for fiscal years ending on or after Dec. 15, 2009. In addition, the Office of Management and Budget has given the SEC the green light to study the cost and benefits of compliance for small companies.

Source: CFO.com | Priority: Managing Compliance Standards | Topic: Sarbanes-Oxley
Date Published: 6/20/2008 | Date Reviewed: 6/25/2008

> Read "Small Co. Reprieve: Sarbox..." at CFO.com

Appellate Judge Leans Toward Ditching PCAOB

TAKEAWAY: The comments by Brett Kavanaugh of the U.S. Court of Appeals for the District of Columbia Circuit indicate he favors getting rid of the Public Company Accounting Oversight Board. Kavanaugh says the board is not a government entity and upholding that idea would give the green light to creating independent agencies within independent agencies.

Source: Bloomberg | Priority: Managing Compliance Standards | Topic: Sarbanes-Oxley
Date Published: 5/28/2008 | Date Reviewed: 5/29/2008

> Read "SOX Appeal Judge Offers Peek..." at Bloomberg

:: Hot Research ::

Guide to PCI Compliance for Web Applications
Review the pros and cons of the solutions available under Section 6.6 of the PCI DSS, and decide which approach is best for your organization.

Better Together: Blades, Linux, and Insight Control
Discover the importance of manageability in the selection of a blade platform and examine the needs of managing large volumes of homogeneous Linux platforms.

Information Lifecycle Management for Business Data
Discover how Oracle Database 11g helps you store and manage your growing amounts of data in the most cost effective manner.

:: Subscribe To Our Reports ::