Resources for Sarbanes-Oxley (SOX)
SOX and ITIL: There Is No Dotted-Line Relationship!
Info-Tech Research Group sees strong interest among IT decision makers in the relationship between Sarbanes-Oxley (SOX) compliance and the IT Infrastructure Library (ITIL) framework. There is, however, no straightforward connection between the two, even though certain applications of ITIL can help with SOX compliance.
Designing secure internal controls for financial reporting and establishing auditability for IT systems are important steps in meeting the requirements of SOX and other legislation. However, ITIL does not address governance in a comprehensive way and cannot be used on its own to ensure SOX compliance. This is largely because ITIL is heavily focused on the help desk and “IT as a service” and not on control objectives.
Despite ITIL’s shortcomings for governance, many IT professionals are under the impression that because it is a framework, ITIL must therefore be suitable for compliance as well. Exacerbating the matter are vendor claims of “ITIL compliance” for their software products (Altiris, Axios, BMC, CA and HP, among others), which give the impression that ITIL is a standard. It is not. ITIL is a set of best practices that can be implemented as the user sees fit. In the strictest sense, there is no such thing as compliance with ITIL, much less SOX compliance achieved through ITIL.