How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Field service and improved visibility

A manager is someone who has control over a company. They are given the responsibility of overseeing what the company does and making important decisions. The manager is the most important person in the empire and needs to be in the know at all times. Not what happened a day ago but in real-time and from any place.

Information is necessary for this to happen. It needs to be concise, brief and straightforward. Ideally, access to job status, location information, customer information, notifications and location information should be on the palms of their hands.

To sum it all up, there should be fluid communication among personnel in the field. Information should be accessed easily from one place as it flows to another to maintain steady two-way communication. This is possible with automation meaning that no amount of data will be left unseen or unused because of paperwork that was never handed over or looked into, reducing the chance of misinformation or missing information to a minimum.

Ways improved visibility will help your business through Field Service

Organisations using field services will agree that improved visibility has more business benefits and the real question is what aspect needs improving rather than discussing the benefits.

Real-time visibility

Managers need to be in the know from anywhere at any time. The manager needs information about the company. The need not to be physically present to have an idea of what’s going on. They should know everything at all times, from what was planned for the day to real-time events.

All this information should be easily accessed from one central point and should contain everything about the company and other relevant information.

Extending the back office into the field

This two-way communication is virtually irreplaceable. At any time, the information should flow among technicians in the field and those in the back office. This will help to have a better idea of how to manage the workload and come up with solutions to some work-related issues.

Everyone in the team should be informed and be up to speed about real-time events. Keeping everyone updated improves visibility because they can make updates and decisions based on the kind of information they get.

No more lost paperwork

Managing paper trail can be quite a hassle for organisations. With tons of workload, there can be many delays meaning that some information might be missed or forgotten. People might also choose not to turn up for work for days on end and can affect how much info is processed. Some work can be left undone, and work not invoiced.

When organisations use field service management services, information is fed only once and everything else is done automatically. Say goodbye to lags or relying on last month?s data. Work will move faster because people will have more time to focus on important things rather than chasing an endless paper trail.

Business intelligence

Field service management technology will let you know what is being done in the field and with such an abundance of data, will make sound decisions for the business.

Every decision is hinged on cold facts. Information needs to be easily accessed and filtered into the right categories so that sound business decisions are made from the collected data.

Growing revenue

The abundance of real-time information and improved visibility can determine whether a business will grow or not. Each piece of information can show trends that are critical for any business to improve. Trends show how each sector is doing and sheds more light into specific areas that need a total overhaul. This may include improving customer service, products on retail or hiring more technicians.

Without information, a company is one step closer to going out of business. Every action should be geared to increase the revenue and this starts by making the right choices.

Visibility when working offline

Working offline is an issue that can affect visibility. Sometimes agents will need to work in areas that have little network coverage or are deep down working in tunnels or are around heavy machines and turbines. Field service solutions are built for the mobile environment and for workers who may find themselves in non-connected areas so that they can still use their device while offline. This makes sure that there is no loss of information while working in-field

Time-saving

Certainly, business is constrained to its environments and if the demand changes it should prove to be flexible enough to adjust to changes as they happen. Field service solutions operations like schedule need to update instantly. Once activities start rolling, nothing should create lags in the schedule so that operations flow seamlessly at all time.

Field workers can then make updates and document changes easily on the job site directly on their device by using responsive site menus, drastically saving time while feeding data and complete orders.

Improved customer service

It is not a clich? to say that the customer is always right. With real-time information, both field service and back-office technicians can improve customer relations and satisfaction. With a unified system of sharing information like the ERPs and CRMs, the field officer can know more about specific clients, their history and other data to know more about what should be done in current and future orders. This means that better decisions will be made for each customer.

How improved visibility benefits different parts of the organisation

Improved visibility in all areas of the business makes information more accessible. Here are some of the benefits that various sects of a business can get from improved visibility.

? The business owner
The manager owns the company and can access all information with just a single tap. A lot of data can be used to analyse the health of the venture. This includes revenue, inventory, customer surveys, employee hours, invoices and customer data.
Profitability is increased by putting more emphasis on customer satisfaction and improving the quality of end products and services.

? The service manager
The service manager can see what is going on in the field in real-time, and look into measures that can improve the productivity of staff members in various departments.
And with workflow automation, time-saving is at the maximum because there is less paperwork consequently improving scheduling and job completion rates.

