{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:01:37Z","timestamp":1754157697452,"version":"3.41.2"},"reference-count":55,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2005,9,1]],"date-time":"2005-09-01T00:00:00Z","timestamp":1125532800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2005,9,1]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>To provide background for senior and middle management in information technology organizations who may be in the implementation phase of compliance for Sarbanes\u2010Oxley (SOX). As the information technology (IT) organization looks forward to additional compliance or other IT control frameworks such as COBIT, the paper can help construct a roadmap. Other audiences include senior management, accountants, internal auditors, and academics who may wish to evaluate the impact of SOX on the information technology organization.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>SOX is surveyed to understand the four major compliance areas that must be supported in the IT organization. Recently published works are integrated into an evaluation of enterprise resource planning (ERP) research to identity several ongoing themes that point to practical advice for implementing SOX. The private sector of US business is saturated with ERP applications and provides a useful benchmark of what to expect with SOX compliance. The sections of this report include: SOX and IT governance; ERP systems: recurring themes; after the initial implementation of SOX; frameworks to support SOX compliance; IT governance and SOX: where we go from here; to best practice and competitive advantage; and conclusion.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>Competencies in several related core disciplines including project management, change management, and software integration should be the top priority for SOX implementation. Enterprise architecting and related areas such as security and outsourcing can be managed more effectively with the appropriate competencies.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Research limitations\/implications<\/jats:title><jats:p>The authors' observations are based on several research reports but are not exhaustive, and are not specific to a particular industry.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>The content is a very useful source of information for senior management, IT management, accountants, auditors, and academics to understand the impact of SOX on the IT organization and how to develop a roadmap to respond.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220510614434","type":"journal-article","created":{"date-parts":[[2005,8,31]],"date-time":"2005-08-31T20:09:33Z","timestamp":1125518973000},"page":"311-327","source":"Crossref","is-referenced-by-count":15,"title":["What ERP systems can tell us about Sarbanes\u2010Oxley"],"prefix":"10.1108","volume":"13","author":[{"given":"William","family":"Brown","sequence":"first","affiliation":[]},{"given":"Frank","family":"Nasuti","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"unstructured":"Alberts, C. and Dorofee, A. (2002), Managing Information Security Risks: The OCTAVE Approach, Addison\u2010Wesley, New York, NY.","key":"key2022030819532622700_b1"},{"unstructured":"Benesh, M. (1999), \u201cManaging your ERP project\u201d, Software Testing and Quality Engineering, July\/August, pp. 38\u201043.","key":"key2022030819532622700_b2"},{"unstructured":"Boehm, B. (1981), Software Engineering Economics, Prentice\u2010Hall, Upper Saddle River, NJ.","key":"key2022030819532622700_b3"},{"doi-asserted-by":"crossref","unstructured":"Cannon, D. and Growe, G. (2004), \u201cSOA compliance: will IT sabotage your efforts?