ITIL and Sarbanes-Oxley (Sarbox)

It’s impossible to talk about I.T. process frameworks without mentioning the Sarbanes-Oxley audit. Publicly traded companies are now required to have tight control over financial reporting and must pass two annual audits substantiating that: one for finance and one for the IT systems that produce and contain financial data. The Securities and Exchange Commission has all but formally endorsed the COSO (Committee of Sponsoring Organizations) framework as the standard for evaluating financial controls. There has been no such SEC guidance, however, for the IT audit. In the absence of specific direction, CIOs have turned to existing IT frameworks, including the IT Infrastructure Library (ITIL), to ensure that their processes for supporting financial data are sound.

Christine Rose, director of global IT at Finisar, a computer hardware manufacturer, says that the best practices in ITIL support some of the processes now required by Sarbox. “Having ITIL in place gives you a solid foundation,” she says. ITIL isn’t a Sarbox solution in and of itself, however. Dave Erickson, a partner at PricewaterhouseCoopers, says Sarbox is about assessing risk. While risk assessment is an element of ITIL, it isn’t the framework’s primary focus. Furthermore, CIOs who put ITIL or any other IT framework in place solely to comply with Sarbox will have gone overboard, says Erickson. The Sarbanes-Oxley Act requires only that companies establish controls over the systems relating directly to financial reporting. ITIL, Cobit and other frameworks for IT help companies put in place general controls for IT—a good thing to have, but much broader than the narrow scope required by law.