The Sarbanes Oxley Act is a set of rules put together by the US government in an effort to improve a company's audit. These rules came about primarily due to the many corporate scandals that plagued the US not too long ago including some very high-profile cases such as Enron. Initially, Sarbanes Oxley was viewed as a finance issue, but it soon became apparent that IT systems were so integral to the storage and retrieval of financial data, that much of the burden for compliance shifted to the IT department. To make matters worse, companies found that instructions were vague and definitions of compliance could differ between companies. The July 1, 2005 issue of CIO Magazine identified these items as the top 5 IT control weaknesses as reported by auditors:
- Failure to segregate duties within applications, and failure to set up new accounts and terminate old ones in a timely manner.
- Lack of proper oversight for making application changes.
- Inadequate review of audit logs.
- Failure to identify abnormal transactions in a timely manner.
- Lack of understanding of key system configurations.