A fundamental expectation of businesses is that they are to be accountable for the goods and services that they provide and for their internal business processes. While there are myriad regulations that apply in practice, the overall need for legal accountability should not be lost. The following subsection is an example of an Act, albeit from the United States (US), that relates to the primary issue of accountability in IT-based management systems.
3.13.4.1 Sarbanes-Oxley (SOX)
The Sarbanes-Oxley Act of 2002, commonly called SOX or Sarbox, is legislation that establishes new or enhanced standards for all US public company boards, management and public accounting firms. It was enacted in response to a number of major corporate and accounting scandals (for example, the Enron scandal) (Wikipedia 2008c).
The Act contains eleven titles that describe specific mandates and requirements for financial reporting. It covers issues such as auditor independence, corporate governance, internal control assessment and enhanced financial disclosure. The Act also establishes a new quasi-public agency, the Public Company Accounting Oversight Board, or PCAOB, charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies (Wikipedia 2008c).
Severe non-compliance penalties apply. These include financial penalties and the provision for offenders to be imprisoned for up to 20 years. SOX has relevance to organisational IT systems.
The most contentious aspect of SOX is section 404, which requires management and the external auditor to report on the adequacy of the company's internal control over financial reporting (ICFR). The financial reporting processes of many companies depend to some extent on IT systems. Therefore, information technology controls that specifically address financial risks may be within the scope of a SOX 404 assessment. Chief information officers are typically responsible for the IT organisation and IT personnel may be directly involved in SOX compliance efforts. The SOX 404 guidance requires the usage of an internal control framework, such as the COSO framework. The IT Governance Institute's “COBIT: Control Objectives of Information and Related Technology” is also used by many companies.
(Wikipedia 2008c)
Important Aspects:
Panko & Ordway (2005) describe the nature of the controls. They point out that the controls are to help organisations achieve their goals, such as producing accurate financial reports, despite the presence of threats. The purpose of the controls is to give reasonable assurance that the organisation will meet its goals.
Kaarst-Brown & Kelly (2005) state that the principal accountability of the Chief Information Officer (CIO) is “to ensure that every step of a company’s business process is documented and audited, and that all systems are in agreement and enforcing appropriate internal controls”.
SOX is concerned with accountability compliance. The requirement that each step in the business process be documented and audited aligns with what is required to ensure privacy compliance. There is thus the potential to tie privacy and accountability compliance together in some way.
Kaarst-Brown & Kelly also point out that there is a trend towards even more legislation which involves IT. They name the Anti-Spam Act 2004, and Privacy Acts – PIPEDA 2004 in Canada and the European Directive on Data Privacy 2000 in the EU.
3.13.5 Service Contracts
Service Contracts were introduced at 1.7.
In 1.7.1 two contract types relating to the delivery of Services (see Figure 8) are defined. The first is between the Organisation and the Worker and involves a contract to perform work (Client-Services) for the Organisation (that is, an employment contract). The second is between the Organisation and the Client and involves a contract for the delivery of Organisational Services to the Client.
With regard to Organisation/Client contracts, as previously defined, Organisations exist to provide Services to Clients. This involves the Client contacting the organisation (or vice versa) with the intention of utilising one of the Organisation’s Services. Some sort of arrangement or agreement is then reached regarding the provision of the Service. The Service is provided and due payment is made by the Client.
Normally both the Organisation and the Client will be happy about the Service provision, and that will be the end of the matter. However, on occasions there will be some disagreement regarding the provision of the Service. Often this will be resolved by the parties through negotiation. Where a dispute is unable to be resolved by the parties, it may ultimately be adjudicated by a court, which will engage in a close analysis of the terms of the contract, against the backdrop of any relevant statute and case law, to render a judgment in the matter.
When a case is made against an Organisation, it is generally on the basis that the Organisation failed to fulfil its contractual responsibilities. To defend its position it is vital that the Organisation has verifiable and adequate records regarding the provision of the Service. For example, can they prove that the Client gave Informed Consent for the Service to be provided, and can they prove exactly what Services were provided?
3.13.5.1 Contract Law Basics
Contract Law is a complex topic, but the following points cover the aspects of contracts relevant here.
Willmott et al. (2005, pp. 27,28) describe the five elements of a contract as agreement (offer and acceptance), certainty, intention to create legal relations, and consideration.
Generally, an agreement is evidenced by a meeting of the minds of the contracting parties, stemming from the making of an offer (by the offeror) and its acceptance (by the offeree). The terms contained in the agreement must be sufficiently certain to create clear legal obligations and entitlements. Intention to create legal relations
is seen as the price paid, or value given (whether or not monetary) for the promise(s) contained in the contract.
Important Aspect:
In the management of Services it ought to be possible to ensure that service contracts exist and that the elements of offer, acceptance, certainty, intention and consideration are clearly defined and documented where practicable.
3.13.5.2 Service Contract Requirements
Design Requirements for Service Contracts must be written from the point of view of the Organisation, as the Model defines the functionality of the Organisation’s IT-based business management System. Managers are charged with the responsibility of offering Service Contracts on the Organisation’s behalf. The Client may accept the Service Contract that is offered.
DR#52: Managerial Offer
DR#53: Client Acceptance
Service Contracts will be of various forms, depending on the nature of the Service. Both Managerial Offers and Client Acceptances will also take various forms. These forms mirror the various forms of Consent described at 3.13.3. The Model requires that Client Acceptance be incorporated in Service Consent.
DR#54: Service Consent