How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Job & Staff Scheduling with FieldElite Mobile Service Management Software

Field Service Management (FSM) software systems are designed to enable you to manage your mobile workforce from a central point- and do away with the paperwork involved with the process. They connect your technicians on the ground (via app on their phones), to the staff at the head office- who have an interactive dashboard accessed through their browsers. The office team will have access to all the jobs that are to be handled by the company, simplifying the management process and taking away the risks that come with manual data entry. Here, we will walk you through a quick process of scheduling a job for your personnel with FieldElite.

Say you are a HVAC contractor, licensed, bonded and insured. You’ve made quite a name for yourself in the industry, and have a wide range of clients- in both residential and commercial establishments. Consequently, you also have a large workforce to attend to the different situations- from installing to repair and maintenance. One of your clients- let’s call them ABC Computer Supplies, has an issue with their HVAC unit- perhaps a pipe is leaking. It needs to be fixed, and ABC have booked an appointment.? Your goal here is to get one of your personnel to handle the task as soon as possible, and this field service scheduling software comes in handy.

There are two approaches that you can take:

1. Job Scheduling

From your Dashboard, on the left-hand side you will see the menu option. Clicking on Jobs, will take you to all jobs carried out by your company.

The filters will allow you to view different categories of jobs:

Complaint– This means that there was an issue with on ground during the task delivery, and the client lodged a complaint.
On hold– Here, different aspects can cause a job to be paused- like when spare parts or equipment required for repair jobs have been ordered, and one needs to wait for them to be shipped in from a different location.
Pending– This is basically your in-tray, a list of jobs that are to be carried out.
In Progress– The technicians are on the ground, attending to the client’s needs, and you’re getting routine updates from them.
Incomplete– Though the job had been assigned to the required technician, it was not completed in the set amount of time, thus requiring an additional visit to the site. Given that the FSM solution increases the first-time fix rate, cases of ?incomplete tasks? are reduced.
Complete– The task is successfully done and the customer has appended their e-signature, and now it can be invoiced.
Cancelled Invoice– The head office determines that a particular invoice shouldn’t be paid, and thus cancels it.

Our focus here is the pending tasks, so use this filter. ABC’s HVAC job will be among these. Clicking on its Job ID will open up the details of the task, with such an Update Job window:

This section contains all the information of the job- both past and present, which you can update in real-time. Any changes will be recorded by the system and can be viewed on the “Audit” tab.

As you can see here, the HVAC repair job is both “pending” and “urgent”. No one really likes sitting in an office that feels like an oven. Being the headquarters, it’s likely handles lots of foot traffic, and the damaged HVAC unit will make the working conditions really difficult. It’s best not to keep the client waiting, right?

So, head on over to the Supervisor and Workers section (on the same “Details” tab), and select the personnel suited for the task.

Set the time that the task will take for your technician, and once satisfied with the details of the job, click on Update. Voila! You’re done.

Immediately this happens, the worker received a notification on their app, telling them that they have been assigned the job.

From the app, the technician will be able to view the specifics of the HVAC job, including notes and attachments that you can add directly from your own dashboard, such as schematics of the building and reports from other technicians who installed the air conditioning system for the facility. You also get to add products that will be required for the task- like the pipe and panel mounted socket shown here. As the system also includes an inventory of the products used, their quantity and costs, you will be able to keep an accurate record of the supplies as they as are used.

As such, the field workers will not have to keep coming back to the central office to get documents and reports of new tasks, or walk around with bulky files. When they are carrying out the job, they will also be able to keep the staff at the office updated about its progress, through the chat feature on the mobile app, taking photos and adding notes as required.

2. Staff Scheduling

With this approach, the perspective is basically: ?So I have a couple of jobs- which of my employees has time to handle them?? The FSM allows you to optimise your productivity- by ensuring that you get the most out of the staff work hours, and avoid cases of jobs going into overtime.

