Will SOX help SOA shine, or SOA help SOX shine?

Sarbanes Oxley requires transparency and agility -- isn't that what SOA is all about?
Written by Joe McKendrick, Contributing Writer

Last week, the big news in business was Enron's Kenneth Lay and Jeffrey Skilling being found guilty of misleading shareholders, and the two will likely face long stays in the big house. Lay and Skilling didn't just enrich themselves, however. They left us a gift that keeps on taking -- the Sarbanes-Oxley Act (SOX).

SOX, passed in reaction to the Enron debacle, dictates that publicly traded companies be able to ante up auditable information that shows their financial numbers are what they say they are. Some of these requirements may filter down to companies that aren't publicly traded, but deal with publicly traded organizations.

So, the era of big government is not quite over yet. And the financial people are coming to the IT and data management people and asking, 'Is all the information our systems are spitting out as accurate as possible? If not, make it so. (But don't expect an increase in your budget.)'

What's all this have to do with service-oriented architecture? I just had the opportunity to preview a book written by Hugh Taylor entitled The Joy of SOX: Why Sarbanes-Oxley and Service-Oriented Architecture may be the Best Thing That Ever Happened to You. Taylor says the internal controls SOX demands are expensive to put in place, and can strangle a business. But SOX may also be an opportunity to finally gain support for more agile processes from the C-level.

So, SOX can make SOA shine. Or, SOA will make SOX shine. Take your pick.

In my research and writing around SOX and other compliance mandates in recent years, I've come to several conclusions. Namely, there are two types of responses to SOX. The majority are those companies that fork over the money to increase the auditing of their data and processes. Then, there's a smaller group who see SOX as an opportunity to grow, through better streamlining and aligning their processes.

As I put it in an article I wrote for Teradata Magazine, it's about the agility and transparency mandates such as SOX demand. "Many companies—both publicly and privately held—have been hampered in decision making by multiple and often conflicting data sources and applications. Information transparency can help reduce conflicts. Beyond meeting deadlines and delivering proper reports, businesses now have a golden opportunity to uncover data and processes that previously may have been hidden from view. They have the opportunity to simplify, centralize and standardize systems and data from across the enterprise. This is an opportunity to concentrate on achieving a single, comprehensive view of the business."

One view of the truth; lots of agility. Isn't that the goal of SOA, to make enterprise application and data resources available on demand? In his book, Taylor describes how SOA can fill this bill.

"Although SOA is far from the only workable solution to agile compliance, it warrants serious attention because of its potential to enable broad interoperation of systems without the same heavy investment of time and money that traditional application integration methodologies have required... SOA solves some of the cycle time challenges of matching the software change management process to the business agility requirements of a corporate entity... SOA can streamline the process of connecting systems required for maintenance of internal controls." 

Some aspects of SOX, such as making complex transactions more transparent, and therefore auditable, are akin to "finding a needle in a pile of needles," Taylor says. SOX weaknesses can be addressed through the proper use of IT, but this is as broad-brushed a statement as saying a good diet can reduce heart disease. All true, but more specifics are needed to make things happen. Taylor recommends that a "compliance architecture" become part and parcel of an SOA.

Taylor has developed some specific guidelines, including establishment of a compliance portal to serve as the nerve center of SOX work; organizational efforts, including training and hiring a chief compliance officer; and ranking critical processes for SOA conversion using a scorecard system.