Re: [service-orientated-architecture] Re: WS-* and Sarbanes-Oxley
Very well put, Phil. Clearly, since SOX is about oversight of business processes, there's a natural connection between BPM and SOA. The one comment that I'd make about WS-* and SOX is that WS-Security is very important, since that's the standard associated with getting identity on the messages. Where processes can be automated, the identity associated with the invocation of the process will be important.
-tb
On Aug 31, 2006, at 10:11 AM, Phil Ayres wrote:
One thing to be aware of is that once you open up systems via WS-* or
any other technology, you better make sure you have proper security
measures in place -- otherwise you might end up creating SOX-related
problems instead of solutions.
Stefan Tilkov, http://www.innoq.com/blog/st/
On Aug 30, 2006, at 11:46 PM, Dennis Sosnoski wrote:
> Has anyone looked specifically at the issues involved in Sarbanes-
> compliance for systems using Web services? I had a client ask me about
> that, and didn't have a great answer. It's obvious that the WS-*
> technologies can be useful here, especially WS-Security to keep data
> secure and show that it hasn't been modified. It'd be good to see some
> sort of best practices guide for Web services with SOX, though.
> - Dennis
> Dennis M. Sosnoski
> SOA, Web Services, and XML
> Training and Consulting
> http://www.sosnoski.com - http://www.sosnoski.co.nz
> Seattle, WA +1-425-296-6194 - Wellington, NZ +64-4-298-6117
If we leave WS-* aside for a little and turn to SOA, would it be correct to say that the organizations which worked out their SOX (and, possibly, Basel II in financial firms) have prepared the foundation for SOA in the form of their business process descriptions?
I guess the organizations you know about did not have another task than just to discover their points of financial data processing risk. However, if such descriptions may be considered as business process definitions in some cases, it puts the organization into an advanced position for considering SOA for their IT (and it is not necessary for it to be based on WS-*). What would you say?
Phil Ayres <phil_ayres_boston@...> wrote:
Dennis,
My experience of SOX was based on how organizations have been trying to cope with it over the last couple of years (both inside the US and for large overseas companies) - let's meet the letter of the law and what our auditors tell us. This means that they focus on writing down what their business processes are that directly and indirectly affect their financial reports. In every company IT systems are expected to deeply impact financials, and because of this there has been a drive towards using out of the box software managed according to best practices under a framework like COBIT (some companies also look at ITIL for deeper IT management background).
From a financial internal control side, SOX has been about organizations writing down how their processes look now (often manual processes), and assessing them for errors or risk of failure. Quite a lot of remediation has been done to fix problems, but generally this has led to more manual controls and approval processes - and a lot more paper being printed and signed. Despite the hype, there is nothing in SOX that says anything about technology.
Some organizations are just getting to the point of taking some of their manual processes and automating them with BPM or simple workflow, and in 'advanced' cases this may involve integration with business systems. By doing this an organization can classify these processes as 'system' processes, pushing them back from routine manual operation, testing and auditing to more efficient IT management (which assumes that a well managed system produces the correct results and does not require routine testing).
I have written a little about these issues on my blog. This search shows the main posts: show posts
So in summary, I would be careful trying to push WS-* for SOX. Simplified documentation of processes and auditing is the way the CFO has seen SOX up 'til now. Improvement of business processes is the way it will become sustainable long term - this will require BPM and maybe SOA and associated technologies to make this happen. This post shows how I see companies will progress towards this over time - like CMM for internal controls. This agrees more with where consultants, SIs and companies like CA are going finally.
I hope this is useful.
I would agree that improving business processes related to a company's
financials is the primary task of SOX, and if a company chooses to use
BPM and SOA then that is their choice. I agree that automation and
integration for financial processes helps to improve the
sustainability of the compliance efforts, but it is not essential
according to the law. Many financial processes are driven manually
based on Excel spreadsheets, and can continue to do so if they are
willing to test and audit these processes frequently. And they will
probably do so.
As for the organizations I talked to (some large mobile telco,
software, and media firms), they were struggling enough to actually
understand what processes to include in their SOX projects. They were
in no position back in 2005 to even consider the radical efforts
required to do BPM and SOA correctly. Perhaps they are getting closer
to doing this now (though I expect they are still in survival mode),
but it will take the business problems to be wrestled out of the hands
of the CFO and Controller, and passed to a group that has time to do
the right thing. That is hard given the focus of SOX, placing the
blame for failures squarely at the door of the CFO and CEO.
I would avoid suggesting to the financial teams that SOX is at all a
technology problem. Even the IT teams that must show good management
of core systems probably don't consider BPM/SOA an essential component.
I have seen many vendors claiming SOX as another reason to sell their
software, so messages are getting confused. Of course, if you have
different experiences, please shout out.