How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

What is work force management?

For organisations to ensure they provide the right service. In order to do they need to assign the right employees with the right skills to the right job at the right time to meet demand.

Workforce Management Background

Workforce management (WFM) is a strategy used by companies to increase their efficiency and performance. It entails all activities aimed at maintaining a steady output, such as human resource management, forecasting, field service management, budgeting, scheduling, performance and training management, analytics, recruitment and data collection.

Workforce management utilizes a unique set of performance enhancing tools and software to bolster corporate management, workers, and other categories of managers and supervisors in the manufacturing team, distribution, transportation, and retail operators. This is sometimes called HRM systems, or part of ERP systems, or workforce asset management.

Unlike the conventional outlay that only needed staff scheduling to improve time management, workforce management is now all-inclusive and demand-oriented to optimize staff scheduling. Apart from focusing on demand-orientation and optimization, workforce management also incorporates:

Estimating the workload and resource utilisation
Job scheduling
Management of working times and accounts
Monitoring the process of workforce management

Each task should be clearly defined and performed efficiently based on set engineering standards and methods of optimizing each task as much as possible. Out of this framework and demand based forecasts, workers are scheduled and given tasks, performance measured, give feedback, and incentives computed and paid.

Workforce management is an entire scheme aimed at building the capacity of workers, increase productivity and client relations, and where possible reduce labour costs.

What is Mobile Workforce Management (MWM)

Mobile workforce management (MWM) is a software-based service used to oversee employees outside of the institution?s premises; MWM sometimes refers to the field teams. Mobile workforce management encompasses all activities done to monitor and schedule the field workforce.

The entire process includes procurement, management and using mobile devices, applications and computer software. Related support services like tracking, logging, dispatch, productivity management, and other types of communication are also to make it efficient.

Companies do not have the same needs and MWM firms need to fine-tune their software and devices to sufficiently bridge this gap. Some providers are suited only to a specific type of company because of specialization, like managing the electric grid. This experience makes the MWM company suited to provide applications that are relevant to the company for them to continue operating smoothly and efficiently.

With the increase in mobile devices, applications, secured wireless networks and virtual desktop, there comes a stream of opportunities for small and medium-sized businesses (SMB) and other ventures. Nevertheless, a mobile workforce needs better controls, security and support, as well as a functioning mobile workforce management strategy.

MMS (managed mobility services) is often used interchangeably with MWM, but they should not be confused. MWM is related to software and applications used by mobile and computer devices to manage on-field work while MMS focuses on enterprises, and is like a way of keeping in touch with the company, other employees, and linking the mobile while at work to servers and the database.

Benefits of Mobile Workforce Management

MWM allows the utilization of technology to drive productivity. Here are the top five advantages of MWM..

Customer focused. The customer is the backbone of any business. The team needs to keep in touch with up-to-date information about every interaction. In the end, better client relation makes sure that the customer is always happy.
Information has the power to build or destroy. A cloud-based system is easier to manage and can help with collection of data which is used to make business decisions. This can help cut costs, increase the workforce support, and identify areas where polishing needs to be done.
Improved efficiency. Mobile workforce management is majorly used in taskforce allocation. If the company adopts a cloud-based work force management system, allocation is done automatically saving a lot of time.
Increased revenue. Each business seeks to maximize the profit. With cloud-based mobile workforce management some operations like task management, data analysis, customer communication, reporting, and performance monitoring can be automated. This reduces the costs incurred for multiple applications and saves time.
Ease of communication. Communication is vital. Constant communication with customers drives sales rates and everyone loves that. Quick communication will help customers solve their problems faster and get instant feedback.

Additional WFM benefits

Other WFM benefits are:

Operations are made efficient as all complex processes are automated.
Employers learn more about worker engagement, productivity and attendance, allowing them to modify training, coaching and processes aimed at streamlining performance.
Automation and easy manipulation of data to improve HR, productivity and slash administrative costs.
It increases employee productivity by reducing absenteeism and late arrivals.
Boosts the morale of employees by encouraging transparency and facilitating manager-employee communication.
WFM analyzes market and schedule requirements to pick the right employee with the best set of skills for a certain task.

