How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Align IT Investments With Organization Goals

While some organisation leaders loathe spending on IT, a growing number are already convinced of the necessity of investing in it. Unfortunately, a substantial fraction of those convinced to pursue IT investments are misguided as to which initiatives are really contributory to reaching their organisation’s goals.

In the end, many of their purchases either end up underutilised or become white elephants altogether. There are also those difficult to spot – IT purchases that do become integrated into daily operations but have little effect on the organisation’s growth, positioning, profitability, or efficiency.

If a purchase is to cost your company a fortune, then its positive impact on established company objectives should reflect accordingly. But how would you know it would? You can’t hope to foresee all its benefits especially if the IT solution is still quite new to you.

Our job is not only to identify the strengths of an IT system but also to determine whether these strengths are at all useful to your organisation’s thrusts.

Basically, here’s what we’ll do:

  • Conduct a rigorous analysis of your organisation to determine the specific and overall impact of certain IT solutions. We’ll be looking for areas where the effects of IT can result in the most rapid reduction of costs and, at the same time, drive the organisation in the direction of its established goals.
  • Propose cohesive best-of-breed solutions in line with the results of our analysis. Our familiarity with the IT landscape and our extensive selection of contacts in the industry will allow us to conduct insightful picks from a vast field of choices.
  • Establish best practices to make sure IT investments are optimally utilised.
  • Perform periodic reviews to ensure practices and processes are still in line with the established goals.

Find out how we can increase your efficiency even more:

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Understanding Carbon Emissions

Carbon emission is one of the hottest issues in the world of energy and environment today. While it is supposedly an essential component of the ecosystem, it has already become a large contributing factor to climate change. Carbon emission might be good but abuse of this natural process has made it harmful to people across the globe.

This series of articles aims to help people understand the intricacies of carbon emission and what society can do to efficiently manage this natural occurrence.

Natural Carbon Cycle

Two important elements in the carbon cycle are carbon, which is present in every living thing all over the world; and oxygen, which is found in the air that people breathe. When these two bond together, they create a colourless and odourless greenhouse gas known as carbon dioxide, which is then crucial to trapping infrared radiation heat in the atmosphere and also for weathering rocks.

Carbon is not only found in the atmosphere of the earth. It is also an element found in oceans, plants, coal deposits, oil and natural gas from deep down the earth?s core. Through the carbon cycle, carbon moves naturally from one portion of the earth to another. Looking at this scenario, one can see that the natural carbon cycle is a healthy way to release carbon dioxide into the air in order to be absorbed again by trees and plants.

Altered Carbon Cycle

The natural circulation of carbon among the atmosphere is vital to humankind. However, studies show that humans misuse this natural cycle and abuse it instead. Whenever people burn fossil fuels such as coal, oil and natural gas, they produce carbon dioxide ? which is an excess addition to the natural flow of carbon in the environment. The problem is that the release of carbon dioxide is much more than what plants and trees can re-absorb. People are not only adding CO2 to the atmosphere, they are also influencing the ability of natural sinks, such as forests, to remove it from the atmosphere. Humans alter the carbon cycle by contributing doubled or tripled greenhouse gas to the atmosphere, faster than nature can ever eliminate. Worst, nature?s balance is destroyed.

The Result

Greenhouse gases include carbon dioxide, methane, nitrous oxide, fluorinated gas and other gases. Although these gasses contribute to climate change, carbon dioxide is the largest greenhouse gas that humans emit. The reason why people talk about carbon emissions most, is because we produce more carbon dioxide than any other greenhouse gas.

The increasing amount of carbon emissions cause global warming to become more evident. All the extra carbon dioxide causes the earth?s overall temperature to rise as well. As the temperature increases, climate also changes unpredictably. Flood, droughts, heat waves and hurricanes are now widely experienced even in places where these phenomenon never used to happen.

To be able to reduce the risk of more severe weather conditions means burning less fossil fuels and shifting more to renewable sources. This is never easy. But, definitely, it’s worth a try.

Directions Hadoop is Moving In

Hadoop is a data system so big it is like a virtual jumbo where your PC is a flea. One of the developers named it after his kid?s toy elephant so there is no complicated acronym to stumble over. The system is actually conceptually simple. It has loads of storage capacity and an unusual way of processing data. It does not wait for big files to report in to its software. Instead, it takes the processing system to the data.

The next question is what to do with Hadoop. Perhaps the question would be better expressed as, what can we do with a wonderful opportunity that we could not do before. Certainly, Hadoop is not for storing videos when your laptop starts complaining. The interfaces are clumsy and Hadoop belongs in the realm of large organisations that have the money. Here are two examples to illustrate the point.

Hadoop in Healthcare

In the U.S., healthcare generates more than 150 gigabytes of data annually. Within this data there are important clues that online training provider DeZyre believes could lead to these solutions:

  • Personalised cancer treatments that relate to how individual genomes cause the disease to mutate uniquely
  • Intelligent online analysis of life signs (blood pressure, heart beat, breathing) in remote children?s hospitals treating multiple victims of catastrophes
  • Mining of patient information from health records, financial status and payroll data to understand how these variables impact on patient health
  • Understanding trends in healthcare claims to empower hospitals and health insurers to increase their competitive advantages.
  • New ways to prevent health insurance fraud by correlating it with claims histories, attorney costs and call centre notes.

Hadoop in Retail

The retail industry also generates a vast amount of data, due to consumer volumes and multiple touch points in the delivery funnel. Skillspeed business trainers report the following emerging trends:

  • Tracing individual consumers along the marketing trail to determine individual patterns for different demographics and understand consumers better.
  • Obtaining access to aggregated consumer feedback regarding advertising campaigns, product launches, competitor tactics and so on.
  • Staying with individual consumers as they move through retail outlets and personalising their experience by delivering contextual messages.
  • Understanding the routes that virtual shoppers follow, and adding handy popups with useful hints and tips to encourage them on.
  • Detecting trends in consumer preferences in order to forecast next season sales and stock up or down accordingly.

Where to From Here?

Big data mining is akin to deep space research in that we are exploring fresh frontiers and discovering new worlds of information. The future is as broad as our imagination.?

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today