Governance Responsibilities Imposed by Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002 (also called "Sar-Ox" or "SOX") assigns personal responsibility to senior management of public and non-public organizations in the U.S. and is also being applied in various forms by other countries throughout the world. Of particular concern is Section 404 of the Act, which relates to "Management Assessment of Internal Controls." This section requires an internal control report and states "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting."[1]

Typical of the difficulties senior management faces in supporting SOX are the following issues, which relate to internal control over financial reporting of public companies and to judgments and estimates:

"Management is required to document the system of internal control over financial reporting. As required by the Sarbanes-Oxley Act of 2002 (SOX), section 404 (Management Assessment of Internal Controls), management will be required to assess the effectiveness of these controls. The ASB [Auditing Standards Board] believes that the evidence management uses to support its assertion about the effectiveness of its internal control also should be documented. The ASB believes that a failure to document the system of controls or the evidence used in making the assessment should be considered a weakness in internal control."

"Management must recognize that judgments and estimates are subject to second-guessing, and an assessment can change in a subsequent period if new information becomes available. As a result, the system of internal control over estimates is particularly sensitive because the auditor or a regulator might conclude that the internal control system was either not appropriate or not functioning because it allowed an inappropriate estimate to be booked in the first place. This will be true for any account or control where there is a greater degree of subjectivity."[2]

The internal controls that are required will vary from enterprise to enterprise. They will need to be tailored to the relevant industry (or industries) within which the organization operates; they are also typically unique for each enterprise. They are determined by its business activities and processes as well as its financial controls. They are closely related to the IT systems and databases that the enterprise uses for financial and other reporting.

For example, a simple test that can be applied in an organization is to ask staff why they carry out a specific business process, financial or otherwise. This is a question that may be asked by an auditor to determine whether internal controls referenced by management do actually work. The question, "why do you do that process?" often elicits the response: "because we have always done it that way." This answer indicates that the reasons -- even if they were once known -- have become lost to history, and it is a warning signal to the auditor and to management that the internal controls are not working in that particular case.

Another example of the questions that auditors must ensure are adequately addressed is shown in Figure 1, which covers multilocation testing considerations.[3]

Figure 1: Multilocation Testing Considerations

The questions in Figure 1 relate to business units and locations and are generally tested first by auditors. They should be easy for most enterprises to answer. Difficulty in answering these simple questions may indicate more serious deficiencies in internal controls. This can lead the auditor to pose more difficult questions where the detail of the answers is less important to the auditor than the demonstrated fact that senior management does have relevant answers available.

Typical Internal Control Questions

For complete satisfaction that internal controls have not only been implemented but also work in practice throughout the enterprise, senior management needs to show that answers are available for each of the following management and audit questions. It should be possible to answer these questions in relation to key resources such as data; business activities and processes; locations; people and business units; and events. The answers should show how those resources relate to the strategic and tactical business plans that management has defined, such as:

  • For Data: What does the data represent? How is the data processed? Where is it used? Who is responsible for the data? When is the data used? Why is the data needed? Does this data support the strategic and tactical business plans?
  • For Processes: How do we execute them? What data do they use? Where are they processed? Who is responsible for the processes? When are these processes used? Why are the processes needed? Do they support strategic and tactical business plans?
  • For Locations: What data does the location need? How are processes executed in the location? Who is responsible for the location? When is the location involved in key events? Why does the location exist for the enterprise? Do the business plans for each location support the strategic and tactical business plans?
  • For Business Units and People: What data do the business units need? How are key processes executed in each business unit? Where is each business unit located? Who is responsible for the business unit? When is the business unit involved in key events? Why does each business unit exist? Do the business plans for each business unit support the strategic and tactical business plans?
  • For Business Events: What data does each business event need? Which processes are initiated by each business event? Where do business events occur? Who is responsible for these business events? When do they occur? Why do they occur? Do the business events support the strategic and tactical business plans?
  • For Business Plans: What data do the business plans need? How do processes support the business plans? Which locations do the business plans apply to? Who is responsible for these business plans? When does each event that supports the business plans occur? Why do the business plans exist? Do tactical and operational business plans support the strategic plans?

An auditor expects that answers to most of these questions are available to senior management, at least when applied at the strategic level -- and for key financial aspects at the tactical level as well. However, the reality in most organizations is much different. Apart from questions relating to "where" and "who," the answers for many of these questions are extremely difficult to obtain.

Managing Internal Controls Using Enterprise Architecture

These are simple internal control questions: what, how, where, who, when and why. If controls are in place, these questions should be capable of being answered from the different perspectives of management and staff levels in an enterprise. The answers available to senior management -- as the planners and owners of the enterprise -- are likely to be different from the detail needed by middle managers, business experts and IT staff -- as the designers and the builders -- of the business processes and support systems that are used for financial and other reporting.

These six questions can be represented by columns in a matrix, where the different perspectives of planner, owner, designer, builder and subcontractor are represented as rows. This matrix is provided by the Zachman Framework for Enterprise Architecture, as shown in Figure 2.[4] While enterprise architecture (EA) has previously been considered to be an IT responsibility, it also enables precise governance analysis when it is used by senior management. It also provides a business transformation enablement capability.

Figure 2: The Zachman Framework for Enterprise Architecture

The designers, builders and subcontractors (often outsourced) work with business experts who understand the business processes of the enterprise. Based on their business knowledge, IT staff have designed and built systems and databases that support those processes. They provide the data, information and processing needed for day-to-day operational functioning of the enterprise. They are represented by the bottom three rows of the Zachman Framework in Figure 2.

In most enterprises, senior managers have not become involved in enterprise architecture, which has been considered by many to be a computer discipline. While this is true in part, EA is also a business discipline. It enables business experts and IT staff, working together, to establish and define internal controls -- as systems to support the key business processes and databases that are needed for internal control reporting. When used by senior management, however, enterprise architecture also provides methods for business transformation, as will be discussed in Part 2 of this column.

It is the responsibility of senior management -- as planners and owners of the business plans, data, processes, locations, business units and events that are used to manage the enterprise -- to define the objectives and scope of the internal controls. It is also their responsibility to provide the high-level (conceptual) perspective or view that is needed to manage these controls. These control perspectives are defined in the first two rows of the Zachman Framework in Figure 2.

However, this key definition from the senior management perspective of the controls that are relevant to them for internal control reporting is missing in most enterprises today.

Previously, the absence of these controls has merely been embarrassing. With the legal implications of Sarbanes-Oxley noncompliance, an inability by senior managers -- due to the complexity of most enterprises -- to answer internal control reporting audit questions takes on a new personal meaning. What is needed is a governance analysis framework (GAF) that is both easy to create and easy to use to obtain answers to the relevant internal control reporting questions.

A Governance Analysis Framework for Sarbanes-Oxley

The Zachman Framework provides a way to cut through the complexity of today's enterprise and document the relationships that exist between each column for each row. These relationships are typically shown as matrices, as illustrated in Figures 3-6.

Figure 3: Typical GAF Matrix that Relates "Why" and "Who"

The right side of Figure 3 shows a typical organization structure for project management in some organizations. Under the project management business unit are shown three business units: financial management, resource management and schedule management. These business units represent model views of the enterprise.

The left side of Figure 3 is a typical governance analysis framework matrix. This relates business planning statements (goals, objectives, policies, key performance indicators/KPIs, strategies, tactics, etc.) that are shown as rows and address the question "Why." Relevant business units (based on the model views on the right side) are shown as columns of the matrix; they address the question "Who."

Reading across a row in Figure 3 shows ticked business units that are responsible for, or involved in, implementing the relevant planning statement for that row. For example, the "P3 Project Authorization (Policy)" row highlighted shows that the following business units are involved: F0 Strategic Model; F1 Project Management; F2 Financial Management; and F3 Resource Management. This clearly answers the question: "Who" is responsible for managing or involved in implementing this statement.

Reading down a column in Figure 3 indicates the subset of planning statements that the relevant business unit column is responsible for, or involved in, implementing. For example, reading down the column "F2 Financial Management," the ticked planning statement rows together represent the tactical business plan for financial management in the business unit. By referring to the detailed text in those planning statements, these rows clearly answer the financial management question of "Why" for financial reporting.

Figure 4 shows a matrix that lists business activities for financial management as rows, with the relevant business planning statements shown as columns.

Figure 4: Typical GAF Matrix that Relates "How" and "Why"

This matrix is blank, as it has just been created for the particular organization. It provides a governance analysis framework that is still to be completed by knowledgeable business experts. When completed, it can be easily used to answer the questions "How" and "Why."

Reading across a row in Figure 4 with an understanding of the relevant business activity for that row, the financial management business experts refer to the relevant planning statement text for each column. They tick those planning statement columns that require the relevant activity.

On completion of the matrix in this way, some internal controls for financial management have now been documented for later reference. For example, reading down a planning statement column in the matrix answers the question "How" the planning statement is implemented or managed based on the activity rows that are ticked. Reading across an activity row answers the question "Why" the activity is carried out for all of the planning statement columns that are ticked.

Figure 5 provides a further internal control matrix. It relates business plans (shown as planning statement rows) with data (shown as data object columns). When this governance analysis framework matrix has been completed, it can be used to answer "What" and "Why."

Figure 5: Typical GAF Matrix that Relates "Why" and "What"

For example, reading across a planning statement row in Figure 5 -- such as the "T1 Project Financial Reporting" row -- each data object column that provides data in support of the full text of that planning statement is ticked.

On completion of the matrix, by reading down a data column, each ticked row shows the planning statements that the data supports, answering the question "Why" the data is needed. Reading across a planning statement row indicates the data that is available to support that statement and associated management decision making. This answers the question "What"; it shows the data that supports the relevant statement.

A fourth governance analysis framework matrix is also very important. This is shown in Figure 6. It lists business activities as rows, with data objects as columns (shown as entities).

To complete this matrix, business experts who are knowledgeable in a listed business activity row will tick each data column that the activity requires. The resulting completed matrix enables the questions "What" and "How" to be answered. Reading down a data column, each activity row that has been ticked indicates "How" the data is used. Reading across an activity row, each column that has been ticked indicates "What" data is required.

Other matrices are also needed to answer each of the internal control questions posed earlier. The relevant matrices are identified next, with reference (in parentheses) to earlier figures where appropriate:

  • Data Matrices: Data to Processes (see Figure 6); Data to Locations; Data to People and Business Units; Data to Events; Data to Business Plans (see Figure 5).
  • Process Matrices: Processes to Data (see Figure 6); Processes to Locations; Processes to Business Units; Processes to Events; Processes to Business Plans (see Figure 4).
  • Location Matrices: Locations to Data; Locations to Processes; Locations to People and Business Units; Locations to Events; Locations to Business Plans.
  • People and Business Unit Matrices: People and Business Units to Data; People and Business Units to Processes; People and Business Units to Locations; People and Business Units to Events; People and Business Units to Business Plans (see Figure 3).
  • Business Event Matrices: Business Events to Data; Events to Processes; Events to Locations; Events to People and Business Units; Business Events to Business Plans.
  • Business Plan Matrices: Business Plans to Data (see Figure 5); Business Plans to Processes (see Figure 4); Business Plans to Locations; Business Plans to People and Business Units (see Figure 3); Business Plans to Business Events.

When senior managers use Governance Analysis Framework Matrices as described, they are able to demonstrate they have a powerful management tool for internal control reporting as required by the Sarbanes-Oxley Act of 2002.
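As an added illustration (not code from this column or from the Zachman Framework), the following Python models one GAF matrix as described for Figure 3: planning statement rows answer "Why," business unit columns answer "Who," and reading across a row or down a column works as the text describes. It also adds the completeness check an auditor would want: rows nobody owns and columns no planning statement justifies (in the Figure 4 activity-by-plan matrix the same unticked-row check flags an activity carried out "because we have always done it that way"). The ids F4 and O9, and every tick other than the P3 row the text cites, are constructed.

```python
# Added example: a governance analysis framework (GAF) matrix modelled on
# Figure 3 of the column. Ids P3, F0-F3 and T1 are taken from the column text;
# F4, O9 and all ticks other than the P3 row are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class GafMatrix:
    """A ticked matrix relating one Zachman column to another (e.g. Why x Who)."""
    rows: dict                               # row id -> planning statement text
    cols: dict                               # col id -> business unit text
    ticks: set = field(default_factory=set)  # (row id, col id) pairs that are ticked

    def tick(self, row, col):
        if row not in self.rows or col not in self.cols:
            raise KeyError(f"unknown row/column {row!r}/{col!r}")
        self.ticks.add((row, col))

    def across(self, row):
        """Read across a row: the units involved in that statement ("Who")."""
        return [c for c in self.cols if (row, c) in self.ticks]

    def down(self, col):
        """Read down a column: the statements a unit implements ("Why")."""
        return [r for r in self.rows if (r, col) in self.ticks]

    def rows_without_ticks(self):
        """Statements no unit owns (or, in a How x Why matrix, activities with no 'why')."""
        return [r for r in self.rows if not self.across(r)]

    def cols_without_ticks(self):
        """Units with no statement to implement: the tactical plan for them is empty."""
        return [c for c in self.cols if not self.down(c)]


def figure3_example():
    """Constructed Why x Who matrix following the layout described for Figure 3."""
    m = GafMatrix(
        rows={"P3": "Project Authorization (Policy)",
              "T1": "Project Financial Reporting (Tactic)",   # row named in Figure 5
              "O9": "Constructed objective with no owner"},    # constructed gap
        cols={"F0": "Strategic Model", "F1": "Project Management",
              "F2": "Financial Management", "F3": "Resource Management",
              "F4": "Schedule Management"},                     # F4 id constructed
    )
    for unit in ("F0", "F1", "F2", "F3"):   # ticks the text cites for the P3 row
        m.tick("P3", unit)
    m.tick("T1", "F2")                       # constructed tick
    return m


if __name__ == "__main__":
    m = figure3_example()
    print("Who implements P3:", m.across("P3"))
    print("Why F2 exists (its tactical plan):", m.down("F2"))
    print("Statements nobody owns:", m.rows_without_ticks())
    print("Units with no plan:", m.cols_without_ticks())
```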

Figure 6: Typical GAF Matrix that Relates "How" and "What"

Part 2 of this column will discuss how to develop governance analysis frameworks tailored to an enterprise by using enterprise architecture. Both parts of this column are also of interest to senior management.

1. A summary of links to key resources on the Sarbanes-Oxley Act of 2002 is located at The full text of the Act is available from these resource links as "Sarbanes-Oxley Act 072302.pdf". A summary of key sections of the Act is available from
2. These two quotations are from "Key Issues Document -- FINAL.pdf." This PDF document is in "," which can be downloaded from The Zip file contains many recommendations from the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants submitted for the consideration of the Public Company Accounting Oversight Board. The subject matter of these recommendations is amendments to various standards included in the Board's Interim Professional Auditing Standards and a new standard to reflect certain provisions of the Sarbanes-Oxley Act of 2002 ("Act") and the final Securities and Exchange Commission (SEC) rules entitled "Retention of Records Relevant to Audits and Reviews and Strengthening the Commission's Requirements Regarding Auditor Independence."
3. This figure is from "2003_0822_Sarbanes-Oxley_Omnibus_Final_rev.pdf," also in ""
4. The Zachman Framework for Enterprise Architecture, developed by John Zachman, is used worldwide for the management of internal controls and alignment of information systems with business and IT resources of government, defense and commercial enterprises. The Zachman Framework is the enterprise architecture foundation used by U.S. Department of Defense (as DoDAF -- the DoD Architecture Framework) and by U.S. Federal Government Departments (as FEAF -- the Federal Enterprise Architecture Framework). The DoDAF and FEAF are based on enterprise architecture, as mandated by the Clinger-Cohen Act of 1996.
