M. Biró, Csilla Deák, János Ivanyos, R. Messnarz
Journal article, Softw. Process. Improv. Pract., published 2006-05-01. DOI: 10.1002/spip.267 (https://doi.org/10.1002/spip.267)
Citations: 4
From compliance to business success: improving outsourcing service controls by adopting external regulatory requirements
The new generation of general models that refer either to IT or Internal Controls, like COBIT or COSO, are presented with an executive management perspective. Practice shows that this opening alone is not enough to reach a breakthrough, since the models became so complicated that they could only be applied with difficulty. The best catalysts of improvement programs are the mandatory rules being issued, mainly from the financial reporting area. The Sarbanes–Oxley Act (SOX) for US SEC registrants and their affiliates, and the 8th Directive on Company Law in the EU, require strict internal controls for reporting processes. In this article we concentrate on the successful application of these rules in a situation where IT-enabled services have a major effect on the compliance of the user organization. We investigate the effects of a high maturity level on compliance for both the service and the user organizations. The article refers to the applicability of the well-known capability models CMM and eSCM, and some other sources like COSO, BSC, and SAS 70. To present implementation practices of the general risk-based control model via key control processes, effectiveness measurement and innovative technologies were used, including the knowledge management platform created in earlier software process improvement experiments. Copyright © 2006 John Wiley & Sons, Ltd.