How COBIT helps you achieve SOX Compliance

First released way back in 1996, COBIT has already been around for quite a while. One reason why it never took off was because companies were never compelled to use it ? until now. Today, many CEOs and CIOs are finding it to be a vital tool for achieving SOX compliance in IT.

Thanks to SOX, COBIT (Control Objectives for Information and related Technology) is now one of the most widely accepted source of guidance among companies who have IT integrated with their accounting/financial systems. It has also gained general acceptability with third parties and regulators. But how did this happen?

Role of control frameworks in SOX compliance

You see, the Sarbanes-Oxley Act, despite having clearly manifested the urgency of establishing effective internal controls, does not provide a road map for you to follow nor does it specify a yardstick to help you determine whether an acceptable mileage in the right direction has already been achieved.

In other words, if you were a CIO and you wanted to find guidance on what steps you had to take to achieve compliance, you wouldn’t be able to find the answers in the legislation itself.

That can be a big problem. Two of your main SOX compliance obligations as a CEO or CIO is to assume responsibility in establishing internal controls over financial reporting and to certify their effectiveness. After that, the external auditors are supposed to attest to your assertions. Obviously, there has to be a well-defined basis before you can make such assertions and auditors can attest to anything.

In the language of auditors, this ?well-defined basis? is known as a control framework. Simply put, once you certify the presence of adequate internal controls in your organisation, the external auditor will ask, ?What control framework did you use??

Knowing what control framework you employed will help external auditors determine how to proceed with their evaluations and tests. For your part, a control framework can serve as a guide to help you work towards specific objectives for achieving compliance. Both of you can use it as a common reference point before drawing any conclusions regarding your controls.

But there are many control frameworks out there. What should you use?

How SOX, COSO, and COBIT fit together

Fortunately, despite SOX?s silence regarding control frameworks, you aren’t left entirely to your own devices. You could actually take a hint from the SEC and PCAOB, two of the lead organisations responsible for implementing SOX. SEC and PCAOB point to the adoption of any widely accepted control framework.

In this regard, they both highly endorse COSO, a well-established internal control framework formulated by the Committee of Sponsoring Organisations of the Treadway Commission (COSO). Now, I must tell you, if you’re looking specifically for instructions pertaining to IT controls, you won’t find those in COSO either.

Although COSO is the most established control framework for enterprise governance and risk management you’ll ever find (and in fact, it’s what we recommend for your general accounting processes), it lacks many IT-related details. What is therefore needed for your IT processes is a framework that, in addition to being highly aligned with COSO, also provides more detailed considerations for IT.

This is where COBIT fits the bill.

How COBIT can contribute to your regulatory compliance endeavors

COBIT builds upon and adheres with COSO while providing a finer grain of detail focused on IT. You can even find a mapping between COBIT IT processes and COSO components within the COBIT document itself.

Designed with regulatory compliance in mind, COBIT lays down a clear path for developing policies and good practice for IT control, thus enabling you to bridge the gap between control requirements, technical issues, and business risks.

Some of the components you’ll find in COBIT include:

IT control objectives

These are statements defining specific desired results that, as a whole, characterise a well-managed IT process. They come in two forms for each COBIT-defined IT process: a high-level control objective and a number of detailed control objectives. These objectives will enable you to have a sense of direction by telling you exactly what you need to aim for.

Maturity models

These are used as benchmarks that give you a relative measurement stating where your level of management or control over an IT process or high-level control objective stands. It serves as a basis for setting as-is and to-be positions and enables support for gap analysis, which determines what needs to be done to achieve a chosen level. Basically, if a control objective points you to a direction, then its corresponding maturity model tells you how far in that direction you’ve gone.

RACI charts

These charts tell you who (e.g. CEO, CFO, Head of Operations, Head of IT Administration) should be Responsible, Accountable, Consulted, and Informed for each activity.

Goals and Metrics

These are sets of goals along with the corresponding metrics that allow you to measure against those goals. Goals and metrics are defined in three levels: IT goals and metrics, which define what business expects from IT; process goals and metrics, which define what the IT process should deliver to support It’s objectives; and activity goals and metrics, which measure how well the process is performing.

