While perusing a draft of "IT Control Objectives for Sarbanes-Oxley, 2nd Edition", I discovered several profound statements in the section on compliance and IT governance: "There is no such thing as a risk-free environment, and compliance with the Sarbanes-Oxley Act does not create such an environment. . . . Good IT governance over planning and life-cycle control objectives should result in more accurate and timely financial reporting." This thinking lets today's IT auditors concentrate on the key controls that pose the most risk to financial reporting, rather than on those at the fringe.

The Sarbanes-Oxley Act was passed in 2002 to restore investor confidence after shareholders lost billions of dollars to accounting fraud at companies such as Enron, WorldCom and Tyco. In practice, SOX was an attempt to legislate quality control over the way publicly traded companies are managed day to day. The Securities and Exchange Commission (SEC) requires every publicly traded company to document, and an external auditor to attest, that adequate internal controls over financial reporting are in place, so that the financial statements filed with the SEC give investors a realistic picture of the business.

