How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Saving Energy Step 5 – Bringing it together

We hope you have been enjoying our series of short posts regarding saving energy, so what we use we can sustain. We have tried to make a dry subject interesting. After you read this post please comment, and tell us how it went. We are in the environment together. As the man who wrote ?No Man is an Island? said, ?if a clod be washed away somewhere by the sea, Europe is the less? and Europe was his entire world.

The 4 Steps we wrote about previously have a multiplier effect when we harness them together

  1. Having a management system diffuses office politics and pins accountability in a way that not even a worm could wriggle
  2. This defines the boundaries for senior managers and empowers them to implement practical improvements with confidence
  3. The results feed back into lower energy bills: this convinces the organisation that more is possible
  4. This dream filters through all levels of the organisation, as a natural team forms to make work and home a better place.

None of this would be possible without measuring energy consumption throughout the process, converting this into meaningful analytics, and playing ?what-if? scenarios against each other to determine where to start.

The 5th Step to Energy Saving that brings the other four together can double the individual benefits as innovative power flows between them. The monetary savings are impressive and provide capital to go even further. Why not allow us to help you manage what we measure together.

ecoVaro turns your numbers into meaningful analytics, makes suggestions, and stays with you so we can quantify your savings as you make them. We should talk about this soon.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
What Kanban can do for Call Centre Response Times

When a Toyota industrial engineer named Taiichi Ohno was investigating ways to optimise production material stocks in 1953, it struck him that supermarkets already had the key. Their customers purchased food and groceries on a just-in-time basis, because they trusted continuity of supply. This enabled stores to predict demand, and ensure their suppliers kept the shelves full.

The Kanban system that Taiichi Ohno implemented included a labelling system. His Kanban tickets recorded details of the factory order, the delivery destination, and the process intended for the materials. Since then, Ohno?s system has helped in many other applications, especially where customer demand may be unpredictable.

Optimising Workflow in Call Centres
Optimising workflow in call centres involves aiming to have an agent pick up an incoming call within a few rings and deal with it effectively. Were this to be the case we would truly have a just-in-time business, in which operators arrived and left their stations according to customer demand. For this to be possible, we would need to standardise performance across the call centre team. Moving optimistically in that direction we would should do these three things:

  • Make our call centre operation nimble
  • Reduce the average time to handle calls
  • Decide an average time to answer callers

When we have done that, we are in a position to apply these norms to fluctuating call frequencies, and introduce ?kanbanned? call centre operators.

Making Call Centre Operations Nimble
The best place to start is to ask the operators and support staff what they think. Back in the 1960?s Robert Townsend of Avis Cars famously said, ?ask the people ? they know where the wheels are squeaking? and that is as true as ever.

  1. Begin by asking technical support about downtime frequencies, duration, and causes. Given the cost of labour and frustrated callers, we should have the fastest and most reliable telecoms and computer equipment we can find.
  1. Then invest in training and retraining operators, and making sure the pop-up screens are valuable, valid, and useful. They cannot do their job without this information, and it must be at least as tech-savvy as their average callers are.
  1. Finally, spruce up the call centre with more than a lick of paint to awaken a sense of enthusiasm and pride. Find time for occasional team builds and fun during breaks. Tele-operators have a difficult job. Make theirs fun!

Reducing Average Time to Handle Calls
Average length of contact is probably our most important metric. We should beware of shortening this at the cost of quality of interaction. To calculate it, use this formula:

Total Work Time + Total Hold Time + Total Post Call Time

Divided By

Total Calls Handled in that Period

Share recordings of great calls that highlight how your best operators work. Encourage role-play during training sessions so people learn by doing. Publish your average call-handling time statistics. Encourage individual operators to track how they are doing against these numbers. Make sure your customer information is up to date. While they must confirm core data, limit this so your operators can get down to their job sooner.

Decide a Target Time to Answer Calls
You should know what is possible in a matter of a few weeks. Do not attempt to go too tight on this one. It is better to build in say 10% slack that you can always trim in future. Once you have decided this, you can implement your Kanban system.

Introducing Kanban in Your Call Centre Operation
Monitor your rate of incoming calls through your contact centre, and adjust your operator-demand metric on an ongoing basis. Use this to calculate your over / under demand factor. Every operator should know the value on this Kanban ticket. It will tell them whether to speed up a little, or slow down a bit so they deliver the effort the call rate demands. It will also advise the supervisor when to call up reserves.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
IT Systems Implementation

Are you ready to find out how your newly accepted IT system fares in the real world? Although a rigorous Acceptance testing process can spot a wide spectrum of flaws in a newly constructed IT system, there is no way it can identify all possible defects. The moment the IT system is delivered into the hands of actual end users and other stakeholders, it is effectively stepping out of a controlled and secure environment.

Thus, it is during this phase wherein issues having direct impact on the business can arise.

It is our duty to ensure that the Systems Implementation phase is carried out as thoroughly, professionally, and efficiently as possible.

