
Sarbanes-Oxley and the IT organization:

A survival guide

White paper

Contents
Introduction: Year one of Sarbanes-Oxley
Accounting, auditors and IT
The effect of Sarbanes-Oxley: Legal liability for the CEO and CFO
Where Sarbanes-Oxley auditing standards come from
The role of independent auditors in Sarbanes-Oxley compliance
Sarbanes-Oxley and the IT organization: A survival guide
Change management, IT asset management and Sarbanes-Oxley
  Change management
  IT asset management
The COSO framework: A compliance blueprint
Other IT framework options: COBIT, ITIL and ISO 17799
Summary
Research Resources
For more information
Introduction: Year one of Sarbanes-Oxley
As enterprise finance and IT organizations are well aware, 2004 was the first year of mandatory
compliance with Sections 302 and 404 of the Sarbanes-Oxley Act. Now, organizations are looking
back at the substantial investments in time, effort and money that were made in order to meet the
regulatory requirements in year one, and are searching for ways to automate and simplify processes to
mitigate some of the compliance risks and associated costs going forward.
Understanding and efficiently responding to Sarbanes-Oxley requirements has not been easy. When
the act became law in 2002, it spawned an independent organization called the Public Company
Accounting Oversight Board (PCAOB). That group was charged with developing the new set of
auditing standards required for Sarbanes-Oxley. The PCAOB finally published those standards in
April 2004, just six months before the first mandatory compliance deadline. This placed many
companies in the difficult position of trying to reshape their financial processes based on regulations
that few people fully understood.
Making this prospect even more daunting were the penalties Sarbanes-Oxley imposed: the CEO and
CFO must attest to the accuracy of the reported financial statements and can potentially go to jail if
they are proven wrong.
Adhering to Sarbanes-Oxley audit standards has been an expensive endeavor. Some analysts
estimate that in 2004, companies typically spent $1 million on Sarbanes-Oxley compliance for every
$1 billion in revenue. To date, much of the spending on Sarbanes-Oxley compliance has focused on
two major areas: auditors (internal and external) and outside Sarbanes-Oxley advisory consultants.
Combine this with the massive commitment of time and energy spent by executive management to
make sure the process worked, and it is easy to see why companies are looking to technology
solutions that reduce the cost of meeting and documenting Sarbanes-Oxley compliance.
This paper provides answers to some basic questions:
- How does Sarbanes-Oxley affect the IT organization moving forward?
- What are the IT governance issues that come from Sarbanes-Oxley?
- What changes does the IT organization need to make?
- What are the options?
- How does IT make all this happen?
Suggestions are also included for using Sarbanes-Oxley as a springboard for creating significant
process improvements and cost savings across the enterprise.

Accounting, auditors and IT


While Sarbanes-Oxley compliance at first may seem to be an accounting and auditing matter, IT is at
the heart of the issue, because the accuracy of financial reports relies in large part on decisions made
by IT professionals. While CEOs and CFOs sign their names to legal certifications in the annual
report, an increasing number of companies are also requiring their CIOs to sign a sub-certification
regarding the controls, processes and overall accuracy of the IT assets they manage. For the CFO,
having reliable IT people and processes has never been more important. And for the IT professional,
Sarbanes-Oxley is no longer a back-burner issue. The stakes are high, and the consequences can be
devastating.
Fortunately, meeting Sarbanes-Oxley requirements for documenting controls over financial reporting
systems can be accomplished using established IT practices and technologies, such as change
management and IT asset management. These practices can provide the granular level of detail and
documentation that Section 404 of Sarbanes-Oxley requires, and they can also lower the cost of
compliance in years to come.

The effect of Sarbanes-Oxley: Legal liability for the CEO and CFO
The goal of the Sarbanes-Oxley Act is to restore confidence in the public markets, following a series
of high-profile accounting scandals. Sarbanes-Oxley does this by:
- Requiring that a documented system of checks and balances is in place
- Requiring that a company's CEO and CFO formally attest to the accuracy of financial statements and the systems and processes that underlie them
- Mandating complete transparency in corporate governance
Simply put, Sarbanes-Oxley is designed to make company executives legally responsible for the
accuracy of the financial statements in their annual reports. In addition, Section 404 of Sarbanes-Oxley
says that the annual report must contain an internal control report, which documents the
company's control structure and procedures for financial reporting and assesses the effectiveness of
those controls and procedures.
It is Section 404 of Sarbanes-Oxley that has the most relevance for the IT professional.