\u201d, Wiley Periodicals, Inc, published online in Wiley InterScience, available at: www.interscience.wiley.com.","key":"key2022030819532622700_b4","DOI":"10.1002\/jcaf.20035"},{"unstructured":"Chan, S. (2004), \u201cSarbanes\u2010Oxley: the IT dimension\u201d, The Internal Auditor, Vol. 61 No. 1, pp. 31\u20103.","key":"key2022030819532622700_b5"},{"unstructured":"Chang, S., Gable, G., Smythe, E. and Timbrell, G. (2000), \u201cA Delphi examination of public sector ERP implementation issues\u201d, Proceedings of the Twenty First International Conference on Information Systems, Information System Management Research Centre, Faculty of Information Technology, Queensland University of Technology, Brisbane, pp. 494\u2010500.","key":"key2022030819532622700_b6"},{"unstructured":"CIO Insight\/Gartner (2004), \u201cEXP research: Sarbanes\u2010Oxley 2004: are you ready to comply?\u201d, available at: www.cioinsight.com.","key":"key2022030819532622700_b7"},{"unstructured":"Cobb, C.G. (2004), \u201cSarbanes\u2010Oxley: pain or gain?\u201d, Quality Progress, Vol. 37 No. 11, pp. 48\u201052.","key":"key2022030819532622700_b8"},{"unstructured":"Colbert, J. and Bowen, P. (1996), \u201cA comparison of internal controls: COBIT, SAC, COSO and SAS 55\/78\u201d, IS Audit & Control Journal, Vol. 4, pp. 26\u201035.","key":"key2022030819532622700_b9"},{"unstructured":"COSO (2005), \u201cFAQs, for COSO's enterprise risk management \u2013 integrated framework\u201d, available at: www.coso.org\/Publications\/ERM\/erm_faq.htm.","key":"key2022030819532622700_b10"},{"doi-asserted-by":"crossref","unstructured":"Damianides, M. (2005), \u201cSarbanes\u2010Oxley and IT governance: new guidance and IT control and compliance\u201d, Information Systems Management, Winter.","key":"key2022030819532622700_b11","DOI":"10.1201\/1078\/44912.22.1.20051201\/85741.9"},{"unstructured":"Decker, S. and Lepeak, S. (2003), Connecting to ERP for SOX 404 Assessments, META Group, Stamford, CT, available at: www.metagroup.com.","key":"key2022030819532622700_b12"},{"unstructured":"Deloitte & Touche (1999), \u201cMaximizing the value of ERP enabled processes\u201d, The Review, 18 January.","key":"key2022030819532622700_b14"},{"unstructured":"Deloitte Consulting (1999), ERP's Second Wave, Deloitte Consulting, Atlanta, GA.","key":"key2022030819532622700_b13"},{"unstructured":"Dittmar, L. (2004), \u201cWhat will you do in Sarbanes\u2010Oxley's second year?\u201d, Financial Executive, Vol. 20 No. 8, pp. 17\u201018.","key":"key2022030819532622700_b15"},{"unstructured":"Fedorowicz, J. and Ulric, J. (1998), \u201cAdoption and usage patterns of COBIT: results from a survey of COBIT purchasers\u201d, Information Systems Audit & Control Journal, Vol. 6, pp. 45\u201051.","key":"key2022030819532622700_b16"},{"unstructured":"Garretson, C. (2003), \u201cUnder the gun\u201d, Network World, Vol. 20 No. 35, p. 38.","key":"key2022030819532622700_b17"},{"unstructured":"Gremba, J. and Myers, G. (2005), \u201cThe IDEAL model: a practical guide for improvement\u201d, Carnegie Melon Software Engineering Institute, available at: www.sei.cmu.edu\/ideal\/ideal.bridge.html.","key":"key2022030819532622700_b18"},{"unstructured":"Guldentops, E., Van Grembergen, W. and De Haes, S. (2002), \u201cControl and governance maturity survey: establishing a reference benchmark and a self\u2010assessment tool\u201d, Information Systems Control Journal, Vol. 6, pp. 32\u20105.","key":"key2022030819532622700_b19"},{"unstructured":"Hagan, S. (2004), \u201cPlenary session: driving forces in database technology\u201d, Proceedings of the 20th International Conference on Data Engineering (ICDE'04), IEEE, New York, NY.","key":"key2022030819532622700_b20"},{"unstructured":"Hamerman, P., Markham, R., Orlov, L. and Teubner, C. (2005), Sarbanes\u2010Oxley Solutions \u2013 Invest Now or Pay Later Hybrid Applications Emerge for Internal Controls Compliance, Forrester Research, Cambridge, MA, available at: www.forrester.com.","key":"key2022030819532622700_b21"},{"doi-asserted-by":"crossref","unstructured":"Hawking, P., Stein, A. and Foster, S. (2004), \u201cRevisiting ERP systems: benefit realization\u201d, paper presented at the 37th Hawaii International Conference on System Sciences, ACM, available at: http:\/\/csdl.computer.org\/.","key":"key2022030819532622700_b22","DOI":"10.1109\/HICSS.2004.1265554"},{"unstructured":"Heffes, E. (2005), \u201cFEI