What ERP systems can tell us about Sarbanes-Oxley

Information Management and Computer Security

Volumn 13, Issue 4, 2005, Pages 311-327

  Brown, William ^a   Nasuti, Frank ^b  

^a MINNESOTA STATE UNIVERSITY   (United States)

^b The Institute for Internal Controls Inc   (United States)

Author keywords

Communications technologies; Manufacturing resource planning

Indexed keywords

INFORMATION TECHNOLOGY; PERSONNEL; RISK MANAGEMENT; SECURITY OF DATA; SOCIETIES AND INSTITUTIONS; STRATEGIC PLANNING;

COMMUNICATION TECHNOLOGIES; MANUFACTURING RESOURCE PLANNING;

ENTERPRISE RESOURCE PLANNING;

EID: 24144475007     PISSN: 09685227     EISSN: None     Source Type: Journal    
DOI: 10.1108/09685220510614434     Document Type: Article

References (55)

1. Alberts, C. and Dorofee, A. (2002), Managing Information Security Risks: The OCTAVE Approach, Addison-Wesley, New York, NY.
2. Benesh, M. (1999), "Managing your ERP project", Software Testing and Quality Engineering, July/August, pp. 38-43.
3. Boehm, B. (1981), Software Engineering Economics, Prentice-Hall, Upper Saddle River, NJ.
4. Cannon, D. and Growe, G. (2004), "SOA compliance: Will IT sabotage your efforts?", Wiley Periodicals, Inc, published online in Wiley InterScience, available at: www.interscience.wiley.com.
5. Chan, S. (2004), "Sarbanes-Oxley: The IT dimension", The Internal Auditor, Vol. 61 No. 1, pp. 31-3.
6. Chang, S., Gable, G., Smythe, E. and Timbrell, G. (2000), "A Delphi examination of public sector ERP implementation issues", Proceedings of the Twenty First International Conference on Information Systems, Information System Management Research Centre, Faculty of Information Technology, Queensland University of Technology, Brisbane, pp. 494-500.
7. CIO Insight/Gartner (2004), "EXP research: Sarbanes-Oxley 2004: are you ready to comply?", available at: www.cioinsight.com.
8. Cobb, C.G. (2004), "Sarbanes-Oxley: Pain or gain?", Quality Progress, Vol. 37 No. 11, pp. 48-52.
9. Colbert, J. and Bowen, P. (1996), "A comparison of internal controls: COBIT, SAC, COSO and SAS 55/78", IS Audit & Control Journal, Vol. 4, pp. 26-35.
10. COSO (2005), "FAQs, for COSO's enterprise risk management - Integrated framework", available at: www.coso.org/Publications/ ERM/erm_faq.htm.
11. Damianides, M. (2005), "Sarbanes-Oxley and IT governance: New guidance and IT control and compliance", Information Systems Management, Winter.
12. Decker, S. and Lepeak, S. (2003), Connecting to ERP for SOX 404 Assessments, META Group, Stamford, CT, available at: www.metagroup.com.
13. Deloitte & Touche (1999), "Maximizing the value of ERP enabled processes", The Review, 18 January.
14. Deloitte Consulting (1999), ERP's Second Wave, Deloitte Consulting, Atlanta, GA.
15. Dittmar, L. (2004), "What will you do in Sarbanes-Oxley's second year?", Financial Executive, Vol. 20 No. 8, pp. 17-18.
16. Fedorowicz, J. and Ulric, J. (1998), "Adoption and usage patterns of COBIT: Results from a survey of COBIT purchasers", Information Systems Audit & Control Journal, Vol. 6, pp. 45-51.
17. Garretson, C. (2003), "Under the gun", Network World, Vol. 20 No. 35, p. 38.
18. Gremba, J. and Myers, G. (2005), "The IDEAL model: A practical guide for improvement", Carnegie Melon Software Engineering Institute, available at: www.sei.cmu.edu/ideal/ideal.bridge.html.
19. Guldentops, E., Van Grembergen, W. and De Haes, S. (2002), " Control and governance maturity survey: Establishing a reference benchmark and a self-assessment tool", Information Systems Control Journal, Vol. 6, pp. 32-5.
20. Hagan, S. (2004), "Plenary session: Driving forces in database technology", Proceedings of the 20th International Conference on Data Engineering (ICDE'04), IEEE, New York, NY.
21. Hamerman, P., Markham, R., Orlov, L. and Teubner, C. (2005), Sarbanes-Oxley Solutions - Invest Now or Pay Later Hybrid Applications Emerge for Internal Controls Compliance, Forrester Research, Cambridge, MA, available at: www.forrester.com.
22. Hawking, P., Stein, A. and Foster, S. (2004), "Revisiting ERP systems: Benefit realization", paper presented at the 37th Hawaii International Conference on System Sciences, ACM, available at: http://csdl.computer.org/.
23. Heffes, E. (2005), "FEI CEO's 2005 top 10 financial reporting issues", Financial Executive, Vol. 21 No. 1, available at: www.fei.org.
24. Information Systems Audit and Control Association (2005), "About ISACA", available at: www.isaca.org.
25. IT Governance Institute (2005), "About ITGI", available at: www.itgi.org.
