Enterprise Architect

Sarbanes-Oxley Compliance Through EA
Use enterprise architecture documentation to help you adhere to Sarbanes-Oxley provisions.
by Vineet S. Rajput

December 13, 2004

Developed economies have a continual cycle of correction that maintains a balance between corporate greed and governmental control. Too much control can stifle innovation and kill private enterprise, and too little of it allows the greedy corporations and their executives to become corrupt and consequently compromise public trust.

The cycle starts with corporate greed/need for profits. As this need grows, some corporations push the envelope of existing law. This might involve "innovative" accounting, unethical (although not necessarily illegal) marketing practices, and so on. This seemingly increases their profits for the time being. However, the long-term effects are usually disastrous. If the behavior is allowed to continue, public trust will erode and the whole basis of the free market will be threatened. To prevent this, the government has enacted rules that mandate controls.

We have already witnessed this cycle many times. Examples of this cycle of correction include the prohibition of "pyramid" schemes in response to the Ponzi scandal, the ban on insider trading, and protection against false advertising.

The Sarbanes-Oxley Act (SOX) is the culmination of a recent cycle in which some corporations used a combination of schemes to boost their reported bottom line and rewarded their executives with hefty bonuses for doing so. However, when caught, the executives pleaded ignorance of these activities. SOX is aimed at creating corporate accountability and taking it to the next level by holding senior executives personally accountable.

Overview of Sarbanes-Oxley
SOX has three basic components:

  • Increased supervision by an independent Public Company Accounting Oversight Board: This board dictates the rules governing the accounting practices of public companies, and any violation of its rules amounts to a violation of SEC rules.
  • Independence of corporate audit, analysis, and governance: This is aimed at ensuring that the auditors, analysts, and the company's governing board are independent of its management and have no conflicts of interest. This is needed to ensure that these stakeholders truly represent the interests of the shareholders. The goal is also to create increased openness and transparency in corporate functions.
  • Increased corporate and personal accountability: This is perhaps the most significant aspect of the act. The act holds corporate management "personally responsible" for any incorrect or inaccurate financial reporting. This portion of the act has created an unprecedented need for improved visibility into the processes and systems responsible for corporate financial reporting. It has also created a high degree of corporate will behind implementing proper procedures.

Enterprise Architecture
EA is often misunderstood as the process of designing IT systems. In fact, EA is the art/science of "architecting" the enterprise, i.e., the process of documenting all aspects of the enterprise to ensure that people, processes, technology, data, locations, and timelines are all aligned with the enterprise goal.

A white paper for government organization CIOs defined EA as follows: "Enterprise Architecture (EA) links the business mission, strategy, and processes of an organization to its IT strategy. It is documented using multiple architectural models or views that show how the current and future needs of an organization will be met."

Once one understands the true nature of EA, it is easy to see how useful a documented architecture could be to SOX compliance, especially analysis and certification of all processes, systems, and controls.

Mapping Sarbanes-Oxley Act Needs to Enterprise Architecture
The first provision of SOX is primarily in the government domain and hence out of corporate control. The second provision is a simple matter of compliance with government guidelines to ensure auditor and director independence. However, the personal and corporate accountability provision is likely to create severe headaches for many business leaders.

IT systems form the backbone of accounting and reporting in almost all businesses. In the past, most organizations developed accounting systems by patching together disparate IT and manual processes and systems with little concern for their traceability and visibility. This spaghetti of processes and systems is now creating nightmares for IT managers as corporations rush to provide the visibility the act demands. This makes it seem like an IT problem.

Most corporations are tackling this issue in an ad-hoc manner by creating the required as-is documentation of their systems and processes. However, in the absence of an integrated strategy to keep it current, this documentation is bound to fall out of sync soon. In some ways, this strategy is akin to the work that was done for Y2K, when a lot of valuable information was gathered about corporate systems and processes, only to be promptly forgotten once the crisis was over. The same information is now being rediscovered for enterprise application integration (EAI), SOX, Basel II (see "Strategies for Operational Risk Management"), and other similar needs.

Several IT vendors are also using this opportunity to peddle their wares as a panacea for the SOX woes. I have recently seen everything from accounting packages to document management packages to specialized systems claiming to solve the SOX issue. However, organizations need to realize that this is a business issue. A pure technology-based Band-Aid might help for the time being, but ultimately one needs a combined business-technology solution with well-thought-out goals, strategies, plans, technology, and information, all properly identified and documented. This creates a solution that not only addresses the tactical issues but also generates a strategic advantage. As a corollary, if new technologies are introduced without a proper strategy and plan, they will only add to the mess you are attempting to clean up.

Enterprise architecture documentation is aimed at establishing visibility and traceability for all aspects of the enterprise. The organizational practices needed to develop and maintain EA are the same ones needed to create the visibility and traceability required by SOX. Proper EA documentation and maintenance can therefore help with SOX compliance as well as with other areas such as risk management or EAI.

You can map specific SOX provisions to the ways in which you can leverage EA (see Table 1).

The seeming mystery around the IT systems used to operate, manage, and audit corporations is posing severe challenges to business leaders, who need increased visibility in order to "certify" the outputs of those systems. Enterprise architecture can play a major role in creating this kind of visibility. The same documentation can also create an ongoing business advantage through a better understanding of the corporation, resulting in an improved ability to manage change.

About the Author
Vineet S. Rajput is a senior IT professional with more than 20 years of global experience in IT and business strategy planning. Throughout his career, he has focused on maximizing IT value and managing business and IT risks. He is a certified PMP and has helped many organizations in business and IT process improvement.