Are businesses in general and insurance carriers in particular receiving the full benefit from their investment in information technology? Not all benefits can be seen in black or white, so delving into the gray areas has become the focus for those businesses that are using some form of IT governance to track their IT investments. IT governance has been around in various forms for as long as there have been IT departments, according to some industry watchers, but the issue has come into the forefront in the post-Enron era with the major focus being the Sarbanes-Oxley Act requirements passed by Congress for U.S. corporations.
There are two main emphases to IT governance, reports Ron Saull, senior vice president and CIO with Great West Life and IGM Financial. Number one is ensuring the investments a company makes in IT produce value to stakeholders or shareholders, depending on whether a company is public or private. The second emphasis is to identify and manage risks associated with information technology. "One of the risks our company is concerned with is reputational risk–the unauthorized access to confidential client information," he says. "Controlling that risk doesn't necessarily produce value in and of itself, but it certainly protects the investment in your business. Value creation and risk management are what governance is about–to ensure both of those things happen."
Why Insurance?
There are positive and negative aspects to instituting an IT governance process in the insurance industry, Saull asserts. "Insurance and financial services are IT-intensive," he says. "There's not much the business can do that doesn't involve information technology, so that makes [governance] very challenging. On the other hand, that focus on IT also makes it easier for [IT departments] to get attention, resources, and get things done. IT is not just an adjunct to staff function, it's an integral part of the business."
In some of the regulated industries, such as insurance, IT governance was at the forefront of executives' minds prior to Sarbanes-Oxley, points out Jacqueline Olynyk, a partner in the performance improvement group with PricewaterhouseCoopers. For less regulated industries–manufacturing and such–governance was much lower down on the priority list. "With Sarbanes, [companies] were forced to bring [governance] to the fore and start addressing issues they hadn't paid attention to in the past," she says.
All About SOX
During the first year of Sarbanes-Oxley compliance, Olynyk notes, most companies were so concerned with the ability to demonstrate compliance, they didn't always give the issue as much thought as it deserved. Today, in year two, companies are being more thoughtful about the process, considering what will serve them best in the long run. "What struck us [in recent research] was a direct link between the technology, the success of the technology, and the overall success of the [Sarbanes-Oxley] 404 projects," she says. "Companies that felt they were using technology appropriately or particularly well tended to be satisfied with their results from 404 compliance."
Fireman's Fund Insurance always has had some form of IT governance in place, according to Linda Richardson, IT product manager. Such areas as change control, asset management, and security already were in place when Sarbanes-Oxley took effect. "A lot of the work we did [prior to SOX] helped us validate our existing controls and processes," she says.
A major part of the effort involved getting the right partnerships together with internal audit, the business side, and all the key individuals in IT, Richardson believes. "We used some 50-plus IT resources to help evaluate all our existing environments," she says.
Discussion of Sarbanes-related technology tools often led to data repositories for internal control documentation. "Certainly in year one, that was the main technology being considered," says Olynyk. In year two and beyond, companies are thinking about technology as a way to be more efficient in both Sarbanes compliance efforts and in how they run their business overall. "They are interested in technology that will help management test whether their internal controls are operating properly and monitor those controls with things such as dashboards–configurable controls, for example–where management will get a report as to whether they are operating it as effectively as it was intended to be," she says. "They want smarter tools, if you will, going forward."
COBIT to the Rescue
One of those tools is known as COBIT (Control Objectives for Information and related Technology), which began as an auditing tool but has evolved into an IT governance tool and is available through the IT Governance Institute.
Allstate was not using COBIT when Lynn Kilroy joined the company, but it was something she instituted as the framework for executing audits when she was named IT audit manager. Its value spread beyond the audit area to enterprise infrastructure, where planning consultant Mike Agar was handed the responsibility of adopting the COBIT structure for Allstate's process redesign.
"We met with some people to try to figure what COBIT was, how to implement it, and what was the best approach," says Agar. "We started the process refinement effort and found out about ITIL (IT Infrastructure Library), a growing best practice. We came up with the idea of combining COBIT and ITIL as a way to structure and imbed COBIT into our processes."
