How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Top 3 reasons to get into Multi-Channel Retail

Multi-channel retail, which nowadays understandably includes online channels, is something you just have to do this year. Every single day you put off doing it, the competition gobbles up market share that should have been yours. There are a number of reasons why even successful retailers are now going into multi-channel retailing. Here?s three of the most important ones.

1. You’ll get a BIG jump in sales

Not counting this year, which could be getting a big boost from major activities like the Queen?s Diamond Jubilee and the 2012 Olympics, sales of UK retailers have been experiencing tremendous growth particularly from their online channels. Already two years ago (2010), a number of UK retailers boasted significant increases in sales as a result of multi-channel retail initiatives. These retailers included:

  • Argos, which got a whopping ?1.9bn from multichannel sales back then;
  • House of Fraser, which reported a 150% jump in its online sales in just 6 months; and
  • Debenhams, whose profits rose by 20%

There were many others. Now, the reason I?m showing you 2010 figures is because online retail sales increased by 14% in 2011 and those same businesses still added to that growth. So, if only you had enough foresight and started expanding your business to the Web two years ago, you could just imagine what your sales would have been today.

The good news is that, it’s not yet too late if you start now. Here?s why…

2. Those numbers are going to keep on growing

We’re getting all sorts of predictions from leading researchers regarding the possible growth of the Internet economy. All these predictions have one thing in common. They all have a positive outlook. The Boston Consulting Group (BCG), for instance, predicts an average growth of no less than 10% per year in the G-20 nations.

3. Most online retailers aren’t doing it right yet

Although many retailers have already started bringing their business to the Web, most of them are doing it the wrong way. For example, many of them fail to integrate their offline and online channels. This is a serious shortcoming because it leads to customer dissatisfaction.

When a customer goes to your website and sees something he likes, you wouldn’t want him to drive all the way to your store only to find out that the item isn’t available there or, if the item is there, that it isn’t priced as he expected. The lack of multi-channel integration is very common among multi-channel retailers.

These inadequacies are actually good news because it means there are still many areas you can improve on. After improving on them, you can then highlight those areas as your key differentiators.

If you’re still looking for more reasons on why you should go into multi-channel retailing, read this post:

5 Numbers Showing Why the Time to Invest on eCommerce in the UK is Now

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
2015 ESOS Guidelines Chapter 1 ? Who Qualifies

The base criteria are any UK undertaking that employs more than 250 people and/or has a turnover in excess of ?50 million and/or has a balance sheet total greater than ?43 million. There is little point in attempting to separate off high polluting areas. If one corporate group qualifies for ESOS, then all the others are obligated to take part too. The sterling equivalents of ?38,937,777 and ?33,486,489 were set on 31 December 2014 and apply to the first compliance period.

Representatives of Overseas Entities

UK registered branches of foreign entities are treated as if fully UK owned. They also have to sign up if any overseas corporate element meets the threshold no matter where in the world. The deciding factor is common ownership throughout the ESOS system. ecoVaro appreciates this. We have seen European companies dumping pollution in under-regulated countries for far too long.

Generic Undertakings that Could Comply

The common factor is energy consumption and the organisation’s type of work is irrelevant. The Environmental Agency has provided the following generic checklist of undertakings that could qualify:

Limited Companies Public Companies Trusts
Partnerships Private Equity Companies Limited Liability Partnerships
Unincorporated Associations Not-for-Profit Bodies Universities (Per Funding)

Organisations Close to Thresholds

Organisations that come close to, but do not quite meet the qualification threshold should cast their minds back to previous accounting periods, because ESOS considers current and previous years. The exact wording in the regulations states:

?Where, in any accounting period, an undertaking is a large undertaking (or a small or medium undertaking, as the case may be), it retains that status until it falls within the definition of a small or medium undertaking (or a large undertaking, as the case may be) for two consecutive accounting periods.?

Considering the ?50,000 penalty for not completing an assessment or making a false or misleading statement, it makes good sense for close misses to comply.

Joint Ventures and Participative Undertakings

If one element of a UK group qualifies for ESOS, then the others must follow suit with the highest one carrying responsibility. Franchisees are independent undertakings although they may collectively agree to participate. If trusts receive energy from a third party that must do an ESOS, then so must they. Private equity firms and private finance initiatives receive the same treatment as other enterprises. De-aggregations must be in writing following which separated ESOS accountability applies.

How Bombardier Inc. scored a Bulls Eye

When travelling anywhere in the world on land, sea or air, chances are, you will travel courtesy of something made by aerospace and transportation company Bombardier based in Montreal, Canada. In 2009, it set itself the goal of carbon neutrality by 2020. In other words, it hoped to remove as much carbon dioxide from the atmosphere as it was putting in.

By 2012, Bombardier concluded it was not going to become carbon neutral by 2020 at its current rate of progress. It discounted purchasing carbon offsets because it believed it would serve its interests better by introducing new energy-saving products to market faster. That way, it would achieve its objectives vicariously through the decisions of its customers. But that was not all that forward-thinking Bombardier did. It also set itself the following inward-facing objectives:

  • Reduce carbon footprint through efficient use of energy and less emissions
  • Involve the Bombardier workforce to raise awareness of behaving responsibly
  • Implement sustainable initiatives to further reduce the company carbon footprint

Specific Examples

At its Wichita site, Bombardier (a) fitted a white roof and insulation reducing summer energy consumption by 40%, (b) added an energy recovery wheel to balance air circulation, and (c) introduced skylights with integrated controllers to lower energy consumption by lighting.

At Mirabel, it enhanced the flue-gas management system by adding a pressure differential damper.

At Belfast, Bombardier (a) optimised HVAC systems to reduce pressure on chilling and air-handling plants, (b) installed solar panels on the roof, and (c) obtained approval for a waste-to-energy plant that will convert 120,000 tonnes of non-recyclable waste material annually.

By the end of 2013, Bombardier had already beaten its immediate targets by:

  • Reducing energy consumption by 11% against 2009
  • Reducing greenhouse gas emission by 23% against 2009
  • Reducing water consumption by 6% against 2012

Future Plans

Bombardier will never stop striving to reach its goal of carbon neutrality by 2020. It has a number of other projects in the pipeline waiting for scarce resources to fund them. During 2014, it continued with energy efficient upgrades at its French, Hungarian, Polish, Swiss, and UK plants.

These include consumption monitoring systems, LEDs for workshop lighting, new heating systems, and outdoor energy-saving tower lighting. The monitoring is important because it helps Bombardier focus effort, and provides measured proof of progress.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today