How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Operational Efficiency Initiatives

When was the last time you checked your technology spending against your IT infrastructure’s contribution to the bottom line?

Chances are, what’s happening underneath all those automated processes, expensive hardware, and fancy graphical user interfaces is not doing your bottom line any good.

If you don’t keep a watchful eye, your IT operations can easily nurture a lot of wastage and unnecessary costs. Underutilised servers, duplicate processes, poorly managed bandwidths, and too much complexity are among the common culprits.

For minor problems, we can eliminate wastage by setting up some technology enhancements, instilling best practices, and performing a few tweaks. However, if you’re not adequately trained on how to go about with it, your band-aid solutions can add more complexity to the mix.

Of course, there will always come a time when you will have to spend on new technologies to maintain the overall efficiency of your IT infrastructure. Whether you intend to purchase new hardware or software applications or build an entirely new infrastructure, the sheer cost of such undertakings warrants seeking expert advice.

Failure to do so can result in fragmented resources lacking in cohesiveness, which don’t contribute to efficiency at all.

Our solutions for improving operational efficiencies cover the entire spectrum: from planning what to buy, optimising what you’ve already bought, to making your team comfortable with them all. Please find time to view our solutions below and uncover ways to drive those profits up even as you work within your budget.

 

More Operational Review Blogs

 

Carrying out an Operational Review

 

Operational Reviews

 

Operational Efficiency Initiatives

 

Operational Review Defined

 

2015 ESOS Guidelines Chapter 6 – Role of Lead Assessor

The primary role of the lead assessor is to make sure the enterprise?s assessment meets ESOS requirements. Their contribution is mandatory, with the only exception being where 100% of energy consumption received attention in an ISO 50001 that forms the basis of the ESOS report.

How to Find a Lead Assessor

An enterprise subject to ESOS must negotiate with a lead assessor with the necessary specialisms from one of the panels approved by the UK government. This can be a person within the organisation or an third party. If independent, then only one director of the enterprise need countersign the assessment report. If an employee, then two signatures are necessary. Before reaching a decision, consider

  • Whether the person has auditing experience in the sector
  • Whether they are familiar with the technology and the processes
  • Whether they have experience of auditing against a standard

The choice rests on the enterprise itself. The lead assessor performs the appointed role.

The Lead Assessor?s Role

The Lead Assessor?s main job is reviewing an ESOS assessment prepared by others against the standard, and deciding whether it meets the requirements. They may also contribute towards it. Typically their role includes:

  • Checking the calculation for total energy consumption across the entire enterprise
  • Reviewing the process whereby the 90% areas of significant consumption were identified
  • Confirming that certifications are in place for all alternate routes to compliance chosen
  • Checking that the audit reports meet the minimum criteria laid down by the ESOS system

Note: A lead assessor may partly prepare the assessment themselves, or simply verify that others did it correctly.

In the former instance a lead assessor might

  • Determine energy use profiles
  • Identify savings opportunities
  • Calculate savings measures
  • Present audit findings
  • Determine future methodology
  • Define sampling methods
  • Develop audit timetables
  • Establish site visit programs
  • Assemble ESOS information pack

Core Enterprise Responsibilities

The enterprise cannot absolve itself from responsibility for good governance. Accordingly, it remains liable for

  • Ensuring compliance with ESOS requirements
  • Selecting and appointing the lead assessor
  • Drawing attention to previous audit work
  • Agreeing with what the lead assessor does
  • Requesting directors to sign the assessment

The Environment Agency does not provide assessment templates as it believes this reduces the administrative burden on the enterprises it serves.

Spend more to reduce costs?

It is becoming increasingly important to not to analyse energy consumption for all utility types, be it electricity, gas, water, heat, renewables, oil etc. The bottom line is both operational efficiency and utility costs monitoring. In the long run, these are management strategies designed to drive energy costs downwards as a continuous improvement cycle and as a measure of reducing carbon emissions.

It is also getting increasingly easier for organisations reduce energy use and achieve this goal using technology without having to “remember” to do it yourself. Organisations can never go wrong by investing in energy management software. There are varied software options to choose from depending on the organisational objective.
Some of the energy management objectives that organisations may need to meet are:

? Establishing baseline energy use

? Carrying out Energy audits

? Monitoring and measuring energy performance against the energy policies of an organisation and objectives

? Achieving energy certification
Energy management software?s come in handy when an organization wishes to achieve either of the above objectives.

Use of energy management software?s also assists organisations in measurement and verification of energy consumption as well as Monitoring and Targeting. Measurement and verification is where a company quantifies energy consumption beforehand (baseline energy use) and after energy consumption measurements are implemented in order to verify and report on the level of savings actually achieved.

Organisations that wish to verify the energy savings achieved by building retrofits can use energy management software?s. This is an important objective for companies that wish to either satisfy internal financial accounting and reporting requirements, or to meet the terms of third-party contracts for project implementation and management. Monitoring and targeting is also made easier by use of software. This is critical as a management technique, regardless of whether an organisation has specific facility retrofits in order to keep operations efficient and to monitor utility costs.
Overall, an investment in energy management software, is worthwhile in the achievement of management strategies designed to drive energy costs downwards as a continuous improvement cycle.

Ready to work with Denizon?

Contact Us Today