Through June 30, the IT Governance Institute (ITGI) will be looking for comments from professionals throughout the industry on the second edition of its IT Control Objectives for Sarbanes-Oxley, which is an update on the original version published in April 2004. This enhanced report contains more information on scoping and risk assessment based on lessons companies learned while moving toward compliance with the Sarbanes-Oxley Act of 2002 (SOX) over the past few years.
“I’m not entirely sure about the nature of the comments that will come back,” said Paul Zonneveld, a partner with Deloitte & Touche and co-author of the report. “My focus isn’t on trying to get a vast variety of comments. What we would like folks to do is have a look at what’s been amended in the document since the first version. We’re interested in knowing what’s helpful, and if we’ve provided enough context to the theoretical concepts to allow companies to apply them.”
Zonneveld said the first edition of IT Control Objectives for Sarbanes-Oxley was extremely popular, and added that more than half of all U.S. companies used it in some way. “The principal comments in the initial version are sound. The early guidance kind of sets forth a bit of a road map. Organizations that followed that approach are not going to find the second edition telling them that they missed a bunch of stuff. What it’s really intended to do is show what we’ve learned out of all the thousands of companies that have complied (with SOX). All of the guidance that’s provided in there is based on practical examples from companies that have actually had to apply this stuff.”
This expanded version is designed to help executive managers, IT managers, and IT control and assurance professionals deal with issues that frequently arise in SOX compliance, such as assessing the risk levels involved with all the IT systems in play in a given enterprise. “When people say, ‘You should take a risk-based approach,’ that’s nice to say, but how do you actually do it? And how do you do it in a way that’s defensible to your external auditors? How do we make this a more simplified, risk-based approach, and how would you apply that?”
As with the first edition, this updated publication will be available free as a download from the ITGI Web site and at a nominal fee for the print version.
For more information, see http://www.itgi.org.