How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Vendor Selection

When shopping for an IT solution for your enterprise, there are two things you should scrutinise: the product (or service) itself and its vendor. Many times, companies overlook the importance of the latter, giving the reason that “it’s only the product we need”.

Wrong.

What about after-sales technical support and training? Ok, so you have an in-house team with the required competency for that IT solution in question… not that I believe it’s reasonable basis to pass up on the expertise that the vendor can provide. How about upgrades, patches, and documentation?

Still unperturbed? Here’s one factor that you may not have started to consider – What happens to your product if the vendor goes bankrupt or gets swallowed by a merger and acquisition? Surely, you no longer believe this is far from possible, do you?

But how are you supposed to know the financial stability of each vendor or whether it is an acquisition target? Well, you can either conduct your own research or you can leave that up to us. Part of our job includes not only establishing linkages in the industry but also being in-the-know on such relevant information.

Evaluation of Business Needs

You can’t separate vendor selection from the process of choosing the desired IT tool. That’s why our vendor selection services starts by defining exactly what your business needs are.

Once we’ve pinned down your needs, we can then narrow down the list of possible IT solutions. Only then can we proceed with the main vendor selection process.

Have you ever been caught in a situation wherein you thought you knew what you wanted, only to end up realising it’s not what you were looking for after all? We’re here to make sure you don’t get caught in that kind of situation when choosing an enterprise-class IT solution.

With the TCO (total cost of ownership) of such solutions typically running up to hundreds of thousands of euros, you can’t afford to arrive at what you really want by way of trial and error.

These are the things you stand to benefit the moment we start working with you:

  • Thorough assessment of your IT needs. We’ll consult the people in your organisation who’ll be affected the most in order to obtain a clear picture of what your specific needs really are. Most IT solution purchases are made with very little consultation that, after installation, many of the end users don’t benefit at all.
  • Minimal interruption during assessment. As with all our other services, we see to it that the interruptions we make are absolutely necessary. So the moment we start with our work, you can still continue with yours.
  • Insightful suggestions of the required IT solution. You still know your business better. So even after we’ve gone through the assessment and given our recommendations, the decision as to what IT tool should be pursued will still be up to you. The difference now is, you’ll be making a decision based on expertly gathered information put forward in an insightful proposal.

Request and Evaluation of Vendor Proposals

With so many IT solutions companies mushrooming, it is becoming more difficult to keep track of them, their specialities, strengths, and weaknesses.

Companies selling best-of-breed products may be relatively easy to spot. But there are also other attributes that are equally important but not as well publicised. For instance, which companies offer better quality management philosophies? Which companies have strategic visions running parallel to yours? Which of them possess implementation capabilities that can cater to your rapidly growing IT requirements?

Vendors who answer positively to these queries need to be given the appropriate importance in the selection process. We see to it that these and other relevant attributes are factored into our scorecards and evaluation processes.

These are the things you can look forward to when you grant us the opportunity to serve you.

  • Experience is a vital item in our vendor selection criteria. Our vast knowledge of the reliable players in the industry will lead you to experienced vendors who can hit the ground running from day one and continue with the same vigour onward.
  • We can help you draw positive response for each of your Request For Proposals (RFPs) or Request For Information (RFIs). Did you expect these vendors to be enthusiastic in sending out proposals each time you asked them to? Think again. You’ll have to persuade them first of your sincerity to become a potential customer. With our help, your RFPs will make preferred vendors see “opportunity” written all over.
  • No need to go “Eany, meeny, miny, moe”. Deciding which vendors should move up in the selection process can take up a lot of time if you don’t know which criterion should be given more weight. Our scorecards are designed to collect the most relevant information and to generate results that will help you decide on these matters at a glance.

Interview, Negotiation, and Monitoring

As soon as you start getting positive response to your Request For Proposals, the interview process should be next. It’s at this point that vendors can present and highlight their strengths while we try to glean as much information of their true capabilities as well as their dedication to the project.

Some companies can provide proof-of-concepts and we may require them as part of the interview process. This will not only give us a better idea as with regards to their product’s capabilities, but also to their level of expertise on the solution in question.

  • We’ll help you set up the interview process and organise the evaluation committee. Members of the committee will typically include representatives from each department that will be affected by the new technology, which we would have already identified during our Evaluation of Business Needs.
  • Since our scorecards are designed to expedite the filtering and selection process, you may eventually be able to choose the finalists yourself. However, in the event that two or more vendors turn out evenly matched, we’ll help you identify the better company.
  • We’re very familiar with the price ranges of various IT solutions, including the effects on price of certain variables. As such, we can tell you whether a product’s price tag is justified or not.
  • Our exceptional familiarity on both the IT industry and the entire negotiation processes itself will give you the edge when it’s time for us to haggle for the best bang for the buck.
  • After the contract is awarded, we’ll even be on hand to monitor whether deliverables are handed over and milestones are achieved as promised.
Finding the Best Structure for Your Enterprise Development Team

An enterprise development team is a small group of dedicated specialists. They may focus on a new business project such as an IoT solution. Members of microteams cooperate with ideas while functioning semi-independently. These self-managing specialists are scarce in the job market. Thus, they are a relatively expensive resource and we must optimise their role.

