How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Is the GDPR Good or Bad News for Business

The European Union?s General Data Protection Act (GDPR) is a new data authority coming into force on 25 May 2018. It replaces the current Data Protection Directive 95/46/EC, while extending the remit to include the export of personal data outside the EU. It aims to give EU citizens and residents living there more control over their personal information. It also hopes to make regulatory compliance simpler for participating businesses.

The Broad Implications for Business
The GDPR puts another layer of accountability on businesses falling within its remit. It requires them to implement ?comprehensive but proportionate governance measures? including recording how they make decisions. The long-term goal is to reduce privacy infringements. In the short run, businesses without good governance may find themselves writing new policies and procedures.

Article 5 of the European Union?s General Data Protection Act lays down the following guidelines for managing personal data. This shall be ?
? Processed transparently, fairly, and lawfully
? Acquired for specific, legitimate purposes only
? Adequate, relevant and limited to essentials
? Not used for any other, incompatible purpose
? However it may be archived in the public interest
? Kept up to date with all inaccuracies corrected
? Ring-fenced when the information becomes irrelevant
? Adequately protected against unauthorised access
? Stored in a way that prevents accidental loss
Furthermore, affected businesses shall appoint a ?controller responsible for, and able to demonstrate, compliance with the principles.?

Implementing Accountability and Governance
The UK Information Commissioner?s Office has issued guidelines regarding provisions to assure governance and accountability. These are along the lines of the ?don’t tell me, show me? management approach the office has generally been following. In summary form, a business, and its controller must:
? Implement measures that assist it to ensure demonstrated compliance
? Maintain suitable, relevant records of personal data processing activities
? Appoint a dedicated data protection officer if scale makes this appropriate
? Implement technologies that ensure data protection by design
? Conduct data protection assessments and respond to results timeously

Implementing the General Data Protection Act in Ireland
The Irish Data Protection Commissioner has decided it is unnecessary to incorporate the GDPR into Irish law, since EU regulations have direct effect. The office of the Commissioner is working in tandem with data practitioners, and industry and professional bodies to raise awareness in business through 2017. It has produced a document detailing what it considers the essentials for business compliance. Briefly, these pre-requisites are:
? Ensure awareness among key personnel, and make sure they incorporate the GDPR into their planning
? Conduct an early assessment of quality management gaps, and budget for additional resources needed
? Do an audit of personal data held, to determine the origin, the necessity to hold it, and with whom shared
? Inform internal and external stakeholders of the current status, and your future plans to implement the GDPR
? Examine current procedures in the light of the new directive. Could you ?survive? a challenge from a data subject?
? Determine how you will process requests for access to the data in the future from within and outside your organization
? Assess how you currently obtain customer consent to store their data. Is this “freely given, specific, informed and unambiguous”?
? Find how you handle information from underage people. Do you have systems to verify ages and obtain guardian consent?
? Implement procedures to detect, investigate, and report data breaches to the Data Protection Commissioner within 72 hours
? Implement a culture of always assessing the effect on individual privacy before starting new initiatives

So Is the GDPR Good or Bad for Business
The GDPR should be good news for business customers. Their personal data will be more secure, and they should see their rate of spam marketing come down. The GDPR is also good news for businesses currently investing resources to protect their clients? interests. It could however, be bad news for businesses that have not been focussing on these matters. They may have a high mountain to climb to come in line with the GDPR.
Disclaimer: This article is for information only and not intended as a comprehensive guide.

Contact Us

  • (+353)(0)1-443-3807 (IRL)
  • (+44)(0)20-7193-9751 (UK)
Implementing Large-Scale Complex Business Change

Sometimes, driving your people to work harder is not enough for your organisation to withstand the pressures laying siege to it. With uncertain economic conditions, unpredictable fresh competition, and looming threats from the environment or even pandemic-grade diseases, empowering your people to not only ‘think’ but also to ‘step’ out of the box is currently the name of the game.

However, such initiatives typically require sweeping changes throughout your entire organisation … and to think even the slightest change is often met with hard resistance.

Whether you’re about to undergo an M&A, relocate due to a major catastrophe, scale down to a skeletal workforce, or implement a brand-new company-wide strategy, our systematic approach to large-scale complex business change can help you make the transition as seamless as possible.

We understand the importance of the human aspect in change management. That is why we’ll focus on making your people appreciate the benefits of having to learn new skills, perform new tasks, employ modern technologies, and go through new processes in order to tone down the resistance level.

