IT Governance

By BR-549 ·
Anybody interested in this topic? SOX has really made this topic mainstream and yet there is nothing about it on TR.


Sarbox in Japan

by Murr In reply to IT Governance

I'm interested.
Sarbox is huge, and it is affecting, or will affect, the way we do our jobs. From the bottom of the trenches to the CIOs, SOX will have (and is having) an effect.

Foreign companies here in Japan are struggling to comply with sox; I heard that Ernst and Young are trying to hire about 30 internal IT auditors just to meet the demand in Tokyo. And even for non-US companies, many other governments are looking at similar legislation.

I recently started studying ITIL, and in my opinion it's great. Even if you don't have to worry about SOX, it's just good practice to have a simple, standardized set of processes. Aligning the goals of IT with the business (the basis of IT governance) is such a simple premise, but lacking in so many companies (including mine, I'm sad to say).

Let's hear what other people have to say about IT governance (SOX, ITIL, COBIT, MOF, etc.).


compliance in general

by mattbakeruk In reply to Sarbox in Japan

I think it's not a bad idea, but hopefully the cart won't get in front of the horse. In the UK we've already got Turnbull on corporate compliance and Caldicott for Health Service management. Also, BS7799 is gathering steam along with PAS56, which is now being used by some of the large utilities firms.
SOX is coming over here, and I see legislation drawing on the SOX experience in the future. I'm also seeing a new industry arising in compliance, but a lot of it is paper pushing, especially by the big consultancies.
However, I have seen a good compliance management programme. It's not cheap, but it would help manage a company's route to compliance and in staying current.
have a look at



by DC_GUY In reply to IT Governance

It's an e-zine oriented heavily toward the software testing profession, but its daily news articles cover the whole IT spectrum. I first read about Sarbox (as it was originally nicknamed) on StickyMinds.

As far as I can tell, the general opinion among IT practitioners is that SOX was a knee-jerk reaction to the big corporate scandals, crafted by non-IT people to be applied to IT, and the result is predictable. I've read arguments saying it's so poorly drawn that no matter what you do, you can't help being in violation of SOX.


Not So Difficult

by BR-549 In reply to Check

I have done half a dozen IT SOX engagements over the past year, and all have ultimately passed. I do see a lot of people/firms out there trying to do this work who have no idea what they are doing. This does not stop them from charging big fees, though.

For most small to mid-sized companies we simply adopt the COBIT framework, document existing practices as policy and procedure, and then test. I should point out that when most small to medium companies say they adopted the COBIT framework, they actually adopted "IT Control Objectives for Sarbanes-Oxley", which is a subset of the full COBIT framework.

I see too many firms that design tests that do not meet the objectives. They also never really determine in-scope systems, so when they gather evidence for a control they either over-test by including systems that are not important or, more often, under-test because they found samples to fill out their matrix without considering that the samples only covered one system.

It is frustrating to see so much poor work being performed.


Complain, Complain

by BR-549 In reply to IT Governance

Everyone at the top is complaining about the cost of SOX. Everyone in the trenches is complaining about the documentation.

It is hard to say it is not a good thing when you look at how many companies either:
- cannot pass
- have restated financials as a result of what they found
- delayed filing to clean up some mess

It is also noteworthy that in a recent KPMG study the largest area for Significant Deficiencies was IT General Controls.
