Chapter 14. IT GRC

So far, this book has been a general argument for instituting a Governance, Risk and Compliance regimen within your organization. In this chapter, we discuss the very significant role that IT plays in supporting and managing GRC efforts. IT must be appropriately monitored and up to the task at hand in order for the system to function and to comply with regulations, such as SOX.

What you don't know about IT GRC can and will come and bite you in the tuckus. Why? SOX and other regulatory initiatives, both financial and operational, have set responsibility for protecting the integrity of financial reporting on the shoulders of CEOs and directors, which we are sure is something you have heard ad nauseam.

The reality of this situation is that companies have had to institute a host of policies, procedures, and internal controls to live up to that mandate. And although corporate officers cannot be expected to know every iota of detail about what is going on under the hood, they must understand in depth how effective the company's internal controls, policies, and procedures are in order to competently certify the company's financial reporting.

Simply saying, "Hey, we got IT all over the place" is not going to be enough if federal regulators and auditors come sniffing around the front door. To meet the requirement that you "competently certify the company's financial reporting," not to mention live up to a whole host of other regulations, such as those requiring ...
