What ERP systems can tell us about Sarbanes-Oxley

Purpose – To provide background for senior and middle management in information technology organizations who may be in the implementation phase of compliance for Sarbanes‐Oxley (SOX). As the information technology (IT) organization looks forward to additional compliance or other IT control frameworks such as COBIT, the paper can help construct a roadmap. Other audiences include senior management, accountants, internal auditors, and academics who may wish to evaluate the impact of SOX on the information technology organization.

Design/methodology/approach – SOX is surveyed to understand the four major compliance areas that must be supported in the IT organization. Recently published works are integrated into an evaluation of enterprise resource planning (ERP) research to identify several ongoing themes that point to practical advice for implementing SOX. The private sector of US business is saturated with ERP applications and provides a useful benchmark of what to expect with SOX compliance. The sections of...