Organisation?Size and Enterprise Development Team Structure

Organisation structure depends on the size of the business and the industry in which it functions. An enterprise development team for a micro business may be a few freelancers burning candles at both ends. While a large corporate may have a herd of full-timers with their own building. Most IoT solutions are born out of the efforts of microteams.

In this regard, Bill Gates and Mark Zuckerberg blazed the trail with Microsoft and Facebook. They were both college students at the time, and both abandoned their business studies to follow their dreams. There is a strong case for liberating developers from top-down structures, and keeping management and initiative at arm?s length.

The Case for Separating Microteams from the?Organisation

Microsoft Corporation went on to become a massive corporate, with 114,000 employees, and its founder Bill Gates arguably one of the richest people in the world. Yet even it admits there are limitations to size. In Chapter 2 of its Visual Studio 6.0 program it says,

‘today’s component-based enterprise applications are different from traditional business applications in many ways. To build them successfully, you need not only new programming tools and architectures, but also new development and project management strategies.?

Microsoft goes on to confirm that traditional, top-down structures are inappropriate for component-based systems such as IoT solutions. We have moved on from ?monolithic, self-contained, standalone systems,? it says, ?where these worked relatively well.?

Microsoft’s model for enterprise development teams envisages individual members dedicated to one or more specific roles as follows:

  • Product Manager ? owns the vision statement and communicates progress
  • Program Manager ? owns the application specification and coordinates
  • Developer ? delivers a functional, fully-complying solution to specification
  • Quality Assurer ? verifies that the design complies with the specification
  • User Educator ? develops and publishes online and printed documentation
  • Logistics Planner ? ensures smooth rollout and deployment of the solution

Three Broad Structures for Microteams working on IoT Solutions

The organisation structure of an enterprise development team should also mirror the size of the business, and the industry in which it functions. While a large one may manage small microteams of employee specialists successfully, it will have to ring-fence them to preserve them from bureaucratic influence. A medium-size organisation may call in a ?big six? consultancy on a project basis. However, an independently sourced micro-team is the solution for a small business with say up to 100 employees.

The Case for Freelancing Individuals versus Functional Microteams

While it may be doable to source a virtual enterprise development team on a contracting portal, a fair amount of management input may be necessary before they weld into a well-oiled team. Remember, members of a micro-team must cooperate with ideas while functioning semi-independently. The spirit of cooperation takes time to incubate, and then grow.

This is the argument, briefly, for outsourcing your IoT project, and bringing in a professional, fully integrated micro-team to do the job quickly, and effectively. We can lay on whatever combination you require of project managers, program managers, developers, quality assurers, user educators, and logistic planners. We will manage the micro-team, the process, and the success of the project on your behalf while you get on running your business, which is what you do best.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
How an EMS Can Cut Your Carbon Emissions

Your business carbon footprint is directly tied to the efficiency of its energy consumption. From the equipment used in industries, lighting and air conditioning in offices, shopping malls and other commercial buildings, the load used by everyday machines like the coffee makers in the employee breakroom, to hot water boilers in apartment complexes, how much do your processes affect the environment? Standards like the ISO 14001:2015 are being implemented to enable businesses to reduce their impact on the environment, from optimising their energy usage, minimising waste, turning to renewable power sources, all through to preventing pollution and complying with their specific regulatory requirements. How do you handle the volume of data that needs to be obtained and assessed?

Energy management systems come in to enable you to analyse your consumption, identify factors affecting your total energy use – from temperature and humidity conditions, to equipment that is causing spikes, and observe your usage patterns. That way, you can put in measures to minimise wastage while increasing your operational efficiency, reduce your carbon emissions and track your progress all the way. Here, we’ll break down how this is achieved. 

Going Green With An Energy Management System

This is a holistic approach aimed at minimising wastage and optimising energy usage. It includes:

Auditing your energy consumption

The first step is really quantifying how much energy you use, which systems are causing unnecessary load, all through to where there are inefficiencies in the facility. Which equipment has the largest impact on your bill? An energy management system allows you to view it all from one dashboard, such as with the ecoVaro EMS that takes you down to the sub-meter level.

