How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it – until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted sources of guidance among companies that have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO are to assume responsibility for establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this “well-defined basis” is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, “What control framework did you use?”

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX’s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres to COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. They serve as a basis for setting as-is and to-be positions and enable support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you in a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support IT’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Why Spreadsheets can send the Pillars of Solvency II Crashing Down


Solvency II is now fast approaching and while it may provide added protection to policy holders, its impact on the insurance industry is not all a bed of roses. Expect insurance companies to restructure, increase manpower, and raise spending on actuarial operations and risk management initiatives. Those that cannot, will have to go. But what have spreadsheets got to do with all these?

Well, spreadsheets aren’t really the main cast in this blockbuster of a regulatory exercise but they certainly have a significant supporting role to play. Pillar I of Solvency II, which calls for improved supervision on internal control, risk management, and corporate governance, and Pillar II, which tackles supervisory reporting and public disclosure of financial and other relevant information, both affect systems that have a high reliance on spreadsheets.

A little background about spreadsheets might help.

Who needs an IT solution when you can have spreadsheets?

Everyone in any organisation just loves spreadsheets, from the office clerk to the CEO. Because they’re so easy to use (not to mention they’re a staple in office computers), people employ them for processing numbers and as an all-around tool for planning, forecasting, reporting, complex modelling, market data analysis, and so on. They make such tasks faster and easier. Really?

You probably haven’t heard of spreadsheet hell

Unfortunately, spreadsheets do have certain shortcomings. Due to their inherent structure and lack of controls, it is so easy to commit simple errors like an accidental copy paste, an omission of a negative sign, an incorrect data input, or an unintentional deletion. Such shortcomings may seem harmless until your shareholders discover a multi-million discrepancy in your financial report.

And because spreadsheet errors can go undetected for a long time, they are constant targets of fraudsters. In other words, spreadsheets are high risk applications.

Solvency II Impact on Spreadsheet-based Financial and IT Systems

Regulations like Solvency II are aimed at reducing risks to manageable levels. Basically, Solvency II is a risk-based system wherein a company’s capital requirements will depend on its measured riskiness. If companies want to avoid facing onerous capital requirements, they have to comply.

The three pillars of Solvency II have to be in place. Now, since spreadsheets (also known as User Developed Applications or UDAs) are high-risk applications with weak control features and prone to produce inaccurate reports, companies will have a lot of work to do to establish Pillars II and III.

There are at least 8 articles that impact spreadsheets in the directive. Article 82, for example, which requires firms to ensure a high level of data quality and accuracy, strikes at the very core of spreadsheets’ weakness.

A whitepaper by Raymond Panko entitled “Spreadsheets and Sarbanes-Oxley: Regulations, Risks, and Control Frameworks” mentioned that 94% of audited real world operational spreadsheets that were included in his study were found to have errors and that an average of 5.2% of all cells in the audited spreadsheets had errors.

Furthermore, many articles in the directive call for the enforcement of better documentation. This is one thing that’s very tedious and almost unrealistic to do with spreadsheets because just about anyone uses them. Besides, with different ‘versions’ of the same data existing in different workstations throughout the organisation, it would be extremely difficult to keep track of them all.

Because of spreadsheets you now need an IT solution

It is clear that, with the growing number of regulations and the mounting complexity of tasks needed for compliance, spreadsheets no longer belong in this era. What you need is a server-based solution that allows for seamless collaboration, data reliability, data consistency, increased security, automatic consolidation, and all the other features that make regulation compliance more doable.

One important ingredient for achieving Solvency II compliance is sound data risk management. Sad to say, the ubiquitous spreadsheet will only expose your data to more risks.

How SOA can help Transformation

Undoubtedly, today’s business leaders face myriad challenges ranging from fierce market competition to increasing market unpredictability. In addition, the modern consumer is more informed and in control of what, where and how they purchase. Couple these challenges with the effects of globalization, and you will appreciate that the need for business transformation is more of a necessity than a privilege.

As recent business trends show, top companies are characterized by organizational and operational agility. Instead of being shaken by rapid technological changes and aftershocks associated with market changes, they are actually invigorated by these trends. In order to survive in these turbulent times, business leaders are opting to implement corporate transformation initiatives to develop leaner, more agile and productive operations. In line with this, service oriented architecture (SOA) has emerged as an essential IT transformation approach for implementing sustainable business agility.

