Sarbanes-Oxley Act Essay

Implementing Sarbanes-Oxley within an Environment: Understanding the controls used to implement Sarbanes-Oxley within an environment

Recent high-profile corporate scandals (Enron, WorldCom, Tyco, Arthur Andersen and others) have shattered the trust of shareholders, legislators and governments in major publicly traded companies, and have raised concerns about the state of corporate governance not only in the United States but also in other countries. The United Kingdom is not immune to this wave of business fraud, corporate scandals, legislative change and constraints on the corporate environment. Following the bankruptcy filings, the US government took immediate action to prevent future fraud by enacting the Sarbanes-Oxley Act of 2002 (SOX), administered by the Securities and Exchange Commission (SEC). Similar restrictions and legislation have also been adopted in the UK, in an effort to stop fraudulent acts from spreading to the other side of the Atlantic through multinational public companies trading in the UK. SOX is legislation designed to eliminate financial fraud and misstatements by greedy executives, unethical corporate practices and non-transparent business transactions.

While SOX has redefined the roles, responsibilities and expectations of boards of directors and of internal and external auditors, it has also reformed practices within organisations. At the heart of the enactment of SOX is the implementation of controls to supervise senior management, so as to secure accurate financial reporting information. Two major requirements of SOX are the disclosure of material events and of contingent liabilities (Rasch 2005). For this purpose, the role of information technology security has been enhanced, as it is expected to guarantee transparency in decision-making and reliability and integrity in the system of disclosure. Yet IT experts are of the view that IT has an ill-defined role in making SOX effective. IT security in the SOX context is limited to enhancing the reliability and integrity of reporting; it does not contribute to the prevention of fraud or unethical corporate behaviour. It cannot prevent senior management from engaging in financial misstatements, nor can it stop executives from overriding organisational controls and procedures. The questions that arise, then, are: what is the role of IT under SOX? What are the scope, narrative and control matrix for IT professionals within a SOX environment? Are the frameworks for SOX implementation effective in achieving SOX objectives? Before the researcher attempts to answer these questions, a brief background to the emergence of SOX, and why it is needed, must be explored.

The turn of the century saw a series of corporate scandals at companies such as Enron, WorldCom and Tyco. Their executives had been involved in unethical corporate practices that affected shareholders and stakeholders alike. Enron and WorldCom filed for bankruptcy (and others followed suit) as a consequence of fraudulent accounting practices and executive greed. Before the issues surrounding Enron and WorldCom were resolved, Arthur Andersen, the auditing firm, was charged with malpractice, particularly over the non-disclosure of fraudulent financial transactions and reporting. At the time, not only the ethics of corporate executives came under scrutiny; the gatekeepers of the same companies, namely the auditors, were also questioned about their ethical conduct. The environment of corporate America had become scandalised. The public had become concerned and demanded immediate reforms to stop more firms from engaging in similar practices. The demand for vigilant corporate governance, in the form of policies as well as law, increased. The collusion of financial reporting fraud and audit fraud led to the demand for provisions that would keep tight control over accounting and auditing activities, and mandate compliance procedures requiring executive certification, independent audit, and provisions binding organisations to securities regulations (Romano 2005).

The approaching election, as well as an anxious public, pressured Congress to pass legislation to prosecute companies for fraud and to restore the standing of the American economy. The result was the enactment of the Sarbanes-Oxley Act of 2002. The Act, according to Rasch (2005), "imposes significant accounting and control requirements on U.S. publicly owned companies (and probably on foreign companies which are either traded on U.S. exchanges or which make up a significant portion of a U.S. company's financial reporting)." SOX addresses the Enron scandal by establishing controls that require paper trails of audit activities; it mandates auditor independence; it enhances corporate responsibility; it requires executive accountability; and, more importantly, it establishes control systems by setting a series of compliance policies (Rasch 2005).