? Service administrator/ dispatcher
For the team in the office, they can assign tasks faster. Scheduling is automatically done and updated in real-time. It eliminates the need for paperwork and leaves more time to be productive on other errands.

? The field technician
Improved visibility for a field worker means that they can do their best in any task. They can share or get critical information about orders and customers. This drastically improves job completion rates and customer satisfaction.

? HR
Live information can be used to track certain orders, the time it takes to complete orders, and the number of staff required in the organisation. Such data can be used in HR to reduce payroll errors and erroneous overtime costs.

? Finance
Field service management software can also benefit the finance team by automation of invoices. A work order can be tracked from start to the end and invoiced immediately to retain faster payments. Relevant data can be used to track revenue and expenditures, and costs.

Real-time visibility gives a company many solutions to manage the workload. In the end, visibility is also useful in increasing revenue and a smooth transition of information for the company.

Advanced Business Management

Our consultants are highly trained to provide complex management solutions and strategy planning for your business. You can count on us to improve performance and your business skills, while cutting costs.

We ensure full support in a broad range of business management areas, such as:

Business Strategy

Knowing how and when to make the right strategic move is critical to your success in today?s dynamic environment. Our Strategic Management Consultants provide solutions for a tighter integration of your vision, values, and mission statements with the strategic management process.

The result is a stronger alignment of your operating activities with your goals, and also an improved internal infrastructure to support and manage the strategic management process.

Business Process Improvements

In our years of activity, we have developed a robust process to ensure Business Process Improvements projects are implemented successfully. To achieve a positive outcome a number of factors must exist and we?ll make sure your company manages to get the right mix of: sponsorship management and commitment, process improvement goals, right motivations, cultural issues management, provision of adequate resources and funding, and availability of standards and procedures.

Performance Management

An effective performance management system integrates all aspects of the organisation from a shared vision, through a common language, and establishes a culture of accountability and results. It provides more of a holistic way of managing your organization that is more powerful than its individual parts, and without forsaking the values of the organisation.

Change Management Services

Economic downturns, fast rising new competitors, and even climate change, can force companies to scale down, engage in mergers & acquisitions, or transfer to a new location. We?ll help you through every step of the change process, from: evaluating the required change by conducting diagnostics such as change complexity, causal, structural, and context analysis, managing stakeholders including your sponsors, top executives, managers, and personnel, planning for the change, and managing the change process itself.

Project Management

Whether you need help for a single project or much more, we’ve got you covered. With us you get a coordinated, presence-of-mind approach to project management that will point all of your projects to an overall strategic direction, no matter how complex or simple these might be. Our services incorporate all project-related activities including: programme management, project risk management, project review and audit, project rescue, and project governance.

Interim Management

Our resources have an MBA and/or professional accounting qualifications with an average of 10 ? 30 years of progressive work experience with public companies, in complex private equity environments, and/or privately-held middle market companies. We not only offer the most highly qualified project / interim resources to our clients, but we also allow for an interim-to-hire provision in our contracts.

It has proved mutually beneficial to our consultants and clients to have the option for longer term employment opportunities after having worked together on a project / interim basis.

How to Reduce Costs when Complying with SOX 404

Section 404 contains the most onerous and most costly requirements you’ll ever encounter in the Sarbanes-Oxley Act (SOX). In this article, we?ll take a closer look at the salient points of this contentious piece of legislation as it relates to IT. We?ll also explain why companies are encountering difficulties in complying with it.

Then as soon as we’ve tackled the main issues of this section and identify the pitfalls of compliance, we can then proceed with a discussion of what successful CIOs have done to eliminate those difficulties and consequently bring down their organisation’s IT compliance costs. From this post, you can glean insights that can help you plan a cost-effective way of achieving IT compliance with SOX.

SOX 404 in a nutshell

Section 404 of the Sarbanes-Oxley Act, entitled Management Assessment of Internal Controls, requires public companies covered by the Act to submit an annual report featuring an assessment of their company?s internal controls.

This ?internal control report? should state management’s responsibility in establishing/maintaining an adequate structure and a set of procedures for internal control over your company?s financial reporting processes. It should also contain an assessment of the effectiveness of those controls as of the end of your most recent fiscal year.