CEO's 2005 top 10 financial reporting issues\u201d, Financial Executive, Vol. 21 No. 1, available at: www.fei.org.","key":"key2022030819532622700_b23"},{"unstructured":"Information Systems Audit and Control Association (2005), \u201cAbout ISACA\u201d, available at: www.isaca.org.","key":"key2022030819532622700_b24"},{"unstructured":"IT Governance Institute (2005), \u201cAbout ITGI\u201d, available at: www.itgi.org.","key":"key2022030819532622700_b25"},{"unstructured":"Kaarst\u2010Brown, M. and Kelly, S. (2005), \u201cIT governance and Sarbanes\u2010Oxley: the latest sales pitch or real challenges for the IT function?\u201d, Proceedings of the 38th Hawaii International Conference on System Sciences \u2013 2005, IEEE, New York, NY.","key":"key2022030819532622700_b26"},{"unstructured":"Kaisler, S., Armour, F. and Valivullah, M. (2005), \u201cEnterprise architecting: critical problems\u201d, Proceedings of the 38th Hawaii International Conference on System Sciences, IEEE, New York, NY.","key":"key2022030819532622700_b27"},{"unstructured":"Kola, V. (2004), \u201cSarbanes\u2010Oxley section 404: from practice to best practice\u201d, Financial Executive, Vol. 20.","key":"key2022030819532622700_b28"},{"doi-asserted-by":"crossref","unstructured":"Kolawa, A. (2004), \u201cOutsourcing: devising a game plan, what types of projects make good candidates for outsourcing\u201d, Queue, Vol. 2 No. 8, pp. 56\u201062.","key":"key2022030819532622700_b29","DOI":"10.1145\/1036474.1036501"},{"doi-asserted-by":"crossref","unstructured":"Krasner, H. (2000), \u201cEnsuring e\u2010business success by learning from ERP failures\u201d, IT Pro, January\u2010February.","key":"key2022030819532622700_b30","DOI":"10.1109\/6294.819935"},{"unstructured":"Lepeak, S. (2004), Sarbanes\u2010Oxley: How Can I Ensure True Success?, META Group Services, available at: www.metagroup.com.","key":"key2022030819532622700_b31"},{"unstructured":"Leskeia, L. and Logan, D. (2003), \u201cSarbanes\u2010Oxley Compliance Demands IS Involvement\u201d, Gartner, available at: www.gartner.com\/.","key":"key2022030819532622700_b32"},{"unstructured":"Louwers, T., Ramsey, R., Sinason, D. and Strawser, J. (2005), Auditing and Assurance Services, McGraw\u2010Irwin, New York, NY.","key":"key2022030819532622700_b33"},{"unstructured":"Luftman, J., Bullen, C., Liao, D., Nash, E. and Neumann, C. (2004), Managing the Information Technology Resource, Pearson Prentice\u2010Hall, Upper Saddle River, NJ.","key":"key2022030819532622700_b34"},{"unstructured":"Marlin, S. (2003), \u201cRules of the road\u201d, InformationWeek, No. 958, p. 40.","key":"key2022030819532622700_b35"},{"doi-asserted-by":"crossref","unstructured":"Mead, N.R. and Mcgraw, G. (2004), \u201cRegulation and information security: can Y2K lessons help us?\u201d, IEEE Security and Privacy, IEEE, New York, NY.","key":"key2022030819532622700_b36","DOI":"10.1109\/MSECP.2004.1281248"},{"unstructured":"Pathak, J. (2003), \u201cInternal audit and e\u2010commerce controls\u201d, Internal Auditing, Vol. 18 No. 2, pp. 30\u20104.","key":"key2022030819532622700_b37"},{"unstructured":"Proctor, P. (2004), \u201cSarbanes\u2010Oxley security and risk controls: when is enough enough?\u201d, Stamford, CT, Infusion: Security & Risk Strategies, META Group, available at: www.metagroup.com.","key":"key2022030819532622700_b38"},{"unstructured":"Public Company Accounting Oversight Board (PCAOB) (2005), \u201cCenter for enforcement tips, complaints and other information\u201d, available at: www.pcaobus.org\/Enforcement\/Tips\/index.asp.","key":"key2022030819532622700_b39"},{"unstructured":"Public Company Accounting Oversight Board (PCAOB) (2002), \u201cSarbanes\u2010Oxley act of 2002\u201d, Public Law 107\u2010204, 107th Congress, available at: www.pcaobus.org.","key":"key2022030819532622700_b40"},{"unstructured":"Ramos, M. (2004), How to Comply with Sarbanes\u2010Oxley Section 404, Wiley, Hoboken, NJ.","key":"key2022030819532622700_b41"},{"doi-asserted-by":"crossref","unstructured":"Reich, B.H. and