Control refers to processes, in the business or IT environment, whereby internal controls over the generation, access, collection, storage, processing, transmission and use of financial information are governed by a set of guidance. To formalise this, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides guidelines for financial reporting processes and for the recording, storage and access of financial information. Similarly, for IT auditors, relevant guidelines, COBIT (Control Objectives for Information and Related Technology), were formed as an open standard established by the IT Governance Institute (ITGI) and the Information Systems Audit and Control Association (ISACA). In the UK, this type of internal control has been taken up by the IT Infrastructure Library (ITIL), published by the Office of Government Commerce (Rasch 2005).

The basic premise for adopting the SOX standard (in the UK or elsewhere) for internal controls over IT infrastructure is to ensure that the American predicament is not repeated, should similar conditions arise among UK corporations. After the American scandals, the government and the securities commission realised there was a great need for internal controls that emphasise disclosure, both of material events and of contingent liabilities, to prevent an impact on the bottom line. Furthermore, SOX is chiefly enacted for the purpose of setting standards for accurate financial reporting information. Since modern organisations rely heavily on information technology to transfer, store, access and process information, IT and its systems have to be dependable and reliable in order to support transparent transactions, certification and compliance.

However, before one can fully hold IT responsible for effective SOX compliance, one needs to understand that accurate financial reporting entails processes and elements that do not necessarily have a direct link to IT. For example, the decisions of the board of directors, top company officials, internal and external auditors, securities exchange authorities and so on ("Tighter Sarbanes-Oxley Called For" 2007) may not relate to IT at all. Similarly, the processes of risk assessment, control activities, monitoring, and information and communication form the basis for accurate financial reporting. IT facilitates these activities, but their accuracy does not depend on IT alone. For these reasons, SOX has established sets of compliance requirements and controls for companies to follow ("Caterpillar and Internal Controls" 2007). Although the details of these requirements do not make IT responsible for controlling fraud per se, they nevertheless enhance the role of IT departments and professionals within companies as gatekeepers. For example, Section 404 requires an assessment of internal controls, which in practice means that a recognised framework such as COSO must be implemented. In Chan's (2004) work, the author notes that the Public Company Accounting Oversight Board (PCAOB), which sets auditing standards under SOX, refers to IT as affecting a company's internal control over financial reporting. She writes:

"Because system processes and system-generated entries are an integral part of financial reporting, general IT and application controls should be documented and evaluated based on a disclosure and management assessment framework that is compatible with business-process mapping, to enhance consistency and quality. By the same token, the IT environment must be reviewed, along with the overall control environment, for the organization. Simply put, IT governance is an essential component of and contributor to financial governance." (Chan 2004). In this context, IT becomes the processing environment that holds many key controls critical for SOX compliance. However, before one can qualify an organisation as SOX compliant, its IT control activities need to meet specific criteria. Chan (2004), for example, points to the following assessment criteria:

a. IT-dependent business environment

b. IT processes significant to business activities

c. deficiencies in IT solutions

d. high risk due to computer operations

e. organisational processes, especially financial reports, dependent on computer processing

f. business based on enterprise-wide systems

g. financial application systems used for transactions, interaction and recording of accounts

h. dependence on IT processes for end-to-end enterprise business processes

i. IT processes managed by third-party outsourcers

Apart from the above, the ITGI considers the management of IT risks critical for IT governance and compliance. Risk, according to its report, exposes organisations to IT failures. IT-related risks affect the business by exposing it to operational crashes, security breaches or failed projects. Technical complexity, dependence on service providers, and the limitations of reliable risk-monitoring information systems result in improper governance and unmanaged risk. Implementing frameworks such as COSO produces readily usable enterprise risk management programmes. Furthermore, such frameworks provide guidance and direction for overcoming risks and for implementing corporate governance, new legislation, regulations and standards (ITGI 2005).