Thoroughly, because we need to include all relevant data and other deliverables, eliminate hard-to-detect miscalculated results, and substantially reduce the probability of business and mission critical issues popping up in the future;

Professionally, because it is the best way to address the sensitive process of turning over a new system to users who have gotten used to the old one;

And efficiently, because we want to minimise the duration over which all stakeholders have to adapt to the new system and allow them to move on to the process of growing the business.

Preparation

Louis Pasteur once said, “Luck favours the mind that is prepared.”

While we certainly won’t leave anything to chance, we do put substantial weight on the Preparation stage of Systems Implementation. We’re so confident with the strategies we employ in Preparation, that we can assure you of an utterly seamless Deployment and Transition phase.

By this we mean that issues that may arise during Deployment and Transition will be handled smoothly and efficiently because your people will know exactly what to do.

Here’s how we will prepare your organisation for Deployment:

  • Identify all key players for the Systems Implementation phase and orient them on their specific roles. We’ll make sure they know what possible hitches may come their way and how to deal with them.
  • Identify all end users and their corresponding functions, then assign appropriate access rights.
  • Draw multi-layered contingency plans to capture and address each possible concern that may crop up during Deployment.
  • Prepare a systematic step-by-step procedure and checklist for the entire Deployment stage. Both of them should have been copied from a similar procedure and checklist used in the Acceptance testing phase.
  • Make all stakeholders understand the conditions required before Deployment can commence.
  • Set the appropriate environment so that all stakeholders know what to expect and when to expect them the moment Deployment commences.
  • Prepare Technical Services and Technical Support personnel for the gruelling mission ahead.
  • Make sure all communication processes are well coordinated so that everyone affected will know who to contact and how to get in touch with them when a problem arises.
  • Plan and schedule training sessions so that they can be conducted “just in time”. Training sessions conducted way ahead of Deployment are often useless because the trainees tend to forget about what they learned when the time comes to apply them. Similarly, training sessions conducted way after Deployment also become useless because trainees are seldom able to internalise instructions delivered during crash courses.

Deployment

There are two sets of issues to keep an eye on during Deployment:

  1. Issues directly related to the technology itself, e.g. application functionality and data integrity, and
  2. Issues emanating from the end users, i.e., their unwillingness to use the new system. One reason may be because they find the interface and procedures too confusing. Another would be due to other inconveniences that come with adapting to a new set of procedures.

Despite all the meticulous scrutiny employed during Acceptance testing, there are just some problems that are made obvious only during Deployment. Issues belonging to the first set are dealt with easily because of the plans and procedures we put in place during the Preparation stage. As an added measure, our team will be on hand to make sure contingency plans are executed accordingly.

While the second set of issues is often neglected by many IT consultancy companies, we choose to meet it head on.

We fully understand that end users are most sensitive to the major changes that accompany a new system. It is precisely for this reason why our training activities during Deployment are designed not only to educate them but also to make them fully appreciate the necessity of both the new system and the familiarisation phase they will need to go through.

The faster we can bring your end users to accept the new system, the faster they can refocus on your company’s business objectives.

Here’s what we’ll do to guarantee the smoothest Deployment process you’ve ever experienced.

  • Employ the procedure and checklist formulated during the Preparation stage.
  • Ensure all end users are well acquainted with any additional tasks they would need to perform (e.g. filling up manual logs).
  • Assess which legacy systems can still be used alongside the new technology and which ones have to be retired.
  • Supervise the installation and optimal configuration of all supporting hardware and software to make sure the likelihood of errors originating from them are brought to near-zero levels.
  • Supervise the installation and optimal configuration of the products themselves.
  • Carry out data migration tasks if necessary.
  • Organise and oversee parallel runs to check for data and report inconsistencies.
  • Conduct training sessions in a professional and well-timed manner to eliminate end-users’ feelings of agitation and to take advantage of memory absorption and retention duration as with regards to their assigned duties and responsibilities.

Transition

Do you often feel uneasy whenever the reins to a newly purchased IT system are handed over to you? Perhaps there are some issues that you feel haven’t been fully settled but, at the same time, find it too late to back out, having already invested so much time and resources.

Alright, so maybe the thought of “backing up” never crossed your mind. However, the concern of being “not yet ready” is raised by many organisations towards the tail end of most Deployment stages. This usually drags the Deployment stage into a never-ending process.

Our team of highly experienced specialists will make sure you reach this point with utmost confidence to proceed on your own.

To wrap up our comprehensive IT Systems Implementation offering, we’ll take charge of the following:

  • Verify that all deliverables, including training materials and other technical documentation, are accomplished and expected outcomes are realised.
  • Make sure all technical documentation are placed in a secure and accessible location.
  • Institute best practices to ensure the IT system becomes fully utilised and to reduce its exposure to avoidable risks.
  • Establish open communication lines with the Technical Support team to enable quick resolution of issues.
  • Ensure complete knowledge transfer has been fully achieved so that your people will spend less time calling Technical Support and more on operations contributory to business growth.

Ready to work with Denizon?

Contact Us Today