Here, you get real-time data that is collected by the ecoVaro loggers – from electricity use, gas, water, temperature, solar power, humidity, air pressure – the readings can all be monitored. This is done 24/7, and the consumption feeds are recorded. Moreover, ecoVaro pulse data is collected every 15 minutes – which is particularly important when it comes to analysing trends over a time period, be it daily, weekly or monthly. 

Data is only useful if it can be properly analysed, right? So instead of just bombarding you with spreadsheets of numbers, the EMS displays the records into graphs and charts that are easy to comprehend – all from the same interactive interface. So, whether you’re the energy manager in the facility, or you want reports that can be shared with the CFO, owners of the business, or even staff themselves to enable them to understand the energy saving policies that you will put in place – you will be able to carry this out. 

ecoVaro gives you different ways to analyse the data from the readings that have been recommended. For instance, the heat mapping from the interface allows you to see the building’s energy use during different periods at a glance. The site-by-site analysis in particular enables the building or energy manager to assess each individual premises, from checking which block in the school is causing the energy bills to surge, the facility whose performance is falling behind, all through to the office building with the highest carbon footprint. In fact, the carbon and sustainability reports from ecoVaro EMS enables you to see the impact that your operations have. You even get to compare tariffs from the different energy suppliers, that way you can go with the option that is most suited to your situation.

Setting a baseline for your operations

This is essentially a “before/after checkpoint” that you will use to compare the effectiveness of subsequent measures that you will undertake. After making modifications to the systems in your business, you will want a clear picture of whether the new measures are actually benefiting your operations and optimising your energy efficiency, or whether they are deteriorating the performance further. The energy baseline will be critical in analysing your progress. 

Reports like the CUSUM (cumulative sum) charts on ecoVaro show you the energy performance, be it of a boiler in a factory, office building, or chain of hotels – over a set period of time. You can then compare this to the baseline, which will show you if the changes you will implement will make you savings. The heatmaps also come in handy here, showing you the energy consumption at each meter, whether it is low, medium or high compared to the baseline that has been set. The heatmaps give a quick visual to analyse resource usage.  

Creating energy targets

After understanding your energy consumption and seeing how it impacts your business, next is mapping out short- and long-term goals that you want to attain to optimise your usage and reduce your carbon footprint. 

For instance, short-term targets can include the likes of decreasing the night-time lighting load, and adjusting HVAC uptime depending on the level of activity in your business premises for the different hours of the day. 

For the long-term targets, these include setting a specific percentage average kWh reduction for the different industrial sites or buildings under your management; lowering the demand kW throughout the building by a specific range year-on-year; as well as the percentage with which you want the carbon emissions decreased annually. 

Cost efficiency also factors in. For instance, entering your current tariffs into the conversion factoring dashboard on ecoVaro will show you how your consumption translates to the bills that you receive – and even shows you what you stand to save by negotiating for new energy contracts with your utility firm.

Identifying initiatives and implementing energy saving programs

These are geared towards improving your energy efficiency and reducing your carbon footprint. They vary from one industry to the next. For instance, these can include:

Getting motion/occupancy detectors and automatic dimmers installed in the facility

These are lighting controls that enable you to save money and energy by automatically turning the lights off when they are not required (people have left the room), and reducing the light levels for those cases where full-on brightness is not needed. For instance, the dimmer controls enable variable indoor lighting, reducing the wattage and output when dimming the lightbulbs, saving energy in the process. These can be manual, or operated with sensors or timers. 

Motion sensors on the other hand will automatically turn on the lights after they detect motion, then after a short while turn them off – they are typically used for utility and outdoor security lighting. There are also occupancy sensors used in rooms, which turn on the lights when they detect indoor activity, then turn them off or reduce the light output when the particular space is unoccupied. 

Switching to energy-efficient light fixtures such as CFL or LED bulbs

Lighting costs are a major contributor to the energy bills being footed by the business. What kind of systems do you have set up?

Incandescent bulbs are rapidly being phased out due to their inefficiencies. They work by a wire tungsten filament getting heated until it glows – a process that sees almost 90% of its energy being released as heat, instead of light. In addition, with an average lifespan of just 1,500 hours, there is the need for better alternatives – and they have already been around for over a decade: CFL and LED bulbs, which save on energy and have far less carbon emissions. 

Compact fluorescent light bulbs (CFLs) light up when an electric current going through a tube with argon and trace mercury gases generates ultraviolet light, stimulating the fluorescent coating that’s on the inside of the tube, which in turn produces light. As such, a 15-watt CFL will have about the same light output as a 60-watt incandescent bulb. This makes them approximately 4 times more efficient compared to the incandescent bulbs, with a lifespan of 10,000-15,000 hours. This translates into fewer replacements and greater energy savings. However, there are still concerns about the mercury that is in the CFLs, though it is still in small quantities – basically smaller than the tip of your pencil. In addition, the CFLS aren’t; dimmable. They are usually used as a replacement for incandescent bulbs before completely switching to the more efficient LEDs.

