
Sarbanes-Oxley: The Role of Technology

Feature
Jun 22, 2004 | 3 mins
CSO and CISO, Data and Information Security

By Gartner Research VP Debra Logan and Research Director Rich Mogull

Sarbanes-Oxley does not regulate technology; however, using technology effectively can reduce the cost, time and risk of an enterprise’s compliance activities.

The U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (the Sarbanes-Oxley Act) is not about technology.

Sarbanes-Oxley is about improving transparency and accountability in business processes and corporate accounting to restore confidence in public markets. It regulates processes and business practices, not technology. In the modern enterprise, however, technology often defines and executes business processes or parts of business processes. The technology and business processes regulated by Sarbanes-Oxley are so entwined that it’s impossible to separate them.

You will face two challenges when sorting through this entanglement of business processes and technology.

The first is how to ensure that your IT systems are compliant with Sarbanes-Oxley. The only technology category that the law mentions specifically is “electronic communications,” yet we know that financial accounting systems, enterprise resource planning (ERP), general ledger and supply chain management systems will all be subject to the regulation. Which other systems will be scrutinized by the regulators, and will new ones need to be put in place to comply? Sarbanes-Oxley is principally concerned with the financial process, so CIOs should pay the closest attention to ERP and other financial management systems.

Additionally, Sarbanes-Oxley requires that companies keep good records. Our research prior to the passage of the act indicated that, although companies may have had adequate control over paper records, their control of electronic documents was inadequate. There are civil and criminal penalties for destruction and falsification of documents. The truth is that, although good recordkeeping is not specifically mentioned in the act, the implications for records management are clear.

The second challenge is how to leverage technology to reduce the resource burden of compliance. Is there any way to derive business benefit from compliance activities and investments? Are there any strategic technology investments that you can make to stop the seemingly endless cycle of auditing and consulting to deal with the regulation of the month? Is there a way to create a flexible compliance platform?

Sarbanes-Oxley does not directly regulate technology. By understanding the role of different technologies in your business processes, and where established or new technologies can aid compliance, enterprises can reduce the costs of regulatory compliance and derive long-term business value.

Recommended Reading

“Process Management Technology Makes Compliance Easier” – Business process management solutions can ease compliance by documenting and enforcing process controls, the very heart of the Sarbanes-Oxley Act. By Debra Logan and James Sinur

For more information on Sarbanes-Oxley compliance, visit gartner.com/itgovernance.