Chan (2004) further notes that SOX compliance means "reporting arising from the transaction level all the way to its final destination in the financial statements." The processes involved in disseminating that information depend on the manual and automated controls of the IT framework. For this reason, IT control weaknesses often result in poor compliance and accountability. IT controls, therefore, must be business-driven. More importantly, they must follow a standardised framework that separates common information from sensitive information, to minimise risk and to promote harmonisation of IT, internal audit, finance and business units. SOX does not require organisations merely to implement standard controls; rather, it encourages organisations to assess and evaluate internal controls so as to devise efficient and least intrusive control documentation, policies and methodologies (Chan 2004).

Having said that, experts (Kendall 2007; Carter 2007; Roth 2007) are of the view that SOX compliance is still at a rudimentary stage, as organisations in America and elsewhere are still grappling with its compliance mandates. Kendall (2007), for example, reports that organisations remain uncertain about what constitutes an effective system of control over financial reporting. The provisions of SOX do not provide guidance for the successful implementation of controls based on SOX mandates. As a result, companies rely on their own internal control assessments and testing to achieve control objectives relevant to SOX requirements, such as examining risks, creating an IT risk inventory, reducing controls, consolidating controls, standardising processes, monitoring changes and streamlining processes. Carter (2007) notes that CSA (control self-assessment) techniques are useful in identifying opportunities for improvement. The technique involves bringing together individuals from different business units of the organisation to gather information on company processes. The session encourages evaluation and redesign of processes to provide accurate and timely documentation, financial and otherwise. Roth (2007) notes that the ERM (enterprise risk management) approach implies that SOX compliance does not necessarily result in the prevention of fraud in the IT context. In fact, other frameworks are more effective in identifying, monitoring and evaluating risks associated with IT systems and processes.

As mentioned earlier, SOX does not really specify any framework for implementing internal controls. It merely refers to an internal control integrated framework. "Internal control" is just as ambiguous, as it means different things to different people. It is likely that miscommunication will occur as a result of differing expectations and perceptions of internal control for SOX compliance. For example, internal control, according to COSO, can be defined as "a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives" (COSO 2004). However, the composition of these elements and processes may differ from one organisation to another.

Furthermore, according to Damianides (2005), SOX legislation has created a great need for businesses to have IT internal controls in place, to ensure data reliability and the maintenance of ethical conduct. It requires processes to be aligned with Sections 302 and 404 of the Act. Section 302 places the responsibility for certifying financial statements and disclosures on CEOs (chief executive officers) and CFOs (chief financial officers), while Section 404 requires internal controls over financial reporting without actually outlining guidance or procedures for implementing them. The guidance has instead come from outside the Act: from COSO's internal control integrated framework for financial reporting, and from the ITGI's IT Control Objectives for Sarbanes-Oxley, which maps IT controls onto that framework (ITGI 2004).

The COSO framework is based on the following objectives:

– "Effectiveness and efficiency of operations

– Reliability of financial reporting

– Compliance with applicable laws and regulations"

Thus, internal control is a process, effected by people, that is expected to provide reasonable assurance of the achievement of objectives in one or more overlapping categories (Damianides 2005). The auditing standards of the Public Company Accounting Oversight Board (PCAOB) recognise the COSO framework, which addresses issues related to:

"* Segregating accounting duties.

* Developing effective boards and audit committees.

* Managing with wider spans of control.

* Implementing sound information technology controls.

* Documenting the design and operation of controls." (Rittenberg, Martens and Landes 2007).