Where Sarbanes-Oxley auditing standards come from


Sarbanes-Oxley does not specify the auditing standards necessary for compliance. Instead, the
Securities and Exchange Commission gave that job to the Public Company Accounting Oversight
Board (PCAOB), an independent non-profit group of industry experts. On April 16, 2004, the
PCAOB published its first set of interim auditing standards for Sarbanes-Oxley compliance. Those
standards continue to be modified and developed as the PCAOB carries on its work.
In defining these standards, the PCAOB has made numerous references to both application-level
controls and general IT controls. For application-level controls, the PCAOB standards specify the need
to demonstrate controls over the actual financial applications, such as a company's ERP application.
This paper specifically addresses general IT controls.
The PCAOB's Section 404 auditing standards relating to general IT controls cover two key areas:
- Exhibiting controls over the IT components that make up your financial reporting system
- Safeguarding IT assets, particularly if those assets make up a significant percentage of your total capital assets
In the modern enterprise, financial reporting systems, such as ERP systems, are almost completely
reliant on IT assets: software, servers, workstations, infrastructure and more. The PCAOB's auditing
standards are designed so that proper controls, such as security, license compliance and application
maintenance, can be demonstrated for the IT components that support the ERP and other financial
reporting systems.
The PCAOB's Section 404 standards also address IT assets: hardware, software, peripherals and
other devices. For many companies, IT assets are one of the largest capital asset classes. As such,
their stated value has a significant effect on the balance sheet. Through the PCAOB, Sarbanes-Oxley
mandates that management clearly demonstrate that processes and controls are in place so that IT
assets are properly accounted for.

The role of independent auditors in Sarbanes-Oxley compliance


The objective of a Sarbanes-Oxley audit is to express an opinion on management's assessment of the
effectiveness of internal controls. Thus, the work of the independent auditor begins with an evaluation
of the written review management includes with its Sarbanes-Oxley filings. Next, other sources are
considered, including documentation, interviews, walkthroughs and/or personally auditing a process.
Independent auditors evaluate both preventive and detective types of controls in order to validate
that there are no control deficiencies that present more than a remote likelihood that a material
weakness exists. Preventive controls are those designed to keep errors and omissions from happening,
while detective controls are designed to find and correct errors and omissions after they happen.

Sarbanes-Oxley and the IT organization: A survival guide


For the IT professional, getting through a Sarbanes-Oxley compliance audit really comes down to the
two control areas specified in the auditing standards:
- The documented controls and processes that are in place for the IT components in the financial reporting system
- For those companies where IT assets are material to the financial statements, the documented controls for those IT assets
By exhibiting proper documentation and control processes, an appropriate foundation is established
for delivering the results required by the PCAOB's auditing standards.
In general, this can be accomplished through defined practices and automated, technology-based
processes. Specifically, change management and IT asset management can provide the technology
foundation to meet the PCAOB's auditing requirements.
As an added benefit, putting these controls in place makes it possible to reduce spending on external
consultants and manual labor in IT, while also reducing capital costs through improved IT asset and
change management control. Greater process automation, and the resulting improvements in
documentation, mean further cost savings, as well as reduced auditing risk for next year.
According to the PCAOB, the general IT controls for applications and IT infrastructure that support
financial reporting systems include:
- Change management (application maintenance)
- IT asset management
- Security administration
- Data management and disaster recovery (for continuity)
- Problem management (technical infrastructure and operations)
These controls must be exhibited for every component that comprises a financial reporting system.

Change management, IT asset management and Sarbanes-Oxley


Let's look specifically at the first two types of general IT controls.
Change management and IT asset management are the two practices that can deliver the biggest and
quickest potential gains, both in Sarbanes-Oxley compliance and in reduced costs and improved
efficiency.
Change management
PCAOB standards require that controls be in place to document processes and procedures for
making changes to IT assets, such as applications, databases and servers, and that these changes will
not disrupt the organization's ability to create accurate and timely financial reports.
Implementing these change management processes can have a significant, positive impact:
- Assuring that transactions can only be initiated, modified or deleted by appropriate individuals
- Verifying that routine infrastructure changes, such as server maintenance and scheduled upgrades to financial systems, are defined, documented and secure
- Verifying that unplanned infrastructure changes, such as power outages, are defined, documented and secure
- Implementing a process for forwarding significant infrastructure changes to the internal Change Advisory Board for review and further documentation
IT asset management
A fully-implemented IT asset management practice helps safeguard IT assets that can have a material
effect on financial statements while also representing the financial value of those assets more
accurately. Because IT asset management addresses the full lifecycle of technology assets from both
an operational and financial point of view, asset value can be updated based on key events:
- Acquisition
- Deployment (particularly in the area of software licensing)
- Disposal
- General ledger reconciliation
IT asset management provides complete visibility into an enterprise asset portfolio at all times:
location, ownership, status and balance sheet value. IT asset management also provides control over
software compliance, making it easier to avoid purchasing unnecessary licenses and to spot rogue
applications that pose significant risks to IT operations.
It is important to note that ERP systems typically do not provide the level of operational and financial
granularity required to maintain an accurate view of current asset value. By implementing an IT asset
management practice, IT information and processes can be integrated with existing ERP processes,
creating direct links to fixed assets, procurement and human resources. This integration provides the
detailed financial information and documented processes critical to financial managers.
IT asset management can also help in the risk assessment and control activities required by the PCAOB.
As such, IT professionals should leverage the capabilities of IT asset management for proper
Sarbanes-Oxley 404 compliance.

