As time goes on, auditors will expect organizations to raise the bar with respect to the maturity and reliability of controls. They will expect more rigorous compliance with COSO and COBIT, better integration of business and technical controls, and even more proactive technical controls designed to detect or prevent some of the business activities prohibited by SOX (e.g., loans to officers). As it stands, organizations have a grace period while they continue to improve their compliance infrastructure. In the coming years, however, we can expect auditors to judge the effectiveness of controls by stricter adherence to these standards.
The solution is to accept the reality that SOX is here to stay, and that corporate and IT governance are best integrated in a common or consistent framework. The sooner organizations adopt such an approach, the better off they will be.
To learn more:
SOX refers to COSO and its Internal Integrated Control Framework as a method to achieve compliance.
The IT Governance Institute maintains COBIT.
The Information Technology Institute has a wealth of materials on COBIT and application of COBIT in SOX compliance.
Protiviti offers documents regarding audit practices and, in particular, an FAQ regarding SOX section 404 compliance.