Nelson, K. (2003), \u201cIn their own words: CIO visions about the future of in\u2010house IT organizations\u201d, The Database for Advances in Information Systems, Vol. 34 No. 4.","key":"key2022030819532622700_b42","DOI":"10.1145\/957758.957763"},{"doi-asserted-by":"crossref","unstructured":"Ridley, G., Young, J. and Carol, P. (2004), \u201cCOBIT and its utilization: a framework from the literature\u201d, Proceedings of the 37th Hawaii International Conference on System Sciences \u2013 2004, IEEE, New York, NY.","key":"key2022030819532622700_b43","DOI":"10.1109\/HICSS.2004.1265566"},{"unstructured":"Salle, M. and Rosenthal, S. (2005), \u201cFormulating and implementing an HP IT program strategy using COBIT and HP ITSM\u201d, Proceedings of the 38th Hawaii International Conference on System Sciences \u2013 2005, IEEE.","key":"key2022030819532622700_b44"},{"unstructured":"SAP (2005), Home page, available at: www.sap.com.","key":"key2022030819532622700_b45"},{"unstructured":"SEC (2005), \u201cRegulation S\u2010K, \u00a7229.308, Item 308\u201d, available at: www.sec.gov\/divisions\/corpfin\/forms\/regsk.htm#internal.","key":"key2022030819532622700_b46"},{"unstructured":"Software Engineering Institute (2005), \u201cCapability maturity models\u201d, available at: www.sei.cmu.edu.","key":"key2022030819532622700_b47"},{"unstructured":"Somers, T.M. and Nelson, K. (2001), \u201cThe impact of critical success factors across the stages of enterprise resource planning implementations\u201d, Proceedings of the 34th Hawaii International Conference on System Sciences \u2013 2001, IEEE, New York, NY.","key":"key2022030819532622700_b48"},{"unstructured":"(The) Standish Group (2003), \u201cLatest Standish group CHAOS report shows project success rates have improved by 50 percent\u201d, available at: www.standishgroup.com.","key":"key2022030819532622700_b50"},{"doi-asserted-by":"crossref","unstructured":"Tas, J. and Sunder, S. (2004), \u201cFinancial services business process outsourcing\u201d, Communications of the ACM, Vol. 47 No. 5.","key":"key2022030819532622700_b49","DOI":"10.1145\/986213.986238"},{"doi-asserted-by":"crossref","unstructured":"Tongren, J. and Warigon, S. (1997), \u201cA preliminary survey of COBIT use EDP audit\u201d, Control and Security Newsletter, Vol. 25 No. 3, pp. 17\u201019.","key":"key2022030819532622700_b51","DOI":"10.1080\/07366989709452322"},{"unstructured":"Worthen, B. (2003), \u201cYour risks and responsibilities; you may think the Sarbanes\u2010Oxley legislation has nothing to do with you. You'd be wrong\u201d, CIO, Vol. 16 No. 15, p. 1.","key":"key2022030819532622700_b52"},{"doi-asserted-by":"crossref","unstructured":"Xia, W. and Lee, G. (2004), \u201cGrasping the complexity of IS development\u201d, Communications of the ACM, Vol. 47 No. 5, pp. 68\u201074.","key":"key2022030819532622700_b53","DOI":"10.1145\/986213.986215"},{"unstructured":"Ziff Davis (2004), \u201cCIO Insight Magazine and Gartner EXP release major study on Sarbanes Oxley compliance\u201d, available at: www.ziffdavis.com.","key":"key2022030819532622700_b54"},{"unstructured":"Zorz, M. (2003), \u201cInterview with Christopher Alberts, a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute\u201d, available at: www.net\u2010security.org (accessed 12 March).","key":"key2022030819532622700_b55"}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220510614434","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220510614434\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220510614434\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:08:55Z","timestamp":1753402135000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/13\/4\/311-327\/171333"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2005,9,1]]},"references-count":55,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2005,9,1]]}},"alternative-id":["10.1108\/09685220510614434"],"URL":"https:\/\/doi.org\/10.1108\/09685220510614434","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2005,9,1]]}}}