Allstate

Abstract

Since the Sarbanes-Oxley Act of 2002, many public companies have faced

challenges while trying to comply due to the high cost and inexperience. After the bill

passed, auditors did not have a set of guidelines to follow when first auditing the

companies. As auditors gain more experience throughout these years, they have

developed more of a routine, or best practice for IT auditing.

One headache for compliance with Sarbanes-Oxley Section 404, is that the

section makes no specific mention of what controls need to be implemented to be in

compliance with SOX. How can companies comply with it, if they do not know what

they need to do to comply? Although there are varying practices within different

organizations, many choose to follow the guidelines of ITIL, ISO 17799, or COBIT.

ITIL, ISO17799, and COBIT are guidelines companies are able to follow to be

compliant with SOX. However, many companies have been able to find significant

benefits in not only complying with SOX, but with adopting one of these guidelines

beyond SOX’s scope.

4

Introduction

This term project is to explore IT auditing framework and general or best

practices. I will focus on the regulatory and compliance issues, namely the Sarbanes-

Oxley Act of 2002. Many companies choose to follow the guidelines of ITIL, ISO 17799,

or COBIT in order to comply with SOX. I will give an overview of each and how their

practices meet the requirements of SOX. These guidelines were not created in order to

specifically comply with SOX. Many companies have found that following these

guidelines not only provide themselves with compliance to SOX, but have also

experienced significant benefits. I will focus more so on COBIT, and include a case study

of Allstate Insurance and how they have adopted COBIT to comply with SOX as well as

provide benefit for the company’s overall strategy.

5

Review of Literatures

Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002 is a United States federal law passed...