What ERP systems can tell us about Sarbanes-Oxley

Purpose – To provide background for senior and middle management in information technology organizations who may be in the implementation phase of compliance for Sarbanes-Oxley (SOX). As the information technology (IT) organization looks forward to additional compliance or other IT control frameworks such as COBIT, the paper can help construct a roadmap. Other audiences include senior management, accountants, internal auditors, and academics who may wish to evaluate the impact of SOX on the information technology organization. Design/methodology/approach – SOX is surveyed to understand the four major compliance areas that must be supported in the IT organization. Recently published works are integrated into an evaluation of enterprise resource planning (ERP) research to identity several ongoing themes that point to practical advice for implementing SOX. The private sector of US business is saturated with ERP applications and provides a useful benchmark of what to expect with SOX compliance. The sections of this report include: SOX and IT governance; ERP systems: recurring themes; after the initial implementation of SOX; frameworks to support SOX compliance; IT governance and SOX: where we go from here; to best practice and competitive advantage; and conclusion. Findings – Competencies in several related core disciplines including project management, change management, and software integration should be the top priority for SOX implementation. Enterprise architecting and related areas such as security and outsourcing can be managed more effectively with the appropriate competencies. Research limitations/implications – The authors’ observations are based on several research reports but are not exhaustive, and are not specific to a particular industry. Originality/value – The content is a very useful source of information for senior management, IT management, accountants, auditors, and academics to understand the impact of SOX on the IT organization and how to develop a roadmap to respond.