What is the Sarbanes-Oxley Act?
Cutting to the chase and through the hyperbole, it is a law enacted in
2002 that legislates record retention and prescribes standards for
corporate accountability. The essence of the Act is internal controls
and corporate governance. IT auditing is an element of compliance, as
is the maintenance and administration of the systems supporting all
facets of compliance.
IT? What's the Connection?
Most of the resources discussing Sarbanes-Oxley lead in by citing recent
debacles, such as Enron, which may have been the catalyst, but certainly
were not precedents by any stretch of the imagination. For a precedent
in which IT did finally turn in corporate misdeeds you have to go back
to 1972 and review the Equity Funding scandal. The following excerpts
from an excellent series of articles by M. E. Kabay, published in
Network World Security Newsletter (01/21/02 and 01/23/02), spell out why
IT always has been an important part of the auditing process, and why
the requirements for ethics and whistleblower programs in the
Sarbanes-Oxley Act touch everyone in IT:
"The computer problems occurred just before the close of the
financial year in 1964. An annual report was about to be printed, yet
the final figures simply could not be extracted from the mainframe. In
despair, the head of data processing told the president the bad news;
the report would have to be delayed. Nonsense, said the president
expansively (in the movie, anyway), simply make up the bottom line to
show about $10 million in profits and calculate the other figures so it
would come out that way. With trepidation, the data processing chief
obliged. He seemed to rationalize it with the thought that it was just a
temporary expedient, and could be put to rights later anyway in the real
financial books.
The expected profit didn't materialize, and some months later, it
occurred to the executives at Equity that they could keep the stock
price high by manufacturing false insurance policies which would make
the company look good to investors. They therefore began inserting false
information about nonexistent policyholders into the computerized
records used to calculate the financial health of Equity.
By late 1972, the head of data processing calculated that by the end
of the decade, at this rate, Equity Funding would have insured the
entire population of the world. Its assets would surpass the gross
national product of the planet. The president merely insisted that this
showed how well the company was doing.
The scheme fell apart when an angry operator who had to work overtime
told the authorities about shenanigans at Equity. Rumors spread
throughout Wall Street and the insurance industry. Within days, the
Securities and Exchange Commission had informed the California Insurance
Department that they'd received information about the ultimate form of
data diddling: tapes were being erased. The officers of the company were
arrested, tried and condemned to prison terms."
[The above is by M. E. Kabay in the 01/21/2002 issue of Network World
Security Newsletter]
From the above, IT's responsibility for directly supporting
Sarbanes-Oxley compliance is clear - and it goes well beyond mere IT
auditing.
Where to Start?
'Manager's Guide to the Sarbanes-Oxley Act : Improving Internal Controls
to Prevent Fraud' is a good starting point for understanding what
Sarbanes-Oxley entails at a high level. Another basic book is
'What is Sarbanes-Oxley?'. You'll see the term internal audit
repeatedly when researching Sarbanes-Oxley, and a good starting point
for learning the basics of this function is
'The Internal Auditing Pocket Guide'. If you find yourself assigned
as a newly minted IT auditor
'Core Concepts of Information Technology Auditing' will get you
going in the right direction. Another book that covers IT auditing is
'Information Technology Control and Audit'. The latter goes into
more detail and is more suited for the working practitioner through to
intermediate level.
Once you have a basic understanding, I strongly recommend visiting
'Information Systems Audit and Control Association' and downloading
the free 84-page document titled "IT Control Objectives for
Sarbanes-Oxley." This document focuses on IT's role and
responsibilities.
For more general information, there is a commercial site that
provides news and updates on Sarbanes-Oxley issues,
'sarbanes-oxley.com/', as well as the Public Company Accounting
Oversight Board, 'pcaobus.org/', which provides rule-making
information and a means to comment on proposed rules.
Where Next?
Section 404 of the Act contains much of what is going to concern IT. I
recommend reading
'How to Comply with Sarbanes-Oxley Section 404 : Assessing the
Effectiveness of Internal Control' to drill down into the gory
details. Another useful resource is
'Internal Audit's Role in Corporate Governance: Sarbanes-Oxley
Compliance', which tersely covers each of the Sections of the Act,
and comes with a CD-ROM of editable templates that will save time.
This book is aimed more at the professional auditor, but will also give
IT professionals outside of the audit and internal controls domain
excellent insights.
'AuditNet' is a highly useful resource with a great deal of valuable
material in the Sarbanes-Oxley Audit Resource Center section of the
site.
Rounding out the general Sarbanes-Oxley resources is
'Sarbanes-Oxley and the New Internal Auditing Rules', which does
specifically cover IT issues, including ITIL and CObIT.
'Information Systems Audit and Control Association', previously
mentioned, is an excellent source of CObIT information.
This is a web-enabled world, so I strongly recommend reading
'Testing Web Security: Assessing the Security of Web Sites and
Applications', which takes an auditing approach to web security.
This book directly supports portions of Sarbanes-Oxley from an audit
perspective (although SOA is not mentioned in the book, the approach is
completely consistent with its requirements).
If you are an Oracle shop I strongly recommend getting a copy (or,
better, copies) of
'Oracle Privacy Security Auditing: Includes Federal Law Compliance with
HIPAA, Sarbanes Oxley & The Gramm Leach Bliley Act GLB'. This book
directly addresses how to use Oracle 9i facilities to achieve compliance
with parts of Sarbanes-Oxley.
End Notes
The following books will also indirectly support compliance efforts, and
are short reads that are thought-provoking:
- 'The Building Blocks Approach to Organization Charts',
'RoadMap: How to understand, diagnose, and fix your organization',
and 'Decentralization: Fantasies, Failings, and Fundamentals' will get
you thinking about how to most effectively build a healthy organization.
Healthy organizations foster ethics in the workplace.
- 'The Internal Economy: How to Apply Market Principles within
Organizations to Make Sense of Budgeting, Rate-Setting,
Project-Approval, and Accounting Processes', used in conjunction
with the above three books, will show how to build accountable
organizations at the department level.
- 'Outsourcing: How to Make Vendors Work for Your Shareholders' will
aid in critical decision making at the CxO level, which supports - to a
degree - corporate governance.