
The application of SOX and ISO 38500 on IT governance in Germany

This is an extract of my university report in ICT Governance at Bond University.

Introduction

Due to several business scandals, such as Enron or Xerox, the Sarbanes-Oxley Act was enacted as a federal law in the United States in July 2002 in order to restore shareholder credibility in publicly traded companies in the US. This affected German companies that were listed on the US stock market as well as German subsidiaries of US companies.

SOX

SOX focused on financial reporting and governance, but it affected financial business processes as well as IT issues, since IT supports business processes, especially the financial processes.

Several frameworks and best practices, such as ITIL and COBIT, provided guidelines for making IT governance SOX compliant, but there was still no clear separation between IT management and IT governance.

ISO 38500

Therefore, ISO 38500 was released in 2008 in order to clearly define the term "IT governance" and to distinguish between IT governance and IT management. It clearly states that IT is the responsibility of the board (koeln-bonn.business, 2009).

How SOX and ISO 38500 are applied in IT governance in German companies is outlined in the following paragraphs.

The application of SOX

SOX directly affects German companies that are listed on the US stock market or are subsidiaries of US companies. But because SOX-compliant companies are more attractive to shareholders, several German companies applied SOX to remain competitive. SOX became a hype, especially for IT companies (ostler, 2005).

IT-relevant sections of SOX

SOX focuses on financial business processes, but there are several sections of SOX that influence IT governance as well.

Section 302: Corporate Responsibility for Financial Reports

The CEO and CFO certify that the financial statement is true, complete and accurate and that adequate controls over financial reporting and disclosure exist.

(Addison-Hewitt-Associates, 2004)

Section 404: Management Assessment of Internal Controls

Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures.

(Addison-Hewitt-Associates, 2004)

Section 802: Criminal Penalties for Altering Documents

Companies and their auditors must maintain accounting documents and work papers for a minimum of seven years.

(Addison-Hewitt-Associates, 2004), (Rasch, 2005)

Section 409: Real Time Issuer Disclosures

Publicly traded companies must immediately report any changes in financial conditions or reporting to the investors.

These disclosures are to be presented in terms that are easy to understand, supported by trend and qualitative information or graphic presentations as appropriate.

(SOX-Online, 2003)

The influence of these sections on IT

The application of SOX was connected with a lot of risk and high costs for German companies. Some companies considered withdrawing from the US stock market. Because of a lack of skilled personnel for internal controls, a lack of sufficient risk management and workflow control, high implementation costs and an insufficient degree of maturity of the internal IT, IT outsourcing became a way of trying to transfer costs and risks in particular to external IT providers (James As. Hall, 2007).

SOX therefore directly affected IT outsourcing decisions.

In order to achieve compliance with these sections, a lot of companies used frameworks such as ITIL and COBIT to align their IT with the business goals.

ITIL is very well accepted in Germany, but is this due to SOX compliance? A survey by serview Germany that included 200 ITIL and non-ITIL users with a turnover of 50 million stated that ITIL did not have any significant influence on the companies' compliance alignment, IT security or sourcing.

On the contrary, all of them stated that ITIL adoption leads to a significant improvement in process quality. 71% of ITIL users, in contrast to only 61% of non-ITIL users, considered their IT cost-effective (serview, 2010).

EuroSox


Conflicts between existing European laws and US SOX

The application of the Sarbanes-Oxley Act sometimes led to conflicts with national law, for example in Switzerland. It violated company obligations to maintain confidentiality, data protection acts, banking secrecy and stock exchange acts (wildhaber-consulting, 2002).

In Germany, in contrast to SOX, the board of directors could not be held personally responsible for incidents in their businesses.

Therefore, the European Union passed the EuroSox law. By July 2008, the EU law had become national law in European countries. It affected European corporate enterprises and companies of public interest (Grün, 2008).

EuroSox was meant to bring European and US reporting standards to the same level. Therefore, EuroSox had consequences for the IT governance of German companies similar to those of SOX in the US (Grün, 2008).

For example, there are the following requirements:

IT must always be capable of making all relevant data available and visible to key stakeholders, and it must be able to detect any breach of rules regarding SOX.

This meant that German companies had to introduce control mechanisms and risk management, as well as documentation for all processes that are relevant to the financial statement.

It was therefore important to know where data is created and where application-to-process touchpoints occur.

The entire IT landscape, processes and infrastructure of companies had to be reviewed.

Possibilities of process and data manipulation have to be prevented across the entire IT infrastructure. This includes software maintenance, the integration of new software and change management (Grün, 2008).

Example: no single user should be able to start a cash-flow process alone. If the size of the company does not permit this, it has to be stated in the process documentation.

To ensure the quality of all relevant data, all business cases with a significant impact on financial reporting must be identified. Then controls have to be defined and implemented that provide a prompt and accurate image of these business cases.

(ostler, 2005)
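The dual-control rule above (no single user starts a cash-flow process alone) together with the requirement that breaches of the rules be detectable can be implemented as a small segregation-of-duties check with an append-only audit trail. The following Python is an added example, not code from the report or from any of the frameworks it cites; the user names, payment ids and amounts are constructed for illustration.

```python
"""Four-eyes (dual-control) release of a cash-flow transaction.

Added example with constructed data: users, payment ids and amounts are
hypothetical. It demonstrates the control described in the text: a payment
needs a second, distinct person before it can be released, and every
decision (including blocked attempts) is written to an append-only audit
log so that a breach of the rule can be detected afterwards.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


class ControlViolation(Exception):
    """Raised when a segregation-of-duties rule would be broken."""


@dataclass
class AuditEntry:
    when: str        # UTC timestamp of the decision
    actor: str       # user who attempted the action
    action: str      # what happened (INITIATE, APPROVE, RELEASE, REJECTED_*)
    payment_id: str
    detail: str = ""


@dataclass
class Payment:
    payment_id: str
    amount: float
    initiator: str
    approver: Optional[str] = None   # must differ from initiator
    released: bool = False


class PaymentLedger:
    """Payments plus an append-only audit trail (never edited, only appended)."""

    def __init__(self) -> None:
        self.payments: Dict[str, Payment] = {}
        self.audit: List[AuditEntry] = []

    def _log(self, actor: str, action: str, payment_id: str, detail: str = "") -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(stamp, actor, action, payment_id, detail))

    def initiate(self, actor: str, payment_id: str, amount: float) -> Payment:
        if payment_id in self.payments:
            raise ControlViolation(f"duplicate payment id {payment_id}")
        payment = Payment(payment_id, amount, actor)
        self.payments[payment_id] = payment
        self._log(actor, "INITIATE", payment_id, f"amount={amount}")
        return payment

    def approve(self, actor: str, payment_id: str) -> Payment:
        payment = self.payments[payment_id]
        if actor == payment.initiator:
            # Preventive control: the initiator cannot be the second pair of eyes.
            self._log(actor, "REJECTED_SELF_APPROVAL", payment_id)
            raise ControlViolation("initiator may not approve their own payment")
        if payment.approver is not None:
            raise ControlViolation("payment already approved")
        payment.approver = actor
        self._log(actor, "APPROVE", payment_id)
        return payment

    def release(self, actor: str, payment_id: str) -> Payment:
        payment = self.payments[payment_id]
        if payment.approver is None:
            # Preventive control: no release without a second person's approval.
            self._log(actor, "REJECTED_UNAPPROVED_RELEASE", payment_id)
            raise ControlViolation("payment not approved by a second person")
        payment.released = True
        self._log(actor, "RELEASE", payment_id)
        return payment

    def violations(self) -> List[AuditEntry]:
        """Detective control: every blocked attempt recorded in the trail."""
        return [entry for entry in self.audit if entry.action.startswith("REJECTED")]


def demo() -> dict:
    """Run the control on constructed sample transactions and summarise."""
    ledger = PaymentLedger()
    ledger.initiate("alice", "PAY-1", 12500.0)
    try:
        ledger.approve("alice", "PAY-1")      # self-approval is blocked
    except ControlViolation:
        pass
    ledger.approve("bob", "PAY-1")            # a second person approves
    ledger.release("alice", "PAY-1")          # release now permitted

    ledger.initiate("carol", "PAY-2", 800.0)
    try:
        ledger.release("carol", "PAY-2")      # release without approval is blocked
    except ControlViolation:
        pass

    return {
        "pay1_released": ledger.payments["PAY-1"].released,
        "pay2_released": ledger.payments["PAY-2"].released,
        "violations": len(ledger.violations()),
        "audit_entries": len(ledger.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `violations()` is the detective half of the requirement: the preventive checks stop a single person from completing the process, and the audit trail lets a reviewer later list every attempt that was blocked, which is what an auditor assessing the control under Section 404 would ask to see.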

The most important EuroSox regulations that German companies had to comply with were:

· Control of the IT infrastructure, organisation, application development and data administration

· Monitoring and control of logical security, physical connections and environment-based security

· Planning for the long-term preservation of IT operations and creation of an emergency plan

· Supervision of system maintenance, further development, change management and data of everyday business processes

· Archival storage of relevant data and documents

All these monitoring and control processes are continuous and must always be present.

ISO 38500

ISO/IEC 38500 is a standard for the corporate governance of information technology and has its roots in Australia. It provides a clear line of separation between IT governance and IT management. Unfortunately, the term "IT governance" is often used for management domains rather than board responsibilities.

It seems that ISO 38500 was very welcome in Germany, since it clearly transferred IT responsibility to the management board, which enabled IT to be more clearly aligned to the business goals of the companies (koeln-bonn.business, 2009). However, I could not find any information about its adoption in Germany.

Libraries and frameworks such as ITIL and COBIT, however, clearly support its mentality and provide guidelines on how to structure, run and set up the IT processes themselves and align them with the business side.

Unfortunately, ISO 38500 is a standard of guidelines that affects internal structures, for which there is no accredited way to certify a company (as there is for ISO 9001, to give just one example) (Fischlin, 2009).


Literature

Addison-Hewitt-Associates, 2004. Sarbanes-Oxley Act Section 302. [Online] Available at: http://www.soxlaw.com/s302.htm [Accessed 1 February 2010].

Addison-Hewitt-Associates, 2004. Sarbanes-Oxley Act Section 404. [Online] Available at: http://www.soxlaw.com/s404.htm [Accessed 1 February 2010].

Addison-Hewitt-Associates, 2004. Sarbanes-Oxley Act Section 802. [Online] Available at: http://www.soxlaw.com/s802.htm [Accessed 1 February 2010].

Fischlin, R., 2009. xing forum. [Online] Available at: http://www.xing.com/net/itg/it-governance-entwicklungen-chancen-risiken-2147/meinung-und-erfahrungen-zur-iso-38500-corporate-governance-of-information-technology-22044804/23405772/ [Accessed 2 February 2010].

Grün, A., 2008. computerwoche. [Online] Available at: http://www.computerwoche.de/management/compliance-recht/1856662/ [Accessed 2 February 2010].

James As. Hall, S.L.L., 2007. springerlink. [Online] Available at: http://www.springerlink.com/content/85jxg63w1725222g/ [Accessed 2 February 2010].

koeln-bonn.business, 2009. koeln-bonn.business-on.de. [Online] Available at: http://koeln-bonn.business-on.de/begriff-it-governance-standard-iso-iec-_id19909.html [Accessed 2 February 2010].

ostler, u., 2005. silicon.de. [Online] Available at: http://www.silicon.de/cio/wirtschaft-politik/0,39038992,39173435,00/gut+gemeint+und+teuer+sox+in+it+und+organisation.htm [Accessed 2 February 2010].

Rasch, M., 2005. Sarbanes Oxley for IT Security? [Online] Available at: http://www.securityfocus.com/columnists/322 [Accessed 2 February 2010].

serview, 2010. serview. [Online] Available at: http://www.serview.de/allgemein/presse/serview-nachrichten/itil-unterschied [Accessed 2 February 2010].

SOX-Online, 2003. The Vendor-Neutral Sarbanes-Oxley Site. [Online] Available at: http://www.sox-online.com/act_section_409.html [Accessed 2 February 2010].

wildhaber-consulting, 2002. wildhaber consulting. [Online] Available at: wildhaber.com/english/files/SOX%20Grundlagenartikel.pdf [Accessed 2 February 2010].
