Key Components of the Sarbanes-Oxley Act
Sarbanes-Oxley requirements for IT departments are contained in two sections and referenced in a third. Section 302 requires corporate executives to certify that their companies have designed and implemented adequate controls to ensure that financial reports are reliable and compiled according to generally accepted accounting principles. Section 404 requires that the Section 302-controlled processes result in certifiable financial reports. IT managers must take direct responsibility for the integrity of the IT role in the financial reporting process.
The real-time disclosure provision of Section 409, which requires immediate public disclosure of material changes, places further burdens upon the IT organization.
Auditing Frameworks: COSO and Cobit
Corporate auditors have adopted general frameworks for assessing the quality of an organization's control environment, including IT governance. Two prominent and complementary frameworks are Coso (the Committee of Sponsoring Organizations of the Treadway Commission) and Cobit (Control Objectives for Information and Related Technology). Although these frameworks aren't part of Sarbanes-Oxley legislation, they provide auditors with the taxonomy of subject areas and operational requirements that auditors need to assess the quality of IT governance.
The Coso framework is a broad approach to IT governance that auditors follow when looking for evidence of a sound support structure for financial reports. U.S. Securities and Exchange Commission communications on Sarbanes-Oxley audits specifically mention Coso. The framework extends beyond financial reporting and applies to every IT function.
The Information Systems Audit and Control Association and the IT Governance Institute released Cobit, which follows the general Coso structure. It provides a set of high-level control objectives for IT processes grouped into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring.
These domains are designed to cover all aspects of information and its supporting technology. Auditors and business-process owners can use these control objectives to assess the control system provided for the IT environment.
An organization structured around Cobit control objectives may have an easier time passing an audit. Auditors may still pass an organization that doesn't have Cobit metrics to display, but the burden is then on that organization to show evidence of the quality of its governance. This often means Sarbanes-Oxley remediation, which can be expensive and disruptive.
ITIL and Regulatory Compliance
The Information Technology Infrastructure Library (ITIL) is a collection of best practices for managing IT. ITIL practices will aid an organization in achieving high scores on the Cobit metrics. Cobit authors have examined ITIL best practices, and Cobit and ITIL dovetail neatly.
ITIL practices benefit from more than a decade of nonproprietary development and experience. A support structure for ITIL includes consulting and certification groups and the itSMF (IT Service Management Forum). The itSMF is an internationally recognized organization dedicated to IT service management and is the leading international proponent of ITIL.
ITIL originated in the U.K. as a set of guidelines for aligning IT practices with enterprise goals in the British government. Today, ITIL clearly leads in defining best practices for IT management in North America and Europe. Consequently, ITIL best practices, in conjunction with Coso and Cobit, help expedite the achievement of many Sarbanes-Oxley compliance goals.
For many organizations, implementing ITIL has resulted in cost savings through improved management and IT governance. However, organizations should recognize that ITIL isn't an automatic path to good governance. For example, a key element of ITIL is the configuration management database (CMDB) designed to control changes to configuration. The CMDB defines the relationships between configurations to minimize the risk to a business when it plans and implements change. This is an excellent practice, but it won't succeed if the CMDB itself is fragmented and not adequately maintained.
Maintaining a CMDB is impossible without a view of IT enterprise management that touches every IT process. Without this view, the unified database quickly degenerates to a collection of unconnected spreadsheets used by isolated departments. These islands of data don't reflect the true state of the infrastructure and result in a mad scramble to collect data when an audit is imminent.
Governance and Service Management
IT governance discussions often focus on security and data retention. A different kind of vulnerability is present when the enterprise becomes dependent on a service supplied by IT. E-mail is an excellent example. Although e-mail is a critical resource in most corporations, until recently, it has rarely been viewed as mission-critical. Consequently, IT departments have often been late in establishing the kind of control over e-mail service that good governance requires.
E-mail has two important roles for governance. One is data retention, which has been the key to many forensic investigations of corporate governance. E-mail is also critical to daily operations and has become a standard for many types of transactions, from recording sales to personnel reprimands. When e-mail is interrupted, the dating of these events is questionable, and governance breaks down.
Service management can help establish proper governance of e-mail service. The first step in governance is to define the service in terms that are relevant to the business and document it in a service catalog. For example, a business definition of e-mail service will set hours of availability, internal delivery expectations, time-stamp expectations and retention policies. With this business definition, financial control designers can gauge the accuracy and availability of e-mail time stamps and make informed decisions about the reliability of e-mail as a conduit for financial information.
Network or server uptime metrics are hard to relate to business service. In contrast, service levels based on the customer's service definition have true business meaning. The service levels can be metered and displayed, and the customer can interpret the implications to business in true business terms. An example of business metering is to measure the accuracy of e-mail time stamps during normal business hours. This isn't an obscure server management metric or network bandwidth statistic, but a direct measure of a business service with real business value. Without business-related metrics and policies, the business sees reports filled with obscure numbers, not the critical information required to run a business. To a mail server administrator, the accuracy of an e-mail time stamp is almost an afterthought, but for business and financial auditing, the time stamp may be the most important service e-mail provides.
When e-mail service has a business definition, the service desk can log interruption of delivery incidents in terms of the e-mail service definition, respond based on business priorities and tailor responses to restore the business service. Without a support policy based on the e-mail business definition, incidents may be closed, but e-mail service sails out of control as insignificant late-night server glitches fire off pagers and get high-priority responses. Contrast that scenario with a clock that might be off by a day, which would invalidate time stamps and could jeopardize business integrity for days. When clock discrepancies begin to cause technical problems with sorting mail on different servers, a clever systems administrator might change the correct clock to match the incorrect one, perhaps saving himself some trouble, but nullifying e-mail time-stamp service. The result is bad data for correlating time stamps on sales transactions and a corrupt data-retention policy. The mail administrator is happy, but the business manager is unintentionally betrayed.
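The time-stamp accuracy metric described above can be measured directly from message headers, because every relay stamps its own clock into a Received: header. The following is an added example, not part of the original article: it walks the Received: chain of a constructed sample message, compares each hop's stamp with the last stamp that was consistent, and reports hops whose clock disagrees by more than an assumed tolerance (five minutes here). The host names, addresses and times are invented for the example, and the middle relay is deliberately a day behind, the situation the text warns about. A small summary function turns the per-message findings into the business-level metric: the share of messages whose stamps agree end to end.

```python
"""Added example: measure e-mail time-stamp consistency across Received: hops.

Assumptions (not from the article): a 5-minute tolerance between consecutive
hops, and a constructed sample message whose middle relay clock is a day slow.
"""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

TOLERANCE = timedelta(minutes=5)  # assumed acceptable skew between hops

# Constructed sample message (invented hosts, addresses and times).
# relay2's clock reads Monday while every other clock reads Tuesday.
SAMPLE_MESSAGE = """\
Received: from relay2.example.com (relay2.example.com [192.0.2.20])
\tby mx.example.com with ESMTP; Tue, 11 Mar 2014 10:02:11 +0000
Received: from relay1.example.com (relay1.example.com [192.0.2.10])
\tby relay2.example.com with ESMTP; Mon, 10 Mar 2014 10:01:58 +0000
Received: from client.example.com ([192.0.2.5])
\tby relay1.example.com with ESMTP; Tue, 11 Mar 2014 10:01:40 +0000
Date: Tue, 11 Mar 2014 10:01:30 +0000
From: sales@example.com
To: finance@example.com
Subject: Order 1234 confirmed

Order confirmed.
"""

# Same message with the slow clock corrected, for comparison.
GOOD_MESSAGE = SAMPLE_MESSAGE.replace("Mon, 10 Mar 2014", "Tue, 11 Mar 2014")


def received_timestamps(raw_message):
    """Return (stamping_host, datetime) for each Received: hop, oldest first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        # The timestamp follows the last ';' of the header (RFC 5321 syntax).
        stamp = header.rsplit(";", 1)[1].strip()
        match = re.search(r"\bby\s+([\w.-]+)", header)
        host = match.group(1) if match else "?"
        hops.append((host, parsedate_to_datetime(stamp)))
    # Relays prepend their header, so the first header is the newest hop.
    hops.reverse()
    return hops


def find_skew(raw_message, tolerance=TOLERANCE):
    """Report hops whose clock disagrees with the last consistent stamp.

    Returns a list of (host, skew). Skew is hop_time minus the last trusted
    time, so a negative value means that hop's clock runs behind. A hop that
    is out of tolerance does not become the new reference, so one bad clock
    produces one finding rather than a second, mirrored one at the next hop.
    """
    msg = message_from_string(raw_message)
    trusted = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    findings = []
    for host, stamp in received_timestamps(raw_message):
        if trusted is not None and abs(stamp - trusted) > tolerance:
            findings.append((host, stamp - trusted))
            continue
        trusted = stamp
    return findings


def timestamp_accuracy(raw_messages, tolerance=TOLERANCE):
    """Business metric: fraction of messages with a fully consistent chain."""
    if not raw_messages:
        return 0.0
    consistent = sum(1 for raw in raw_messages if not find_skew(raw, tolerance))
    return consistent / len(raw_messages)


if __name__ == "__main__":
    for host, skew in find_skew(SAMPLE_MESSAGE):
        print(f"{host}: clock off by {skew}")
    print("accuracy:", timestamp_accuracy([SAMPLE_MESSAGE, GOOD_MESSAGE]))
```

Run against a day's worth of messages captured from the mail store, the accuracy figure is the kind of business-hours service level the text describes, while the per-hop findings point the administrator at the specific clock to fix rather than at the correct one.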
Service Management and the Big Picture
For a single service like e-mail, service management may be superfluous. Service definitions, service levels and incident response can be implemented without service management tools. Cobit doesn't identify e-mail as a specific control area, although it is usually mission-critical. Instead, Cobit defines general control objectives and key performance indicators for all mission-critical services.
But governance isn't about a single IT service. When all IT services are documented in a service catalog and all of the functions of IT service management are set to work, good IT governance and regulatory compliance enter the basic structure of the IT department. Governance becomes part of the IT DNA. This change in corporate genetics is profound. It promises increasing productivity, usefulness and cost reduction for the IT department, along with corporate governance, compliance and security.