In addition to those, you’ll also find mappings of each process to the information criteria involved, IT resources that need to be leveraged, and the governance focus areas that are affected.

Everything is presented in a logical and manageable structure, so that you can easily draw connections between IT processes and business goals, which will in turn help you decide what appropriate governance and control is needed. Ultimately, COBIT can equip you with the right tools to maintain a cost-benefit balance as you work towards achieving SOX compliance.

Check our similar posts

How Small Irish Businesses Avoid the GDPR Sting

Accountants providing chartered accounting services and tax advice are alerting smaller Irish companies to the consequences of the pending General Data Protection Regulation (GDPR). They believe these are going to feel the most pain come 25 May 2018, if they do not implement GDPR by then. We are trying our best to help avoid this situation by providing advice.

How to Kick the GDPR Ball into Play

The Irish Information Commissioner?s Office has produced a toolkit regarding where?s best to start. They suggest beginning with an information security assessment to determine the gaps companies need to close. Once quantified, this leads naturally to a plan of action, and resources needed to fulfil it. Here?s how to go about it:

1. Start by assessing your current ability to identify, assess, and manage threats to customer data security. Have you done anything at all to date? You must be holding some customer information surely, and it is highly likely the GDPR applies to you.

2. Next, review your company?s current customer data security policies. Are they documented and approved, or do new employees discover them sitting next to Nellie? Rate yourself on a scale where ten is successful implementation.

3. Now consider how well you have pinned responsibilities on individuals to implement policies and take the lead on GDPR. The latter should be the business owner, or a board member with clout to make things happen.

4. By now, you should have a grasp of the scale of work ahead of you, remembering the EU deadline is 25 May 2018. If this sounds overwhelming, consider outsourcing to your accountant or a specialist provider.

5. Under the General Data Protection Regulation you have only 72 hours to report a breach of customer data security to the Information Commissioner?s Office. Do you have a quality assurance mechanism to oversee this?

Tangible Things to Bring Your Own People on Board

With all the changes going on, there is a risk of your employees regarding GDPR as ?another management idea going nowhere.? Thus, it is important to incorporate the new EU regulations in staff training, particularly with regard to data security generally. They may fully come on board only once they see tangible signs of progress. You should in any case put the following measures in place unless you already have them:

1. A secure area for your servers and for any paperwork your customers provided. This implies access control on a need-to-know basis to protect the information against loss, damage, and theft.

2. A protocol for storage media and record disposal when you no longer require them or something supersedes them. You are the custodian of other people?s information and they deserve nothing less.

3. Procedures to secure customer data on employee mobile devices and computers: This must extend to work done at home, at consultant sites, and by remote workers.

4. Secure configuration of all existing and new hardware to minimise vulnerability and storage media crashes. These quality assurance measures should extend to removable media and remote backups.

So Is This the Worst of the Pain?

We are at the heart of the matter, although there is more to tell in future articles. You may be almost there, if you already protect your proprietary information. If not, you may have key company information already open to malware.We should welcome the EU General Data Protection Regulation as a notice that it is time to face up to the challenges of data protection and security generally. The age of hacking and malware is upon us. The offender could be a disgruntled employee, or your competition just down the street. It is time to take precautions.

Contact Us

  • (+353)(0)1-443-3807 – IRL
  • (+44)(0)20-7193-9751 – UK
Energy Cooperation Mechanisms in the EU

While the original mission of the European Union was to bring countries together to prevent future wars, this has spun out into a variety of other cooperative mechanisms its founders may never have dreamed of. Take energy for example, where the European Energy Directive puts energy cooperation mechanisms in place to help member states achieve the collective goal.

This inter-connectivity is essential because countries have different opportunities. For example, some may easily meet their renewable targets with an abundance of suitable rivers, while others may have a more regular supply of sunshine. To capitalise on these opportunities the EU created an internal energy market to make it easier for countries to work together and achieve their goals in cost-effective ways. The three major mechanisms are

  • Joint Projects
  • Statistical Transfers
  • Joint Support Schemes

Joint Projects

The simplest form is where two member states co-fund a power generation, heating or cooling scheme and share the benefits. This could be anything from a hydro project on their common border to co-developing bio-fuel technology. They do not necessarily share the benefits, but they do share the renewable energy credits that flow from it.

