February 24, 2008

What is COBIT?

Sarbanes Oxley compliance will significantly impact the IT organization of most public companies. However, there is one enormous problem: there is no specific mention of IT in Section 404, and more importantly, there are no specifics as to what controls have to be established within an IT organization to comply with Sarbanes Oxley legislation.

If there is no specific mention in Section 404 as to what IT needs to do to comply with Sarbanes Oxley, the logical question would be, "How can I comply with something without knowing what I need to do to comply?" Although there are various standards a company can use for defining and documenting its internal controls, such as ITIL (IT Infrastructure Library), Six Sigma, and COBIT, the majority of auditors have adopted COBIT.

ITIL is an international series of documents used to aid the implementation of a framework for IT Service Management. The intent of the framework is to define how Service Management is applied within specific organizations. Given that the framework consists of guidelines, it is agnostic of any application or platform and can therefore be applied in any organization.

In many organizations, Six Sigma simply means a measure of quality that strives for near perfection. Six Sigma is a disciplined, data-driven approach and methodology for eliminating defects (driving toward six standard deviations between the mean and the nearest specification limit) in any process, from manufacturing to transactional and from product to service.

COBIT stands for Control Objectives for Information and Related Technology. While the COBIT guidelines have been around since 1996, the guidelines and best practices have almost become the de facto standard for auditors and Sarbanes Oxley compliance, mostly because the COBIT standards are platform independent. There are approximately 300 generic COBIT objectives, grouped under six COBIT Components. When reviewing and applying the COBIT guidelines and best practices, keep in mind that they will need to be tailored to your particular environment.


COBIT Components

COBIT consists of six components:

  • Executive Summary: Explains the key concepts and principles.

  • Framework: Foundation for approach and COBIT elements. Organizes the process model into four domains:

    • Plan and organize

    • Acquire and implement

    • Deliver and support

    • Monitor and evaluate

  • Control Objectives: Foundation for approach and COBIT elements. Organizes the process model into the four domains (discussed in a moment).

  • Control Practices: Identifies best practices and describes requirements for specific controls.

  • Management Guidelines: Links business and IT objectives and provides tools to improve IT performance.

  • Audit Guidelines: Provides guidance on how to evaluate controls, assess compliance, and document risk with these characteristics:

    • Define "internal controls" over financial reporting

    • Internally test and assess these controls

    • Support external audits of controls

    • Document compliance efforts

    • Report any significant deficiencies or material weaknesses

In conclusion, although an IT organization is free to select any predefined standard, or even one it develops itself, to assist in obtaining Sarbanes Oxley compliance, the most widely accepted standard is COBIT. Consequently, you may find that selecting COBIT is the path of least resistance to Sarbanes Oxley compliance.

COBIT Domains

Planning and Organization

Planning is about developing strategic IT plans that support the business objectives. These plans should be forward looking and in alignment with the company’s planning intervals; that is, a two-, three-, or five-year projection.


Acquisition and Implementation

Once the plans are developed and approved, you may need to acquire new applications, or even acquire or develop a new staff skill set to execute the plans. Upon completion of the Acquisition phase, the plans now need to be enacted in the Implementation phase, which should include maintenance, testing, certifying, and identification of any changes needed to ensure continued availability of both existing and new systems.


Delivery and Support

This phase ensures that systems perform as expected upon implementation, and continue to perform in accordance with expectations over time, usually managed via service level agreements (SLAs). In this regard, systems can be related to infrastructure components or third-party services.


Monitoring

The monitoring phase uses the SLAs or baselines established in the preceding phases to allow an IT organization to gauge how it is performing against expectations, and provides it with an opportunity to be proactive.

IT governance course: What is Sarbanes Oxley?

As a result of the financial scandals at major Fortune 100 companies in 2001, Congress enacted the Sarbanes Oxley Act of 2002. This act affects how public companies report financials, and significantly impacts IT. Sarbanes Oxley compliance requires more than documentation and/or establishment of financial controls; it also requires the assessment of a company’s IT infrastructure, operations, and personnel. Unfortunately, the requirements of the Sarbanes Oxley Act of 2002 do not scale based on the size or revenue of a company. The IT departments of small to medium-sized companies will face unique challenges, both budgetary and personnel-related, in their effort to comply with the Act of 2002.


What Will Sarbanes Oxley Accomplish?

There continues to be much controversy and debate about the effectiveness of Sarbanes Oxley. Although most people who are aware of the requirements to comply with Sarbanes Oxley (Section 404) believe the intention was good, there exists controversy over whether the existing 302 reporting requirements are sufficient.

If you read Sections 302 and 404, you may see similarities, and consequently understand why a controversy may exist as to whether the Section 404 Sarbanes Oxley requirements and compliance were necessary. The next two sections in this chapter include an example of Sections 302 and 404 as they pertain to a company’s executive management assertions.


Section 302

In accordance with Section 302, executive management of a public company:

  1. are responsible for establishing and maintaining internal controls

  2. have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared


Section 404

In accordance with Section 404, executive management of a public company:

  1. are responsible for establishing and maintaining an adequate internal control structure and procedures for financial reporting

  2. must report the effectiveness of the internal control structure and procedures


The initial response to Sarbanes-Oxley may be to see it as yet another drain on your already understaffed, overtaxed IT department; however, this does not necessarily have to be the case. Whether Sarbanes Oxley compliance is viewed as just another project, or as a strategic opportunity for the IT department to reduce the project backlog, will be determined by how the CFO, CIO, or IT Director positions Sarbanes Oxley compliance with executive management. However, because a majority of companies will view Sarbanes Oxley compliance as a Finance initiative and may not involve IT, or may limit IT’s involvement to the project’s periphery, this may be easier said than done. Because of this "limited" perception of SOX compliance, the process of positioning with executive management to include IT within this initiative may require significant effort, but will be well worth it.

If properly executed, the Sarbanes Oxley compliance process gives CFOs, CIOs, and IT Directors an opportunity to address antiquated systems, personnel resource issues, and documentation/process issues. It will also provide them the opportunity to forge stronger alliances with the business units. IT will be critical to the success of Sarbanes Oxley compliance, and the support of the business units will be critical to the success of IT.
