Auditing CMMI Maturity and Sarbannes-Oxley Compliance

Using CMMI and Sarbanes-Oxley together, focusing the auditing on how to use each one to satisfy the other can be a winning combination rather than a double problem.

This article was published in 2007, in the ISACA journal, volume 3.


Within the Belgian subsidiary of a major international financial organization, Sarbanes-Oxley (SOX) requirements for IT developments came concurrently to a CMMI-based process improvement (PI) programme. Rather than considering SOX, and more particularly the IT General Controls, as an additional constraint, the authors saw it as an opportunity to complement the PI programme. In this real case and pragmatic article, you will learn how SOX controls are fully embedded in daily IT management processes. The authors also define the different reference points which can be managed using the CoBIT ® framework and the CMMI model.


Laurent JANSSENS, CISA, Senior Consultant at Altran CIS in Belgium, has 12 years experience in the IT management and IT audit world. He is the leader of the practice "IT Governance" at Altran CIS. He coordinated all SOX testing related matters at the IT Department of a leading financial organization.

Peter LEESON, Q:PIT Ltd, CMMI Appraiser, Instructor and Visiting Scientist with the Software Engineering Institute (Carnegie Mellon University, Pittsburgh) assisted with the implementation of CMMI compliant processes that satisfy and facilitate the business objectives within the organization being considered.

Leave a comment

Make sure you enter the (*) required information where indicated. HTML code is not allowed.

back to top