How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Understanding Carbon Emissions

Carbon emission is one of the hottest issues in the world of energy and environment today. While it is supposedly an essential component of the ecosystem, it has already become a large contributing factor to climate change. Carbon emission might be good but abuse of this natural process has made it harmful to people across the globe.

This series of articles aims to help people understand the intricacies of carbon emission and what society can do to efficiently manage this natural occurrence.

Natural Carbon Cycle

Two important elements in the carbon cycle are carbon, which is present in every living thing all over the world; and oxygen, which is found in the air that people breathe. When these two bond together, they create a colourless and odourless greenhouse gas known as carbon dioxide, which is then crucial to trapping infrared radiation heat in the atmosphere and also for weathering rocks.

Carbon is not only found in the atmosphere of the earth. It is also an element found in oceans, plants, coal deposits, oil and natural gas from deep down the earth?s core. Through the carbon cycle, carbon moves naturally from one portion of the earth to another. Looking at this scenario, one can see that the natural carbon cycle is a healthy way to release carbon dioxide into the air in order to be absorbed again by trees and plants.

Altered Carbon Cycle

The natural circulation of carbon among the atmosphere is vital to humankind. However, studies show that humans misuse this natural cycle and abuse it instead. Whenever people burn fossil fuels such as coal, oil and natural gas, they produce carbon dioxide ? which is an excess addition to the natural flow of carbon in the environment. The problem is that the release of carbon dioxide is much more than what plants and trees can re-absorb. People are not only adding CO2 to the atmosphere, they are also influencing the ability of natural sinks, such as forests, to remove it from the atmosphere. Humans alter the carbon cycle by contributing doubled or tripled greenhouse gas to the atmosphere, faster than nature can ever eliminate. Worst, nature?s balance is destroyed.

The Result

Greenhouse gases include carbon dioxide, methane, nitrous oxide, fluorinated gas and other gases. Although these gasses contribute to climate change, carbon dioxide is the largest greenhouse gas that humans emit. The reason why people talk about carbon emissions most, is because we produce more carbon dioxide than any other greenhouse gas.

The increasing amount of carbon emissions cause global warming to become more evident. All the extra carbon dioxide causes the earth?s overall temperature to rise as well. As the temperature increases, climate also changes unpredictably. Flood, droughts, heat waves and hurricanes are now widely experienced even in places where these phenomenon never used to happen.

To be able to reduce the risk of more severe weather conditions means burning less fossil fuels and shifting more to renewable sources. This is never easy. But, definitely, it’s worth a try.

Disaster Recovery

Because information technology is now integrated in most businesses, a business continuity plan (BCP) cannot be complete without a corresponding disaster recovery plan (DRP). While a BCP encompasses everything needed – personnel, facilities, communications, processes and IT infrastructure – for a continuous delivery of products and services, a DRP is more focused on the IT aspects of the plan.

If you’re still not sure how big an impact loss of data can have, it’s time you pondered on the survival statistics of companies that incurred data losses after getting hit by a major disaster: 46% never recovered and 51% eventually folded after only two years.

Realising how damaging data loss can be to their entire business, most large enterprises allocate no less than 2% of their IT budget to disaster recovery planning. Those with more sensitive data apportion twice more than that.

A sound disaster recovery plan is hinged on the principles of business continuity. As such, our DRP (Disaster Recovery Plan) blueprints are aimed at getting your IT system up and running in no time. Here’s what we can do for you:

  • Since the number one turn-off against BCPs and DRPs are their price tags, we’ll make a thorough and realistic assessment of possible risks to determine what specific methods need to be applied to your organisation and make sure you don’t spend more than you should.
  • Provide an option for virtualisation to enjoy substantial savings on disaster recovery costs.
  • Provide various backup options and suggest schedules and practices most suitable for your daily transactions.
  • Offer data replication to help you achieve business continuity with the shortest allowable downtime.
  • Refer to your overall BCP to determine your organisation’s critical functions, services, and products as well as their respective priority rankings to know what corresponding IT processes need to be in place first.
  • Implement IT Security to your system to reduce the risks associated with malware and hackers.
  • Introduce best practices to make future disaster recovery efforts as seamless as possible.

We can also assist you with the following:

Business Turnaround Tip for a Successful MBO Turned Awry

When you acquire a company through an MBO, your hopes are always high. You know the business more than anyone else and you’ve got too much at stake to do a sloppy job. So how could things go wrong? Well sometimes they do. And if you don’t make a quick business turnaround, you could end up losing more than just your company.

If that management buyout was financed by a bank, then chances are you were required to invest a sizeable amount from your own pockets. I won’t be surprised if you even remortgaged your house for it.

Regardless of your source of funding, whether it was a bank, a venture capitalist or through a deferred consideration, the mere thought of losing your job and getting buried in enormous debt at the same time might be too much to bear. If you get too overwhelmed by your emotions and can’t think clearly, you’ll have to step out of the driver?s seat and have someone take over.

That someone can’t be a member of the management team that took part in the management buyout. Like you, he/she might be in panic mode as well. You need someone from the outside who has no emotional attachments to the company and hence can view the crisis from a clear perspective.

Here’s what’s needed:

Review and Plan

Take a closer look at all factors affecting your business: governance and organisational structures, employees, suppliers, systems and procedures, roles and responsibilities, etc. Identify potential risks and assess the likelihood of them affecting your business.

This will give a clearer picture of cause-and-effect relationships as well as the specific tasks on hand.

Thus, when it is time to draft a plan, you can do so from a well-informed standpoint. This will enable you to target specific areas of improvement and avoid pointless activities.

Assure all stakeholders

Once a watertight plan has been formulated, you will have to approach your stakeholders. They?ll need to know what your directions are. Once they’re all sold on the plan, you could implement our strategies unimpeded.

This is a very crucial part because a sceptical stakeholder can serve as a major stumbling block in our efforts to improve the situation. You need to convince your banks, sponsors, and investors in order to avoid additional financial obstacles. You need to convince your suppliers too. If they cut off or limit supply, you won’t be able to continue doing business.

Most of all, you need to persuade your staff and employees that the proposed major changes have to be carried out in order for the company to survive. You can’t run your operations without them on board.

Redesign and set up new systems and procedures

Any company requiring a turnaround will certainly have systems and procedures that are no longer working well in the current conditions and hence would require either major changes in key areas or a total revamp. You need to study personnel roles and responsibilities as well as systems and processes, including financial and IT systems, and supervise the implementation of necessary changes.

You will need to evaluate your existing IT architecture and determine how you can best maximise what you already have and propose what you think will work more efficiently for our proposed systems and procedures. Every piece of hardware or software recommended will take into consideration your present resources. There are many solutions out there, you just need to find the best fit.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today