Beyond Regulatory Compliance for Spreadsheet Controls: A Tutorial to Assist Practitioners and a Call for Research

In the past decade, accounting scandals and financial reporting errors have led to heightened awareness of the need for IT controls and legislation of control regimes. In the United States, the Sarbanes–Oxley Act of 2002 (SOX) was one of the early initiatives to legislate internal controls over financial reporting. Many countries and regions have followed with similar legislation. In this tutorial we present an analysis of the prior work on error prevention and detection in spreadsheets as it relates to SOX and IT governance frameworks, more generally. SOX requires publicly traded companies to address the problem of spreadsheet management and to assume some accountability for generating accurate information from spreadsheets for financial reporting. We attempt to reconcile requirements for SOX with IT spreadsheet research. Gaps in design and implementation of spreadsheet controls are identified. From our review of prior work on spreadsheets, we offer a series of options for controlling the spreadsheet development process. Finally, we provide suggestions to help IT practitioners in organizations look beyond SOX regulations at governance of end-user developed content

Spreadsheets and Sarbanes-Oxley: Regulations, Risks, and Control Frameworks

The Sarbanes-Oxley Act of 2002 (SOX) forced corporations to examine their spreadsheet use in financial reporting. Corporations do not like what they are seeing. Surveys conducted in response to SOX show that spreadsheets are used widely in corporate financial reporting. Spreadsheet error research, in turn, shows that nearly all large spreadsheets contain multiple errors and that errors of material size are quite common. The first round of Sarbanes-Oxley assessments confirmed concerns about spreadsheet accuracy. Another concern is spreadsheet fraud, which also exists in practice and is easy to perpetrate. Unfortunately, few organizations maintain effective controls to deal with either errors or fraud. This paper examines spreadsheet risks for Sarbanes-Oxley (and other regulations) and discusses how general and IT-specific control frameworks can be used to address the control risks created by spreadsheets

An Evaluation Framework for e-Government Services Based on Principles Laid Out in COBIT, the ISO 9000 Standard, and TAM

The evaluation framework for e-Government services proposed in this paper is designed to be a comprehensive guidance. The framework, which is intentionally used to ensure that government services meet the settled objective and citizens’ needs, comprises of leading principles as stated in the Control Objectives for Information and related Technology (COBIT), and the ISO 9000 quality standard, which are then merged into the Technology Acceptance Model (TAM). The resulting framework is aimed at providing management with a direction to better achieve the quality goals of e-Government services and assure citizens about the quality of services provided by government organizations

DT4GITM - A Vision for a Framework for Digital Twin enabled IT Governance

This paper is concerned with the question of how novel digital technologies can be used to enable IT governance to better deal with the need for more agility, flexibility, adaptivity, and connectivity, as brought about by our modern day society. We propose to digitally transform IT governance, in particular making it smart(er) by following a data-driven approach. In line with this, we present a vision for digitally transformed IT governance in the form of the DT4GITM (Digital Twin for Governed IT Management) framework, which exploits the Digital Twin concept as it is already used in other fields to monitor, analyze, simulate, and predict the performance of real-world assets. The purpose of the DT4GITM framework is to serve as a reference architecture for a technological infrastructure based on the Digital Twin concept that connects three interrelated systems -- the IT governance processes, the governed IT management processes, and the managed organizational IT assets