The COSO framework also outlines principles and components for effective risk management processes, which is why it is often confused with ERM (enterprise risk management). The COSO implementation process involves identification, assessment, response and the establishment of controls aligned with the organisation's strategic plans. The framework emphasises enterprise risk management responsibilities and activities that would result in achieving organisational objectives. To ensure that management processes are in place and function in accordance with SOX compliance, an integrated framework can be set up based on COSO guidance. It encourages the identification of risk, the assessment of the company's strategies, and investment in an internal control framework, such as investing in effective ERM, establishing effective technology controls and linking them to financial reporting. COSO implementation differs from other internal control frameworks in that it is broader and incorporates concepts from various risk management strategies, structures and techniques. It requires both external and internal control over financial reporting for SOX Section 404 compliance. As a result, not only the board of directors but also management executives, along with the CFO and CIO, become part of the disciplines and procedures for establishing an internal control framework (COSO 2004). On the other hand, failure to implement COSO properly may result in a non-systematic approach to controls or an incomplete set of controls, and a weak and inefficient control environment, which may in turn result in inadequate processes and reporting (ITGI 2006). According to COSO (2004), the ERM integrated framework significantly reduces risks for all types of industries, as it recognises effective enterprise risk management processes and applies them in the context of strategic development. According to Ramos (2004), the COSO framework divides IT controls into general computer controls and application-specific controls. The ERM framework, for its part, requires "ongoing feedback of information from throughout the company" (COSO 2005) to support risk assessment.

Similarly, the ITGI also developed COBIT (Control Objectives for Information and related Technology) to address the need for frameworks that deal with IT issues and provide guidance for IT professionals. COBIT covers the provision of information for achieving organisational objectives, and the management of IT processes and resources. The framework provides a standardised guidance resource for structuring IT controls to comply with Section 404 of SOX (Damianides 2005). COBIT thus represents a collection of documents that provide guidance for IT governance, control and assurance. According to the ITGI (2006) report on COBIT, it is a framework against which other frameworks can be compared, and it provides guidance for process compliance and improvement. The role of IT is magnified under this framework, as it addresses IT issues by mapping IT activities to business drivers and by outlining the risks of non-compliance, such as:

"• Misaligned IT services, divergence

• Weak support of business goals due to misalignment

• Wasted opportunities due to misalignment

• Persistence of the perception of IT as a black box

• Shortfall between management's measurements and expectations

• Know-how tied to key individuals, not to the organisation

• Excessive IT cost and overhead

• Erroneous investment decisions and projections

• Dissatisfaction of business users with IT services supplied" (ITGI 2006).

Under the COBIT framework, organisations must satisfy the quality and security requirements of their information systems in all assessments. Management has the principal role in optimising IT resources through the use of applications, infrastructure and personnel. The process involves entrusting responsibilities and the achievement of objectives throughout the organisation, through an enterprise-wide IT architecture. Unlike the COSO framework, COBIT provides good-practice guidance for the domain processes within the framework, including specifying activities and executing processes. However, its main focus is on internal control rather than merely on execution, as COBIT identifies control objectives for planning and organisation; acquisition and implementation; delivery and support; and monitoring and evaluation, to be integrated within the IT infrastructure. This ensures that an internal control system is in place within the IT environment (ITGI 2006).

In line with the above, ISO 17799 has also been established to measure security controls within an IT environment. ISO 17799 emerged as the Information Security Code of Practice from the UK's Department of Trade and Industry and was revised by the British Standards Institution in 1995 (as BS 7799). It underwent many changes before reaching its present form (it was renumbered ISO/IEC 27002 in 2007). The document outlines a set of standards covering organisational security, asset classification and control, personnel security, physical and environmental security, access control, system development and maintenance, business continuity management and compliance (ISO 27002 Central 2007). In addition to ISO 17799, a second part, BS 7799-2 (revised in 2002 and later adopted as ISO/IEC 27001), was published to add the specification for an Information Security Management System (ISMS). This part deals with the measurement, monitoring and control of security management (ISO 27002 Central 2007). ISO 17799 implementation involves organising different areas of the business within its framework. For example, it sets objectives to ensure that business activities and processes are not disrupted, by developing system access control for information, preventing unauthorised access, securing the network, preventing unauthorised computer access, and ensuring that information security is in place for mobile computing. Furthermore, ISO 17799 also has provisions for system development and maintenance that ensure operational systems, data application systems, and confidentiality and integrity frameworks. Under the ISO 17799 framework, controls are selected on the basis of legal and business requirements, the cost of implementation and the potential impact of a security breach (ITGI 2006). The ISO 17799 framework not only ensures compliance through security, but also extends to external controls that avoid breaches of criminal or civil law and of statutory, regulatory and contractual obligations (ISO 27002 Central 2007). Overall, the organisation's security is the main objective of ISO 17799. However, in terms of SOX compliance, this framework is limited, as it focuses on IT control implementation alone (ISO 17799 and Computer Security News 2007). Even though it does not relate to SOX in its entirety, non-compliance exposes companies to information disclosure risks, such as loss of confidence and trust; incomplete risk assessment; lack of security awareness within the organisation, in third-party interaction and in dealings with the organisation; and flawed procedures (ITGI 2006).

