How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Uncover hidden opportunities with energy data analytics

What springs to mind when you hear the words energy data analytics? To me, I feel like energy data analytics is not my thing. Energy data analytics, however, is of great importance to any organisation or business that wants to run more efficiently, reduce costs, and increase productivity. Energy efficiency is one of the best ways to accomplish these goals.

Energy efficiency is not about investment in expensive equipment and internal reorganization. Enormous energy saving opportunities is hidden in already existing energy data. Given that nowadays, energy data can be recorded from almost any device, a lot of data is captured regularly and therefore a lot of data is readily available.

Organisations can use this data to convert their buildings’ operations from being a cost centre to a revenue centre through reduction of energy-related spending which has a significant impact on the profitability of many businesses. All this is possible through analysis and interpretation of data to predict future events with greater accuracy. Energy data analytics therefore is about using very detailed data for further analysis, and is as a consequence, a crucial aspect of any data-driven energy management plan.

The application of Data and IT could drive significant cost savings in company-owned buildings and vehicle fleets. Virtual energy audits can be performed by combining energy meter data with other basic data about a building e.g. location, to analyse and identify potential energy savings opportunities. Investment in energy dashboards can further enable companies to have an ongoing look at where energy is being consumed in their buildings, and thus predict ways to reduce usage, not to mention that energy data analytics unlock savings opportunities and help companies to understand their everyday practices and operating requirements in a much more comprehensive manner.

Using energy data analytics can enable an organisation to: determine discrepancies between baseline and actual energy data; benchmark and compare previous performance with actual energy usage. Energy data analytics also help businesses and organisations determine whether or not their Building Management System (BMS) is operating efficiently and hitting the targeted energy usage goals. They can then use this data to investigate areas for improvement or energy efficient upgrades. When energy data analytics are closely monitored, companies tend to operate more efficiently and with better control over relevant BMS data.

The Cloud: Changing the Game for Small Businesses

There is a consensus among cloud experts that the onset of cloud computing will benefit small organisations the most. In fact, many even go as far as saying that the cloud and small businesses are a match made in IT heaven. How much of this is true and how much of this is merely part and parcel of the hype surrounding cloud computing?

The Cloud as the Great?Equaliser

If you closely examine the essential characteristics of cloud computing, particularly public cloud services, you will see why small organisations would be very interested in the cloud, and would eventually flock to it, like moths to a flame. And why not? Cloud computing is turning out to be the weapon that can allow small and medium organisations to compete on a more level playing field against large enterprises.

Here are some cloud computing benefits that may just close the gap between the two.

  • Significantly lower IT spending. With little to no investment at all on hardware infrastructure and practically zero maintenance costs, SMBs that would have required substantial capital for IT are now finding it easy to get a business started from scratch or develop and test out new products by using the cloud as the backbone of their IT set-up. The pay-as-you-go pricing scheme that cloud computing offers allows companies to start small and scale up as needed, or when the revenue starts coming in.
  • Higher employee productivity. Licensing fees for software applications can run high even if you don’t have a large staff. Good thing there are now a host of cloud-based office tools – word processors, spreadsheets, presentations, accounting systems, etc. – that can boost employee productivity without the corresponding costs that small businesses can ill afford. Plus, team members in remote locations can continue to collaborate with the rest through any internet-connected device in real time.
  • Easier, better communication. The easy accessibility of communication apps has also changed the way employees interact with fellow employees and more importantly, with customers. Whether through email, instant messaging, or social networks, cloud services have given individuals and businesses more ways of giving and getting feedback. The best thing about it is that most of these services don’t cost much or are even free, giving SMBs ample tools to create better products and improve service.
  • A Look at the Figures Many small businesses are already seeing the potential in the cloud, with SaaS (Software as a Service) applications most commonly used among the early adopters. These services include email and other communication apps, file sharing, and backup.

In a February 2012 Edge Strategies survey (commissioned by Microsoft) of 3,000 small businesses in the US, the following data came to light:

  • The number of small companies with 2 to 10 employees using paid cloud services will triple in the next three years;
  • Current cloud users report purchasing an average of 4 services in the cloud now and expect to use 6 in the future;
  • Fifty percent agree that cloud computing is going to become more important for businesses such as theirs.

Further, a survey of 323 SMBs recently released by social business site Spiceworks and sponsored by EMC reveals that from 48 percent at the start of 2012 and 28 percent a year ago, 62 percent of the businesses surveyed now use some type of cloud app.

What these numbers show is that cloud adoption among small and medium enterprises is starting to gain ground and for sure, more will do the same as understanding and awareness increase. Yes, these businesses should still perform their due diligence as there is no one-size-fits-all cloud solution. But for those companies who have managed to find the right cloud apps and services for their needs, it’s all sunny skies up ahead.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Eck Industries Sheds Fresh Light

William Eck began his business in 1948 in a 650m2 garage building. The aluminium foundry prospered, and now has an 18,500m2 factory in Manitowoc, Wisconsin employing 250 people casting a variety of casings. Like high-tech industries around the globe it needs effective illumination. After it measured its carbon footprint, it realised it needed energy efficient lighting too.

When Eck Industries began its review it had around 360 high-pressure sodium lights throughout the plant. Their operating cost was substantial. After taking independent advice from an independent agency they realised they needed to replace these with more energy-efficient fluorescent lights that consume half as much energy.

The feasibility team conducted performance tests to determine the optimum solution. After selecting enclosed, gasketed and waterproof T8 fluorescents (available in G13 bipin, single pin and recessed double contacts) they collaborated with the supplier to calculate the best combination of 4 and 6 bulb fixtures.

The fittings they chose cost $60,000 plus $10,000 installation. However a $33,000 energy rebate wrote down 47% of this immediately. They achieved further energy savings by attaching motion sensors to lights over low-traffic walkways.

The retrofit was a huge success, with an 8 month payback via a direct operating saving of $55,000 a year. Over and above enhanced illumination Eck Industries slashed 674,000 kilowatt hours off its annual lighting bill. During the 20 year design life, this equates to a total 13.5 million kilowatt hours. Other quantifiable benefits include 443 tons less carbon, 2 tons less sulphur dioxide, and 1 ton less nitrogen oxide per year.

Many companies face similar opportunities but fail to capitalise on them for a number of reasons. These may include not being aware of what is available, lacking technical insight, being short of working capital and simply being too busy to focus on them.

Eck Industries got several things right. Firstly, they consulted an independent specialist; secondly they trusted their supplier to provide honest advice, and thirdly they accepted that any significant saving is worth chasing down. Other spin-offs were safer, more attractive working conditions and an opportunity to take their foot off the carbon pedal. This is an excellent example of what is possible when you try.

If you have measured your illumination cost and are concerned about it (but are unsure what the metric means within the bigger picture) then Ecovaro offers online reports comparing it with your industry average, and highlights the cost-benefits of alternative lighting. 

Ready to work with Denizon?

Contact Us Today