The Sarbanes-Oxley Act of 2002 resulted from the outrage at the unethical behaviour of business organizations involved in financial frauds. The Act was enacted to prevent such unethical behaviour by business enterprises (Has Sarbanes-Oxley Made a Dent in Corporate America’s Armor?). Complying with the Sarbanes-Oxley Act has not been easy for business organizations, as it has turned out to be expensive as well as time-consuming (Callaghan, 2004). Though the Sarbanes-Oxley Act targets unethical financial behaviour, complying with the Act in essence focuses on how financial information is recorded, tracked, and disclosed, placing a large onus on information technology and its management in a business organization (Worthen, 2003).
Complying with the Sarbanes-Oxley Act is of critical importance, as failure to do so carries the risk of high financial penalties and severe damage to the standing of a business enterprise. These factors have made compliance with the Sarbanes-Oxley Act an essential objective of the business enterprise and its information technology (IT) arm (Cote, 2008). According to Worthen (2003), the changes that managers of IT face as a result of the Sarbanes-Oxley Act lie in how the IT department “manages data, ensures security, and protects privacy”. This means that effective IT controls and compliance initiatives have to be put in place by the IT managers to ensure that the required standards to prevent inaccurate financial information are in place (Cote, 2008).
Preventing inaccuracies calls for the reduction of the human element, and so IT managers will have to increase the level of automation in the handling of information to mitigate inaccuracies arising from human error. Evaluation of the IT controls, adjustment of the controls, and the functioning of the dissemination of information will be other continual changes for IT managers. The next required management input in the IT department is the self-assessment of the critical control processes to ensure that they remain on track for effective compliance. Compliance needs to be looked upon as an opportunity for effecting necessary changes (Cote, 2008). For example, IT has remained under the remote control of other departments like finance, and compliance provides an opportunity to shake these shackles off and for IT to become its own master (Nash, 2007). Complaints that compliance involves large costs lay the onus on the IT managers to be cost-effective in putting in place the required infrastructure, which means being practical rather than idealistic. For example, the use of metric tools becomes necessary, as what needs to be measured should be visible and measurable. The use of other measuring tools is only a waste of money. Finally, IT managers must realize that additional benefits accrue from the changes brought about for compliance, which offer better overall security in the environment, enhanced operational efficiency, and improved system performance (Cote, 2008).
Some of the key grey areas that continue to exist in the impact of the Act on the IT department are whether the controls should be manual or automated, oversight for making application changes, and the creation of audit logs. The grey area in control concerns the processes that have to be put in place, such as when people in the organization change divisions and require access to applications in keeping with their new job responsibilities. As per the Act, oversight is the responsibility of quality control and not the systems administrator, leading to confusion on the control of oversight. Finally, it is not easy to prove that an audit has been performed, though maintaining audit logs may be a solution (Worthen, 2005).
Callaghan, D. (2004). Sarbanes-Oxley: Road to Compliance. Web.
Cote, B. (2008). Failed Audit?
Has Sarbanes-Oxley Made a Dent in Corporate America’s Armor? (2004).
Nash, K. S. (2007). Why, Five Years After Sarbanes-Oxley Became Law, IT Executives Are Better Off. Web.
Worthen, B. (2003). Sarbanes-Oxley: The IT Manager’s New Risks and Responsibilities. Web.
Worthen, B. (2005). The Top Five IT Control Weaknesses. Web.