Because SOX also requires the public accounting firm that conducts your audit reports to attest to and report on your assessments, you can’t just make baseless claims regarding the effectiveness of your internal controls. As a matter of fact, you are mandated by both SEC and PCAOB to follow widely accepted control frameworks like COSO and COBIT. This framework will serve as a uniform guide for the internal controls you set up, the assessments you arrive at, and the attestation your external auditor reports on.

Why compliance of Section 404 is costly

Regardless which of the widely acceptable control frameworks you end up using, you will always be asked to document and test your controls. These activities can consume a considerable amount of man-hours and bring about additional expenses. Even the mere act of studying the control framework and figuring out how to align your current practices with it can be very tricky and can consume precious time; time that can be used for more productive endeavours.

Of course, there are exceptions. An organisation with highly centralised operations can experience relative ease and low costs while implementing SOX 404. But if your organisation follows a largely decentralised operation model, e.g. if you still make extensive use of spreadsheets in all your offices, then you’ll surely encounter many obstacles.

According to one survey conducted by FEI (Financial Executives International), an organisation that carried out a series of SOX-compliance-related surveys since the first year of SOX adoption, respondents with centralised operations enjoyed lower costs of compliance compared to those with decentralised operations. For example, in 2007, those with decentralised operations spent 30.1 % more for compliance than those with centralised operations.

The main reason for this disparity lies in the disorganised and complicated nature of spreadsheet systems.

Read why spreadsheets post a burden when complying with SOX and other regulations.

Unfortunately, a large number of companies still rely heavily on spreadsheets. Even those with expensive BI (Business Intelligence) systems still use spreadsheets as an ad-hoc tool for data processing and reporting.

Because compliance with Section 404 involves a significant amount of fixed costs, smaller companies tend to feel the impact more. This has been highlighted in the ?Final Report of the Advisory Committee on Smaller Public Companies? published on April 23, 2006. In that report, which can be downloaded from the official website of the US Securities and Exchange Commission, it was shown that:

Companies with over $5 Billion revenues spent only about 0.06% of revenues on Section 404 implementation
Companies with revenues between $1B – $4.9B spent about 0.16%
Companies with revenues between $500M – $999M spent about 0.27%
Companies with revenues between $100M – $499M spent about 0.53%
Companies with revenues less than $100M spent a whopping 2.55% on Section 404

Therefore, not only can you discern a relationship between the size of a company and the amount that the company ends up spending for SOX 404 relative to its revenues, but you can also clearly see that the unfavourable impact of Section 404 spending is considerably more pronounced in the smallest companies. Hence, the smaller the company is, the more crucial it is for that company to find ways that can bring down the costs of Section 404 implementation.

How to alleviate costs of section 404

If you recall the FEI survey mentioned earlier, it was shown that organisations with decentralised operations usually ended up spending more for SOX 404 implementation than those that had a more centralized model. Then in the ?Final Report of the Advisory Committee on Smaller Public Companies?, it was also shown that public companies with the smallest revenues suffered a similar fate.

Can we draw a line connecting those two? Does it simply mean that large spending on SOX affects two sets of companies, i.e., those that have decentralised operations and those that are small? Or can there be an even deeper implication? Might it not be possible that these two sets are actually one and the same?

From our experience, small companies are less inclined to spend on server based solutions compared to the big ones. As a result, it is within this group of small companies where you can find a proliferation of spreadsheet systems. In other words, small companies are more likely to follow a decentralised model. Spreadsheets were not designed to implement strict control features, so if you want to apply a control framework on a spreadsheet-based system, it won’t be easy.

For example, how are you going to conduct testing on every single spreadsheet cell that plays a role in financial reporting when the spreadsheets involved in the financial reporting process are distributed across different workstations in different offices in an organisation with a countrywide operation?

It’s really not a trivial problem.

Based on the FEI survey however, the big companies have already found a solution – employing a server-based system.

Typical server based systems, which of course espouse a centralised model, already come with built-in controls. If you need to modify or add more controls, then you can do so with relative ease because practically everything you need to do can be carried out in just one place.

For instance, if you need to implement high availability or perform backups, you can easily apply redundancy in a cost-effective way – e.g. through virtualisation – if you already have a server-based system. Aside from cost-savings in SOX 404 implementation, server-based systems also offer a host of other benefits. Click that link to learn more.

Not sure how to get started on a cost-effective IT compliance initiative for SOX? You might want to read our post How To Get Started With Your IT Compliance Efforts for SOX.?