Methodologies and Technologies for Rapid Enterprise Architecture Delivery


| Home | Courses | Projects | Papers | Contact Us |



By Clive Finkelstein [1]

Printable PDF Version




By Clive Finkelstein, Managing Director
Information Engineering Services Pty Ltd

A Practical Approach for Rapid Enterprise Compliance with Sarbanes-Oxley Driven IT and Business Governance Requirements.

A White Paper for Senior Management on Internal Control Reporting for Sarbanes-Oxley that utilizes:

  • A Comprehensive Organizing Framework (Zachman Framework)
  • Proven Methods and Tools (Enterprise Architecture)
  • A Manageable Step-by-Step Governance Analysis Approach


Back to Contents


The Sarbanes-Oxley Act of 2002 assigns personal responsibility to senior management of public and non-public organizations in the USA, and is being applied in various forms also by other countries throughout the world. Of particular concern is Section 404 of the Act, which relates to “Management Assessment of Internal Controls”.

Internal Controls will vary from enterprise to enterprise. They need to be tailored to the relevant industry (or industries) that the organization operates within; they are also typically unique for each enterprise. They are determined by its business activities and processes as well as its financial controls. They are closely related to the IT systems and databases that the enterprise uses for financial and other reporting.

Senior management need to show that answers are available in relation to key resources such as: data; business activities and processes; locations; people and business units; and events. Answers should be available that also show how resources relate to strategic and tactical business plans that have been defined by management. These are internal control questions that address: “What”; “How”; “Where”; “Who”; “When”; and “Why”.

These six questions are shown as columns in a matrix, where different perspectives of “Planner”, “Owner”, “Designer”, “Builder” and “Subcontractor” are also shown as rows. This is provided by the Zachman Framework for Enterprise Architecture. While Enterprise Architecture has previously been considered to be an IT responsibility, when it is also used by senior management it enables precise Governance Analysis. It also provides a Business Transformation Enablement capability.

With the legal implications of Sarbanes-Oxley non-compliance, an inability to answer internal control reporting audit questions takes on a new personal meaning for senior managers. A Governance Analysis Framework is needed – that is both easy to create, and easy to use – to obtain answers for relevant internal control reporting questions.

An example is discussed in the paper of a Governance Analysis Framework (GAF) that uses matrices to create and maintain relationships between aspects of an enterprise that enable each of these questions to be answered. Some of these matrices, from the Project Management Organization Unit of a typical enterprise, are illustrated in Figures 1 – 3.

Figure 1: Example of Matrix Relating Business Plans to Organization Units

Figure 2: Example of Matrix Relating Business Plans to the Data Supporting those Plans

Figure 3: Example of Matrix Relating Business Activities to Business Plans

The sample GAF matrices in Figures 1 – 3 clearly show the answers to each question by reading across relevant rows, or down particular columns. These matrices, plus many others, are tailored to each enterprise. They can be created in a 25 day Strategic Modeling project within an elapsed duration of 3 months, based on the Strategic Business Plans for the enterprise. This uses an initial facilitated session over two days with active participation of senior management and their direct reports, where a Strategic Map is developed.

A Strategic Map is a “picture of the business”, similar in concept to the layout of a city. A city map clearly shows the layout of streets (“where”) and the access routes that define “how” to get there. It also indicates “what” is located in parts of the city. Given a reason (“why”) to take a given route at a certain time (“when”), people (“who”) can use the map to navigate through any city.

What is missing in most enterprises is a similar “map (or picture) of the business”. A city map can be bought from newsagents in that city, but no newsagent sells Strategic Maps for enterprises. In the absence of a Strategic Map for an enterprise, it is hard to answer these questions. As a result, Internal Control Reporting is difficult.

A Strategic Map that is developed and tailored to an enterprise enables senior managers, as well as middle managers, expert business staff and IT staff to see the data, activities and processes, locations, business units and people, the business events and the business plans that all need to be managed effectively for internal control reporting. From the Strategic Map and underlying Strategic Model, the Governance Analysis Framework matrices become dynamic. They are automatically generated.

Given the Strategic Map input from the senior management team and their reports, more detailed analysis by the facilitator in the 25-day Strategic Modeling project period identifies key data, business activities, locations, business units, and business events for the business plans that were used as catalysts. The result of this analysis is documented in a Governance Analysis Framework (GAF) Report, which is the main deliverable from the Strategic Modeling project.  

The GAF Report and its contents provide a documented view of tailored Internal Control Reporting from the strategic perspective for senior management. These dynamically-tailored matrices must be then completed by relevant business experts. The strategic GAF matrices are populated by more detailed matrices from key business units. These Tactical Modeling projects – each similar to the Strategic Modeling project – can in turn be undertaken for key business units.

Strategic Modeling projects and Tactical Modeling projects have been completed for large and medium Commercial enterprises throughout the world. Similar Strategic Modeling and Tactical Modeling projects for Government and Defense Departments have also been completed in the USA, Canada, Australia and NZ.

The methods discussed in the paper can be applied rapidly in 25 days, within an elapsed 3 month period, in a step-by-step approach as follows:

1. Establish Plan for Strategic Modeling Project

2. Capture Initial Business Planning Input as Catalyst

3. Conduct Strategic Modeling Facilitated Session

4. Carry out Strategic Model Analysis

5. Derive Governance Analysis Framework (GAF) Documentation

6. Review of GAF Matrices and Governance Implementation Plan

7. Progressive Enterprise Completion of GAF Matrices

8. Implementation of the Governance Implementation Portfolio

The GAF Reports produced from Strategic Modeling and Tactical Modeling projects provide the documentation and modeling tool capabilities that are needed for Internal Control Reporting for Sarbanes-Oxley. As an added by-product of the Governance Analysis Framework methods described in the paper, similar methods and tools can be also used to implement transformed business activities and processes for Business Transformation Enablement.


Back to Contents


[1]   Clive Finkelstein, the author of this White Paper, is Managing Director of Information Engineering Services Pty Ltd in Australia. He is also Chief Scientist of Visible Systems Corporation in Boston. He can be contacted at The full text of the paper and this Executive Summary is available for download from and also at Modeling tools that support Enterprise Architecture and the development of Governance Analysis Frameworks in the paper are available for download from Training in the methods for rapid delivery of Enterprise Architecture and Governance Analysis Frameworks is available from Clive Finkelstein at and also at and at

[2] Governance Analysis using Enterprise Architecture is presented as part of a one-day seminar for senior management by Clive Finkelstein: “Strategic Business Transformation Planning”. This is Day 1 of the 5-day seminar “Successfully Implementing Enterprise Architecture”. Intervista Institute schedules these seminars regularly throughout North America. For a course description and schedule, visit the Intervista Institute web site at

Back to Contents










TEN Archive

Contact Us




| Home | Courses | Projects | Papers | TEN Archive | Contact Us | [Search |

(c) Copyright 1995-2015 Clive Finkelstein. All Rights Reserved.