ITIL is another framework, based on a series of eight books that outline best practice for IT service management. It was established by the Central Computer and Telecommunications Agency (CCTA), now part of the British Office of Government Commerce (ITGI 2006). ITIL defines service processes, quality, objectives and the implementation of controls for the IT organisation. The books are guides for addressing effective IT function through the operation and maintenance of existing systems; the development of new systems; and the adjustment of service delivery to the evolving needs of the business. The key concepts that ITIL addresses are holistic IT service management and customer orientation. Its processes cover incident, problem, configuration, change and release management, alongside best practices such as service level management, financial management for IT services, capacity management, business continuity and availability management. Non-compliance results in error-prone support processes (ITGI 2006).

Despite the presence of these frameworks (and many others), there is no guarantee against the exposure of financial reporting to data risks. According to Brown and Nasuti (2005), adopting these frameworks does not necessarily mean SOX compliance, as the outcome depends on the company's ability to identify, choose and implement the particular framework(s). They are of the view that the frameworks adopted contribute towards the strategy, architecture and planning of IT processes and enable executives to manage, anticipate and assemble technologies and methodologies for continuously improving the IT environment, but they do not help prevent fraud. Although the Section 404 internal control mandate binds only publicly traded companies, private companies have also adopted SOX-style internal control environments, though their processes may differ from firm to firm. The choice of a particular framework therefore depends on how well the IT infrastructure is aligned with the business objectives, the challenges it poses to IT governance, systems development and competencies, and change management initiatives. It also depends on the implementation of risk management approaches and the ways in which organisations identify success factors for implementation.

SOX complexity does not end with the choice of framework or the consequences of non-compliance. The SOX audit is an area that has raised major concerns among auditors. Auditors had traditionally also provided bookkeeping, financial information systems design, valuation, investment, legal and actuarial services related to managerial functions and investment activities. Yet SOX provisions, according to Tackett, Wolf and Claypool (2006), prohibit such consulting activities by independent auditors. The restriction extends to management's assessment and the attestation of its effectiveness. The basic premise for these restrictive provisions is to stop independent auditors from assisting management in establishing internal controls over management processes, delegation and responsibilities. SOX compliance does allow for corrective feedback, testing of activities and assistance in the approval of processes, but it does not provide for intervention by independent auditors. As a result, management's assessment must be performed by management itself, with help from non-audit consulting providers where needed, rather than by the independent auditor. SOX also requires auditors to provide one report on the financial statements and, under the PCAOB auditing standard then in force, two relating to ICOFR (internal control over financial reporting): one on management's assessment and one on the effectiveness of the controls themselves, so as to ensure that the reports are independent and may contain an unqualified opinion on internal control over financial reporting.

The enactment of SOX has demonstrated that there is a great need to improve corporate responsibility and restore investor confidence in US public companies. The setbacks caused by corporate scandals intensified the need to establish regulations that apply strict rules for accountability, disclosure and reporting (ITGI 2004). The emphasis on Section 404 requires senior management and business owners to reconsider their present internal control structure. As compliance with SOX means redesigning the internal control structure, in which IT nowadays plays a critical role in financial reporting processes, organisations are gradually coming to appreciate the mandates outlined by SOX. However, for the majority there is still a gap that SOX has not addressed: IT's role in SOX. Although SOX does not clearly identify IT control as part of SOX compliance, IT has nevertheless become an evidently critical internal control, since without IT systems, data and infrastructure components financial reporting would be incomplete. This distinction leads the researcher to conclude that IT has the critical role of laying the foundation for internal control for SOX compliance. This follows from the fact that modern organisations use information technology and its systems to establish control over financial reporting. IT internal control is synonymous with gatekeeping and, in essence, meets the requirements of SOX.