The COSO framework: A compliance blueprint


Sarbanes-Oxley auditors have been at work in most companies, yet it still may not be clear how to
use automated processes such as change management and IT asset management to improve
efficiency, reduce the need for outside resources and lower the costs of Sarbanes-Oxley compliance.
This is the IT organization's major objective.
To help in this process, the PCAOB has identified a system called the COSO Enterprise Risk
Management - Integrated Framework, which can be used to establish and document internal controls.
The PCAOB's auditing standards define the "what" of Sarbanes-Oxley compliance, while the COSO
framework describes the "how." COSO provides a framework for establishing the necessary controls
and processes mandated by the PCAOB's auditing standards.
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, a non-profit
private-sector group of professional accounting associations. COSO's stated goal is improving
the quality of financial reporting through business ethics, effective internal controls and corporate
governance.
The COSO framework is based on establishing a comprehensive and interrelated set of controls that
are fully integrated into the management process and monitor the effectiveness of business operations.
The COSO framework has five basic components:
1. Control environment. Sometimes referred to as the "tone at the top," this involves senior
management's consistent communication of a company's integrity and ethical values
throughout the organization and how internal controls map back to those values.
2. Risk assessment. Risk assessment identifies the relative risks to a company's business
objectives. In the case of Sarbanes-Oxley 404 compliance, this means the risks to financial
reporting and the risks to IT assets.
3. Control activities. These are the policies, processes and procedures that address control
weaknesses and mitigate the identified risks.
4. Information and communication. Data gathered by the control activities must be processed
and communicated across the enterprise so that reports can be prepared, individuals can
properly discharge their responsibilities, and the tone at the top can be reinforced.
5. Monitoring. Internal control systems must be monitored and evaluated continuously for
maximum effectiveness. Such monitoring should be an integral part of how these control
systems are designed.
The COSO framework is mentioned extensively in the PCAOB's auditing guidelines. In fact, in many
cases the PCAOB simply refers to it as "the framework," an indication of its perceived importance.
Given the PCAOB's attitude toward COSO, chances are that an auditor will use the framework.
Therefore, IT professionals should be aware of COSO and the framework.
The following table shows some of the specific tasks required for using change management and IT
asset management practices to support the five components of the COSO framework.

Table 1: Using COSO to exhibit IT general controls

Control environment
  COSO component: Provides the foundation for internal control, including discipline and structure.
  Activities:
  - Organize a team of process owners

Risk assessment
  COSO component: The identification and analysis of relevant risks to achieving the business objectives, enabling risk management.
  Activities:
  - Determine which IT processes (for example, asset management or change management) introduce risk
  - Assess process maturity, key success factors, key performance indicators, etc.

Control activities
  COSO component: Includes approvals, verifications, reconciliations and reviews for implementing directives and mitigating risk. Other frameworks can be used to help demonstrate controls in this area, including ITIL, COBIT and ISO 17799.
  Activities:
  - Use assessment results to implement new process controls to mitigate risks
  - Document new processes, risks and controls
  - Use repeatable processes throughout the organization

Information and communication
  COSO component: The flow of information enables people to carry out control actions and provide feedback to management.
  Activities:
  - Communicate responsibilities for maintaining processes and controls
  - Communicate new processes throughout the organization

Monitoring
  COSO component: Ongoing assessment in which control deficiencies are reported upstream, with serious matters going to top management and the board.
  Activities:
  - Monitor controls continuously, in near real time, through KPIs
  - Use self-assessments annually

Other IT framework options: COBIT, ITIL and ISO 17799


Although COSO is often used as an overarching framework, IT organizations should also show how
they are using other, IT-specific frameworks as part of managing the business.
COBIT, ITIL and ISO 17799 are other examples of control frameworks for change management and
IT asset management. COBIT (Control OBjectives for Information and related Technology), ITIL (IT
Asset Library) and ISO 17799 generally refer to Control Activities (COSO component #3): they help
define the controls that are in place and identify control weaknesses.
These control frameworks are not designed to be alternatives to COSO; rather, they work within the
COSO framework for compliance in their specific areas. COBIT deals with overall IT processes, ITIL
covers IT service and software asset management, and ISO 17799 addresses security.
For instance, ITIL processes are well-known and accepted, so the implementation of a set of change
management controls specified by ITIL would likely satisfy an auditor checking for Sarbanes-Oxley
404 compliance relating to control activities.
The following table shows the specific objectives, risks and activities involved in implementing
COSO-related controls and documentation using IT asset management.

