How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Sources of Carbon Emissions

Exchange of carbon dioxide among the atmosphere, land surface and oceans is performed by humans, animals, plants and even microorganisms. With this, they are the ones responsible for both producing and absorbing carbon in the environment. Nature?s cycle of CO2 emission and removal was once balanced, however, the Industrial Revolution began and the carbon cycle started to go wrong. The fact is that human activities substantially contributed to the addition of CO2 in the atmosphere.

According to statistics gathered by the Department of Energy and Climate Change, carbon dioxide comprises 82% of UK?s greenhouse gas emissions in 2012. This makes carbon dioxide the main greenhouse gas contributing to the pollution and subsequent climate change in UK.

Types of Carbon Emissions

There are two types of carbon emissions ? direct and indirect. It is easier to measure the direct emissions of carbon dioxide, which includes the electricity and gas people use in their homes, the petrol burned in cars, distance of flights taken and other carbon emissions people are personally responsible for. Various tools are already available to measure direct emissions each day.

Indirect emissions, on the other hand, include the processes involved in manufacturing food and products and transporting them to users? doors. It is a bit difficult to accurately measure the amount of indirect emission.

Sources of Carbon Emissions

The sources of carbon emissions refer to the sectors of end-users that directly emit them. They include the energy, transport, business, residential, agriculture, waste management, industrial processes and public sectors. Let’s learn how these sources contribute carbon emissions to the environment.

Energy Supply

The power stations that burn coal, oil or gas to generate electricity hold the largest portion of the total carbon emissions. The carbon dioxide is emitted from boilers at the bottom of the chimney. The electricity, produced from the fossil fuel combustion, emits carbon as it is supplied to homes, commercial establishments and other energy users.

Transport

The second largest carbon-emitting source is the transport sector. This results from the fuels burned in diesel and petrol to propel cars, railways, shipping vehicles, aircraft support vehicles and aviation, transporting people and products from one place to another. The longer the distance travelled, the more fuel is used and the more carbon is emitted.

Business

This comprises carbon emissions from combustion in the industrial and commercial sectors, off-road machinery, air conditioning and refrigeration.

Residential

Heating houses and using electricity in the house, produce carbon dioxide. The same holds true to cooking and using garden machinery at home.

Agriculture

The agricultural sector also produces carbon dioxide from soils, livestock, immovable combustion sources and other machinery associated with agricultural activities.

Waste Management

Disposing of wastes to landfill sites, burning them and treating waste water also emit carbon dioxide and contributes to global warming.

Industrial Processes

The factories that manufacture and process products and food also release CO2 , especially those factories that manufacture steel and iron.

Public

Public sector buildings that generate power from fuel combustion also add to the list of carbon emission sources, from heating to other public energy needs.

Everybody needs energy and people burn fossil fuels to create it. Knowing how our energy use affects the environment, as a whole, enables us to take a step ahead towards achieving better climate.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Saving Energy Step 4 – Breathing Life into the Project

Today we consider the fourth step on the road to energy saving, when we introduce key contributors who will pull it all together. We have been on quite a journey. We started by developing a management system and then followed up with practical improvements, while challenging the assumptions behind the energy bills we may have paid unchallenged in the past.

After we knock off the big-ticket savings, managing energy becomes a process of improvement characterised by smaller increments. Kaizen is the classic model and it includes everybody in the organization from the janitor to the CEO. I inverted the pyramid deliberately, because ideas deserve considering no matter where the originator parks in the company yard.

People ? our people ?are truly central to the process. Energy adds extra leverage to their efforts, keeps them warm in winter, cool in summer and powers up the ovens in the company canteen. They are brimming over with ideas because that is the nature of being human. The best managers are those who release this potential and participate in its flowering,

It is important not to threaten job security. So many savings-driven initiatives have ended in job losses that people on the shop floor automatically suspect another round. Shrinking carbon footprints is about making the world a better place for everyone. We become more effective when we turn ?increasing profit? into making the enterprise sustainable in itself.

Engaging employees is more than office circulars and speeches at the Christmas Party. Organizations are organic places where trust grows slowly but conflict can flare in a moment. Before involving your people in your energy ?kaizan? make sure your words and intentions overlap perfectly. You will be amazed at the power you unlock in your people.

The best way I know of doing this is through your health and safety structure, which then becomes your environment, health and safety structure EHS. As you explore this idea at safety committees you find these things overlap, in the sense of creating people-centric environments at work and home.

That said, there is no magic formula for achieving employee engagement. The fact that people universally want a cleaner planet is the power to tap into. One way to form a team is to create one artificially and give it a task. The other is to work together towards a shared objective. Which one do you prefer?

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Is Your Project Agile, a Scrum or a Kanban?

Few projects pan out the way we expect when starting out. This is normal in any creative planning phase. We half suspect the ones that follow a straight line are the exceptions to the rule. Urban legend has it; Edison made a thousand prototypes before his first bulb lit up, and then went on to comment, ?genius is 1% inspiration, 99% perspiration?. Later, he added that many of life’s failures are people who did not realise just how close they were to success when they gave up.

So be it to this day, and so be it with project planning too. There is no one size fits all approach when it comes to it. Agile, Scrum and Kanban each have their supporters and places where they do well. Project planning often works best when we use a sequential combination of them, appropriate to what is currently happening on the ground.

Of the three, Agile is by far the most comprehensive. It provides a structure that begins with project vision / conceptualisation, and goes as far as celebration when the job is over, and retrospective discussion afterwards. However, the emphasis on daily planning meetings may dent freethinking, and even smother it.

Scrum on the other hand says ?forget all that bureaucracy?. There is a job to do and today is the day we are going to do it. Although the core Agile teamwork is still there it ignores macro project planning, and could not be bothered with staying in touch with customers. If using Scrum, it is best to give those jobs to someone else.

The joker in the pack is Kanban, It believes that rules are there to substitute for thought, and that true progress only comes from responsible freedom. It belongs in mature organisations that have passed through Scrum and Agile phases and have embarked on a voyage towards perfection.

That said, there can be no substitute for human leadership, especially when defined as the social influence that binds the efforts of others towards a single task.

Ready to work with Denizon?

Contact Us Today