Our entire process spans from top to bottom, wherein we’ll start with your sponsors, down to your managers, and then to other stakeholders in making them appreciative of the needed changes and in order to achieve alignment with your organisation’s goals. Our top to bottom approach is also aimed at casting a positive “shadow of the leader” on people down the line, enabling them with an optimistic view despite the gruelling tasks before them.

We invite you to have a look at the steps we take in implementing large-scale complex business change to win over a strong and lasting commitment to it.

Evaluating the Required Change

Large-scale complex business change initiatives can be implemented expeditiously and economically if you’ve clearly defined the scope of the change as well as the forces that shape your organisation. You’ll want to know which areas yield easily and which are hard to change to determine where and how you’re going to focus more of your efforts on.

To arrive at a sound and systematic plan, we first gather as much information as needed and analyse them. We determine whether your departments have the required capabilities and how we can arrive at a clear organisational alignment. That way, we don’t waste time, effort and resources when the moment comes to carry out the plan.

These are some of the diagnostic procedures we perform in evaluating the required change.

  • Change complexity analysis. We’ll assess the contribution of people and task factors to the overall complexity of the change project. This will help us determine how to approach the problem efficiently.
  • Causal analysis. By establishing cause and effect relationships, we can identify root or circular causes. This will allow us to pinpoint problem areas and prevent a repetition of past mistakes.
  • Structural analysis. Any company is propped up by a number of structures: organisational, process, motivational, social, and physical, among others. Understanding the structures that drive, motivate, hamper, connect, and influence your people’s behaviours can provide insights as to how or where structural change can best be executed.
  • Context analysis. We’ll look into market forces as well as political, economic, social, technological, legal, and environmental factors enveloping your business. We’ll also analyse your driving objectives, organisational alignment, and organizational capabilities. By analysing the internal and external environment in which your business currently operates, we can formulate a customised strategic and effective plan of action.

Managing Stakeholders

Change initiatives won’t prosper without total commitment from all stakeholders. Stakeholders refer to people in your organisation who either have interests in the change project or can be affected by it.

We deal with your stakeholders starting from the top because if we can’t gain full commitment from those already in the best position to spur the diverse entities in your company into active cooperation, striving to secure commitment from other areas will be futile.

That is, if you don’t have the full support of your key and principal sponsors, i.e. the people who have the biggest say and have greatest control over resources in your organisation, you can’t hope to sustain the change endeavour, let alone provide the much needed spark to get it started.

Here’s how we carry out our stakeholder management actions.

  • Conduct research to identify all stakeholders: the sponsors, your internal and external partners, the main targets of the change, and all interested parties. That way you can “switch on” implementors of each change action in the proper sequence.
  • Not everyone will offer resistance to your change endeavours. We’ll help you identify those stakeholders and sponsors who are willing to offer support, evaluate the level of support they are willing to give, harness all available supports and utilise them extensively to benefit the change.
  • Gain a deeper understanding as to why certain stakeholders are willing to lend support. In doing so, we can implement the right strategies that will encourage them to continue supporting you.
  • Assemble a leadership team that will champion your change initiatives. We’ll facilitate effective collaboration among its team members, transforming them into a cohesive force designed to carry out plans and motivate everyone else down the line.
  • Upon realisation of the change project, we’ll see to it that all stakeholders get a taste of the carrot at the end of the stick. This will encourage them to continue active cooperation in future change initiatives.

Planning for the Change

Anyone who has experienced having their car stuck in the mud knows that stepping on the accelerator will only get the vehicle trapped even deeper. Without the aid of a towing truck, getting the car out will require careful planning since different combinations of pulling, pushing, lifting, rocking to-and-fro, and stepping on the accelerator may be needed.

Of course, some combinations are just better than others. The same principle holds when effecting change.

Our approach to change management typically varies depending upon the information we obtain from the different analyses performed earlier. For instance, since not all organisations are suitable for a collaborative approach, we will employ either collaborative, consultative, directive, or coercive change management strategies wherever applicable.

A well-planned change will result in a smoother, less costly, and less disruptive transition. Here’s how we’ll help you plan your change initiatives.

