SOX Compliance Oriented Architecture (COA)

“SOX compliance” and “Section 404” have recently become buzzwords, not only in the USA but also in China, for companies listed on Nasdaq. These companies set up special teams to build compliance controls for the enterprise, commonly named “Team 404”. For instance, China Mobile, the largest mobile carrier in China, has assigned a 404 team to be responsible for and drive the whole compliance effort. At the same time, the CMCC group designated four trial province sites, in Fujian, Tianjin, Shanxi and Hubei respectively.

China Telecom, the largest fixed-line operator in China, has been working on its COTS (Commercial Off-The-Shelf) ERP and CRM for around two years to advance its compliance journey. Kunming (by IBM) and Suzhou (by BearingPoint and BEA) are two trial sites for the BPR (Business Process Re-Engineering) approaches.

China Netcom (CNC) has invested a lot of resources to get its ERP online as early as possible in order to meet the compliance requirements.

SOX compliance, while generating a gold mine for the “Big Four”, will make the financial disclosures of publicly listed companies more trustworthy and help stabilize the financial and securities markets.

During recent study and investigation of SOX compliance methodology and architecture, a lot of good documents were found on the Internet. At this moment, here is a good paper by, click to download it to your hard disk.

At the risk of reading like a cliché, compliance is a journey, not a destination. Rarely is anything completed. Rather, compliance calls for constant attention, tweaking and vigilance, combined with a balancing of cost, risk and transparency. Sarbanes-Oxley, for example, is very much a living regulation. Upfront costs can be thought of as similar to corporate year 2000 (Y2K) projects for some organizations, but unlike Y2K, Sarbanes-Oxley requires ongoing improvements in process controls and reporting.

What is Compliance?
Simply put, compliance is the process of adhering to a set of established guidelines or rules set by external bodies, such as government agencies, or by internal corporate policies.


2 Responses to SOX Compliance Oriented Architecture (COA)

  1. Why says:

    Compliance itself is a process; that is, in order to avoid possible problems and disasters, one “complies with” external (e.g. national) and internal (e.g. corporate) rules and requirements.

    Many (security) vendors now publish SoX Compliance statements. From the vendor's standpoint this is good, but from the customer's own standpoint, the responsibilities of Team 404 include the following:

    4. Conduct SoX conformance audits of the products and services in use.
    6. Use compliance to continuously improve everyone's way of thinking and working methods.

    This is my personal understanding; I would ask Dr. Zhao for guidance.

  2. zhaol says:

    The following is from the website of China telecom:

    It says that China Telecom kicked off its “Internal Control Program” in Aug. 2003 and completed the first internal policy document in July 2004. Following the rules of the COSO compliance framework, China Telecom has been working on a SOX-compliance-oriented internal monitoring and evaluation system.

    [Summary] To meet the new regulatory requirements of the U.S. Sarbanes-Oxley Act of 2002 for companies listed in the United States, and to improve and standardize the company's internal management and enhance the reliability of its financial reporting through implementation of the regulations, China Telecom Corporation Limited launched the “China Telecom Internal Control over Financial Reporting Project” in August 2003. (November 15, 2005)