Given the above rationale and background, the researcher proposes research in the following contexts:

– What are the scope, narrative and control matrix for IT professionals within a SOX environment?

– Are the frameworks for SOX implementation effective in achieving SOX objectives?

– How can organisations identify, choose, create and implement a control matrix that is congruent with SOX compliance, keeping IT's role in mind?

– And finally, how can organisations enhance the role of IT internal control in SOX compliance?

The researcher understands that there is a critical link between SOX compliance and IT, as emphasised by the various frameworks recommended for SOX. Even though SOX does not specify which frameworks to choose, the researcher assumes that the current frameworks established by the ITGI, the CCTA and ISO are the ones accepted by the law, organisations and professionals. The researcher also assumes that SOX compliance has become a mandate rather than an option. In the research that follows, the researcher shall assume that organisations that adopt SOX compliance have defined IT infrastructures and are keen on building upon IT internal control, conducive to transparent, accurate and reliable financial information.

However, these assumptions place certain limitations on the research. They exclude organisations that may not have adopted IT infrastructure for financial reporting, such as small private enterprises, which are not required by law to disclose financial information to the public. They also exclude from the study organisations that are not affected by SOX, for example foreign firms that do not rely on IT systems for financial reporting and are not subject to US law. However, the researcher is of the view that IT internal control is not only a SOX compliance mandate at present, but also a requirement for successful organisations. It is important for organisations to have internal control in place, irrespective of SOX compliance, in order to remain competitive in business. For these reasons, the researcher shall set the limitations aside and assume that organisations, whether large or small, require SOX internal control frameworks for compliance.

The purpose of the research is to explore SOX in the context of IT internal control frameworks. As outlined in the literature above, this is critical for SOX compliance as well as for laying the foundation for building IT infrastructure. The research shall therefore be relevant to legislative officials and interpreters of SOX compliance who need to understand the gap, if any, in compliance. Furthermore, it is relevant to IT professionals who are involved in researching, establishing and aligning IT control within the SOX context. They would find the study informative for understanding IT's relevance under SOX as well as how they could better meet its objectives. For student researchers, the study may act as a platform for further research in the areas of the IT internal control matrix, framework creation and competitive advantage through SOX compliance, which shall be touched upon briefly. Academics shall find the research informative as it explores various options for SOX internal control frameworks through a study of the dimensions of implementation.

The choice of research methodology depends largely on the concepts being explored. The validity of the choice of research methodology also depends on the rationale adopted for discussing the topic. In the course of the research conducted for this proposal, the researcher has found that understanding SOX compliance may require a theoretical exploration and, at the same time, an evaluation of its effectiveness and efficacy. In this context, the researcher may adopt a quantitative or a qualitative approach. The quantitative approach refers to quantitative measures based on primary observations and empirical findings (Stenbacka 2001). On the other hand, a theoretical exploration requires a qualitative approach. Qualitative research involves extensive research based on the concepts, theories and ideas studied by other experts before the researcher can reach his or her own conclusions (Sykes 1991).

This is not all; the choice of research approach also depends on reasoning. Critical thinking requires that one understands the rationale behind the results obtained. The choice of rationale can be categorised as inductive or deductive. Deductive reasoning refers to a process that starts from a generalisation and narrows it down to the research problem or issue. Inductive reasoning, by contrast, refers to inquiry that starts from a specific problem or issue and investigates it in order to establish generalisations. Whichever rationale is adopted, the researcher must determine it in the context of its relevance to the research problem (Hyde 2000).

