How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

Is Your Project Agile, a Scrum or a Kanban?

Few projects pan out the way we expect when starting out. This is normal in any creative planning phase. We half suspect the ones that follow a straight line are the exceptions to the rule. Urban legend has it; Edison made a thousand prototypes before his first bulb lit up, and then went on to comment, ?genius is 1% inspiration, 99% perspiration?. Later, he added that many of life’s failures are people who did not realise just how close they were to success when they gave up.

So be it to this day, and so be it with project planning too. There is no one size fits all approach when it comes to it. Agile, Scrum and Kanban each have their supporters and places where they do well. Project planning often works best when we use a sequential combination of them, appropriate to what is currently happening on the ground.

Of the three, Agile is by far the most comprehensive. It provides a structure that begins with project vision / conceptualisation, and goes as far as celebration when the job is over, and retrospective discussion afterwards. However, the emphasis on daily planning meetings may dent freethinking, and even smother it.

Scrum on the other hand says ?forget all that bureaucracy?. There is a job to do and today is the day we are going to do it. Although the core Agile teamwork is still there it ignores macro project planning, and could not be bothered with staying in touch with customers. If using Scrum, it is best to give those jobs to someone else.

The joker in the pack is Kanban, It believes that rules are there to substitute for thought, and that true progress only comes from responsible freedom. It belongs in mature organisations that have passed through Scrum and Agile phases and have embarked on a voyage towards perfection.

That said, there can be no substitute for human leadership, especially when defined as the social influence that binds the efforts of others towards a single task.

How Mid-South Metallurgical cut Energy Use by 22%

Mid-South in Murfreesboro, Tennessee operates a high-energy plant providing precision heat treatments for high-speed tools – and also metal annealing and straightening services. This was a great business to be in before the energy crisis struck. That was about the same time the 2009 recession arrived. In no time at all the market was down 30%.

Investors had a pile of capital sunk into Mid-South?s three facilities spread across 21,000 square feet (2,000 square meters) of enclosed space. Within them, a number of twenty-five horsepower compressors plus a variety of electric, vacuum and atmospheric furnaces pumped out heat 27/7, 52 weeks a year. After the company called in the U.S. Department of Energy for assistance, several possibilities presented.

Insulate the Barium Chloride Salt Baths

The barium chloride salt baths used in the heat treatment process and operating at 1600?F (870?C) were a natural choice, since they could not be cooled below 1200?F (650?C) when out of use without hardening the barium chloride and clogging up the system. The amount of energy taken to prevent this came down considerably after they covered and insulated them. The recurring annual electricity saving was $53,000.

Manage Electrical Demand & Power

The utility delivers 480 volts of power to the three plants that between them consume between 825- and 875-kilowatt hours depending on the season. Prior to the energy crisis Mid-South Metallurgical regarded this level of consumption as a given. Following on the Department of Energy survey the company replaced the laminar flow burner tips with cyclonic burner ones, and implemented a number of other modifications to enhance thermal efficiency further. The overall natural gas reduction was 20%.

Implement Large Scale Site Lighting Upgrade

The 24/7 nature of the business makes lighting costs a significant factor. Prior to the energy upgrade this came from 44 older-type 400-watt metal halide fixtures. By replacing these with 88 x 8-foot (2.5 meter) fluorescent fittings Mid-South lowered maintenance and operating costs by 52%

The Mid-South Metallurgical Trophy Cabinet

These three improvements cut energy use by 22%, reduced peak electrical demand by 21% and brought total energy costs down 18%. Mid-South continues to monitor energy consumption at each strategic point, as it continues to seek out even greater energy efficiency in conjunction with its people.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Using Pull Systems to Optimise Work Flows in Call Centres

When call centres emerged towards the end of the 20th century, they deserved their name ?the sweatshops of the nineties?. A new brand of low-paid workers crammed into tiny cubicles to interact with consumers who were still trying to understand the system. Supervisors followed ?scientific management? principles aimed at maximising call-agent activity. When there was sudden surge in incoming calls, systems and customer care fell over.

The flow is nowadays in the opposite direction. Systems borrowed from manufacturing like Kanban, Pull, and Levelling are in place enabling a more customer-oriented approach. In this short article, our focus is on Pull Systems. We discuss what are they, and how they can make modern call centres even better for both sets of stakeholders.

Pull Systems from a Manufacturing Perspective

Manufacturing has traditionally been push-based. Sums are done, demand predicted, raw materials ordered and the machines turned on. Manufacturers send out representatives to obtain orders and push out stock. If the sums turn out wrong inventories rise, and stock holding costs increase. The consumer is on the receiving end again and the accountant is irritable all day long.

Just-in-time thinking has evolved a pull-based approach to manufacturing. This limits inventories to anticipated demand in the time it takes to manufacture more, plus a cushion as a trigger. When the cushion is gone, demand-pull spurs the factory into action. This approach brings us closer to only making what we can sell. The consumer benefits from a lower price and the accountant smiles again.

Are Pull Systems Possible in Dual Call Centres

There are many comments in the public domain regarding the practicality of using lean pull systems to regulate call centre workflow. Critics point to the practical impossibility of limiting the number of incoming callers. They believe a call centre must answer all inbound calls within a target period, or lose its clients to the competition.

In this world-view customers are often the losers. At peak times, operators can seem keen to shrug them off with canned answers. When things are quiet, they languidly explain things to keep their occupancy levels high. But this is not the end of the discussion, because modern call centres do more than just take inbound calls.

Using the Pull System Approach in Dual Call Centres

Most call centre support-desks originally focused are handling technical queries on behalf of a number of clients. When these clients? customers called in, their staff used operator?s guides to help them answer specific queries. Financial models?determined staffing levels and the number of ?man-hours? available daily. Using a manufacturing analogy, they used a push-approach to decide the amount of effort they were going to put out, and that is where they planted their standard.

Since these early 1990 days, advanced telephony on the internet has empowered call centres to provide additional remote services in any country with these networks. They have added sales and marketing to their business models, and increased their revenue through commissions. They have control over activity levels in this part of their business. They have the power to decide how many calls they are going to make, and within reason when they are going to make them.

This dichotomy of being passive regarding incoming traffic on the one hand, and having active control over outgoing calls on the other, opens up the possibility of a partly pull-based lean approach to call centre operation. In this model, a switching mechanism moves dual trained operators between call centre duties and marketing activities, as required by the volume of call centre traffic, thus making a pull system viable in dual call centres.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK

Ready to work with Denizon?

Contact Us Today