Table 2: Using IT asset management for implementing COSO controls

Business process: IT asset procurement
  Owner of control: VP, IT Asset Management
  Illustrative objective: IT assets are procured using corporate guidelines and are accounted for accurately.
  Risk:
  - Employees procuring assets outside of corporate guidelines will affect corporate asset reporting on the balance sheet
  - Tax basis for hardware assets might be underestimated
  Control activity:
  - Documented procurement policies
  - Centralized request and procurement system
  Information and communication: Communicate the resulting data and documentation to everyone concerned.
  Monitoring: Monitor performance and make necessary adjustments.

Business process: Software license management
  Owner of control: VP, IT Asset Management
  Illustrative objective: Copies of software are procured using corporate guidelines; software licenses are accounted for accurately.
  Risk:
  - Employees procuring or installing software outside of corporate guidelines will likely result in illegally duplicated software being acquired
  - Licenses not accurately accounted for can result in fines
  Control activity:
  - Documented software license policies
  - Automated software discovery and license reconciliation
  - Routine software audits
  Information and communication: Communicate the resulting data and documentation to everyone concerned.
  Monitoring: Monitor performance and make necessary adjustments.

Business process: IT asset disposal
  Owner of control: VP, IT Asset Management
  Illustrative objective: IT assets are disposed of using corporate guidelines.
  Risk:
  - Software licensing
  - Proprietary data
  - Embedded login credentials
  - Environmental Protection Agency regulations
  - Data privacy regulations
  Control activity:
  - Documented disposal policies
  - Centralized disposal request system
  - Automated software license recycling
  Information and communication: Communicate the resulting data and documentation to everyone concerned.
  Monitoring: Monitor performance and make necessary adjustments.

Summary
For CIOs and other IT professionals, taking a wait-and-see attitude about Sarbanes-Oxley
compliance is no longer an option. The time to act is now. Section 404 compliance, as defined by
the PCAOB auditing standards, is the most critical Sarbanes-Oxley issue facing large companies and
their IT organizations.
In order to meet the PCAOB's compliance standards, companies must:
- Exhibit controls over the IT components that make up financial reporting systems
- Safeguard IT assets, particularly if those assets make up a significant percentage of total capital assets
Sarbanes-Oxley and the PCAOB standards clearly justify implementing strong general IT controls,
such as change management and IT asset management. Implementing these controls delivers benefits
that go far beyond simply surviving a Sarbanes-Oxley audit. They provide opportunities for improving
processes and reducing costs, redundancies, complexity and waste.

As a blueprint for implementing these controls, the PCAOB has virtually mandated using the COSO
framework. Through COSO, companies can establish a comprehensive and interrelated set of
controls that are fully integrated into the management process and monitor the effectiveness of
business operations.
The COSO framework's five basic components are:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
Other frameworks, such as COBIT, ITIL and ISO 17799, can work in conjunction with COSO to
demonstrate control activities.
Finally, meeting the Sarbanes-Oxley 404 compliance standards is the most likely way to avoid
auditing issues. But it's also important to follow the spirit of the law: the government wants to see
proper controls and wants to see that companies are adopting the PCAOB standards as a part of their
culture. This is most clearly reflected by the "tone at the top," management's consistent communication
of its commitment to the process.

Research Resources
Sarbanes-Oxley Act of 2002. US Congress.
Public Company Accounting Oversight Board Bylaws and Rules - Standards - AS2. The Public Company Accounting Oversight Board.
Guide to the Sarbanes-Oxley Act: IT Risk and Controls Frequently Asked Questions. Protiviti.
The Importance of IT Controls to Sarbanes-Oxley Compliance. IT Governance Institute.
Taking Control, A Guide to Compliance with Section 404 of the Sarbanes-Oxley Act. Deloitte & Touche LLP.
IT Control Objectives for Sarbanes-Oxley. IT Governance Institute.
COBIT Framework, 3rd Edition, July 2000. COBIT Steering Committee & IT Governance Institute.
Customer interviews.

For more information


www.managementsoftware.hp.com

© 2006 Hewlett-Packard Development Company, L.P. The information contained
herein is subject to change without notice. The only warranties for HP products and
services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an
additional warranty. HP shall not be liable for technical or editorial errors or
omissions contained herein.
4AA0-6568ENW, June 2006