Light-emitting diode bulbs (LEDs) Take things a notch higher. Here, electrons moving through a semiconductor emit the light, and you can get the LEDs for visible light, ultra-violet, and infrared spectrums. Here, the lifespan is 25,000–35,000 hours, which is more than double that of CFLs, and leagues beyond the standard incandescent bulb. Moreover, with a 16.5W LED bulb you’ll be getting the same lighting as a 20W CFL, or a 75W incandescent bulb. 

You will notice that when you touch LEDs, they feel cool, and this is because less energy is getting converted into heat. With the energy efficient bulbs, you won’t have to run your AC harder during those hot months, further adding to your cost savings. You can be able to see such consumption trends over the months through the energy management system, getting to the root cause of the problem. For instance, seeing the changing trends in the AC energy consumption over different weeks will enable you to assess what is causing it to be pushed harder, and address the root cause of the problem. 

Acquiring energy-efficient office equipment

This is broad, with the changes being made here depending on your particular niche. Take printers for instance. Simply going for printers with sleep and automatic shut-off modes will ensure that the units are not consuming energy when they are not in use. The same case applies to copier machines. Energy saving surge protectors on the other hand are beneficial for allowing you to “unplug” multiple devices that use standby power even when switched off – what’s usually called “vampire power” or “phantom energy“. 

The need for energy savings cuts across the board, from the computers and monitors used, to the coffee makers and kettles. For instance, working with an electric kettle to heat water for tea beats using a microwave or stove. Go further by opting for a kettle that allows you to set the particular temperature you want for the water – since you don’t really need the water for tea to be boiling hot for the tea to properly steep. Taking such steps further contributes to your business’ efforts to go green and reduce your carbon footprint. 

Turning to renewable energy sources

Switching to renewable sources to power your operations will simultaneously reduce your energy bills and cut your carbon emissions. From solar panels to wind turbines and the like, they are cleaner sources of energy, and the installations that you go with will depend on your kind of business. Moreover, this will protect you from the fluctuations in energy prices, since the bills are affected by the availability of fuel, electricity demand, costs that go into generating and distributing it – all of which end up hitting your business in the long run. On the other hand, going off the grid with your own supply of power protects you from this. In fact, if you end up producing surplus energy, you can sell it back to the grid, earning your business extra revenue. 

Sure, the upfront costs of setting up the systems will take a sizable chunk out of your budget, but the savings allow you to recoup the costs over time. In addition, there will be savings from the incentives being provided by the government, such as tax rebates and grants. These are the likes of the Solar PV Grant from SEAI (Sustainable Energy Authority of Ireland) which is at €900 per kWp, capped at €2400 for each business. Funding is available for homes, community programs and commercial buildings such as  Collinstown Park School that was able to slash their lighting costs by a whopping 90% after securing 50% of the funding for their energy upgrade project from SEAI. The ecoVaro EMS comes with support for solar power installations in its firmware, that way you can continue assessing the changes that your solar power system will bring to your overall energy usage.

Spread awareness

You should also carry out energy conservation training for your staff. The reports generated by the EMS will make it easy for them to get a picture of their energy consumption trends, and the effects that it has on both the performance of the company, and the carbon footprint as a whole. It also gives them more awareness of the impact that they each have at an individual level. 

Assessing Key Performance Indicators

The energy analytics tools from the EMS will show you whether you are actually meeting your goals. Since it works with the different metered connections, from getting electricity and temperature readings, checking radiation levels, humidity data all through to gas meters, you will be able to assess the progress that your business is making across the board. 

For ecoVaro in particular, the performance of your systems can be seen through reports like Consumption Charts – from the different offices, tenants and equipment energy usage, peak -and off-peak data, as well as Regression Charts that allow you to compare building’s actual energy consumption to its expected performance, and how they are affected by variables such as temperature. 

With the site-by-site data and the monitoring being down to the sub-meter level, you will be able to identify an issue when it crops up and narrow it down to the specific instant and location where it occurred. This enables you to address the problem quicker.   

Conducting a compliance audit

A comprehensive audit can then be undertaken to ensure that your company meets internationally-recognized standards that have been stipulated regarding implementing energy management systems and enhancing the energy efficiency of your operations. The compliance audits are carried out by certified auditors.

Through the EMS, you are able to position your business appropriately to meet the standards for your particular niche, measuring and observing the performance of energy-saving projects that have been implemented. This extends to acquiring and presenting data that will be used to show the business’s compliance to industry regulations and obtain the relevant certification. You are able to report on your carbon footprint, and verify it. This information can also be disseminated amongst your employees and customers, raising awareness about your business green initiatives, boosting your brand in the process.

Ready to work with Denizon?

Contact Us Today