An EU country may also enter into a joint project with a non-EU nation, and claim a portion of the credit, provided the project generates electricity and this physically flows into the union.

Statistical Transfers

A statistical transfer occurs when one member state has an abundance of renewable energy opportunities such that it can readily meet its targets, and has surplus credits it wishes to exchange for cash. It ?sells? these through the EU accounting system to a country willing to pay for the assistance.

This aspect of the cooperative mechanism provides an incentive for member states to exceed their targets. It also controls costs, because the receiver has the opportunity to avoid more expensive capital outlays.

Joint Support Schemes

In the case of joint support schemes, two or more member countries combine efforts to encourage renewable energy / heating / cooling systems in their respective territories. This concept is not yet fully explored. It might for example include common feed-in tariffs / premiums or common certificate trading and quota systems.

Conclusion

A common thread runs through these three cooperative mechanisms and there are close interlinks. The question in ecoVaro?s mind is the extent to which the system will evolve from statistical support systems, towards full open engagement.

Why Predictive Maintenance is More Profitable than Reactive Maintenance

Regular maintenance is needed to keep the equipment in your facility operating normally. All machinery has a design lifespan, and your goal is to extend this as long as possible, while maintaining optimal production levels. How you go about the maintenance matters, from routine checks to repairing the damaged component parts?all before the whole unit needs to be tossed away and a new one purchased and installed. Here, we will break down the different approaches used, and show you why more industries and businesses are turning to proactive maintenance modes as opposed to the traditional reactive approaches for their?field service operations.?

Reactive Maintenance: A wait and see game

Here, you basically wait for a problem to occur, then fix it. It’s also commonly referred to as a “Run-to-Failure” approach, where you operate the machines and systems until they break. Repairs are then carried out, restoring it to operational condition.?

At face value, it appears cost-effective, but the reality on the ground is far much different. Sure, when the equipment is new, you can expect minimal cases of maintenance. During this time, there?ll be money saved. However, as time progresses there?ll be increased wear, making reliance on a reactive maintenance approach a costly endeavour. The breakdowns are more frequent, and inconsistent as well. Unplanned expenses increase operational costs, and there will be lost productivity during the periods in which the affected machinery won’t be in operation.?

While reactive maintenance makes sense when you’re changing a faulty light bulb at home, things are more complicated when it comes to dealing with machinery in industries, or for those managing multiple residential and commercial properties. For the light bulb, it’s easier to replace it, and failure doesn’t have a ripple effect on the rest of the structures in the household. For industries, each time there is equipment failure, you end up with downtime, production can grind to a halt, and there will be increased environmental risks during equipment start-up and shutdown. If spare parts are not readily available, there will be logistical hurdles as you rush the shipping to get the component parts to the facility. Add this to overworked clients in a bit to complete the repair and to make up for lost hours and delayed customer orders.

For field service companies, more time ends up being spent. After all, there?s the need of knowing which parts needed to be attended to, where they are, and when the servicing is required. Even when you have a planned-out schedule, emergency repairs that are required will force you to immediately make changes. These ramps up the cots, affecting your operations and leading to higher bills for your client. These inconveniences have contributed to the increased reliance on?field service management platforms that leverage on data analytics and IoT to reduce the repair costs, optimise maintenance schedules, and?reduce unnecessary downtimes?for the clients.

Waiting for the machinery to break down actually shortens the lifespan of the unit, leading to more replacements being required. Since the machinery is expected to get damaged much sooner, you also need to have a large inventory of spare parts. What’s more, the damages that result will be likely to necessitate more extensive repairs that would have been needed if the machinery had not been run to failure.?

Pros of reactive maintenance

  1. Less staff required.
  2. Less time is spent on preparation.

Cons of reactive maintenance

  1. Increased downtime during machine failure.
  2. More overtime is taken up when conducting repairs.
  3. Increased expenses for purchasing and storing spare parts.?
  4. Frequent equipment replacement, driving up costs.?

