Academic journal article JITTA : Journal of Information Technology Theory and Application

The Impact of the Sarbanes-Oxley Act on IT Project Management

Article excerpt


This case study investigated the impact of the Sarbanes-Oxley Act (SOX) on IT project management within a large, nationwide retail corporation. Using the teleological motor as a framework to evaluate process change, this study observed three primary impacts the SOX mandates had on IT project management: (1) an increase in project management formalization, (2) an increase in project duration, and (3) the need to support project management and audit activities with project management software. The study also observed three secondary effects resulting from the changes made to IT project management practices to support SOX: (1) an increase in process maturity, (2) an increase in the size of the IT staff, and (3) a breaking down of larger projects into more, smaller projects. This dual iteration of the teleological cycle appeared to be a natural action / reaction process to the changes resulting from SOX requirements.


The Sarbanes-Oxley Act (SOX) of 2002 was enacted in response to a number of major corporate accounting scandals that rocked the American business landscape. This Act dramatically raised the standards for financial reporting for all SEC registrants, including all U.S. public companies, some private companies registered with the SEC, and all foreign companies trading on a U.S. exchange (Cohen and Qaimmaqami 2005, Dietrich 2004, SEC 2003). Because of the tight integration between financial reporting and information technology (IT), SOX also requires significantly greater levels of auditing on process controls within IT governance (Damianides 2005). The Act requires auditors to publicly report on corporate control processes pertaining to financial reporting and to report to shareholders exactly what control processes are in place and to what extent they are being followed.

The ultimate impact of SOX on corporate governance will likely not be fully known until the new auditing processes have been in effect for several years. This period is required to allow organizations the time to assess how auditors are reviewing their new internal controls and how SOX audits from other public companies are being reported. In addition, the Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB), the governing bodies controlling the auditing standards of SOX, have been revising the internal control auditing standards since the passage of the Act. Additional time is also needed to allow the auditing standards to stabilize.

The case study presented here contributes to the body of research evaluating how regulatory initiatives, such as SOX, are impacting IT governance (Armour 2005, Brown and Nasuti 2005, Haworth and Pietron 2006, Krishnan, Peters, Padman and Kaplan 2005). Specifically, this study documents how the SOX mandates impacted the procedures for IT project management at a single nationwide retailer. To allow sufficient time for any new policies or practices in IT project management to stabilize, the research into the subject corporation was conducted over a period of 30 months, starting in November 2003. Although SOX is having a significant impact on many areas of IT governance, such as IT operations, IT security, and general IT policies and procedures (Damianides 2005, IT Governance Institute 2004), this study focuses on the specific impacts on IT project management.

The paper is organized as follows: First, a four-part background section containing (1) a summary of the internal control mandates of SOX, (2) an overview of how the Committee of Sponsoring Organizations of the Treadway Commission (COSO) control framework is being used as a guide in adhering to SOX internal controls over financial reporting, (3) an overview of how the Control Objectives for Information and Related Technology (COBIT) framework is used to control IT governance, and (4) an introduction of an IT maturity model. Second, a theoretical foundation section describing the teleological theory used to provide a framework through which the data analysis was conducted. …
