With the dawn of the 21st century, a new era of corporate governance began—following the Enron and WorldCom scandals—focusing on accountability, responsibility, transparency and behaviour. The US Sarbanes-Oxley Act was created with the intent to certify that the financial statements are reliable by placing increased personal responsibility on management and ensuring that their behaviour matches the responsibilities they have accepted. As information technology (IT) supports the business processes, IT is, once again, a major player for the survival of the organisation. IT management processes, through IT general controls (ITGC), must provide reasonable assurance that undesired events will be prevented or detected.
This article first explains at a high level how Sarbanes-Oxley was satisfied at one company. Then, it describes how a Capability Maturity Model Integration (CMMI)-based process improvement (PI) programme facilitates a Sarbanes-Oxley project and reduces its cost. It also reviews how the Sarbanes-Oxley project had positive impacts on the PI programme.
Many of the experiences in this article are based on the implementation of CMMI and Sarbanes-Oxley within the framework of a Belgian subsidiary of one of the largest European financial institutions. This financial institution is described in this article as Company X. Company X had to overcome the fact that the company was split into several sites with different languages, and people who joined the company through a succession of mergers had different priorities and different businesses (including banking and insurance). The requirement for compliance with Sarbanes-Oxley and CMMI focused the improvement effort and allowed a better collaboration and understanding among these different units. However, before this could be accomplished, a serious effort was required to overcome the 'not invented here' feeling.