How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Field service and customer transparency

These days, a business is as good as it is transparent. Businesses are on unsteady ground because of the ever changing face of social media and a never-seen-before demand for information. With many sources of info on the internet, being credible is a sure way of building trust and loyalty among clients.

Here is an example. Customers will always believe what they see. If they see the work you put into furnishing their favourite products, you have a greater chance of getting their approval. They can invest more in what they see. The clothing merchandise Patagonia did this for their Footprint Chronicles line to show how their jackets are made and worked out fine for them.
Transparency is a must. Nowadays, customers never forget when they feel cheated. It is even harder to ensure transparency because many clients are also experts who scrutinise every detail. So, how can you keep transparency at the forefront?

Have transparent workforce management

Customers always look for new information and want to be in the know. There is nothing worse than not being able find a product manual or an easy way to set up appointments. By giving your clients a self-service option, they can pick the services they want. This leaves more time to get stuff done rather than answering unending service calls from dissatisfied customers.

For instance, you could have a field service customer self-service application that allows customers to look for personalised services, a machine manual, book appointments, or solve any other problem. Customers then get feedback anytime. This one-on-one approach can help customers feel like their questions are being answered. They?ll also not go through the hassle of long hold times to reach an available customer service representative.

Create transparency in field service repair projects

If field technicians have access to field service software, it allows technicians to be more open to customers. This gives them vital information like customer history and the ERP, so that they can explain changes that were made after past enquiries and what is being done in current products. Such information can be a guide for future updates or let the techs suggest products that suit a client’s taste. Unlike always staying offline and out of touch with your client, using field service software can allow entry of allowances and mileage, and also let the customer know the delivery time for their products.

Show customers what they’re paying for

With field service automation, billing will also be transparent. By using the available information about your field service solution, the station can send updated service reports to the customer like mileage, allowances, parts, hours worked, and photos of broken parts from the service. After the customer authenticates the transaction with a signature, the field service agent can generate and sent to the customer an invoice based on the agreed upon services. In case allowances and mileage can be forwarded to the customer, it will be shown on the invoice.
Because you use field service automation, it means that the customer will receive the invoice really fast ? in days rather than weeks ? and transparency will skyrocket because the whole experience of the service will leave a permanent mark in their mind.

Mistaking information for transparency

Being honest with your customer is the one thing. Wasting their time with unnecessary information is another. Here is an experience I had with a small retailer. Tracking information is only useful if it has recent updates and is accurate. If the company want to use real time tracking, let them do so under one condition ? updates should be regular and on time so as not to leave the customer frustrated because they also make plans based on the same information. Late updates shed light on the nature of the service command. Everyone hates cooked-up real time information.

A company must not always have a one to one exchange of information with customers to maintain transparency..

  • Use simple language that all customers can understand
  • Don’t use abbreviations that only employees know
  • Never ever air your failures and flaws to your customers

It is interesting that most of the tools we use to keep in touch with our clients and servicing their requests can also be used to gather data and iron out possible errors to improve products and services. This is a good chance for service providers to evaluate and make necessary amendments.

There are some areas that will need improving while others will not, nevertheless, the client needs to always be informed and know why things are the way they are. Not all details should be told, so filter what you share.

5 ways field service supports customer service

Sales organisations are always in motion, working to deliver the right product to their customers. To keep customers smiling all times is hard and only needs close communication and fulfilling promises that were made to them. This is where the field service delivery team comes in. Field service can either meet this demand or fall short plummeting satisfaction rates.
This is a task that relies on right people using various parts and information to get the job done. No matter what, the customer always expects to get exceptional services whether it be over the phone, chats, in the field, online messaging, over email, or social media.

These five field service points are suitable for any business model and guarantee excellent company-client relations.

Proactive service

A proactive service gives more to the customer. More attention is given to the customer so that the right actions, deliveries and repairs are done. By getting everything right the first time, the customer has less to do ensuring that they are satisfied with the services.
However, the field service technician is flooded with a myriad of unpredictable situations; overheating equipment, stalled machines, and insufficient precaution. But through field management software, they get more data about the customer and type of service or parts expected and they easily ride through any storm and prevent future damage.

Transparency

Nothing frustrates a customer more than a schedule that delays repairs. They easily ditch you for better services elsewhere. By offering the customer a service where they book appointments based on their own availability, we can easily sync this to the technicians and manager?s calendar. This not only saves time but also money from otherwise idle equipment.

On-site and off-site collaboration

Having seamless communication between field and office technicians is vital. Field technicians need to know more about parts, repairs, client maintenance history, and predict what should be changed in the long run. The faster they do this the better.

There should be a system that creates and automates communication between field and office technicians. Let each have the upper hand when providing parts, products or services to the customer.

Flexibility

Information is key to field service agents. They make the first impression since they make the initial contact with clients. Regardless of the resources, the field technician must always be armed with mobile tools they will need to access online resources and be ready for any emergency.

Actionable performance improvements

Customers demand excellent service a company could offer. But as the game constantly shifts, the service management technicians must also come up with plans to stay up to par with competition. All these stems from coming up with KPIs, measuring them and turning them into a workable plan for the future.

How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

How Mid-South Metallurgical cut Energy Use by 22%

Mid-South in Murfreesboro, Tennessee operates a high-energy plant providing precision heat treatments for high-speed tools – and also metal annealing and straightening services. This was a great business to be in before the energy crisis struck. That was about the same time the 2009 recession arrived. In no time at all the market was down 30%.

Investors had a pile of capital sunk into Mid-South?s three facilities spread across 21,000 square feet (2,000 square meters) of enclosed space. Within them, a number of twenty-five horsepower compressors plus a variety of electric, vacuum and atmospheric furnaces pumped out heat 27/7, 52 weeks a year. After the company called in the U.S. Department of Energy for assistance, several possibilities presented.

Insulate the Barium Chloride Salt Baths

The barium chloride salt baths used in the heat treatment process and operating at 1600?F (870?C) were a natural choice, since they could not be cooled below 1200?F (650?C) when out of use without hardening the barium chloride and clogging up the system. The amount of energy taken to prevent this came down considerably after they covered and insulated them. The recurring annual electricity saving was $53,000.

Manage Electrical Demand & Power

The utility delivers 480 volts of power to the three plants that between them consume between 825- and 875-kilowatt hours depending on the season. Prior to the energy crisis Mid-South Metallurgical regarded this level of consumption as a given. Following on the Department of Energy survey the company replaced the laminar flow burner tips with cyclonic burner ones, and implemented a number of other modifications to enhance thermal efficiency further. The overall natural gas reduction was 20%.

Implement Large Scale Site Lighting Upgrade

The 24/7 nature of the business makes lighting costs a significant factor. Prior to the energy upgrade this came from 44 older-type 400-watt metal halide fixtures. By replacing these with 88 x 8-foot (2.5 meter) fluorescent fittings Mid-South lowered maintenance and operating costs by 52%

The Mid-South Metallurgical Trophy Cabinet

These three improvements cut energy use by 22%, reduced peak electrical demand by 21% and brought total energy costs down 18%. Mid-South continues to monitor energy consumption at each strategic point, as it continues to seek out even greater energy efficiency in conjunction with its people.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today