In 2005, Ernst and Young* found that 76 percent of organizations planned to employ a strategy of self-assessing controls relevant to Section 404 of Sarbanes-Oxley (SOX) to sustain hard-won compliance results. Only about one-third of organizations planned to employ data analytics and IT-based continuous control monitoring to remain in compliance with SOX.
Benchmarks completed by the IT Policy Compliance Group with more than 1,000 organizations show that the firms implementing frequent monitoring and reporting of controls were the ones with the fewest compliance deficiencies and the lowest number of IT security incidents resulting in financial harm.
Continuous Controls Monitoring: A Critical Success Factor
Ninety-seven percent of the compliance leaders - those organizations with two or fewer compliance deficiencies - measured and monitored controls on at least a monthly basis. The average interval between measurements of controls among the compliance leaders is 21 days, with some of these firms conducting IT security monitoring on a daily or weekly basis. In contrast, the compliance laggards - firms with tens to hundreds of compliance deficiencies and IT security events resulting in financial damage - are measuring and monitoring controls only once every nine months (Figure 1).
Figure 1: Frequency of Controls Monitoring (Source: ITPolicyCompliance.com, 2006)
The benchmarks conducted by the IT Policy Compliance Group reveal the same pattern and results. Firms monitoring controls on an almost continuous basis are the organizations with the lowest levels of compliance deficiencies, the lowest number of IT security events resulting in financial harm, and the organizations reporting the most benefits from enhanced market reputation, company and product brand associations.
Guidance Recommendations:
Guidance for all enterprises, drawn from these fact-based benchmarks, includes:
- 70 percent of compliance deficiencies are in IT security
- Conduct monitoring and audit of IT controls, policies and logs at least monthly, if not more frequently
- Look to leverage technologies that can deliver continuous controls monitoring without increasing labor costs or constraints.
* Ernst and Young: Emerging Trends in Internal Controls, Fourth Survey, May 2005
© IT Policy Compliance Group, 2006