SOX 404 & ISO 9001 & ISO 14001 & ISO 27001 (BS 7799)
The toughest requirement of Sarbanes-Oxley (SOX) is Section 404, “Internal Controls”. The SEC decided that the COSO guidance on internal controls was a good yardstick for companies to use or to improve on. COSO then went on to define Enterprise Risk Management (ERM), because internal controls have a lot to do with RISKS.
ISO 9001 helps management build good products with minimal quality RISKS;
ISO 14001 includes environmental RISK management.
As the IT department normally runs both the operational and the financial systems, IT risks also need to be managed. A well-managed IT department can use:
- ISO 9001:2000 “Quality Management System - Requirements”
- ISO/IEC 27001:2005 (the successor to BS 7799-2) "Information Security Management Systems - Requirements"
- CobiT 4.0 (2005) "Control Objectives for Information and related Technology"
- SEI CMMI-SW v1.1 (2002) “Capability Maturity Model Integration – Software Engineering”
So your management system needs enterprise-wide coverage for SOX, and enough depth to include every department that touches the finances, including the IT department. This management system should include risk management for all types of risks: quality, environmental, security, fraud, etc.