SOX has a direct impact on IT processes and procedures because most of us now use accounting systems -- for sales, payroll, etc. -- to collect and report our financial results.
Compliance As a Given
My solution to SOX compliance is this: If we use quality, standards-based processes in IT, compliance becomes a given. Here I'll discuss three aspects of good governance.
Change management. One of the core processes my IT group needs in place is change management: the method by which we migrate a new application, an operating system patch or an upgrade into our production environment. Even if SOX didn't exist, change management is the right thing for IT to do. By implementing formal change review and approval processes, I have been able to dramatically improve system reliability -- and the credibility of IT. And with change management in place, IT controls one of the risks that SOX has identified: that someone can make unauthorized changes to production systems.
User access policies. The same goes for user access. In managing user access, IT should regularly review which users have access to which systems. For example, as an employee changes jobs, IT should ensure that the employee's system access aligns with his new responsibilities and possibly cut off access associated with the employee's old role. Having a user access process in place helps us comply with SOX.
A governance model. In addition to user access policies, we should have a governance model in place that aligns with business strategies and tactics. This model starts at the structural level (centralized, decentralized, federated) and extends to project scoring, portfolio management, and project management and communication. Again, quality governance eliminates the need to do anything special for SOX compliance.
Mind the Gap
As I explained these strategies to the CIO, I suggested he get a head start on his SOX compliance (compliance deadlines differ depending on company size and reporting requirements) by choosing a standard or framework -- Control Objectives and related Information (CobiT), the IT Infrastructure Library (ITIL) or the Microsoft Operating Framework (MOF) -- and then analyzing the gap between his current practices and the standard's recommendations. I am partial to ITIL (and the closely related MOF) because it was created from the best practices of groups of IT leaders. (MOF has the additional advantage of being available for free on the Microsoft Web site.) This gap analysis reveals which IT processes we need to implement and which need to be improved.
Having quality IT processes in place helps an IT department move toward SOX compliance as well as improve performance. When it has documented ways of doing things (i.e., "controls") that are based on best practices, IT can generate tangible, even significant, benefits that improve systems, response times and credibility. For this reason alone, SOX can be a good boost for IT.
Niel Nickolaisen is CIO and vice president of strategic planning at Headwaters Inc. in South Jordan, Utah. To comment on this story, email firstname.lastname@example.org.
This was first published in June 2006