How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

The Cloud: Changing the Game for Small Businesses

There is a consensus among cloud experts that the onset of cloud computing will benefit small organisations the most. In fact, many even go as far as saying that the cloud and small businesses are a match made in IT heaven. How much of this is true and how much of this is merely part and parcel of the hype surrounding cloud computing?

The Cloud as the Great?Equaliser

If you closely examine the essential characteristics of cloud computing, particularly public cloud services, you will see why small organisations would be very interested in the cloud, and would eventually flock to it, like moths to a flame. And why not? Cloud computing is turning out to be the weapon that can allow small and medium organisations to compete on a more level playing field against large enterprises.

Here are some cloud computing benefits that may just close the gap between the two.

  • Significantly lower IT spending. With little to no investment at all on hardware infrastructure and practically zero maintenance costs, SMBs that would have required substantial capital for IT are now finding it easy to get a business started from scratch or develop and test out new products by using the cloud as the backbone of their IT set-up. The pay-as-you-go pricing scheme that cloud computing offers allows companies to start small and scale up as needed, or when the revenue starts coming in.
  • Higher employee productivity. Licensing fees for software applications can run high even if you don’t have a large staff. Good thing there are now a host of cloud-based office tools – word processors, spreadsheets, presentations, accounting systems, etc. – that can boost employee productivity without the corresponding costs that small businesses can ill afford. Plus, team members in remote locations can continue to collaborate with the rest through any internet-connected device in real time.
  • Easier, better communication. The easy accessibility of communication apps has also changed the way employees interact with fellow employees and more importantly, with customers. Whether through email, instant messaging, or social networks, cloud services have given individuals and businesses more ways of giving and getting feedback. The best thing about it is that most of these services don’t cost much or are even free, giving SMBs ample tools to create better products and improve service.
  • A Look at the Figures Many small businesses are already seeing the potential in the cloud, with SaaS (Software as a Service) applications most commonly used among the early adopters. These services include email and other communication apps, file sharing, and backup.

In a February 2012 Edge Strategies survey (commissioned by Microsoft) of 3,000 small businesses in the US, the following data came to light:

  • The number of small companies with 2 to 10 employees using paid cloud services will triple in the next three years;
  • Current cloud users report purchasing an average of 4 services in the cloud now and expect to use 6 in the future;
  • Fifty percent agree that cloud computing is going to become more important for businesses such as theirs.

Further, a survey of 323 SMBs recently released by social business site Spiceworks and sponsored by EMC reveals that from 48 percent at the start of 2012 and 28 percent a year ago, 62 percent of the businesses surveyed now use some type of cloud app.

What these numbers show is that cloud adoption among small and medium enterprises is starting to gain ground and for sure, more will do the same as understanding and awareness increase. Yes, these businesses should still perform their due diligence as there is no one-size-fits-all cloud solution. But for those companies who have managed to find the right cloud apps and services for their needs, it’s all sunny skies up ahead.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
What is Servitisation?

In the current generation, innovation has transformed industries, businesses, economies, and livelihoods. Those who’ve accepted to embrace the changes have prospered and remained afloat and relevant in their respective industries.?

However, failure to embrace change has seen companies like Blockbuster pushed out of business by more innovative and technology-oriented companies like Netflix.?

What does this tell you?

That the only way to stay in business, despite the many challenges your business could be facing, is to remain alert to the dynamic demands of customers, many of which are dictated by technological advancements.?

So, if you’re a manufacturer and you’re keen on diving deeper into technology to stay on top of the game and beat your competition, you must also be expectant of the fast-approaching servitisation-centred economy. Companies like Rolls Royce that have already embraced servitisation are making great gains in their areas of expertise.?

What is Servitisation?

Servitisation can be defined as the transformation of a manufacturing firm from the mere offering of products to the market to providing innovative and invaluable services alongside their products. By so doing, the sale becomes an ongoing engagement and not a one-off event. Cranfield University professors call it “the innovation of an organisation’s capabilities and processes to better create mutual value through a shift from selling a product to selling product-service systems.”?

As foreign as it may seem for some professionals, servitisation has been a need that, though not embraced, its demand remains evident. Nonetheless, firms have hesitated to implement it. Shifting from manufacturing products only to incorporating product-centric services alongside the products is not a walk in the park. It boils down to completely changing the company’s entire structure and processes.

All the same, change is never comfortable, and that’s why it’s always best to focus on the positive for motivation.

Servitisation Case Study

Some manufacturing firms have already embraced servitisation, and they’re reaping big from it. They’ve understood the benefits of offering more value to customers at less cost. What Rolls Royce is doing currently with its “power-by-the-hour” program is a good example of servitisation.

Instead of selling Aero Engines and letting customers take charge of maintenance and uptime, Rolls-Royce now offers a full package that includes a product and relevant services.?

Essentially, what the company is creating is an intimate and long-term relationship with its customers.

The total care package by Rolls Royce means it’s essentially renting out its engines to customers and monitoring data for potential maintenance needs. The plan guarantees that maintenance is only done when necessary and avoidable damage detected in good time. As a result, there is a clear reduction in the overall cost.

Initially, Rolls Royce would make money by basically selling and repairing engines. That meant that the worse the engines, the more repairs required and the more the money the company would make.?

However, things changed when the company realised there is no demand for a product that’s constantly in the repair shop. That prompted Rolls Royce to embrace servitisation.

