How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Energy Savings Opportunity Scheme (ESOS): An Overview

Energy management is crucial to most businesses in the UK. This is primarily because energy usage substantially affects all organizations, whether large or small. The good news is that, energy costs can be controlled through improved energy efficiency. And this is exactly why Energy Savings Opportunity Scheme (ESOS) came into being ? to promote competitiveness among businesses.

Energy Savings Opportunity Scheme is the realisation of the UK Government’s ambition towards achieving the maximum potential of cost-effective energy in the economy. ESOS aims to stimulate innovation and growth, cut emissions and support a sustainable energy system.

ESOS at a Glance – Legal Perspective

The EU Energy Efficiency Directive took a major step forward on November 14, 2012 and headed towards establishing a framework to promote energy efficiency across various economic sectors. To interpret Article 8 of the Directive, the government has given birth to ESOS; requiring large enterprises to undergo mandatory energy audits and energy management systems by December 5, 2015 and at least every 4 years thereafter.

Large enterprises include UK companies that have more than 250 employees or those businesses whose annual turnover exceeds ?50 million and whose statement of financial position totals more than ?43 million. With this, over 7000 of the biggest companies in Britain will need to comply with ESOS as an approach to review their total energy use in buildings, business operations, transport and industrial processes.

Generally, ESOS is both an obligation and an opportunity. It is an obligation for the indicated target companies since they need to submit to additional regimes; focus on audit evidences; act in accordance to group structures and compliance; and observe limited penalties and note retention periods. Moreover, it is also an opportunity for companies to strive for more savings on energy projects; attempt to standardise their potential market; and effectively lower debt and legal costs.

ESOS Audits ? Looking Beyond

According to the Department of Energy and Climate Change (DECC), average first audit costs would be estimated at about ?17,000 and subsequent ones at around ?10,000. As expected, these audits will result in energy saving recommendations, of which companies need not proceed for a follow up; and substantially improve businesses in their energy management issues. DECC further states that every business that complies with ESOS could save an average of ?56,400 each year from an initial investment of ?17,000 only.

Currently, up to 6,000 UK businesses are already subject to existing CRC Carbon Reduction Scheme, Mandatory Carbon Reporting, Climate Change Levy and other compliance. This signifies that ESOS may overlap with prevailing energy efficiency legislation and may put additional pressure on energy administration. While this is true, however, ESOS holds extensive benefits. Although the scheme can be viewed as another costly compliance to environmental standards, ESOS goes straight to the bottom line and provides the organisation with competitive advantage. If large businesses act now and comply with it, they will be able to enjoy maximised payback in the long run.

Indeed, Energy Savings Opportunity Scheme is already here. It is mandatory with minimal investment. And all you have to do is act quickly, implement new improvements and earn more.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Denizon’s Business Continuity Services

Disruptions to business operations can be as catastrophic as a Hurricane Katrina or a 9/11 or as relatively trivial as a minor power outage or a planned shutdown. What ever the gravity, scope and duration the disruption has, your company should be able to handle each situation so that you can declare “business as usual” and really mean it. (more…)

2015 ESOS Guidelines Chapter 7, 8 & 9 – Sign-Off, Compliance & Appeals

This is the final chapter in our series of short posts summarising the quite complex ESOS guidelines (click on ?Comply with ESOS? to see the details). This one addresses the legalities to follow to complete your report – and how to appeal if you are not happy with any of the Environment Agency?s decisions.

  1. Director Sign-Off

This is by no means an easy ride. Confirmation of the work at individual or lead assessor level locks the company into the penalty cycle in the event there are significant irregularities. By signing off the assessment, the board level director(s) # agree that they have

  • Reviewed the enterprise?s ESOS recommendations
  • Believe the enterprise is within the scope of the scheme
  • Believe the enterprise is compliant with the scheme
  • Believe the information provided is correct

Having an internal assessor requires a second board-level signature.

  1. Compliance

You report compliance on the internet. This is free and you can do it at any time within the deadline. You can dip in and out of the process as many times as you wish, but must use the link in the receipting email. While this is something a board member must do, there is no reason why the lead assessor should not complete the basics. The online compliance notification addresses the following topics:

  • The ESOS contact person in the enterprise
  • Any aggregation / dis-aggregation during the period
  • The names and contact details of the lead assessor
  • The proportion of energy consumption per compliance route

The Environment Agency will acknowledge receipt. This does not constitute acceptance. You should keep the ESOS evidence pack in a safe place with at least one backup elsewhere.

  1. Compliance & Enforcement Issues

In the event the Environment Agency decides your enterprise has not met ESOS requirements, it may either (a) issue a compliance notice with instructions, or (b) apply one of the following civil penalties:

  • A fine of up to ?5,000 for failure to maintain records
  • A fine of up to ?50,000 for failure to undertake an energy audit
  • A fine of up to ?50,000 for a false or misleading statement

Any enterprise has the right of appeal against government decisions. In the case of ESOS, this is via:

  • The First-Tier Tribunal if your enterprise is England, Wales or off-shore based
  • The Scottish Minister if your enterprise is based in Scotland
  • The Planning Commission if your enterprise is Northern Ireland-based

The notice you appeal against will supply details of the appeal steps to take.

This blog and its companion chapters concerning the ESOS Guidelines as amended 2015 are with compliments of ecoVaro. We are the people who break ESOS data into manageable chunks of information, so that board-level directors have greater confidence in what they sign.

Ready to work with Denizon?

Contact Us Today