IT Governance and the Sarbanes-Oxley Act

摘要

In 2002, the Sarbanes-Oxley Act was passed into law requiring all U.S. based, publicly traded companies to report on the status of their internal controls governing the reporting of financial information. Because of the close relationship between financial reporting and IT, the internal controls requirement of the Sarbanes-Oxley (SOX) Act has also greatly impacted IT governance. This paper is the result of a grounded theory research study that evaluated written submissions from the public, to the SEC, and the experiences and opinions about how the Act's internal controls requirement has impacted publicly held companies. The grounded theory study resulted in seven propositions that theorize how the implementation of mandatory and auditable internal controls within the IT organization has affected IT governance. The propositions were derived from both considering the primary impact of implementing internal controls and the secondary response from the IT organization and management on how to reduce the perceived negative impact the new regulatory requirements have.