By definition, service oriented architecture is a set of principles and techniques for developing and designing software in the form of business functionalities. SOA allows users to compile together large parts of functionality to create ad hoc service software entirely from the template software. This is why it is preferred by CIOs who are looking to develop business agility. It breaks down business operations into functional components (referred to as services) that can be easily and economically merged and reused in applicable scenarios to meet evolving business needs. This enhances overall efficiency and improves organizational interconnectivity.

SOA identifies shortcomings of traditional IT transformation approaches that were framed in monolithic and vertical silos all dependent on isolated business units. The current business environment requires that individual business units should be capable of supporting multiple types of users, multiple communication channels and multiple lines of business. In addition, it has to be flexible enough to adapt to changing market needs. In case one is running a global business enterprise, SOA-enabled business transformation can assist in achieving sustainable agility and productivity through a globally integrated IT platform. SOA realizes its IT and business benefits by adopting a design and analyzing methodology when developing services. In this sense a service consists of an independent business unit of functionality that is only available through a defined interface. Services can either be in the form of nano-enterprises or mega-enterprises.

Furthermore, with SOA an organization can adopt a holistic approach to solve a problem. This is because the business has more control over its functions. SOA frees the organization from constraints attributed to having a rigid single-use application that is intricately meshed into a fragmented information technology infrastructure. Companies that have adopted service oriented architecture as their IT transformation approach can easily repurpose, reorganize and rescale services on demand in order to develop new business processes that are adaptable to changes in the business environment. In addition, it enables companies to upgrade and enhance their existing systems without incurring huge costs associated with ‘rip and replace’ IT projects.

In summary, SOA can be termed the cornerstone of modern IT transformation initiatives. If properly implemented, great benefits and a sharp competitive advantage can be achieved. SOA assists in transforming existing disparate and unconnected processes and applications into reusable services, creating an avenue where services can be rapidly reassembled and developed to support market changes.

How an EMS Can Cut Your Carbon Emissions

Your business carbon footprint is directly tied to the efficiency of its energy consumption. From the equipment used in industries, lighting and air conditioning in offices, shopping malls and other commercial buildings, the load used by everyday machines like the coffee makers in the employee breakroom, to hot water boilers in apartment complexes, how much do your processes affect the environment? Standards like the ISO 14001:2015 are being implemented to enable businesses to reduce their impact on the environment, from optimising their energy usage, minimising waste, turning to renewable power sources, all through to preventing pollution and complying with their specific regulatory requirements. How do you handle the volume of data that needs to be obtained and assessed?

Energy management systems come in to enable you to analyse your consumption, identify factors affecting your total energy use – from temperature and humidity conditions, to equipment that is causing spikes, and observe your usage patterns. That way, you can put in measures to minimise wastage while increasing your operational efficiency, reduce your carbon emissions and track your progress all the way. Here, we’ll break down how this is achieved. 

Going Green With An Energy Management System

This is a holistic approach aimed at minimising wastage and optimising energy usage. It includes:

Auditing your energy consumption

The first step is really quantifying how much energy you use, which systems are causing unnecessary load, all through to where there are inefficiencies in the facility. Which equipment has the largest impact on your bill? An energy management system allows you to view it all from one dashboard, such as with the ecoVaro EMS that takes you down to the sub-meter level.

Here, you get real-time data that is collected by the ecoVaro loggers – from electricity use, gas, water, temperature, solar power, humidity, air pressure – the readings can all be monitored. This is done 24/7, and the consumption feeds are recorded. Moreover, ecoVaro pulse data is collected every 15 minutes – which is particularly important when it comes to analysing trends over a time period, be it daily, weekly or monthly. 

Data is only useful if it can be properly analysed, right? So instead of just bombarding you with spreadsheets of numbers, the EMS displays the records into graphs and charts that are easy to comprehend – all from the same interactive interface. So, whether you’re the energy manager in the facility, or you want reports that can be shared with the CFO, owners of the business, or even staff themselves to enable them to understand the energy saving policies that you will put in place – you will be able to carry this out. 

ecoVaro gives you different ways to analyse the data from the readings that have been recommended. For instance, the heat mapping from the interface allows you to see the building’s energy use during different periods at a glance. The site-by-site analysis in particular enables the building or energy manager to assess each individual premises, from checking which block in the school is causing the energy bills to surge, the facility whose performance is falling behind, all through to the office building with the highest carbon footprint. In fact, the carbon and sustainability reports from ecoVaro EMS enable you to see the impact that your operations have. You even get to compare tariffs from the different energy suppliers, so that you can go with the option that is most suited to your situation.