Companies which embrace workforce management and mobile workforce management have a higher operational efficiency. They have lower operational costs and limit manual work as much as possible

Becoming Nimble the Agile Project Management Way

In dictionary terms, ?agile? means ?able to move quickly and easily?. In project management terms, the definition is ?project management characterized by division of tasks into short work phases called ?sprints?, with frequent reassessments and adaptation of plans?. This technique is popular in software development but is also useful when rolling out other projects.

Managing the Seven Agile Development Phases

Stage 1: Vision. Define the software product in terms of how it will support the company vision and strategy, and what value it will provide the user. Customer satisfaction is of paramount value including accommodating user requirement changes.
Stage 2: Product Roadmap. Appoint a product owner responsible for liaising with the customer, business stakeholders and the development team. Task the owner with writing a high-level product description, creating a loose time frame and estimating effort for each phase.
Stage 3: Release Plan. Agile always looks ahead towards the benefits that will flow. Once agreed, the Product Road-map becomes the target deadline for delivery. With Vision, Road Map and Release Plan in place the next stage is to divide the project into manageable chunks, which may be parallel or serial.
Stage 4: Sprint Plans. Manage each of these phases as individual ?sprints?, with emphasis on speed and meeting targets. Before the development team starts working, make sure it agrees a common goal, identifies requirements and lists the tasks it will perform.
Stage 5: Daily Meetings. Meet with the development team each morning for a 15-minute review. Discuss what happened yesterday, identify and celebrate progress, and find a way to resolve or work around roadblocks. The goal is to get to alpha phase quickly. Nice-to-haves can be part of subsequent upgrades.
Stage 6: Sprint Review. When the phase of the project is complete, facilitate a sprint review with the team to confirm this. Invite the customer, business stakeholders and development team to a presentation where you demonstrate the project/ project phase that is implemented.
Stage 7: Sprint Retrospective. Call the team together again (the next day if possible) for a project review to discuss lessons learned. Focus on achievements and how to do even better next time. Document and implement process changes.

The Seven Agile Development Phases ? Conclusions and Thoughts

The Agile method is an excellent way of motivating project teams, achieving goals and building result-based communities. It is however, not a static system. The product owner must conduct regular, separate reviews with the customer too.

Energy Cooperation Mechanisms in the EU

While the original mission of the European Union was to bring countries together to prevent future wars, this has spun out into a variety of other cooperative mechanisms its founders may never have dreamed of. Take energy for example, where the European Energy Directive puts energy cooperation mechanisms in place to help member states achieve the collective goal.

This inter-connectivity is essential because countries have different opportunities. For example, some may easily meet their renewable targets with an abundance of suitable rivers, while others may have a more regular supply of sunshine. To capitalise on these opportunities the EU created an internal energy market to make it easier for countries to work together and achieve their goals in cost-effective ways. The three major mechanisms are

Joint Projects
Statistical Transfers
Joint Support Schemes

Joint Projects

The simplest form is where two member states co-fund a power generation, heating or cooling scheme and share the benefits. This could be anything from a hydro project on their common border to co-developing bio-fuel technology. They do not necessarily share the benefits, but they do share the renewable energy credits that flow from it.

An EU country may also enter into a joint project with a non-EU nation, and claim a portion of the credit, provided the project generates electricity and this physically flows into the union.

Statistical Transfers

A statistical transfer occurs when one member state has an abundance of renewable energy opportunities such that it can readily meet its targets, and has surplus credits it wishes to exchange for cash. It ?sells? these through the EU accounting system to a country willing to pay for the assistance.

This aspect of the cooperative mechanism provides an incentive for member states to exceed their targets. It also controls costs, because the receiver has the opportunity to avoid more expensive capital outlays.

Joint Support Schemes

In the case of joint support schemes, two or more member countries combine efforts to encourage renewable energy / heating / cooling systems in their respective territories. This concept is not yet fully explored. It might for example include common feed-in tariffs / premiums or common certificate trading and quota systems.

Conclusion

A common thread runs through these three cooperative mechanisms and there are close interlinks. The question in ecoVaro?s mind is the extent to which the system will evolve from statistical support systems, towards full open engagement.