By combining the two best-practices frameworks, Agar contends, Allstate has been able to define the what and the why around its processes. "COBIT really defines the what from our perspective," he says. "It outlines from a high level within these particular processes we're focused on what you should be doing. ITIL adds some of the why and a little of the how. COBIT really got a big boost when Sarbanes-Oxley came into existence. Until then, [COBIT] primarily was thought of as an auditing tool."
Even within the audit world, Kilroy claims, companies weren't using COBIT very often. "When Sarbanes-Oxley came into play in late 2002, my boss brought it to my attention, and our natural response was we were going to leverage the COBIT framework," she says. "What we did at Allstate literally was risk assess the COBIT framework to determine what control objectives are relevant for Sarbanes-Oxley and which ones aren't. From this sub-inventory, which we called SOX-relevant, we developed all our IT key controls for Sarbanes-Oxley."
Consistent Objectives
For its application support areas, Allstate has consistent key control objectives across the entire company, with a separate set of key control objectives for infrastructure, reports Kilroy. "What that has done is make things much easier to implement, because we had a common language," she says. "I was able to speak to people about control objectives in a consistent, repeatable fashion using an already accepted framework. Now, there are people within Allstate who know COBIT has expanded incrementally because of Sarbanes-Oxley."
Kilroy doesn't even want to think about where Allstate would be without COBIT. "I wouldn't even have known where to start," she says. "We would be nowhere as far along as we are today, or we would have had much more of a struggle to get to this point, without this already established framework."
COBIT has been repositioned as an IT governance tool–an end-to-end look at technology and what companies should do in all aspects of IT. ITIL is one of the best-practice frameworks that was used to create COBIT. "We decided [the two] satisfied a lot of business drivers and also gave us best practice," says Agar. "We decided to adopt them as the high-level way we were going to define processes and what they should be doing. A lot of folks still struggle with how to satisfy [the defining process], but we've made a lot of progress in helping them understand what kind of tangible evidence will show up in the environment and know it satisfies [Allstate's] control objectives. We've provided the control objectives, and it really shows up in documentation and measurement."
Another Voice
One of the governance processes Fireman's Fund used as a guide was COBIT. "It includes control objectives not only for financial controls but operational controls, as well," says Richardson. "A lot of work was done trying to weed out what was operational vs. what was financial. Once we got a fair understanding of that, we started to figure out what we had to do."
Marcia Abbott, IT audit director for Fireman's Fund, reports the IT auditors are responsible for testing key controls once the business units define their processes and what the units identify as their key controls. "For general IT controls, we participated in sessions with IT [personnel] just to help IT on a consulting basis to identify what the key controls were," she says. Many of the controls already were in place, but the terminology for Sarbanes-Oxley was new as was the whole documentation process. "It was our responsibility to test the controls, and they are retested to a certain degree by the external auditors," says Abbott.
Governance Model
Richardson indicates the COBIT governance model has approximately 300 control objectives, so the process Fireman's Fund went through was to identify which of those control objectives were financial. "In the sessions we held, we walked through each of those financial control objectives to identify how Fireman's Fund currently addresses them," she says. "As we went through the process, we identified which ones were key controls for the organization to be tested further down the line by internal audit. We assembled all the documentation–a paragraph or two about each of the control objectives–and for those for which we had prime processes in place, we identified them and modified them with where the key control would take place. If we did not have a process control diagram, we determined which ones we should have diagrams for and went out and created them."
Once the documentation and process flows were put together, the results were validated. "We had to do some remediation because we wanted to tighten up on some of the controls we had in place, or where controls were ineffective, we developed plans for remediating those controls and followed through on them," says Richardson. "When the testing by internal audit took place, if it felt something was ineffective, we remediated against those [results]."
Testing Controls
Section 404 is the heart of the Sarbanes-Oxley law, according to Olynyk. It requires a company to attest to having adequate internal controls, and it requires the company's external auditors to attest to those controls as well. "That's where the meat of the law most significantly resides," she says. "IT governance probably is broader than Sarbanes, but Sarbanes is the one that has been most on people's minds in the U.S. because of its effect on the SEC registrants."
