Rapid Enterprise Compliance with Sarbanes-Oxley IT and Business Governance Requirements

By Clive Finkelstein

Executive Summary

The Sarbanes-Oxley Act of 2002 assigns personal responsibility to senior management of public and non-public organizations in the USA, and is being applied in various forms also by other countries throughout the world. Of particular concern is Section 404 of the Act, which relates to " Management Assessment of Internal Controls ".

Internal Controls will vary from enterprise to enterprise. They need to be tailored to the relevant industry (or industries) that the organization operates within; they are also typically unique for each enterprise. They are determined by its business activities and processes as well as its financial controls. They are closely related to the IT systems and databases that the enterprise uses for financial and other reporting.

Senior management need to show that answers are available in relation to key resources such as: data; business activities and processes; locations; people and business units; and events. Answers should be available that also show how resources relate to strategic and tactical business plans that have been defined by management. These are internal control questions that address: "What"; "How"; "Where"; "Who"; "When"; and "Why".

These six questions are shown as columns in a matrix, where different perspectives of "Planner", "Owner", "Designer", "Builder" and "Subcontractor" are also shown as rows. This is provided by the Zachman Framework for Enterprise Architecture. While Enterprise Architecture has previously been considered to be an IT responsibility, when it is also used by senior management it enables precise Governance Analysis. It also provides a Business Transformation Enablement capability.

With the legal implications of Sarbanes-Oxley non-compliance, an inability to answer internal control reporting audit questions takes on a new personal meaning for senior managers. A Governance Analysis Framework is needed - that is both easy to create, and easy to use - to obtain answers for relevant internal control reporting questions.

An example is discussed in the paper of a Governance Analysis Framework (GAF) that uses matrices to create and maintain relationships between aspects of an enterprise that enable each of these questions to be answered. Such GAF matrices are tailored to each enterprise, and can be created in a 25 day Strategic Modeling project in an elapsed duration of 3 months, based on the Strategic Business Plans for the enterprise. This uses an initial facilitated session over two days with active participation of senior management and their direct reports, where a Strategic Map is developed.

A Strategic Map is a "picture of the business", similar in concept to the layout of a city. A city map clearly shows the layout of streets ("where") and the access routes that define "how" to get there. It also indicates "what" is located in parts of the city. Given a reason ("why") to take a given route at a certain time ("when"), people ("who") can use the map to navigate through any city.

What is missing in most enterprises is a similar "map (or picture) of the business". A city map can be bought from newsagents in that city, but no newsagent sells Strategic Maps for enterprises. In the absence of a Strategic Map for an enterprise, it is hard to answer these questions. As a result, Internal Control Reporting is difficult.

A Strategic Map that is developed and tailored to an enterprise enables senior managers, as well as middle managers, expert business staff and IT staff to see the data, activities and processes, locations, business units and people, the business events and the business plans that all need to be managed effectively for internal control reporting. From the Strategic Map and underlying Strategic Model, the Governance Analysis Framework matrices become dynamic. They are automatically generated.

Given the Strategic Map input from the senior management team and their reports, more detailed analysis by the facilitator in the 25-day Strategic Modeling project period identifies key data, business activities, locations, business units, and business events for the business plans that were used as catalysts. The result of this analysis is documented in a Governance Analysis Framework (GAF) Report, which is the main deliverable from the Strategic Modeling project.

The GAF Report and its contents provide a documented view of tailored Internal Control Reporting from the strategic perspective for senior management. These dynamically-tailored matrices must be then completed by relevant business experts. The strategic GAF matrices are populated by more detailed matrices from key business units. These Tactical Modeling projects - each similar to the Strategic Modeling project - can in turn be undertaken for key business units.

Strategic Modeling projects and Tactical Modeling projects have been completed for large and medium Commercial enterprises throughout the world. Similar Strategic Modeling and Tactical Modeling projects for Government and Defense Departments have also been completed in the USA, Canada, Australia and NZ.

The methods discussed in the paper can be applied rapidly in a step-by-step approach as follows:

1. Establish Plan for Strategic Modeling Project
2. Capture Initial Business Planning Input as Catalyst
   
3. Conduct Strategic Modeling Facilitated Session
   
4. Carry out Strategic Model Analysis
   
5. Derive Governance Analysis Framework (GAF) Documentation
   
6. Review of GAF Matrices and Governance Implementation Plan
   
7. Progressive Enterprise Completion of GAF Matrices
   
8. Implementation of the Governance Implementation Portfolio

The GAF Reports produced from Strategic Modeling and Tactical Modeling projects provide the documentation and modeling tool capabilities that are needed for Internal Control Reporting for Sarbanes-Oxley. As an added by-product of the Governance Analysis Framework methods described in the paper, similar methods and tools can be also used to implement transformed business activities and processes for Business Transformation Enablement.

References

Clive Finkelstein, the author of this White Paper, is Managing Director of Information Engineering Services Pty Ltd in Australia. He is also Chief Scientist of Visible Systems Corporation in Boston. He can be contacted at cfink@ies.aust.com. The full text of this paper is available for download from http://www.visiblesystemscorp.com/ . Modeling tools that support Enterprise Architecture and the development of Governance Analysis Frameworks in the paper are available for download from http://www.visiblesystemscorp.com/ . Training in the methods for rapid delivery of Enterprise Architecture and Governance Analysis Frameworks is available from Clive Finkelstein at http://www.ies.aust.com/~ieinfo/ and at http://www.ies.aust.com/~ieinfo/cbfindex.htm .

About Visible Systems Corporation (www.visiblesystemscorp.com)

Headquartered in Lexington, MA, Visible offers end-to-end, model-based solutions for developing and managing large-scale software and database applications. Visible has over 100,000 users of its products worldwide. Besides Visible Analyst, the company's products include: Visible Advantage, an enterprise architecture planning and development tool; Visible Developer, a powerful software code generation tool that supports multiple .NET software application initiatives; Razor, a tool that supports integrated software configuration management; and Razor LCSIS, an Enterprise Product Lifecycle Management (PLM) tool. A growing list of Visible customers include AEA Technology, AT&T, BAE Systems, Boeing, Booz, Allen, & Hamilton, Computer Sciences Corporation, DASA Daimler-Benz Aerospace, Eagle Systems Inc., Federal Aviation Administration, Foster Miller, General Dynamics, Integral Systems, Johnson Space Center, Lockheed Martin, Los Alamos National Labs, Motorola, NASA - Kennedy Space Center, NASA - Goddard Space Flight Center, Naval Air Warfare Center, Naval Surface Warfare Center, Naval Undersea Warfare Center, National Security Agency, National Severe Storms Lab, NLX Corporation, NOAA, Northrop Grumman Information Technology, Orbital Science, Raytheon E-Systems, Robins Air Force Base, SAIC, Sandia National Laboratories, Social Security Administration, Sensis, Shell, Seagate Technology, State of Arizona, Tundra Semiconductors and the US Navy Coastal System Station.

###

©2004 Visible Systems Corporation. All rights reserved. Visible Developer, Visible Analyst and Razor are registered trademarks of Visible Systems Corporation. All other trademarks are the property of their respective owners.