How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Reduce Cost and Improve Productivity

Whether the economy is in a downturn or not, management will always aim for a more cost effective IT solution. If your current IT infrastructure is hurting your profitability, our expertise is both ‘tested and proven”.? Also “bleeding edge” solutions in the industry will enable us to find inexpensive alternatives for you.

For instance, have you started to wonder whether having a constantly growing number of servers, many of which are underutilised, is really the norm? Well, that used to be the case. However, with the advent of virtualisation and replication, that expensive exercise is steadily becoming a thing of the past.

By implementing solutions powered by these two technologies, organisations can now manage excess storage capacities and hardware resources by performing simpler processes at lesser costs. In addition to that, using the same pair of technologies, companies can also decrease the downtime suffered during maintenance and upgrades.

Thus, at the end of the day, not only do companies stand to reduce expenditures, they can also boost revenues as a result of increased productivity time.

Do we still have other IT solutions that tackle a different set of problems but arrive at the same outcome, i.e. reduced costs + improved productivity = higher profits? You bet we do.

Basically, this is how we’ll help your company arrive at the same winning formula:

  • Provide insights as to where and when changes have to be made. Oftentimes, initiatives to reduce cost and improve productivity are not preceded by the appropriate study especially as with regards to their impact on all departments in the organisation. This usually results in unnecessary duplication of resources, a sure way to increase costs instead.
  • Consolidate and automate. We’ll work within your budget in finding ways to consolidate your applications, hardware, storage, databases, and processes. Then we’ll integrate automation practices to simplify management and maintenance of all these assets. This will substantially free not only your IT infrastructure but also your IT staff, giving them more opportunities to innovate.
  • Create an innovative environment. One of the benefits you gain in having room to innovate is the potential to discover new ways to drive costs even further. A fraction of your savings can then be used to develop even better IT solutions, thus creating a productive cycle: IT solutions > savings and innovation > better IT solutions. Our role is to help you harness your potentials to keep that cycle running.
  • Work to reduce carbon footprint in all your procedures. By ensuring that energy consumption is brought to a minimum in every step you take, you can rest assured that costs have only one way to go – down. Check out our Energy Management Software ecoVaro.

Find out how we can increase your efficiency even more:

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Network Security

The easiest way for an external threat to get to your private data is through your network. The easiest way to eliminate that threat? Get your data out of the network. Of course, we know you wouldn’t want to do that. We also know that while you may want to sniff every packet for anything suspicious, you wouldn’t want your network to crawl either.

That’s why we’re offering to put up the most efficient checkpoints on every route that leads into and out of your system.

So what can you expect from our brand of network security?

  • Review of your policies and processes for weaknesses – If we see a loophole, we’ll recommend modifications wherever necessary.
  • Protection for your applications and infrastructure – Since we’re familiar with both software and hardware-based protection systems, we can recommend which type is best suited for your setup.
  • Automated identification of business and mission critical applications – They’ll be given priority in your network to ensure bandwidth allocation is optimised.
  • Automated network audits and vulnerability management – Tired of getting prompted by pesky vulnerability notices and don’t know what to do with them? Well, that’s why we’re here.
  • Customisable security reports that contain only relevant and accurate data.

We can also help you with the following:

Computer Forensics

So you had a customer data security breach last weekend? Do you know you could be held liable in court for failing to implement required security procedures? That’s right. Due to the overwhelming surge in identity theft wherein nearly 20 million Americans have already been affected, most states have enacted laws to curtail this fast rising crime. Therefore, it is important to redefine how your company deals with customer data security.

  • First, you’ll want to know what your obligations are as dictated by law. Some places, for example, require the destruction or deletion of personal data through shredding, erasing, or by rendering them undecipherable.
  • Second, not only do you need to comply with the said requirements, you’ll also have to prove in court that you actually complied if ever a security breach does happen.
  • Third, you need to be aware of your post-breach duties to avoid being dealt additional penalties.

Obviously, such situations now call for individuals who are experts in both the legal and technical aspects regarding data security. Such individuals are practitioners of a relatively new discipline known as computer forensics.

Armed with our computer forensics specialists, we’ll be able to help you deal with the above concerns. As a result, you can be prevented from having to pay fines that can go up to hundreds of thousands of euros.

There are other equally important reasons why you would want to avail of computer forensics services. For example, you’ll need computer forensics specialists because you want to:

  • Catch a person involved in criminal activities such as child porn, stealing of personal data, and destroying intellectual property.
  • Investigate a computer, network, or even a mobile device for clues that may lead to the culprit.
  • Determine the extent and possible causes when you discover your digital data has been damaged.
  • Find and recover damaged, deleted or encrypted data regardless of whether the cause was intentional or not. If the data in question will be used as evidence in a legal action, there are certain procedures that need to be followed during recovery operations to retain the integrity of the data. Computer forensic specialists are highly qualified for such operations.
  • Implement security policies in your organisation. Such policies have to operate within legal bounds if you want to avoid possible sanctions in the future. These policies should also be designed such that future forensic operations can be conducted with a high likelihood of success.

That said, a company that integrates computer forensics into its IT security policies and practices will be better equipped to remedy the situation once data security has already been compromised than a company that doesn’t.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today