Setting a baseline for your operations

This is essentially a “before/after checkpoint” that you will use to compare the effectiveness of subsequent measures that you will undertake. After making modifications to the systems in your business, you will want a clear picture of whether the new measures are actually benefiting your operations and optimising your energy efficiency, or whether they are deteriorating the performance further. The energy baseline will be critical in analysing your progress. 

Reports like the CUSUM (cumulative sum) charts on ecoVaro show you the energy performance, be it of a boiler in a factory, office building, or chain of hotels – over a set period of time. You can then compare this to the baseline, which will show you whether the changes you implement will deliver savings. The heatmaps also come in handy here, showing you the energy consumption at each meter, whether it is low, medium or high compared to the baseline that has been set. The heatmaps give a quick visual to analyse resource usage.

Creating energy targets

After understanding your energy consumption and seeing how it impacts your business, next is mapping out short- and long-term goals that you want to attain to optimise your usage and reduce your carbon footprint. 

For instance, short-term targets can include the likes of decreasing the night-time lighting load, and adjusting HVAC uptime depending on the level of activity in your business premises for the different hours of the day. 

For the long-term targets, these include setting a specific percentage average kWh reduction for the different industrial sites or buildings under your management; lowering the demand kW throughout the building by a specific range year-on-year; as well as the percentage with which you want the carbon emissions decreased annually. 

Cost efficiency also factors in. For instance, entering your current tariffs into the conversion factoring dashboard on ecoVaro will show you how your consumption translates to the bills that you receive – and even shows you what you stand to save by negotiating for new energy contracts with your utility firm.

Identifying initiatives and implementing energy saving programs

These are geared towards improving your energy efficiency and reducing your carbon footprint. They vary from one industry to the next. For instance, these can include:

Getting motion/occupancy detectors and automatic dimmers installed in the facility

These are lighting controls that enable you to save money and energy by automatically turning the lights off when they are not required (people have left the room), and reducing the light levels for those cases where full-on brightness is not needed. For instance, the dimmer controls enable variable indoor lighting, reducing the wattage and output when dimming the lightbulbs, saving energy in the process. These can be manual, or operated with sensors or timers. 

Motion sensors on the other hand will automatically turn on the lights after they detect motion, then after a short while turn them off – they are typically used for utility and outdoor security lighting. There are also occupancy sensors used in rooms, which turn on the lights when they detect indoor activity, then turn them off or reduce the light output when the particular space is unoccupied. 

Switching to energy-efficient light fixtures such as CFL or LED bulbs

Lighting costs are a major contributor to the energy bills being footed by the business. What kind of systems do you have set up?

Incandescent bulbs are rapidly being phased out due to their inefficiencies. They work by a wire tungsten filament getting heated until it glows – a process that sees almost 90% of its energy being released as heat, instead of light. In addition, with an average lifespan of just 1,500 hours, there is the need for better alternatives – and they have already been around for over a decade: CFL and LED bulbs, which save on energy and have far less carbon emissions. 

Compact fluorescent light bulbs (CFLs) light up when an electric current going through a tube with argon and trace mercury gases generates ultraviolet light, stimulating the fluorescent coating that’s on the inside of the tube, which in turn produces light. As such, a 15-watt CFL will have about the same light output as a 60-watt incandescent bulb. This makes them approximately 4 times more efficient compared to the incandescent bulbs, with a lifespan of 10,000-15,000 hours. This translates into fewer replacements and greater energy savings. However, there are still concerns about the mercury that is in the CFLs, though it is still in small quantities – basically smaller than the tip of your pencil. In addition, the CFLs aren’t dimmable. They are usually used as a replacement for incandescent bulbs before completely switching to the more efficient LEDs.

Light-emitting diode bulbs (LEDs) take things a notch higher. Here, electrons moving through a semiconductor emit the light, and you can get the LEDs for visible light, ultra-violet, and infrared spectrums. Here, the lifespan is 25,000–35,000 hours, which is more than double that of CFLs, and leagues beyond the standard incandescent bulb. Moreover, with a 16.5W LED bulb you’ll be getting the same lighting as a 20W CFL, or a 75W incandescent bulb.

