
Re: [service-orientated-architecture] Re: WS-* and Sarbanes-Oxley

  • Todd Biske, Message 1 of 6, Aug 31, 2006
      Very well put, Phil. Clearly, since SOX is about oversight of business processes, there's a natural connection between BPM and SOA. The one comment that I'd make about WS-* and SOX is that WS-Security is very important, since that's the standard associated with getting identity on the messages. Where processes can be automated, the identity associated with the invocation of the process will be important.

      -tb


      On Aug 31, 2006, at 10:11 AM, Phil Ayres wrote:

      Dennis,
      My experience of SOX was based on how organizations have been trying to cope with it over the last couple of years (both inside the US and for large overseas companies) - let's meet the letter of the law and what our auditors tell us. This means that they focus on writing down what their business processes are that directly and indirectly affect their financial reports. In every company IT systems are expected to deeply impact financials, and because of this there has been a drive towards using out of the box software managed according to best practices under a framework like COBIT (some companies also look at ITIL for deeper IT management background).

      From a financial internal control side, SOX has been about organizations writing down how their processes look now (often manual processes), and assessing them for errors or risk of failure. Quite a lot of remediation has been done to fix problems, but generally this has led to more manual controls and approval processes - and a lot more paper being printed and signed. Despite the hype, there is nothing in SOX that says anything about technology.

      Some organizations are just getting to the point of taking some of their manual processes and automating them with BPM or simple workflow, and in 'advanced' cases this may involve integration with business systems. By doing this an organization can classify these processes as 'system' processes, pushing them back from routine manual operation, testing and auditing to more efficient IT management (which assumes that a well managed system produces the correct results and does not require routine testing).

      I have written a little about these issues on my blog. This search shows the main posts: show posts

      So in summary, I would be careful trying to push WS-* for SOX. Simplified documentation of processes and auditing is the way the CFO has seen SOX up 'til now. Improvement of business processes is the way it will become sustainable long term - this will require BPM and maybe SOA and associated technologies to make this happen. This post shows how I see companies will progress towards this over time - like CMM for internal controls. This agrees more with where consultants, SIs and companies like CA are going finally.

      I hope this is useful.

      Phil


    • Stefan Tilkov, Message 2 of 6, Aug 31, 2006
        One thing to be aware of is that once you open up systems via WS-* or
        any other technology, you better make sure you have proper security
        measures in place -- otherwise you might end up creating SOX-related
        problems instead of solutions.

        Stefan
        --
        Stefan Tilkov, http://www.innoq.com/blog/st/


        On Aug 30, 2006, at 11:46 PM, Dennis Sosnoski wrote:

        > Has anyone looked specifically at the issues involved in Sarbanes-
        > Oxley
        > compliance for systems using Web services? I had a client ask me about
        > that, and didn't have a great answer. It's obvious that the WS-*
        > technologies can be useful here, especially WS-Security to keep data
        > secure and show that it hasn't been modified. It'd be good to see some
        > sort of best practices guide for Web services with SOX, though.
        >
        > - Dennis
        >
        > --
        > Dennis M. Sosnoski
        > SOA, Web Services, and XML
        > Training and Consulting
        > http://www.sosnoski.com - http://www.sosnoski.co.nz
        > Seattle, WA +1-425-296-6194 - Wellington, NZ +64-4-298-6117
        >
        >
        >
      • Michael Poulin, Message 3 of 6, Sep 1, 2006
          Phil,
          if we leave WS-* aside for a little and turn to SOA, would it be correct to say that the organizations which worked out their SOX (and, possibly, Basel II in financial firms) have prepared the foundation for SOA in the form of their business process descriptions?

          I guess the organizations you know about did not have any task other than to discover their points of financial data processing risk. However, if such descriptions may be considered business process definitions in some cases, it puts the organization into an advanced position for considering SOA for their IT (and it does not need to be based on WS-*). What would you say?

          - Michael


        • Phil Ayres, Message 4 of 6, Sep 1, 2006
            Michael,
            I would agree that improving business processes related to a company's
            financials is the primary task of SOX, and if a company chooses to use
            BPM and SOA then that is their choice. I agree that automation and
            integration for financial processes helps to improve the
            sustainability of the compliance efforts, but it is not essential
            according to the law. Many financial processes are driven manually
            based on Excel spreadsheets, and can continue to be if the companies are
            willing to test and audit these processes frequently. And they will
            probably do so.

            As for the organizations I talked to (some large mobile telco,
            software, and media firms), they were struggling enough to actually
            understand what processes to include in their SOX projects. They were
            in no position back in 2005 to even consider the radical efforts
            required to do BPM and SOA correctly. Perhaps they are getting closer
            to doing this now (though I expect they are still in survival mode),
            but it will take the business problems to be wrestled out of the hands
            of the CFO and Controller, and passed to a group that has time to do
            the right thing. That is hard given the focus of SOX, placing the
            blame for failures squarely at the door of the CFO and CEO.

            I would avoid suggesting to the financial teams that SOX is at all a
            technology problem. Even the IT teams that must show good management
            of core systems probably don't consider BPM/SOA an essential component.

            I have seen many vendors claiming SOX as another reason to sell their
            software, so messages are getting confused. Of course, if you have
            different experiences, please shout out.

            Cheers
            Phil
            http://improving-nao.blogspot.com