Holistic Compliance with Sarbanes-Oxley

The theory underlying US securities laws is that investors are helpless without reliable information [Zelizer, 2002]. When Enron's collapse and other corporate frauds made it clear that "practically every element of our system of safeguards failed until it was too late to repair the damage," Congress reinforced those laws by passing the Sarbanes-Oxley (SARBOX) Act [O'Malley, 2002]. This new law demands that C-suite executives confirm their confidence in the quality and integrity of information generated by information systems by signing the figures off personally. Under SARBOX, the Securities and Exchange Commission holds executives accountable for reliable internal controls, record retention, and fraud detection. In turn, executives are looking to information systems and to IS auditors to help them meet their regulatory responsibilities. This article discusses SARBOX mandates and the intent of regulatory agencies. That understanding lays the foundation needed to develop holistic SARBOX compliance programs with information technology and business process improvements. Holistic compliance is an enterprisewide and long-term approach that views the new law as opportunities to improve internal controls and public reporting. Holistic compliance stands in contrast to simply complying with the rules or silo compliance; i.e., efforts scattered throughout business silos. We identify SARBOX requirements ("sections") concerning IS and IS research. Research areas to achieve minimal compliance include methods for IS assurance and auditing, risk management, and electronic records management (ERM). Research in business intelligence, data warehousing and mining, and supply chain management are necessary for holistic compliance that improves competitive position. While research efforts in these areas are not new, regulations have made them more compelling and urgent issues for senior management.