SOX Compliance Oriented Architecture (COA)

“SOX compliance” and “section 404” have become buzzwords recently, not only in the USA but also in China, for companies listed on Nasdaq. These companies set up a special team to build compliance controls for the enterprise, commonly named “Team 404”. For instance, China Mobile, the largest mobile carrier in China, has assigned a 404 team to be responsible for and drive the whole compliance effort. At the same time, the CMCC group designated four trial province sites: Fujian, Tianjin, Shanxi and Hubei.

China Telecom, the largest fixed-line operator in China, has been working on its COTS (Commercial Off-The-Shelf) ERP and CRM for around two years to advance its compliance journey. Kunming (by IBM) and Suzhou (by BearingPoint and BEA) are the two trial sites for the BPR (Business Process Re-Engineering) approaches.

China Netcom (CNC) has invested a lot of resources to get its ERP online as early as possible in order to meet the compliance requirements.

SOX compliance, while generating a gold mine for the “big four”, will make the disclosed financial information of publicly listed companies more trustworthy and help stabilize the financial and securities markets.

During a recent study and investigation of SOX compliance methodology and architecture, a lot of good documents were found on the Internet. For now, here is a good paper by Redmonk.com; click to download it to your hard disk.

At the risk of reading like a cliché, compliance is a journey, not a destination. Rarely is anything completed. Rather, compliance calls for constant attention, tweaking and vigilance, combined with a balancing of cost, risk and transparency. Sarbanes-Oxley, for example, is very much a living regulation. Upfront costs can be conceived of as similar to corporate year 2000 (Y2K) projects for some organizations, but unlike Y2K, Sarbanes-Oxley requires ongoing improvements in process controls and reporting.

What is Compliance?
Simply put, compliance is the process of adhering to a set of guidelines or rules established by external bodies such as government agencies, or by internal corporate policies.

2 Responses to SOX Compliance Oriented Architecture (COA)

  1. Why says:

    Compliance is itself a process; that is, in order to avoid possible problems and disasters, one “complies” with the rules and requirements of external bodies (such as the state) and internal ones (such as the company).

    Many (security) vendors now publish SoX Compliance statements. From the vendors' point of view this is well intended, but from the customer's own perspective, the responsibilities of Team 404 include the following:

    1. Understand the content and essence of the rules and requirements.
    2. Draw up guidelines and procedures that fit the company culture.
    3. Educate all staff to follow them.
    4. Conduct SoX compliance audits of the products and services in use.
    5. Audit the records generated under the guidelines and procedures.
    6. Continuously improve everyone's way of thinking and working through Compliance.

    This is my personal understanding; I ask Dr. Zhao for guidance.

  2. zhaol says:

    The following is from the website of China telecom:
    http://www.chinatelecom.com.cn/20051115/00023244.html

    It said that China Telecom kicked off the “Internal Control Program” in Aug. 2003, and completed the first internal policy document in July 2004. Following the rules of the COSO compliance framework, China Telecom has been working on a SOX-compliance-oriented internal monitoring and evaluating system.

    China Telecom Strengthens Internal Controls, Trial Work to Be Completed Before the Second Quarter of This Year
    [Summary] To adapt to the new regulatory requirements of the US Sarbanes-Oxley Act of 2002 for companies listed in the US, and to improve and standardize the company's internal management and enhance the truthfulness of financial reporting through implementation of the regulations, China Telecom Corporation Limited launched the “China Telecom Internal Control Project Related to Financial Reporting” in August 2003. (15 November 2005)

    To adapt to the new regulatory requirements of the US Sarbanes-Oxley Act of 2002 for companies listed in the US, and to improve and standardize the company's internal management and enhance the truthfulness of financial reporting through implementation of the regulations, China Telecom Corporation Limited launched the “China Telecom Internal Control Project Related to Financial Reporting” in August 2003. Through the joint efforts of company management, the project teams at every level of the company and the project consultants, by the end of July 2004 China Telecom had completed the drafting of its guiding internal control document, the Corporation's Internal Control Manual, and, following the principle of gradual progress, began in a planned and step-by-step manner to draft the implementation rules for the internal control manual at each provincial subsidiary across the whole company, laying a solid foundation for the next step: the trial implementation of internal controls at the provincial subsidiaries.

    China Telecom believes that strengthening the enterprise's internal control system is work in which the board of directors, management and all departments and employees participate jointly; company management at every level bears primary responsibility for internal control work, and the focus of the work is to accelerate the establishment of an internal control supervision and evaluation system. China Telecom will adopt the COSO control framework model to build its internal control supervision and evaluation system. At present, China Telecom has carried out systematic training on building the internal control system for its subsidiaries and branches, determined the division of responsibilities of each department in strengthening internal control, clarified the principles and methods for establishing the evaluation and accountability systems, and put in place the internal control system architecture, division of responsibilities and organizational safeguards. According to the internal control project plan, China Telecom's 21 provincial subsidiaries completed the drafting of the implementation rules for the internal control manual before the end of last year. China Telecom's project teams at every level are fully confident that they will complete the project work with high quality within the established project schedule, meet or exceed the expected goals, and ultimately establish a high-standard internal control system related to financial reporting within China Telecom Corporation Limited.
