Compliance with Sarbanes-Oxley (SOx) presents a real challenge for most if not all enterprises today. Things have become a little easier since SOx was first enacted in 2002, with changes such as the new AS5 rules, discussed in Chapter 3, and our better understanding of control frameworks to define and understand internal Controls, such as Chapter 5's discussion on the importance of the control objectives for IT (CobiT) framework. However, the real key to compliance with legislation, such as SOx, is a strong system of governance within an enterprise. A concept that was seldom even discussed some years ago, corporate governance refers to the rules and procedures that an enterprise will establish to manage itself. A strong system of governance requires that all stakeholders—employees, vendors, and others—understand those rules and follow them. Even more important, all levels of management must actively support and communicate those governance rules and practices.

This concluding chapter looks at SOx and corporate governance from several perspectives. Chapter 7 discussed the current status of some important SOx requirements beyond Section 404, including rules for whistle-blowers that allow persons observing any form of internal accounting control improper practices to blow the whistle and report the matter for resolution. These SOx-based federal rules supporting whistleblower actions lay out a fairly formal process whereby the ...