Database Trends and Applications: Trends and Applications

Finding Solutions to SOX Compliance in IT Architecture Planning

By Erik Masing
 

The Sarbanes-Oxley Act of 2002 has led us down the unlikely path from corporate ethics to IT implementations - demonstrating how inextricably linked business and IT are. Though SOX’s major provisions don’t mention IT controls explicitly, SOX has had wide-reaching implications for the IT department. Even audit results don’t reflect the enormous effort spent on IT in order to render an enterprise SOX-compliant.

The SOX provisions having the most relevance for IT call for CEO/CFO certification of financial reports, and assessment and disclosure of internal controls for financial reporting. The processing, storage and harvesting of the data that finds its way into financial reports, as well as the operation of the infrastructure and workflow systems supporting control-targeted business processes are performed under the auspices of IT. Thus, IT has the task of scoping SOX-relevant systems, eliminating any risks posed to the systems, continuously monitoring, documenting and assessing the SOX-relevance of system changes and reporting changes to the SOX project management office, as well as including the office in system change decisions.

When one considers that five percent of G2000 companies estimate that they spend more than 15 person-years annually on SOX compliance activities, according to the survey Sarbanes-Oxley Compliance Practices Within IT Organizations and Businesses, conducted by Gartner, one realizes the dire need for more efficient compliance processes.

SOX Brings Improvements

While SOX has put major strains on IT organizations, IT professionals are quick to admit that this “Clean up your Act” Act has brought about important improvements, notably:

  • Recognition of vulnerabilities in the IT area
  • Improved information system security
  • Better understanding and improvement of segregation of duties
  • Improved access controls and access monitoring
  • Improved test procedures and program change management
  • Improved processes to document policies, procedures, and controls

It has also given firms the ability to leverage the same technologies used for SOX compliance to support other compliance processes. Additionally, SOX has enhanced IT’s profile through recognition of its importance to business and has raised awareness for IT governance in calling for defined decision-making processes and documented plans; in this context, it has led to a more engaged control environment with active participation by board, audit committee, management and other stakeholders.

There are still benefits to be realized, as companies begin to understand that SOX compliance is not a one-time project, but an ongoing exercise in controls assessment in the evolution of a corporation’s IT landscape. In learning to anchor control processes and objectives in the IT architecture, enterprises will be able to identify and assess risk more effectively and achieve greater efficiencies in compliance control.
 
SOX Compliance and IT Architecture Planning

Strategic IT architecture planning involves goals, methodologies and processes that relate closely to the disciplines and objectives of a SOX compliance framework. Indeed, IT planning’s overriding goals are very similar to those of SOX compliance, making it a key cornerstone of an enterprise’s IT support in the context of SOX. SOX obligates a company to have a thorough understanding of its business processes - how they are executed (manually and/or IT-supported), how they are interrelated with each other and the impact of changes to business processes - with the goal of being able to identify and stem possible areas of risk.

It also obligates a company to be in complete control of its business processes - definition and documentation of the as-is state, a well-established change management process, communication among all stakeholders, and monitoring - with the goal of detecting non-compliant activity.
 
Consider how aspects of architecture planning can support an enterprise’s SOX compliance efforts:
 

  • Comprehensive Baseline Inventory: The architecture’s baseline inventory forms the foundation for IT planning. It profiles each artifact, describing in detail what the artifact is - technical element, business process, business object, cost, location - and all of its relationships to other artifacts. It shows interdependencies between the business, application and physical layers of the enterprise and enables insight into which processes and organizations are supported by which artifacts. Thus, the inventory provides the enterprise with the means to clearly define and document all SOX-relevant enterprise architecture elements and to easily drill down during planning or assessment phases to understand (possible) root causes of risk-loaded processes. Additionally, best practice architecture planning foresees an audit trail on each artifact clearly documenting the current level of information and enabling the auditor or user to understand changes to artifacts, providing a greater amount of control over events that could impact SOX compliance.

  • Business Demand Management: Enterprise architecture (EA)-based project planning begins with capturing business demands, comprehensive description of the demand, and thorough evaluation of the effects an implemented demand could have on existing business processes and IT elements. This process draws from the baseline inventory so that SOX-relevant objects used to fulfill the demand are immediately evident at an early stage in the IT planning process supporting proactive identification of impact to SOX-relevant processes. This extends to early assessments of the likely impact any change to SOX-relevant objects triggered by the demand may have.

  • Master Planning: Master planning, a key strategic EA planning discipline, relates the core artifacts of the business architecture with those of the application architecture. It is a visualization technique as well as a planning platform enabling quick comprehension of the impact of change in the IT environment: for example, the ability to identify that a key financial process (SOX-relevant) will be affected by the introduction of a new order-taking application.

  • Enterprise Architecture Management: EA management is essential for developing standards for enterprise IT. Enterprise architects channel reform programs into IT as standards and guidelines for the development of local solutions and service offerings. This has great significance for SOX compliance for, as an enterprise begins to take a more standardized approach, potential risks are better understood and mitigation strategies are developed more thoroughly and implemented more swiftly.

  • Collaboration: A good planning process will be highly collaborative and involve many stakeholders from design, implementation, quality assurance and deployment teams as well as stakeholders from strategic planning, business departments and finance. All of these stakeholders are widely distributed throughout the enterprise, each function having ownership of specific aspects and information of corporate processes. Collaboration attempts to draw all of the disparate parties into the discussion to gather all (SOX-relevant) information and consolidate it, ensuring its consistency. Additionally, collaboration ensures commitment to projects and promotes personal responsibility for risk awareness and control. A broader audience allows firms to optimize the number of controls and eventually increase auditability.

  • Evaluation / Conflict Analysis: As the IT architecture of an enterprise changes and develops, pending decisions often have a significant impact on the future ability of the enterprise to execute its business according to legal and other requirements. Decisions need to be based on comprehensive assessments that consider all of the relevant aspects of the issue at hand. One-off evaluations and ongoing assessments are necessary as management mechanisms. By unveiling the weaknesses of the architecture, threats to the enterprise can be identified and improvements instigated. Some examples of architectural aspects that can be analyzed are:
    • Efficiency and effectiveness of control-oriented business processes supported by applications
    • Risks associated with various elements in the business and/or IT architecture such as business processes, applications or project proposals
    • Standardization levels of applications and their technological underpinnings
    • Impact of proposed solutions on legal compliance
    • Alignment of submitted demands with corporate compliance goals

In order to achieve compliance, large organizations should design SOX checkpoints. The most efficient means is to have them integrated into the enterprise architecture planning process, using a system that supports automation of compliance maintenance. By doing so, organizations will ensure that they can proactively identify areas of concern, while maintaining a more controlled IT environment.

About the Author

Erik Masing is CEO of alfabet, a software provider of strategic IT planning and enterprise architecture management solutions. For more information about the company, go to www.alfabetinc.com.
