Manage Learn to apply best practices and optimize your operations.

Business Mentor: SOX Compliance and Good IT Governance

Good governance and SOX compliance go hand in hand.

Some time ago, I got a call from the CIO of a midmarket company. He wanted my advice on complying with the Sarbanes-Oxley Act (SOX), which requires publicly traded companies to have proper controls in place to prevent misstatements of financial results. My immediate reaction was that he should convince his company to go private so that SOX compliance wouldn't be an issue. But since that wasn't an option, we talked seriously about SOX compliance and the processes to get his company there.

SOX has a direct impact on IT processes and procedures because most of us now use accounting systems -- for sales, payroll, etc. -- to collect and report our financial results.

Compliance As a Given

My solution to SOX compliance is this: If we use quality, standards-based processes in IT, compliance becomes a given. Here I'll discuss three aspects of good governance.

Change management. One of the core processes my IT group needs in place is change management: the method by which we migrate a new application, an operating system patch or an upgrade into our production environment. Even if SOX didn't exist, change management is the right thing for IT to do. By implementing formal change review and approval processes, I have been able to dramatically improve system reliability -- and the credibility of IT. And with change management in place, IT controls one of the risks that SOX has identified: that someone can make unauthorized changes to production systems.

User access policies. The same goes for user access. In managing user access, IT should regularly review which users have access to which systems. For example, as an employee changes jobs, IT should ensure that the employee's system access aligns with his new responsibilities and possibly cut off access associated with the employee's old role. Having a user access process in place helps us comply with SOX.

A governance model. In addition to user access policies, we should have a governance model in place that aligns with business strategies and tactics. This model starts at the structural level (centralized, decentralized, federated) and extends to project scoring, portfolio management, and project management and communication. Again, quality governance eliminates the need to do anything special for SOX compliance.

Mind the Gap

As I explained these strategies to the CIO, I suggested he get a head start on his SOX compliance (compliance deadlines differ depending on company size and reporting requirements) by choosing a standard or framework -- Control Objectives and related Information (CobiT), the IT Infrastructure Library (ITIL) or the Microsoft Operating Framework (MOF) -- and then analyzing the gap between his current practices and the standard's recommendations. I am partial to ITIL (and the closely related MOF) because it was created from the best practices of groups of IT leaders. (MOF has the additional advantage of being available for free on the Microsoft Web site.) This gap analysis reveals which IT processes we need to implement and which need to be improved.

Having quality IT processes in place helps an IT department move toward SOX compliance as well as improve performance. When it has documented ways of doing things (i.e., "controls") that are based on best practices, IT can generate tangible, even significant, benefits that improve systems, response times and credibility. For this reason alone, SOX can be a good boost for IT.

Niel Nickolaisen is CIO and vice president of strategic planning at Headwaters Inc. in South Jordan, Utah. To comment on this story, email

This was last published in June 2006

Dig Deeper on Small-business IT strategy

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.