Methodologies and Technologies for Rapid Enterprise Architecture Delivery


| Home | Courses | Projects | Papers | Contact Us |


Issue No: 26

Printable PDF Version


PERTH, AUSTRALIA – July 5, 2004. As fallout of the financial failures of Enron, WorldCom and Tyco, the USA Federal Government passed the Sarbanes-Oxley Act of 2002 (also called “Sar-Ox” or “SOX”). This legislation assigns personal responsibility to senior management of public and non-public organizations for corporate governance and financial reporting. In the USA it can result in senior managers (CEOs, CFOs, COOs and others) being sentenced to jail terms, as we have recently seen in the news. Corporate Governance is also being applied in various forms by other countries throughout the world. Of particular concern is Section 404 of the Act, which relates to “Management Assessment of Internal Controls”.

Earlier issues of TEN have separately addressed concepts of Enterprise Architecture or Enterprise Integration. In this issue we will discuss the important role that Enterprise Architecture takes in supporting the needs of senior management for Governance Analysis, as required by Sarbanes-Oxley in the USA and also as required by other countries throughout the world.

Clive Finkelstein
TEN - The Enterprise Newsletter

Back to Contents.



The Sarbanes-Oxley Act of 2002 assigns personal responsibility to senior management of public and non-public organizations in the USA, and is being applied in various forms also by other countries throughout the world. Of particular concern is Section 404 of the Act, which relates to “Management Assessment of Internal Controls”. This requires Internal Control Reporting and states “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.”

A summary of links to key resources on the Sarbanes-Oxley Act of 2002 is located at  The full text of the Act is available from these resource links as “Sarbanes-Oxley Act 072302.pdf”. A Summary of key sections of the Act is available from

Internal Controls will vary from enterprise to enterprise. They need to be tailored to the relevant industry (or industries) that the organization operates within; they are also typically unique for each enterprise. They are determined by its business activities and processes as well as its financial controls. They are closely related to the IT systems and databases that the enterprise uses for financial and other reporting.

Senior management need to show that answers are available in relation to key resources such as: data; business activities and processes; locations; people and business units; and events. Answers should be available that also show how resources relate to strategic and tactical business plans that have been defined by management. These are internal control questions that address: “What”; “How”; “Where”; “Who”; “When”; and “Why”.

These six questions are shown as columns in a matrix, where different perspectives of “Planner”, “Owner”, “Designer”, “Builder” and “Subcontractor” are also shown as rows. This is provided by the Zachman Framework for Enterprise Architecture. While Enterprise Architecture has previously been considered to be an IT responsibility, when it is also used by senior management it enables precise Governance Analysis. It also provides a Business Transformation Enablement capability.

With the legal implications of Sarbanes-Oxley non-compliance, an inability to answer internal control reporting audit questions takes on a new personal meaning for senior managers. A Governance Analysis Framework is needed – that is both easy to create, and easy to use – to obtain answers for relevant internal control reporting questions.

An example is discussed in the White Paper of a Governance Analysis Framework (GAF) that uses matrices to create and maintain relationships between aspects of an enterprise that enable each of these questions to be answered. Some of these matrices, from the Project Management Organization Unit of a typical enterprise, are illustrated in Figures 1 – 3.


  • §Matrix relates Business Plans to People
  • §Indicates “Who” is responsible for Plans
  • §Shows Planning Statements as Rows
  • §Shows Organization Units as Columns

  • §Reading down a column gives Subset of Planning Statements for that Unit
  • §Reading across a row shows Units that should work together for that Statement

Figure 1: Example of Matrix Relating Business Plans to Organization Units

  • Matrix relates Business Plans to Data
  • §Indicates “What” is required by Plans
  • §Shows Planning Statements as Rows
  • §Shows Data as Columns
  • §Reading across a row shows Data that is required for that Statement
  • §Reading down a column gives Subset of Planning Statements for that Data

Figure 2: Example of Matrix Relating Business Plans to the Data Supporting those Plans

  • Matrix relates Activities to Plans
  • Indicates “Why” Activity exists
  • Each Activity is shown as a Row
  • Each Planning Statement is a Column
  • Reading across a row shows Planning Statements for that Activity, or “Why”
  • Reading down a column shows all Activities for that Statement

Figure 3: Example of Matrix Relating Business Activities to Business Plans

The sample GAF matrices in Figures 1 – 3 clearly show the answers to each question by reading across relevant rows, or down particular columns. These matrices, plus many others, are tailored to each enterprise. They can be created in a 25 day Strategic Modeling project within an elapsed duration of 3 months, based on the Strategic Business Plans for the enterprise. This uses an initial facilitated session over two days with active participation of senior management and their direct reports, where a Strategic Map is developed.

