Governance = SOX?
by Erik Hoffmann on Jun 9th, 2005
I am attending the HP OpenView Software Forum in Denver this week. The buzzword, if any, this week is “governance”. Customers, software vendors and consultants seem to struggle with the implications of governance, i.e. Sarbanes-Oxley. HP OpenView, for example, launched a new product called Compliance Manager. The tool is said to specifically address SOX Section 404, which requires corporate annual reports to include a review of management’s internal control over financial reporting. The tool integrates, of course, with OpenView IT management products. Although this product may give insight into SOX compliance, it is limited to the OpenView managed world. In my view, SOX controls should also take into account other areas that are not managed by the OpenView suite, and furthermore it should look at the impact of IT programs and projects on SOX controls.
But even in the bigger picture, governance is not only SOX. Governance is about creating transparency, also for IT departments. Therefore, it should include controls for e.g. performance, business alignment, (information) security, etc. Some of these controls are (also) necessary for compliance with SOX; others (including some SOX controls) provide essential IT transparency.
A colleague today commented as follows: “Governance is like eating in a restaurant with an open kitchen. Guests feel assured of the quality of the food being able to watch the preparation process, while for the cooks, the openness is a natural part of their job”.