Out of all the controls and processes Fireman's Fund reviewed, there are a total of 39 key general IT controls in place. "Those are the controls internal audit went through and tested," says Richardson. "At the beginning of this process, we had some 80 controls in place, and as a result of looking at the processes, we were able to scale back. As we speak today, we're at 39."
The audit group performed two types of tests, according to Maria Brandenburg, IT audit manager. "We tested the design where we reviewed the control and made sure it covered the financial risk it was going to mitigate. We walked through it with the owner of the control to make sure it was understood how the control worked," she says. Then the audit group tested the effectiveness of change control. "We took samples and made sure the key elements of the controls were there, such as: Was the change defined? Was it approved? Were the right approvals there? If those criteria were met through the sample, the control was passed," Brandenburg adds.
There is a group of controls within a business function, and the executive in charge of that function has to sign off on the controls within that function, states Brandenburg. "With IT general control, the IT group went through a narrative that explained all the processes within IT, identified what were the key controls within IT, and created a package," she says. "This was presented to the CIO, who reviewed it and signed off these are the controls within IT that govern Fireman's Fund. That is presented to the internal audit department, and our function is to validate the controls perform as they are documented. From an operations standpoint, there also is an advantage in defining your controls. You may be able to eliminate duplicate and redundant controls. We either could change a process so it would be more uniform or eliminate extra controls that weren't needed."
Imbedding Governance
The biggest challenge for most organizations, Saull believes, is finding a way to embed governance within the organization's structure, planning processes, and control processes–in both business and IT–and ensuring those processes work in a complementary way. "If you look at the major supporting systems of an organization–its organization structure and processes, how it charges for IT services, who is accountable for producing value and controlling risk, the culture of an organization–that's the right way to do it," he says. "It's programmed into the environment. Quite often, though, what happens is people say that's something else we have to do and they try to bolt something onto the side that kind of looks after [governance]."
Such efforts never are sustained, suggests Saull. If IT governance is not viewed as primarily a manager's accountability, Saull doubts it can be effective. "In our organization, all of the business owners are responsible for their own systems and determining the kind of investments they want to make in either new systems or enhancing existing systems," he says. "[Business owners] build the business case, and they are accountable for risk and compliance. We're there to assist and support them. We hold the systems as stewards on their behalf, and we enforce corporate guidelines. They tell us what, and we do the how. It's a split of responsibilities that is very clear, but it's a partnership, and they are responsible for those investments."
Several factors have to be in place, Saull continues, including clear ownership and accountability; someone to answer to regarding what the money is being spent on; and an accountability loop to make sure value is delivered. He believes where a lot of companies fail is they don't close the accountability loop in terms of generating benefits and management of risks. Some companies, he adds, fail to charge back IT budgets to the business line.
"The major part of our alignment process is if you successfully ask for the service, you pay for it," says Saull. "If you are a business guy and you are producing a bottom line and suddenly you have to show one of your objectives is a return on equity and you are charged for the IT services, that's going to make you think about exactly how you are going to get the benefit [from IT]. If it just comes out of a great big corporate pot and you argued for your share of the pot and it's charged against the IT budget, there is no accountability."
Room for Improvement
One of the findings from Olynyk's research is there is much room for improvement. "That's what we think a lot of companies had as their perspective after year one," she says. "They met their requirements, they took a deep sigh of relief, and at the end of the day, they got a passing grade, which is what mattered. But for year two, they are much more interested in optimizing the process and the controls–getting real value out of it."
For a lot of companies, she maintains, Sarbanes-Oxley compliance was viewed as an empty exercise of documentation and testing without real value, but if businesses can find ways to make those internal controls a part of how they do business every day, the hope is there will be real value from the compliance efforts.
"They will be running their businesses better and more effectively, and they'll be protecting the shareholders' assets more effectively," says Olynyk. "Most companies already are seeing their year-two compliance efforts are going much more smoothly than year one, and as a result, they are able to think about ways to make [compliance] even better in year three and beyond. Companies are starting to see they can internalize this and make it part of day-to-day business."