A Strategic Map is a “picture of the business”, similar in concept to the layout of a city. A city map clearly shows the layout of streets (“where”) and the access routes that define “how” to get there. It also indicates “what” is located in parts of the city. Given a reason (“why”) to take a given route at a certain time (“when”), people (“who”) can use the map to navigate through any city.

What is missing in most enterprises is a similar “map (or picture) of the business”. A city map can be bought from newsagents in that city, but no newsagent sells Strategic Maps for enterprises. In the absence of a Strategic Map for an enterprise, it is hard to answer these questions. As a result, Internal Control Reporting is difficult.

A Strategic Map that is developed and tailored to an enterprise enables senior managers, as well as middle managers, expert business staff and IT staff to see the data, activities and processes, locations, business units and people, the business events and the business plans that all need to be managed effectively for internal control reporting. From the Strategic Map and underlying Strategic Model, the Governance Analysis Framework matrices become dynamic. They are automatically generated.

Given the Strategic Map input from the senior management team and their reports, more detailed analysis by the facilitator in the 25-day Strategic Modeling project period identifies key data, business activities, locations, business units, and business events for the business plans that were used as catalysts. The result of this analysis is documented in a Governance Analysis Framework (GAF) Report, which is the main deliverable from the Strategic Modeling project.  

The GAF Report and its contents provide a documented view of tailored Internal Control Reporting from the strategic perspective for use by senior management. These dynamically-tailored matrices must be then completed by relevant business experts. The strategic GAF matrices are populated by more detailed matrices from key business units. These Tactical Modeling projects – each similar to the Strategic Modeling project – can in turn be undertaken for key business units.

Strategic Modeling projects and Tactical Modeling projects have been completed for large and medium Commercial enterprises throughout the world. Similar Strategic Modeling and Tactical Modeling projects for Government and Defense Departments have also been completed in the USA, Canada, Australia and NZ.

The methods discussed in the White Paper can be applied rapidly in 25 days, within an elapsed 3 month period, in a step-by-step approach as follows:

  1. Establish Plan for Strategic Modeling Project
  2. Capture Initial Business Planning Input as Catalyst
  3. Conduct Strategic Modeling Facilitated Session
  4. Carry out Strategic Model Analysis
  5. Derive Governance Analysis Framework (GAF) Documentation
  6. Review of GAF Matrices and Governance Implementation Plan
  7. Progressive Enterprise Completion of GAF Matrices
  8. Implementation of the Governance Implementation Portfolio

The GAF Reports produced from Strategic Modeling and Tactical Modeling projects provide the documentation and modeling tool capabilities that are needed for Internal Control Reporting for Sarbanes-Oxley. As an added by-product of the Governance Analysis Framework methods described in the paper, similar methods and tools can be also used to implement transformed business activities and processes for Business Transformation Enablement.

Back to Contents.

Download White Paper

Download the PDF White Paper titled: "Governance Analysis using Enterprise Architecture - A Practical Approach for Rapid Enterprise Compliance with Sarbanes-Oxley Driven IT and Business Governance Requirements" and also the PDF Executive Summary that is the source for this issue of TEN from the IES Web Site.

Back to Contents.

Tools for Governance Analysis

Modeling tools are used to develop the dynamically-defined Governance Analysis matrices discussed in this issue of TEN. The matrices in Figures 1 - 3 of this Executive Summary and in the White Paper are based on the use of Visible Advantage. Further details about Visible Advantage Enterprise Architecture Edition and also Visible Analyst Enterprise Framework Edition are available from or A version of the White Paper is also available for download from these two web sites.

Back to Contents.



TEN Archive
Contact Us





Clive Finkelstein is the "Father" of Information Engineering (IE), developed by him from 1976. He is an International Consultant and Instructor, and was the Managing Director of Information Engineering Services Pty Ltd (IES) in Australia. 

Clive Finkelstein's books, online interviews, courses and details are available at

For More Information, Contact:

  Clive Finkelstein
59B Valentine Ave
Dianella, Perth WA 6059 Australia
Web Site:

(c) Copyright 1995-2015 Clive Finkelstein. All Rights Reserved.

| Home | Courses | Projects | Papers | TEN Archive | Contact Us | [Search |

(c) Copyright 2004-2009 Information Engineering Services Pty Ltd. All Rights Reserved.