How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

EU Energy Efficiency Directive & UK?s ESOS

In 2012 the European Union passed its EU Energy Efficiency Directive (EED) into law. This aims to reduce overall energy consumption by 20% by 2020. It placed an obligation on member states to pass back-to-back local legislation by June 2014.

EED Guidelines

The EED provides specific guidelines it expects member nations to address. The list is long and here are a few excerpts from it:

  • Large companies must use energy audits to identify ways to cut their energy consumption
  • Small and medium companies must be incentivised to voluntarily take similar steps
  • Public sector bodies must purchase energy-efficient buildings, products and services
  • Private energy-consumers must be empowered with information to help manage demand
  • Energy distributors / resellers must cut their own consumption by 1.5% annually
  • Legislators are free to substitute green building technology e.g. through better insulation
  • Every year, European governments must audit 3% of the buildings they own

Definition of Energy Audit

An energy-consumption audit is a question of measuring demand throughout a supply grid, with particular attention to individual modules and high demand equipment. While this could be an exercise repeated every four years to satisfy ESOS, it makes more sense to incorporate it into the monthly energy billing cycle.

Because energy use is not consistent but varies according to production cycle, this can produce reams of printouts designed to frustrate busy managers. ecoVaro offers an inexpensive, cloud-based analytic service that effortlessly accepts client data and returns it in the form of high-level graphic summaries.

Potential ESOS Beneficiaries

As many as 9,000 UK companies are obligated to do energy audits because they employ more than 250 employees, have a balance sheet total over ?36.5m or an annual turnover in excess of ?42m. Any smaller enterprise that finds energy a significant input cost, should also consider enlisting Ecovaro to help it to:

  • Obtain a better understanding of the energy side of their business
  • Achieve energy savings and share in a estimated ?3bn bonanza to 2030
  • Reduce carbon emissions to help meet their CRC commitments

More About ecoVaro

We offer web-based energy management software that helps you measure and manage energy costs. This strips data from your meters and generates personalised reports on a dashboard you control. This information helps you accurately zoom in on worthwhile opportunities. With Ecovaro on your side, ESOS truly becomes an Energy Saving OPPORTUNITY Scheme.

The Future is Smarter with a Smart Meter

Traditionally, electricity and water meter consumption was measured via analogue meters. Utility billing was based on actual consumption units obtained from the meter by meter readers. This entailed physical visits to the metering point. Lots of challenges came with meter reading; talk of customers feeling their privacy is intruded, meter readers encountering hostile customers, dogs, closed gates. The result was estimated bills that were most often than not very high.

Smart meters can be dubbed as the ?next generation? type of meters. Smart meters send wireless electronic meter readings to one?s energy supplier automatically. There are both gas smart meters and electricity smart meters. Smart meters come with in-home displays, which give someone real-time feedback on their energy usage and the associated cost.

Smart meters communicate meter readings directly to utility companies therefore no one has to come to your home to read your meter; and neither are you required to submit meter readings yourself. This not only reduces costs, but leads to more accurate electricity bills practically eliminating estimated bills. Smart meters signal the end of estimated bills, and the end of overpaying or underpaying for energy.

Whereas a smart meter in itself does not save you money, the add-ons (in-home displays) that come with the smart meters and which give someone real-time feedback on their energy usage helps them to reduce the unnecessary energy use and this ultimately leads to better oversight into how to lower utility bills hence better management of one?s energy use.

In summary, a smart meter is a technology that enables energy consumers to see their energy as they use it, a technology where energy is displayed as it is being used and wireless ratings sent. Adoption of smart meters would mean the end of estimated energy bills.

Smart meters are also promising a smart future where all energy consuming devices can be connected to the internet and centrally controlled using computers or smartphones. This means one is able to switch off lights and other energy consuming devices from a central point, hence make savings and this will enable them to have greater control of their energy use, hence more comfort, convenience and life will be cheaper for all. This is the smarter future we are all looking forward to.

How Armstrong World Industries is going Cradle-to-Cradle

The Cradle-to-Cradle concept holds that human effort must be biometric, in other words enrich the environment within which it functions as opposed to breaking it down. This means manufacturing must be holistic in the sense that everything is reusable and nothing is destroyed. Armstrong World Industries was the first global mineral ceiling tile manufacturer to achieve Cradle-to-Cradle certification. We decided to take a closer look at how they achieved this.

Armstrong Worldwide Industries has five plants in the UK alone. These produce an annual turnover of ?2.7 billion. They have been making ceilings for more than 150 years. Fifteen years ago and way ahead of the curve it started recycling, and has maintained a policy of not charging contractors for waste ever since. Along the way, it developed a product that can be re-used indefinitely.

The Challenge

Going green must also be commercially sustainable. In Armstrong?s case, it faced a rise in landfill tax from ?8 per tonne per year to ?80 per tonne per year. This turned the financial cost of waste from a nuisance to a threat. It calculated that recycling one tonne of ceiling materials would:

  • Eliminate 456kg of CO2 equivalents by saving 1,390 kWh of electricity
  • Preserve 11 tons of virgin material and save 1,892 gallons of potable water

They hoped to extend their own recycling project by asking demolition and strip-out contractors to join it, so they could reprocess their scrap as new batches of tiles too.

The Achievement

As things stand today, an Armstrong ceiling tile now contains an average of 82% recycled content. Indeed, if they could find more ceilings to recycle this could reach 100%. In the past two years alone, Armstrong Worldwide Industries UK has saved 130,399m? of greenfield from landfill, being the equivalent of 520 skips that would otherwise have cost contractors over ?88,000 to dispose of.

The Broader Context

Armstrong Worldwide Industries is a global leader in water management, and is bent on minimising its reliance on fossil for energy. It has implemented online measurement systems that feed data to its corporate environmental, health and safety system. This empowers it to produce reports, track corrective actions and measure progress towards its overall goal of being carbon neutral.

Next time you sit beneath an Armstrong Worldwide Industries panelled ceiling, spare a thought for how much ecoVaro consumption analytics could contribute to your bottom line (and how it would feel to be lighter on carbon too).

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today