Servitisation aligns the interests of the customer and those of the manufacturer to ensure everyone benefits. Rolls Royce has been offering this package to airlines since 2010, and the company has seen significant returns as a result.

Benefits

There are several benefits of incorporating servitisation into your manufacturing firm. Below are three of the strongest benefits

  • Financial Stability– Servitisation establishes a more secure revenue stream because of the long term connection between manufacturer and customer. This also translates to loyal customers, meaning more profit.
  • Strong Customer Retention Rate– Being more experienced about the equipment and the constant tracking and monitoring that comes with servitisation; manufacturers are realising that they can keep more customers.
  • Selling a Solution And a Product– Today customers are not just looking to buy a product, instead, they want both the product and the solution to their problem. Meaning you make more money for the product you manufacture and the service you offer to your customers.

Implementation of Servitisation in the Industry

To effectively implement servitisation, there must be an effective two-way flow of information and data in the supply chain. Meaning you may require software like FieldElite for scalable condition monitoring of performance. With FieldElite, for example, servitisation is made easier for you because it enables you to monitor the performance of your assets remotely.

Maintenance and monitoring of assets were traditionally very expensive and time-consuming until the arrival of intelligent software that makes work easier and cost-effective for manufacturers. FieldElite uses advanced learning algorithms to remotely automate the entire process, allowing you to detect, in real-time, the performance and need for maintenance on your asset.

Required Organisational Changes

A few important steps include;

Companies that invest in continuous training and development always have a more competitive edge than their counterparts. Meaning an important step towards servitisation is training the workforce. This is important, considering that the company structure, focus, and process will have to change.

Set up a team that is focused on the challenge, change, and creation. With this, you can easily adjust to industry changes. The team should always work on knowing what should be adjusted and when it should be.?

In the shift to servitisation, adopting a comprehensive service technology is an important step. Such service technology software includes FieldElite. This technology will ensure that you’re able to monitor your product in real-time, meaning you can maintain good performance for as long as possible.

Because servitisation essentially focuses on the customer, take time to study customer behaviour. Knowing what your customers need and want will help you remain relevant in the industry.

Conclusion

As the demand for more benefits and long-lasting relationships with dealers grow, so is the need for manufacturers to adjust. Hence more and more manufacturing companies are leaning towards embracing servitisation as a solution to the growing demand.?

In turn, manufacturers who’re attaching service contracts to their product sales are making more than those who remain stuck in the traditional approach to sales.?

Essentially, servitisation will ensure that, as a manufacturer, you remain relevant to your customers now and in years to come. This is a much better arrangement in terms of saving costs and making more returns. Remember to be successful, you have to be flexible enough to change with demand.

Energy Savings Opportunity Scheme (ESOS): An Overview

Energy management is crucial to most businesses in the UK. This is primarily because energy usage substantially affects all organizations, whether large or small. The good news is that, energy costs can be controlled through improved energy efficiency. And this is exactly why Energy Savings Opportunity Scheme (ESOS) came into being ? to promote competitiveness among businesses.

Energy Savings Opportunity Scheme is the realisation of the UK Government’s ambition towards achieving the maximum potential of cost-effective energy in the economy. ESOS aims to stimulate innovation and growth, cut emissions and support a sustainable energy system.

ESOS at a Glance – Legal Perspective

The EU Energy Efficiency Directive took a major step forward on November 14, 2012 and headed towards establishing a framework to promote energy efficiency across various economic sectors. To interpret Article 8 of the Directive, the government has given birth to ESOS; requiring large enterprises to undergo mandatory energy audits and energy management systems by December 5, 2015 and at least every 4 years thereafter.

Large enterprises include UK companies that have more than 250 employees or those businesses whose annual turnover exceeds ?50 million and whose statement of financial position totals more than ?43 million. With this, over 7000 of the biggest companies in Britain will need to comply with ESOS as an approach to review their total energy use in buildings, business operations, transport and industrial processes.

Generally, ESOS is both an obligation and an opportunity. It is an obligation for the indicated target companies since they need to submit to additional regimes; focus on audit evidences; act in accordance to group structures and compliance; and observe limited penalties and note retention periods. Moreover, it is also an opportunity for companies to strive for more savings on energy projects; attempt to standardise their potential market; and effectively lower debt and legal costs.

ESOS Audits ? Looking Beyond

According to the Department of Energy and Climate Change (DECC), average first audit costs would be estimated at about ?17,000 and subsequent ones at around ?10,000. As expected, these audits will result in energy saving recommendations, of which companies need not proceed for a follow up; and substantially improve businesses in their energy management issues. DECC further states that every business that complies with ESOS could save an average of ?56,400 each year from an initial investment of ?17,000 only.

Currently, up to 6,000 UK businesses are already subject to existing CRC Carbon Reduction Scheme, Mandatory Carbon Reporting, Climate Change Levy and other compliance. This signifies that ESOS may overlap with prevailing energy efficiency legislation and may put additional pressure on energy administration. While this is true, however, ESOS holds extensive benefits. Although the scheme can be viewed as another costly compliance to environmental standards, ESOS goes straight to the bottom line and provides the organisation with competitive advantage. If large businesses act now and comply with it, they will be able to enjoy maximised payback in the long run.

Indeed, Energy Savings Opportunity Scheme is already here. It is mandatory with minimal investment. And all you have to do is act quickly, implement new improvements and earn more.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today