Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools [With CD-ROM]

Are you a CFO, CIO, CEO, VP, Director of IT, IT Operations Manager, and/or IT Consultant? If you are, then this book is for you! Authors Christian Lahti, Roderick Peterson, and Steve Lanza, have done an outstanding job of writing a practical book that gives you the reader, an understanding of how open source technology and tools might be applied to your individual requirements. Lahti, Peterson, and Lanza, begin by discussing why the Sarbanes-Oxley (SOX) experience promises to be quite different in terms of depth, cost, and resources. Then, the authors discuss how Congress enacted the Sarbanes-Oxley Act of 2002 in an effort to prevent financial scandals such as those that occurred at Enron and MCI. Next, they explore the need for SOX compliance and the possible consequences of noncompliance--lawsuits, negative publicity for the company, and fines for executive management. The authors then investigate the entire open source phenomenon and the fundamental differences between it and nonfree software. They continue by covering the difference between SOX and COBIT. Then, the authors discuss automation and why it should be a key component of any small to medium-sized company's SOX compliance activities. Next, they cover the COBIT Delivery and Support Delivery and Support Domain and why it is important, not only to SOX compliance activities, but also from an IT Department repositioning perspective. The authors then discuss Deming's continuous quality improvement process, specifically how it was predicted on a closed-loop process. Finally, they show you how to reposition an IT Department, by utilizing COBIT for SOX. In this most excellent book, you will find a lot of applicable content--basically as much as the authors could muster by way of open source technologies and how they fit into the SOX sphere of influence. More importantly, this book illustrates the many Open Source cost-saving opportunities that public companies can deploy in their IT organizations to meet the mandatory compliance requirements of SOX.

Compliance with the Sarbanes-Oxley Act is a legal requirement for publicly traded companies. The problem with the Act is that it requires things like adequate internal control structure and a report on the effectiveness of the internal control structure and procedures while not providing any guidance or any specific mention of information technology implications. Luckily there are several other more specific standards to follow, with the most common among auditors being COBIT (Control Objectives for Information and Related Technology). This book concentrates on using various open source tools (included on a CD with the book) to audit and document your system for compliance with COBIT. The authors take the reader through a detailed walk through the COBIT components and explain each one as well as how to implement it successfully. If it is followed the result is a sustainable system that is well documented, has set policies to prevent problems, has solid controls, and establishes responsibilities for change and improvements. Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools is highly recommended for anyone preparing to undergo and Sarbanes-Oxley audit but is also highly recommended to others because it is so useful for documenting your system and setting responsibility for changes to it.

As a Program Manager on goverment contracts, being audited for many different areas is a way of life and always painful. Most times these audits take up a lot of time and if we are lucky we get a pass. Needles to say, any credible tool I can get my hands on to help us through gets my attention. Lord knows I don't have the time to get certified and become an expert to get me through an audit. I need something easy to read, uderstand and not filled with fluff. Any more books on the way for the IT Professional?

As the authors of this book, we'd like to respond to Christopher Byrne's review of our book. We appreciate Christopher's time and attention paid to our book, but would like to respond to a couple of criticisms presented in the review.... The first paragraph of the review states "The only justification for buying it might be to get the CD with the open-source toolkit which might help smaller organizations get something in place quickly, but that is it." As the authors of the book we find this statement very gratifying as it tells us we were able to accomplish one of the main goals of the book. It tells us we accurately identified our target audience, small to medium size companies and it tells us that we presented the right mix of information and CD content to enable the reader to easily take the book from concept to practical application for SOX compliance. The next section of the review "Why Do I Not Like This Book contains various sections we'd like to address. 1."Backgrounds of the authors "- As the authors we never stated, conveyed, nor inferred that we were auditors and/or had any certifications in audit related disciplines. What we did however state was that we were IT professionals who had successfully been through the SOX certifications process. A process that yielded no material weaknesses or significant deficiencies, and that is what we endeavored to shared and convey with our readers. The review attempts to support this logic by quoting responses to a question posed to colleagues. Although on first look that might appear to be the case, the majority of the responses actual state or convey that certifications aren't always necessary and practical experience is more important. Also, these quotes are from people who have not even seen the book. 2.Understanding COBIT - On one hand the review criticizes us for ... publishing information on COBIT, in some cases verbatim." and on the other hand "In addition, the authors fail to provide the entire context and understanding of COBIT". So again, we will simply say we passed our audit with no material weaknesses or significant deficiencies. 3.And The List Goes On and The Sarbanes-Oxley FUD Factor - These sections are very subjective. Based on our experience and discussions with our colleagues, the stated subject matter was not relevant to the objectives of the book. As for the title it conveys the main components of the book - Open Source, COBIT and SOX compliance. 4."Sox and COBIT Defined" - It was not our intent to advocate the implementation of COBIT but merely to provide, based on our experience, criteria and a mechanism for extracting from COBIT the components needed for SOX compliance. As for the importance of risk the following quote from the book illustrates how we feel risk and risk assessment should be handled ""Risk assessment from an IT perspective is also an important subject to undertake as a normal course of capacity planning and disaster recovery.". 5.SOX Compl

I found this book to be refreshingly straight forward in its approach to the often artificially over-complicated morass of SOX compliance. Mr. Lahti and Mr. Peterson do an excellent job in simplifying the processes and steps necessary to meet the Sarbanes-Oxley requirements. Additionally, the inclusion of applicable Open Source tools is a bonus as it saved me the time of having to identify and collect them myself. I would recommend this book for any small to medium sized IT organization.