Follow these steps:

Select ?Scheduler? from the left-hand side of the window. You will have a view of the workers of your company and how their day is planned out, and a summary of the unassigned jobs.

Here, you can tell whose busy, and who can have a new task assigned to them at the click of a button- which is far more effective than keeping on jotting down points in your diary or going through files of documents.

If the job has yet to be added to the system- like for the cases of new clients, simply click on the ?Add Job? button and key in its details.

2. Scroll down, you will see a list of unassigned jobs.

3. Next, click on the edit button under ?Actions?. This will take you to the same ?Update Job? window described in the first approach, in order to assign the preferred worker to the role.

This real-time dispatching avoids cases of your desk getting cluttered with paper sheets, and prevents duplicate entries as each job has its own ID and task details- from the scheduling to the invoicing. In this case, your HVAC technician will have access to the information needed right at the palm of their hand, to ensure that the task at ABC?s head office goes seamlessly. The optimised schedule will enable the task to be carried out faster- restoring normalcy to your client’s facility.? In case the client’s location is on the route that one of your technicians takes while heading home, you can take advantage of this by giving them the task towards the end of their working day- thus clearing more of your backlog, sorting out your client, and easing your technician?s worries about getting home late.

As you can see, the field service scheduling software enables you to easily and efficiently handle your workflow, avoid the mess that is associated with manual documentation and cases of your employees getting conflicting schedules and overlaps- which would strain them and dampen their morale. Streamlining your workflow and standardising operations ultimately results in increased customer satisfaction.

Benefits Realisation Frameworks – A Useful Handle

One of the greatest challenges of project management is maintaining top-down support in the face of fluctuating priorities. If you elect to take on the role yourself and are peppered by other priorities, it can be a challenge to exactly remember why you are changing things and what your goals are. Sometimes you may not even notice you have reached your goal.

The Benefits Realisation Chart-room

The Benefits Realisation Model is a framework on which to hang key elements of any project. These traditionally include the following, although yours may not necessarily be the same:

Definition of the project goal
Quantification of intended benefits
Project plan versus actual progress
How you know you reached your goal
Quantification of actual benefits

Another way of describing Benefits Realisation Frameworks is they answer four fundamental questions that every project manager should know by heart:

What am I going to do?
How am I going to do it?
When will I know it’s done?
What exactly did I achieve?

The Benefits Realisation Promise

An astounding number of projects fail to reach completion, or miss their targets. It’s not for nothing that the expression ?after the project failed the non-participants were awarded medals? is often used in project rooms. We’re not saying that it is a panacea for success. However it can alert you to warnings that your project is beginning to falter in terms of delivering the over-arching benefits that justify the effort.

When Projects Wander Off-Target

Pinning blame on participants is pointless when project goals are flawed. For example, the goals may be entirely savings-focused and not follow through on what to do with the windfall. At other times realisation targets may be in place, but nobody appointed to recycle the benefits back into the organisation. This is why a Benefits Realisation Framework needs to look beyond the project manager?s role.

Realisation Management in Practice

If the project framework does not look beyond the project manager?s role, then it is over when it reaches its own targets ? and can even run the risk of being an event that feeds entirely off itself. In order to avoid a project being a means to its own end, this first phase must culminate with handover to a benefits realisation custodian.

An example of this might be a project to centralise facilities that is justified in terms of labour savings. The project manager?s job is to build the structure. Someone else needs to rationalise the organisation.

In conclusion, the Benefits Realisation Framework is a useful way of ensuring a project does not only achieve its internal goals, but also remains a focus of management attention because of its extended, tangible benefits.

How to Improve Corporate Efficiency through IT

When revenues are low, what do you do to improve your profit? Obviously, those same revenues should at least remain the same. So, the objective would be to deliver the same products and services for less cost. More for less. Such is the essence of corporate efficiency.