In the context of the above proposal, the researcher shall adopt a combined approach of quantitative and qualitative methods so as to test comprehensively the validity of the questions proposed. The combination of deductive and inductive reasoning, in turn, shall enable the researcher to understand the problem of SOX compliance within the IT environment dynamically.


References

Author not available (2007) "Caterpillar and Internal Controls". Sarbanes-Oxley UK. Online, accessed on 22 June 2007 from: http://

Author not available (2007) "Tighter Sarbanes-Oxley Called For". Sarbanes-Oxley UK. Online, accessed on 22 June 2007 from: http://

Brown, W. and Nasuti, F. (2005) What ERP systems can tell us about Sarbanes-Oxley. Information Management & Computer Security, Vol. 13, No. 4, pp. 311-327.

Carter, C. (2007) Compliance Through Self-assessment. The Internal Auditor, 64, no. 2, pp. 69-72.

Chan, S. (2004) Sarbanes-Oxley: the IT dimension: information technology can represent a key factor in auditors' assessment of financial reporting controls. Internal Auditor, February issue.

ITGI (2006) COBIT Mapping: Overview of International IT Guidance, 2nd Edition. ITGI.

COSO (2005) "FAQs for COSO's enterprise risk management - integrated framework". COSO. Online, accessed on 22 June 2007.

Damianides, M. (2005) Sarbanes-Oxley and IT Governance: New Guidance on IT Control and Compliance. Information Systems Management, Winter issue, p. 77.

Fletcher, M. (2006) Five Domains of Information Technology Governance for Consideration by Boards of Directors. Capstone Report.

Hyde, K. F. (2000) Recognising deductive processes in qualitative research. Qualitative Market Research: An International Journal, Vol. 3, No. 2, pp. 82-90.

ISO 27002 Central (2007) The A-Z Guide for BS7799 and ISO17799. ISO 27002 Central.

ITGI (2000) Aligning COBIT, ITIL and ISO 17799 for Business Benefit. A Management Briefing from ITGI and OGC.

ITGI (2004) IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control Over Disclosure and Financial Reporting. ITGI.

ITGI (2005) Information Risks: Whose Business Are They? IT Governance Institute Report.

Kendall, K. (2007) Streamlining Sarbanes-Oxley Compliance. The Internal Auditor, 64, no. 1, pp. 38-42, 44.

Patterson, E. R. and Smith, J. R. (2007) The Effects of Sarbanes-Oxley on Auditing and Internal Control Strength. The Accounting Review, Vol. 82, No. 2, pp. 427-455.

Ramos, M. (2004) How to Comply with Sarbanes-Oxley Section 404. Wiley, Hoboken, NJ.

Rasch, M. (3 May 2005) Sarbanes-Oxley for IT security? SecurityFocus / The Register. Online, accessed on 22 June 2007 from: http://

Risk Associates (2007) ISO 17799 and Computer Security News. Risk Associates. Online, accessed on 22 June 2007 from: http://

Rittenberg, L. E., Martens, F. and Landes, C. E. (2007) Internal Control Guidance. Journal of Accountancy, 203, no. 3, pp. 46-47, 49-50.

Romano, R. (2005) The Sarbanes-Oxley Act and the Making of Quack Corporate Governance. Yale Law Journal, Vol. 114, Issue 7, pp. 1521+.

Roth, J. (2007) Myth vs. Reality: Sarbanes-Oxley and ERM. The Internal Auditor, 64, no. 2, pp. 55-60.

Stenbacka, C. (2001) Qualitative Research Requires Quality Concepts of Its Own. Management Decision, 39/7, p. 551.

Sykes, W. (1991) Taking stock. Journal of the Market Research Society, Vol. 33, No. 1, p. 3.

Tackett, J. A., Wolf, F. and Claypool, G. A. (2006) Internal control under Sarbanes-Oxley: a critical examination. Managerial Auditing Journal, Vol. 21, No. 3, pp. 317-323.