The business goal of Harley-Davidson Motor Company is to produce and sell high-quality motorcycles. Until the early 2000s, this goal was the sole focus, and limited attention was given to internal audit and controls. Because of increased scrutiny and regulations worldwide, it was important for the company to continue its successful business model and also incorporate new thinking regarding the importance of controls. The challenge was in getting management, information technology (IT) and audit speaking the same language and working toward increased control, while still respecting the company's unique culture. A new department focused on control and risk mitigation needed a framework that focused on key value areas important to the business. This all had to be accomplished by building consensus among varied departments and without affecting quality or slowing production.
Harley-Davidson Motor Company was founded in 1903 in Milwaukee, Wisconsin, USA. It is the oldest producer of motorcycles in the US and has enjoyed 20 consecutive years of record revenue. For the year ended 31 December 2005, Harley-Davidson shipped 329,000 motorcycles (a 3.7 percent increase), had revenue of US $5.3 billion and experienced worldwide growth of 6.2 percent. In 2003, Harley-Davidson had limited IT controls in place and staff had limited control knowledge. There were no standardized user access process, no defined and documented change management process, and no rigor on backup and recovery processes, and there were minimal organizational standards. Although complying with Sarbanes-Oxley was going to be a challenge, the company took strong action, utilized COBIT (Control Objectives for Information and related Technology) and passed Sarbanes-Oxley year one compliance. In ...