There are many things that can make a company inefficient. There are outdated procedures, poor coordination between departments, managers? lack of business visibility, and prolonged down times, to mention a few. As a company grows, these issues get more severe.

You can overcome all these by deploying the right IT solutions. But don’t IT solutions increase spending instead? Au contraire. The last couple of decades have seen the rise of IT solutions that help companies’realise obvious cost savings in no time.

Streamline processes and keep departments in-sync

Company inefficiencies are largely due to outdated systems and procedures. These systems and procedures were not built for the dynamic and complex business environments of today that are being shaped by increasingly onerous regulations, fierce and growing competition, significant economic upswings and downturns, new battlefronts (like the Web) and logistical strategies (like outsourcing), and IT-savvy crooks.

So when your employees force outdated systems to meet today?s business demands, they’re just not able to deliver. At least not efficiently.

Another major cause of inefficiency is the discordance among departments, business units, and even individual staff members themselves. There are those who still use highly personalised spreadsheets and other disparate applications, which make data consolidation take forever and the financial close a perennial headache.

Costly devices like mobile phones, netbooks, and tablet PCs, which are supposedly designed to provide better communication, are not fully maximised. If these are subsidised by the company, then they also contribute to company inefficiency.

One way to deal with these issues is to deploy server based solutions. By centralising your IT system, you can easily implement various improvements that can pave the way for better communication and collaboration, stronger security, faster processes and transactions, and shorter down times for troubleshooting and maintenance. All these clearly translate to cost savings.

Gain better visibility

Corporate efficiency can be improved if your decision makers can make wise and well-informed decisions, faster. But they can only do this if reports they receive from people down the line are timely, accurate, and reliable. Basically, data should be presented in a way for managers to gain quick insights from.

If your people take too much time scrutinising, interpreting, and reconciling data, you can’t hope to gain a significant competitive advantage. Equally important to managing an ongoing project is the speed at which you make a go/no go decision to start or stop a project. A wise, quick decision will help you avoid wastage.

The same holds true when making purchases and investment decisions. It’s all about quickly eliminating waste and investing only on those that will give you fast, positive returns.

Clear business visibility will allow managers to allocate resources where they are most effective, to pinpoint what products and services being offered are more profitable, and to identify which customers are giving better business from an overall perspective.

These are all possible with business intelligence. We know, we know. You’ll say BI solutions will force you to break the bank. Not anymore. At least, not all. There are already two main types of BI solutions: on-premise and SaaS. The latter will generally cost you less.

Of course, each type has its own advantages, and you’ll really have to look into the size of your organisation, the number of source systems your decision-making platform is connected to, integration requirements, budget, etc. to make sure you get the most out of your investment.

But IT solutions cost an arm and a leg

Again, not anymore. These days, you can find IT products that are faster, more functional, and more powerful than their predecessors at a fraction of the cost. When it comes to getting more affordable IT products and services, you now have many options.

For example, you can turn to open source solutions to save on license costs. These solutions are typically backed by vibrant and helpful communities where you can find an extensive source of technical support – many of which are for free. With popular open source products, you can easily tap from a large pool of developers with affordable rates any time you want to make system enhancements or customisation.

On another front, virtualization solutions allow you to save on CAPEX and OPEX by eliminating certain expenses normally used for setting up infrastructure or buying hardware and maintaining them. Server virtualisation, for instance, will allow you to consolidate servers and put them together into just one machine, while desktop virtualisation will enable you to eliminate unproductive hours associated with desktop down times by allowing you to redeploy a malfunctioning desktop very quickly.

Closely related to those are cloud-based solutions like SaaS (Software as a Service), IaaS (Infrastructure as a Service), and DCoD (Data Center on Demand). SaaS and IaaS will help you realize savings in acquisition and maintenance costs for software and hardware, while DCoD?s scalable services allow you to request for additional capacity, power and storage only as you need them, thus making you spend only according to your current infrastructure requirements.

Like we said, there are many, many options out there just waiting to be tapped.