  • When put in a predicament similar to the car-in-the-mud, the basic strategy entails identifying the current resisting forces and predicting what other resisting forces may be encountered along the way. After researching and pointing out your organisation’s resistance forces, we’ll lay out the most appropriate facilitation, education, and negotiation techniques.
  • To bring down wastage to the lowest possible levels, we’ll engineer a change delivery plan that involves the most cost-effective sequence of driver, process, technology, organisational, and people alignment.
  • To win and maintain a high level of trust, confidence and commitment from all sponsors and stakeholders, we’ll present a clear road map of the change process as well as landmarks that will prove how far we will have gone. These landmarks will then be brought to each sponsor’s and stakeholder’s attention each time they are arrived at in order to build up assurance and continued commitment.
  • We’ll design measurement tools and schedule reporting deadlines so that you’ll know what to look forward to and when to expect them.

Managing the Change

Your company will hold a better chance of maintaining a sizeable lead over the rest of the pack if you constantly establish a rally point and instil in your stakeholders the drive to rally to that point from the get-go. To make this happen, your company must undertake the unfreezing, transition, and refreezing phases of change skilfully in order to bring all stakeholders into the right mindset.

Our specialists’ systematic and efficient methods for each of these phases are designed to simplify the management of each phase as well as provide a seamless shift from one phase to the next. This is what we’ll do:

  • Set up a change project management office to ensure that everything associated with the change initiative is given the needed attention and resources even while all the other usual processes in your organisation run concurrently.
  • To unfreeze your people and get them started on the road of change, we’ll employ unfreezing techniques wherever they are most appropriate. We’ll resort to different kinds of methods ranging from presenting persuasive evidence justifying the need for change to showing a motivational vision for inspiring your people to embark on the change process.
  • Since it is during the transition phase when your people can find themselves groping in the dark, we’ll offer executive coaches for your senior managers; facilitators to provide guidance during team meetings and other change activities; coaches to educate and inspire them to meet the change with the right attitude; trainers to teach new systems, procedures, and technologies; as well as employ a variety of other techniques in order to make the transition phase as seamless as possible.
  • Although your people should always be ready to undertake the next major change after a previous one, there should be points in between where they can taste the spirit of success, establish a temporary base to rejuvenate, and immediately gain a deeper understanding of the nearby terrain so as to envision the next rally point. We’ll see to it that this vital phase of change is carried out completely.
How Armstrong World Industries is going Cradle-to-Cradle

The Cradle-to-Cradle concept holds that human effort must be biometric, in other words enrich the environment within which it functions as opposed to breaking it down. This means manufacturing must be holistic in the sense that everything is reusable and nothing is destroyed. Armstrong World Industries was the first global mineral ceiling tile manufacturer to achieve Cradle-to-Cradle certification. We decided to take a closer look at how they achieved this.

Armstrong Worldwide Industries has five plants in the UK alone. These produce an annual turnover of ?2.7 billion. They have been making ceilings for more than 150 years. Fifteen years ago and way ahead of the curve it started recycling, and has maintained a policy of not charging contractors for waste ever since. Along the way, it developed a product that can be re-used indefinitely.

The Challenge

Going green must also be commercially sustainable. In Armstrong?s case, it faced a rise in landfill tax from ?8 per tonne per year to ?80 per tonne per year. This turned the financial cost of waste from a nuisance to a threat. It calculated that recycling one tonne of ceiling materials would:

  • Eliminate 456kg of CO2 equivalents by saving 1,390 kWh of electricity
  • Preserve 11 tons of virgin material and save 1,892 gallons of potable water

They hoped to extend their own recycling project by asking demolition and strip-out contractors to join it, so they could reprocess their scrap as new batches of tiles too.

The Achievement

As things stand today, an Armstrong ceiling tile now contains an average of 82% recycled content. Indeed, if they could find more ceilings to recycle this could reach 100%. In the past two years alone, Armstrong Worldwide Industries UK has saved 130,399m? of greenfield from landfill, being the equivalent of 520 skips that would otherwise have cost contractors over ?88,000 to dispose of.

The Broader Context

Armstrong Worldwide Industries is a global leader in water management, and is bent on minimising its reliance on fossil for energy. It has implemented online measurement systems that feed data to its corporate environmental, health and safety system. This empowers it to produce reports, track corrective actions and measure progress towards its overall goal of being carbon neutral.

Next time you sit beneath an Armstrong Worldwide Industries panelled ceiling, spare a thought for how much ecoVaro consumption analytics could contribute to your bottom line (and how it would feel to be lighter on carbon too).

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today