26. Kaarst-Brown, M. and Kelly, S. (2005), "IT governance and Sarbanes-Oxley: The latest sales pitch or real challenges for the IT function?", Proceedings of the 38th Hawaii International Conference on System Sciences - 2005, IEEE, New York, NY.
27. Kaisler, S., Armour, F. and Valivullah, M. (2005), "Enterprise architecting: Critical problems", Proceedings of the 38th Hawaii International Conference on System Sciences, IEEE, New York, NY.
28. Kola, V. (2004), "Sarbanes-Oxley section 404: From practice to best practice", Financial Executive, Vol. 20.
29. Kolawa, A. (2004), "Outsourcing: Devising a game plan, what types of projects make good candidates for outsourcing", Queue, Vol. 2 No. 8, pp. 56-62.
30. Krasner, H. (2000), "Ensuring e-business success by learning from ERP failures", IT Pro, January-February.
31. Lepeak, S. (2004), Sarbanes-Oxley: How Can I Ensure True Success?, META Group Services, available at: www.metagroup.com.
32. Leskeia, L. and Logan, D. (2003), "Sarbanes-Oxley Compliance Demands IS Involvement", Gartner, available at: www.gartner.com/.
33. Louwers, T., Ramsey, R., Sinason, D. and Strawser, J. (2005), Auditing and Assurance Services, McGraw-Irwin, New York, NY.
34. Luftman, J., Bullen, C., Liao, D., Nash, E. and Neumann, C. (2004), Managing the Information Technology Resource, Pearson Prentice-Hall, Upper Saddle River, NJ.
35. Marlin, S. (2003), "Rules of the road", InformationWeek, No. 958, p. 40.
36. Mead, N.R. and Mcgraw, G. (2004), "Regulation and information security: Can Y2K lessons help us?", IEEE Security and Privacy, IEEE, New York, NY.
37. Pathak, J. (2003), "Internal audit and e-commerce controls", Internal Auditing, Vol. 18 No. 2, pp. 30-4.
38. Proctor, P. (2004), "Sarbanes-Oxley security and risk controls: When is enough enough?", Stamford, CT, Infusion: Security & Risk Strategies, META Group, available at: www.metagroup.com.
39. Public Company Accounting Oversight Board (PCAOB) (2005), "Center for enforcement tips, complaints and other information", available at: www.pcaobus.org/Enforcement/Tips/index.asp.
40. Public Company Accounting Oversight Board (PCAOB) (2002), "Sarbanes-Oxley act of 2002", Public Law 107-204, 107th Congress, available at: www.pcaobus.org.
41. Ramos, M. (2004), How to Comply with Sarbanes-Oxley Section 404, Wiley, Hoboken, NJ.
42. Reich, B.H. and Nelson, K. (2003), "In their own words: CIO visions about the future of in-house IT organizations", The Database for Advances in Information Systems, Vol. 34 No. 4.
43. Ridley, G., Young, J. and Carol, P. (2004), "COBIT and its utilization: A framework from the literature", Proceedings of the 37th Hawaii International Conference on System Sciences - 2004, Hoboken, NJ.
44. Salle, M. and Rosenthal, S. (2005), "Formulating and implementing an HP IT program strategy using COBIT and HP ITSM", Proceedings of the 38th Hawaii International Conference on System Sciences - 2005, IEEE.
45. SAP (2005), Home page, available at: www.sap.com.
46. SEC (2005), "Regulation S-K, 229.308, Item 308", available at: www.sec.gov/divisions/corpfin/forms/regsk.htm#internal
47. Software Engineering Institute (2005), "Capability maturity models", available at: www.sei.cmu.edu.
48. Somers, T.M. and Nelson, K. (2001), "The impact of critical success factors across the stages of enterprise resource planning implementations", Proceedings of the 34th Hawaii International Conference on System Sciences - 2001, IEEE, New York, NY.
49. (The) Standish Group (2003), "Latest Standish group CHAOS report shows project success rates have improved by 50 percent", available at: www.standishgroup.com.
50. Tas, J. and Sunder, S. (2004), "Financial services business process outsourcing", Communications of the ACM, Vol. 47 No. 5.
51. Tongren, J. and Warigon, S. (1997), "A preliminary survey of COBIT use EDP audit", Control and Security Newsletter, Vol. 25 No. 3, pp. 17-19.
52. Worthen, B. (2003), "Your risks and responsibilities; you may think the Sarbanes-Oxley legislation has nothing to do with you. You'd be wrong", CIO, Vol. 16 No. 15, p. 1.
53. Xia, W. and Lee, G. (2004), "Grasping the complexity of IS development", Communications of the ACM, Vol. 47 No. 5, pp. 68-74.
54. Ziff Davis (2004), "CIO Insight Magazine and Gartner EXP release major study on Sarbanes Oxley compliance", available at: www.ziffdavis.com.
55. Zorz, M. (2003), "Interview with Christopher Alberts, a senior member of the technical staff in the Networked Systems Survivability Program at the Software Engineering Institute", available at: www.net-security.org (accessed 12 March).