You will notice that when you touch LEDs, they feel cool, and this is because less energy is getting converted into heat. With the energy efficient bulbs, you won’t have to run your AC harder during those hot months, further adding to your cost savings. You can see such consumption trends over the months through the energy management system. For instance, seeing the changing trends in the AC energy consumption over different weeks will enable you to assess what is causing it to be pushed harder, and address the root cause of the problem.

Acquiring energy-efficient office equipment

This is broad, with the changes being made here depending on your particular niche. Take printers for instance. Simply going for printers with sleep and automatic shut-off modes will ensure that the units are not consuming energy when they are not in use. The same case applies to copier machines. Energy saving surge protectors on the other hand are beneficial for allowing you to “unplug” multiple devices that use standby power even when switched off – what’s usually called “vampire power” or “phantom energy”.

The need for energy savings cuts across the board, from the computers and monitors used, to the coffee makers and kettles. For instance, working with an electric kettle to heat water for tea beats using a microwave or stove. Go further by opting for a kettle that allows you to set the particular temperature you want for the water – since you don’t really need the water for tea to be boiling hot for the tea to properly steep. Taking such steps further contributes to your business’ efforts to go green and reduce your carbon footprint. 

Turning to renewable energy sources

Switching to renewable sources to power your operations will simultaneously reduce your energy bills and cut your carbon emissions. From solar panels to wind turbines and the like, they are cleaner sources of energy, and the installations that you go with will depend on your kind of business. Moreover, this will protect you from the fluctuations in energy prices, since the bills are affected by the availability of fuel, electricity demand, costs that go into generating and distributing it – all of which end up hitting your business in the long run. On the other hand, going off the grid with your own supply of power protects you from this. In fact, if you end up producing surplus energy, you can sell it back to the grid, earning your business extra revenue. 

Sure, the upfront costs of setting up the systems will take a sizable chunk out of your budget, but the savings allow you to recoup the costs over time. In addition, there will be savings from the incentives being provided by the government, such as tax rebates and grants. These are the likes of the Solar PV Grant from SEAI (Sustainable Energy Authority of Ireland) which is at €900 per kWp, capped at €2400 for each business. Funding is available for homes, community programs and commercial buildings such as Collinstown Park School that was able to slash their lighting costs by a whopping 90% after securing 50% of the funding for their energy upgrade project from SEAI. The ecoVaro EMS comes with support for solar power installations in its firmware, so that you can continue assessing the changes that your solar power system will bring to your overall energy usage.

Spread awareness

You should also carry out energy conservation training for your staff. The reports generated by the EMS will make it easy for them to get a picture of their energy consumption trends, and the effects that it has on both the performance of the company, and the carbon footprint as a whole. It also gives them more awareness of the impact that they each have at an individual level. 

Assessing Key Performance Indicators

The energy analytics tools from the EMS will show you whether you are actually meeting your goals. Since it works with the different metered connections, from getting electricity and temperature readings, checking radiation levels, humidity data all through to gas meters, you will be able to assess the progress that your business is making across the board. 

For ecoVaro in particular, the performance of your systems can be seen through reports like Consumption Charts – from the different offices, tenants and equipment energy usage, peak and off-peak data, as well as Regression Charts that allow you to compare a building’s actual energy consumption to its expected performance, and how they are affected by variables such as temperature.

With the site-by-site data and the monitoring being down to the sub-meter level, you will be able to identify an issue when it crops up and narrow it down to the specific instant and location where it occurred. This enables you to address the problem quicker.   

Conducting a compliance audit

A comprehensive audit can then be undertaken to ensure that your company meets internationally-recognized standards that have been stipulated regarding implementing energy management systems and enhancing the energy efficiency of your operations. The compliance audits are carried out by certified auditors.

Through the EMS, you are able to position your business appropriately to meet the standards for your particular niche, measuring and observing the performance of energy-saving projects that have been implemented. This extends to acquiring and presenting data that will be used to show the business’s compliance with industry regulations and obtain the relevant certification. You are able to report on your carbon footprint, and verify it. This information can also be disseminated amongst your employees and customers, raising awareness about your business’s green initiatives, boosting your brand in the process.
