How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

EU Energy Efficiency Directive & UK?s ESOS

In 2012 the European Union passed its EU Energy Efficiency Directive (EED) into law. This aims to reduce overall energy consumption by 20% by 2020. It placed an obligation on member states to pass back-to-back local legislation by June 2014.

EED Guidelines

The EED provides specific guidelines it expects member nations to address. The list is long and here are a few excerpts from it:

Large companies must use energy audits to identify ways to cut their energy consumption

Small and medium companies must be incentivised to voluntarily take similar steps

Public sector bodies must purchase energy-efficient buildings, products and services

Private energy-consumers must be empowered with information to help manage demand

Energy distributors / resellers must cut their own consumption by 1.5% annually

Legislators are free to substitute green building technology e.g. through better insulation

Every year, European governments must audit 3% of the buildings they own

Definition of Energy Audit

An energy-consumption audit is a question of measuring demand throughout a supply grid, with particular attention to individual modules and high demand equipment. While this could be an exercise repeated every four years to satisfy ESOS, it makes more sense to incorporate it into the monthly energy billing cycle.

Because energy use is not consistent but varies according to production cycle, this can produce reams of printouts designed to frustrate busy managers. ecoVaro offers an inexpensive, cloud-based analytic service that effortlessly accepts client data and returns it in the form of high-level graphic summaries.

Potential ESOS Beneficiaries

As many as 9,000 UK companies are obligated to do energy audits because they employ more than 250 employees, have a balance sheet total over ?36.5m or an annual turnover in excess of ?42m. Any smaller enterprise that finds energy a significant input cost, should also consider enlisting Ecovaro to help it to:

Obtain a better understanding of the energy side of their business

Achieve energy savings and share in a estimated ?3bn bonanza to 2030

Reduce carbon emissions to help meet their CRC commitments

More About ecoVaro

We offer web-based energy management software that helps you measure and manage energy costs. This strips data from your meters and generates personalised reports on a dashboard you control. This information helps you accurately zoom in on worthwhile opportunities. With Ecovaro on your side, ESOS truly becomes an Energy Saving OPPORTUNITY Scheme.

How To Get Started with your IT Compliance Efforts for SOX

There’s no question about it. For many of you top executives in the corporate world, all roads leading to a brighter future have to go through SOX compliance. And because the business processes that contribute to financial reporting (the crux of the Sarbanes-Oxley Act) are now highly reliant on IT systems, it is important to focus a good part of your attention there.

It is a long and arduous path to IT compliance, so if you don’t want your company to fall by the wayside due to inefficient utilisation of resources, it is important to set out with a plan on hand. What we have here are some vital information that will guide you in putting together a sound plan for SOX compliance of your company?s IT systems.

Why focus on IT systems for SOX compliance?

We’ll get to that. But first, let’s take up the specific portions of the Sarbanes-Oxley Act that affect information technology. These portions can be found in Section 302 and Section 404 of the act.

In simplified form, Section 302 grants the SEC (Securities and Exchange Commission) authority to come up with rules requiring you, CEOs and CFOs, to certify in each annual or quarterly financial report the following:

that you have reviewed the report;
that based on your knowledge, the report does not contain anything or leave out anything that would render it misleading;
that based on your knowledge, all financial information in the report fairly represent the financial conditions of the company;
that you are responsible for establishing internal controls over financial reporting; and
that you have assessed the effectiveness of the internal controls.

Similarly, Section 404, stated in simplified form, allows the SEC to come up with rules requiring you, CEOs and CFOs, to add an internal control report to each annual financial report stating that you are responsible for establishing internal controls over financial reporting.

You are also required to assess the effectiveness of those controls and to have a public accounting firm to attest to your assessment based upon standards adopted by the Public Company Accounting Oversight Board (PCAOB).

While there is no mention of IT systems, IT systems now play a significant role in financial reporting. Practically all of the data you need for your financial reports are stored, retrieved and processed on IT systems, so you really have to include them in your SOX compliance initiatives and establish controls on them.

Now that that’s settled, your next question could very well be: How do you know what controls to install and whether those controls are already sufficient to achieve compliance?

Finding a suitable guide for IT compliance

The two bodies responsible for setting rules and standards dealing with SOX, SEC and PCAOB, point to a well-established control framework for guidance – COSO. This framework was drafted by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and is the most widely accepted control framework in the business world.

However, while COSO is a tested and proven framework, it is more suitable for general controls. What we recommend is a widely-used control framework that aligns well with COSO but also caters to the more technical features and issues that come with IT systems.

Taking into consideration those qualifiers, we recommend COBIT. COBIT features a well thought out collection of IT-related control objectives grouped into four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS), and Monitor and Evaluate (ME). The document also includes maturity models, performance goals and metrics, and activity goals.

A few examples of COBIt’s detailed control objectives are:

DS4.2 – IT Continuity Plans
DS4.9 – Offsite Backup Storage
DS5.4 – User Account Management
DS5.8 – Cryptographic Key Management
DS5.10 – Network Security
DS5.11 – Exchange of Sensitive Data

By those titles alone, you can see that the framework is specifically designed for IT. But the document is quite extensive and, chances are, you won’t need all of the items detailed there. Furthermore, don’t expect COBIT to specify a control solution controls for every control objective. For example, throughout the control objective DS4 (Ensure Continuous Service), you won’t find any mention of virtualisation, which is common in any modern business continuity solution.

Basically, COBIT will tell you what you need to attain in order to achieve effective governance, management and control, but you’ll have to pick the solution best suited to reach that level of attainment.

