The Joy of Sox: Why Sarbanes-Oxley and Service-Oriented Architecture May Be the Best Thing That Ever Happened to You

How can you resist a book with a title like "The Joy of SOX"? I liked the book - it was the first intelligible or helpful summary of Sarbanes-Oxley I have come across. Using an imaginary scenario it laid out both a plausible current state and accurately described the way in which business change might put the company's IT systems, and SOX compliance, at risk because they could not be changed quickly or accurately enough to respond. The book goes on to lay out how SOA is a key ingredient to building a profitable business that is also highly controlled and where processes are visible both to management and to regulators. Most of the chapters are very readable, even some dealing with an alphabet soup of standards and standards bodies. A couple were heavier going and a few seemed like they needed to be longer - there was a certain amount of "and then magic occurs" that I am sure Hugh could have addressed in a longer book. These complaints are, however, minor. For those of you interested in Sarbanes-Oxley or COBIT but not willing to wade through a lot of material, this book is a nice introduction.

Here's a new case for business compliance: a review of the Sarbanes-Oxley Act and how compliance has the power to both make demands on American business and advance its purposes. Chapters in THE JOY OF SOX: WHY SARBANES-OXLEY AND SERVICE-ORIENTED ARCHITECTURE MAY BE THE BEST THING THAT EVER HAPPENED TO YOU provide sample company experiences in compliance, covering both painful changes and positive results which can evolve from new business directions. From changes in the IT field which reorganize its purposes to maintaining control under new IT systems and understanding tolerance levels, data integrity, and the review process, THE JOY OF SOX is a 'must' for any forward-thinking business. Diane C. Donovan California Bookwatch

I teach at UC Berkeley's School of Information and write about "document engineering" and "information architecture." The essence of SOX for someone with my perspective is that a firm needs accurate information about anything that affects its financial statements, and the best way to capture and maintain that information is by automating business activities and internal operations. Much of the writing about SOX is impenetrable, filled with accounting and business jargon. But "The Joy of SOX" reads almost like a novel, because Hugh Taylor has brilliantly written it as a comprehensive case study of a fictitious company's efforts to deal with SOX. So Taylor's CFO character explains aspects of financial controls and reporting, his CEO and COO characters explain the interdependence of business strategy and controls, and his CIO character explains how computing infrastructure and software development practices shape and are shaped by the controls and strategy. I especially enjoyed (and so will my students, because now my lectures on SOX will be more concrete) the many examples of how controls, business models, and information technology come together. For example, the case study firm doesn't have a uniform product coding standard, which makes it hard to track inventory and transactions, and this problem is made worse by its practice of buying closeout inventory from suppliers. Another example shows how a good policy for managing employee passwords and access privileges is worthless without policy enforcement and change management processes. This book enabled me to finally understand some of the arcane details of compliance, just as accountants and business people who read this book will be able to understand service-oriented architecture, enterprise integration, and business process specification languages. In addition to being hard to read, most of the writing about SOX presents it as a necessary evil to prevent worse evils from being done to unsuspecting investors or other stakeholders in a business. No question that SOX is causing increased spending (some say excessively so) in document and records management, security, business process management and document engineering as companies define, document, and automate the processes that are needed to run the company while enabling auditing and timely reporting. Some of my former students who are working for IT consulting firms are saying that SOX is like "Y2K that won't go away" or a "full employment act" for them. Again, here's where The Joy of SOX is unique. Taylor argues against the standard "lose-lose-lose" proposition that most people see in SOX: - If you comply, you may harm your ability to be agile and stay competitive - If you don't comply, you could go out of business (or go to jail) - If you make an empty effort at compliance, you may pass through the process but merely bury company-killing problems (and spend a lot doing so). Instead, Taylor argues for "agile compliance," urging f

Let's face it. In the current business environment, SOX sells. No, not the Boston Red Sox winning the World Series, but the Sarbanes-Oxley Act of 2002. Yet people find little joy on the whole process, and when I show people the Hugh Taylor's new book called The Joy of SOX: Why Sarbanes-Oxley and Service-Oriented Architecture May Be the Best Thing That Ever Happened to You (2006, J Wiley and Sons, 312 pages, ISBN 0471772747), they roll their eyes and say "What Joy?". What they do not realize with this first impression is that Taylor does something I have not seen in a book on Sarbanes-Oxley. He presents the content as a unified case study from start to finish. In doing so, the author makes available a reference of real world examples addressing SOX, COSO, COBIT, and the use of service-oriented architectures to facilitate what he calls "agile compliance". Taylor introduces the reader to a rather small cast of characters by design. There is the overly ambitious, new CIO who totally wants to reinvent the company without any consideration for the SOX activities that are on-going. There is his trusty, military trained deputy. Then there is the CFO and the CIO, who do not get along at all. This should sound familiar to people from many organizations. The mission is to reinvent the company into an agile organization, without losing any of their compliance gains to date. To do so, the author must take the reader on a journey. The first stop along the way is to give an overview of the fictional company, the good, the bad and the ugly. Taylor touches upon both organizational and product challenges, risks, and an introduction to the company's financial statements. It is into this environment that the corporate board ousts one CEO in favour on new blood. The new blood has his own set of bold, visionary ideas on how to turn the company around, but is clueless as to how what he wants will impact their compliance with the Sarbanes-Oxley Act. In fact, the new CEO has to persuade the CFO to stay on board. It is here that he gets his first whiff of Section 404 of SOX. It is at this point where the journey takes another stop, as the author introduces concepts surrounding risk, COSO, control objectives, and control components. The journey then ventures in discussions of the relationships between internal controls and business processes, and their impacts on financial reporting data. The reader is then introduced to COBIT, with specific emphasis on a specific subset of COBIT for illustrative (and real life) reasons. The author does an excellent job of explaining COBIT and the challenges of implementation. There is an important emphasis made that is would be cost prohibitive to implement COBIT 100%. It would also be unrealistic. At this point of the journey, the author talks about the pain of SOX. It is here that the discussion moves onto what needs to happen for a company to be truly agile without compromising compliance. This culminates in discussions of how SOA c

Joy of Sox conveys a complex topic in a fun way through a story. I'm a business person not a technologist. Yet I was able to understand the technology issues raised in this book.