Taos, Inc.

September Issue of the Taos Newsletter: Sarbanes-Oxley (SOX)

Sarbanes-Oxley (SOX) Case Study

Taos Professional Services Team

Best practices, documentation, and an alphabet soup of COSO, COBIT, and ITIL have been baffling IT departments nationwide as they struggle to come to grips with Sarbanes-Oxley. Sarbanes-Oxley, federal legislation implemented in the wake of various financial scandals such as Enron and WorldCom, could be considered just another expensive government regulation that public companies have to bear. But many of Taos’ clients are using Sarbanes-Oxley (SOX) as an opportunity to re-examine their IT processes and procedures, ferret out inefficiencies, remove or replace outmoded and insecure systems, and streamline their organization to take advantage of the benefits of running a mature IT infrastructure. This allows the IT department to, as one CIO put it, “spend four days a week on project work and only one day fighting fires, instead of the old model of four days fighting fires and one day working on projects”.

Since 1989, long before “Sarbanes-Oxley”, Taos has helped companies establish secure and robust IT infrastructures. Through our experience with more than 5,000 successful engagements at more than 1,000 clients, we have developed an insightful understanding of infrastructure technologies, architectures, operating procedures, and documentation standards that work. Recently, our clients have been calling upon us to help improve their processes intelligently in order to maximize the benefits possible in meeting Sarbanes-Oxley requirements.

Depending upon client needs, Taos provides a small team of up to three technical specialists:

  • Senior Technical Consultant
  • Application Specialist
  • Technical Writer

Our team works very closely with the company IT department, financial department, and various business process groups within the company. We also work closely with the internal auditors to ensure that the compliance efforts effectively meet the external auditor requirements. Because of our years of experience in the IT industry and our multiple SOX-specific engagements, we have developed a strong methodology that allows companies to put process, tools, and documentation in place to meet SOX requirements year after year.

Case Study #1

Client

A leading applications service provider (ASP) whose main function is to manage global networking, service, support, storage, and security services necessary for delivering high-availability enterprise applications such as SAP, Oracle, and PeopleSoft to clients worldwide.

Problem

While the client had excellent high-level policies and procedures, guidance documentation, and an extensive distributed library as well as detailed technical instructions and configuration manuals, they were deficient in a number of areas essential for SOX compliance:

  • No comprehensive middle-tier operational process documentation and guidance procedures to tie everything together
  • No clear chains of authority and responsibilities due to multiple reorganizations
  • No controls to ensure audit trails, repeatability, and security in essential business procedures
  • No organization in the document repository; process documentation was spread throughout a company-wide document and version-control system
  • Missing auditable process and procedure documents for testing and audit trail requirements
  • Much of their existing documentation was incomplete
  • Some procedures were undocumented
  • Some processes needed improvement

Taos Solution

The Taos team forged a close partnership with the client President and Vice President of Operations and the SOX pre-audit consultants. Due to several other business-critical priorities at the company, allocating the appropriate level of resources for the SOX project at mid-level management and staff level was challenging. The solution required developing cooperative relationships with over 25 client business process experts and departments responsible for various aspects of the operations. Working in close coordination with the various process experts, the Taos team implemented a SOX Readiness plan to collect and collate existing documentation, identify deficiencies, prepare improvements, and create a complete set of documentation that included the necessary process improvements. Taos also provided training and education to the client staff so that they were aware of the new procedures that they were required to follow.

Results

Relying on the IT expertise of the Taos consultants, the client was able to prioritize the areas essential for the SOX audit. Documentation, procedure, and control efforts were strategically ranked in order of priority to ensure maximum effectiveness over the short time period available. The Taos team assisted in enhancing essential process documents and procedures, allowing the client business process leaders and staff to focus on their core business-critical functions while ensuring that SOX compliance was met. Having an overall knowledge of technology environments as well as a clear understanding of SOX regulations, the Taos consultant was able to translate both SOX and technical jargon into ‘plain English’ suitable for use by busy business process owners and the SOX auditors.

By partnering with Taos to handle all of the IT-related SOX issues and the mapping of their IT processes onto their SOX audit controls, the client saved a substantial amount of time. They were also able to save money in consulting fees by using Taos over alternative high-priced consultants. The client achieved rapid results tied to concrete deliverables.

Taos continues to work with the client in the next phase of this effort: enhancing and testing the basic processes and audit trails, and making revisions to the processes to ensure alignment with both regulation and business functionality.

Case Study #2

Client

A leading national newspaper publisher with an extensive on-line presence, as well as operations and physical locations throughout the United States.

Problem

The client was preparing for its upcoming Sarbanes-Oxley (SOX) audit, and although the processes were generally in place, there were several issues: processes were not clearly documented in an auditable framework, and there was no central repository for policies, processes, and procedures. There were also deficiencies in their processes, which needed to be identified and corrected. Many Taos clients take advantage of the SOX efforts to clean up and improve process deficiencies.

Taos Solution

Due to lack of SOX experience and lack of resources in-house, the client hired Taos. The Taos team began by gathering and reviewing existing documentation and conducting interviews with key IT staff and management. Using this discovery, Taos performed a detailed process analysis in the context of industry-accepted best practices as well as taking advantage of best practices currently in place. Taos was then able to map the client’s processes onto their control objectives and update or, in some cases, create documentation to accurately and completely describe those processes. Because of Taos’ extensive IT experience, we were also able to efficiently identify and correct a number of process deficiencies, including implementation of a central document repository as well as document templates.

Results

At the completion of the project, the central repository was in place and it contained all the necessary audit documents including:

  • Network operations procedures
  • Data center operations procedures
  • Change control procedures
  • Physical environmental control procedures

Taos developed a standard SOX framework that allowed the client to enter the formal auditing process with greater peace of mind and assurance that they can meet SOX compliance year after year.

© 2004, Taos Mountain, Inc.