Articles highly relevant to the one you just read:

Month End Accounting The Way It Should Be Today
Spreadsheet Woes ? Burden in SOX Compliance and Other Regulations
Spreadsheet Woes ? Limited Features For Easy Adoption of a Control Framework
How Internal Auditors Can Win The War Against Spreadsheet Fraud

Top 10 Benefits of Using a Field Service Automation Software

The Field Service Management (FSM) Software market is growing at rates never seen before if the recent statistics are anything to go by. According to the latest estimates, the FSM market is worth $3.5 billion and is expected to hit $5.9 billion by 2024.

It’s understandable why this is happening. Technology is advancing, and we all know it’s every entrepreneur?s dream to optimise the use of the available resources while guaranteeing customer satisfaction. If technology can deliver this through automation, why not? Every business now wants to automate things, and the focus is to maximise resource output. You should, therefore, not be surprised to see the FSM software industry booming. If you just considered the field service industry, you’ll realise that there are so many software applications to help with service automation, whether full or partial.

A good example is FieldElite , which helps with the management of field workers. From your desktop or the palm of your hands, on a tablet or smartphone, you can take full control of your field workers, manage scheduled jobs, and use maps to manage work assignments for the already dispatched field workers. Not only does FieldElite help you handle tasks in an accountable manner but also provides options for accounting and reports, all managed in an easy to use dashboard.

But why would organisations need to invest in a Workforce management app? Below are some of the key benefits of using a Field Service Management software.

Field Service Software: Improves Efficiency

Improved worker efficiency is one of the main advantages of field service software like FieldElite.

Most FSM software programs allow the administrator to send tasks directly to the field worker?s mobile. More often than not, the FSM software provides vital information, including service history, optimal route to the site, the tools required, and contact numbers, among other details.

This improves efficiency by ensuring that the client’s needs are taken care of promptly. Where it’s about machine maintenance, the downtime would be as short as possible.

Field Service Software: Enhances Professionalism

FSM software programs are known for ensuring professionalism in the manner in which business activities are conducted. Of course, professionalism is attained through several factors, including working with a team of professionals. Such a team, using FSM software, results in enhanced efficiency and excellence.

A field service software like FieldElite helps you to consolidate all your business information into a single central database. With different access levels, your employees will access only as much information as is relevant to their respective duties.

An FSM software is ideal because the stored information can be accessed from any location, meaning field workers can pick new tasks while in the field, provided they’ve got the requisite tools. Instead of having to come back to the office, the employee would access all the information and execute the necessary task.

Field Service Software: Enables Resource Optimization

Resource optimization is one of the key determinants of a company?s profitability. While businesses vary in size and purpose, they all share one thing in common ? the desire to increase productivity while ensuring the optimal usage of resources.

Besides productivity, field service software also allows for efficient utilization of the available resources to cut down on costs.

Field Service Software: Ensures Better Coordination

FSM software facilitates improved coordination with the workforce. The software streamlines the management of the entire field service life cycle, ranging from labour to work orders, returns, contracts, warranties, and equipment.

The idea is to bring all the company?s field-related operations to a central point. And now, with easy data accessibility from a central platform, improved coordination is easily achievable.

Field Service Software: Guarantees Higher Accuracy

Adopting the field service management software is more than just a way to improve efficiency. It goes a long way towards improving a company?s accuracy. When a field service management software is used to trace a company?s activities, all the tasks are tracked on the mobile device, keeping the managers informed of every step.

Besides, the technicians also have a free reign to record the diagnostics, quality information, test results, and the parts consumed. All the information can be captured using text, audio, videos, and still photos. This guarantees minimal to no instances of data manipulation.

Field Service Software: Improves Customer Satisfaction

Field service management software improves customer satisfaction. How does that happen? Well, using a field service software like FieldElite allows for quick response to customer queries. If there?s one thing that quickly turns your customers off, it’s delayed response to their requests. With the field service management software, however, you can respond to such requests quickly and effortlessly.

Moreover, your customers can also track the service engineer to ensure they’re well informed of any anticipated delays. With quick response time, customer machines have more reliable uptime, which is the desire of every client.

Field Service Software: Provides Flexibility

If there?s one thing that customers like when dealing with a company, it’s flexibility. Instinctively, customers will always want different options to choose from when using a service without appearing to be confined to one provision. Having limited options would also appear boring.

To this extent, it would be wiser to adopt advanced FSM software. Advanced FSM software is compatible with mobile phones, meaning users can easily manage their tasks from isolated locations. FSM software can either be device-agnostic or device-specific. The device-specific type supports Android, Windows, and Apple iOS. This guarantees mobile-friendly tasks where users can easily manage the assignments via mobile application..

Field Service Software: Stores Client History

The mentioned software stores client history precisely. All the past data, including order history, are stored separately and accurately. In so doing, the field technician gets easy access to the tools, specifications, and technician instructions that aid them in their operations. The result is increased productivity and on-time service delivery.

Field Service Software: Enables Asset Management

Naturally, companies offering different repair services have plenty of assets to store. Accordingly, retrieving a specific part out of the large collection would be daunting.

With a field service application like FieldElite, the staff members can track down all the products effortlessly using the GPS. Furthermore, the FSM software ensures excellent maintenance of assets.

Field Service Software: Improves Oversight of Field Workers

The FSM software comes with many useful tools, including a built-in GPS tracker. The GPS tracker oversees the operations of the on-field workers, providing precise details about their geographical location, actual arrival time, and most importantly, the distance from the job site.

While this might not be useful at all times, it comes in handy when you need to assign an urgent task to the nearby technician. Call it a classic example of dynamic scheduling.

Final Thoughts

With so much at stake, it’s increasingly compelling to include the Field Service Management Software in your business. With every industry moving towards automation, your business cannot afford to lag.

Quick and efficient service delivery through FSM software may be the difference between you and your competitors.

The FSM software is no longer the cherry on the cake but a must-have tool for your survival in the highly competitive market.