This ?If it ain’t broke, don’t fix it? approach leads to hefty repair and replacement bills. A different maintenance strategy is required to minimise costs. Proactive models come into focus. Before we delve into predictive maintenance, let’s look at the preventive approach.?

Preventive Maintenance: Sticking to a timetable

Here, maintenance tasks are carried out on a planned routine?like how you change your vehicle?s engine oil after hitting a specific number of kilometres. These tasks are planned in intervals, based on specific triggers?like a period of time, or when certain thresholds are recorded by the meters. Lubrication, carrying out filter changes, and the like will result in the equipment operating more efficiently for a longer duration of time. While it doesn’t completely stop catastrophic failures from occurring, it does reduce the number of failures that occur. This translates to capital savings.??

The Middle Ground? Merits And Demerits Of Preventive Maintenance

This periodic checking is a step above the reactive maintenance, given that it increases the lifespan of the asset, and makes it more reliable. It also leads to a reduced downtime, thus positively affecting your company?s productivity. Usually, an 80/20 approach is adopted,?drawing from Pareto’s Principle. This means that by spending 80% of time and effort on planned and preventive maintenance, then reactive maintenance for those unexpected failures that pop up will only occur 20% of the time. Sure, it doesn’t always come to an exact 80/20 ratio, but it does help in directing the maintenance efforts of a company, and reducing the expenses that go into it.?

Note that there will need to be a significant investment?especially of time, in order to plan a preventive maintenance strategy, plus the preparation and delegation of tasks. However, the efforts are more cost effective than waiting for your systems and machinery to fail in order to conduct repairs. In fact, according to the US Dept. of Energy, a company can save between 12-18 % when using a preventive maintenance approach compared to reactive maintenance.

While it is better than the purely reactive approach, there are still drawbacks to this process. For instance, asset failure will still be likely to occur, and there will be the aspect of time and resource wastage when performing unneeded maintenance, especially when technicians have to travel to different sites out in the field. There is also the risk of incidental damage to machine components when the unneeded checks and repairs are being carried out, leading to extra costs being incurred.

We can now up the ante with predictive maintenance. Let’s look at what it has to offer:

Predictive Maintenance: See it before it happens

This builds on preventive maintenance, using data analytics to smooth the process, reduce wastage, and make it more cost effective. Here, the maintenance is conducted by relying on trends observed using data collected from the equipment in question, such as through vibration analysis, energy consumption, oil analysis and thermal imaging. This data is then taken through predictive algorithms that show trends and point out when the equipment will need maintenance. You get to see unhealthy trends like excessive vibration of the equipment, decreasing fuel efficiency, lubrication degradation, and their impact on your production capacities. Before the conditions breach the predetermined parameters of the equipment’s normal operating standards, the affected equipment is repaired or the damaged components replaced.??

Basically, maintenance is scheduled before operational or mechanical conditions demand it. Damage to equipment can be prevented by attending to the affected parts after observing a decrease in performance at the onset?instead of waiting for the damage to be extensive?which would have resulted in system failure. Using?data-driven?field service job management software will help you to automate your work and optimise schedules, informing you about possible future failures.

Sensors used record the condition of the equipment in real time. This information is then analysed, showing the current and future operational capabilities of the equipment. System degradation is detected quickly, and steps can be taken to rectify it before further deterioration occurs. This approach optimises operational efficiency. Firstly, it drastically reduces total equipment failure?coming close to eliminating it, extending the lifespan of the machinery and slashing replacement costs. You can have an orderly timetable for your maintenance sessions, and buy the equipment needed for the repairs. Speaking of which, this approach minimises inventory especially with regards to the spare parts, as you will be able to note the specific units needed beforehand and plan for them, instead of casting a wide net and stockpiling spare parts for repairs that may or may not be required. Repair tasks can be more accurately scheduled, minimising time wasted on unneeded maintenance.??

Preventive vs Predictive Maintenance?

How is predictive different from preventive maintenance? For starters, it bases the need for maintenance on the actual condition of the equipment, instead of a predetermined schedule. Take the oil-change on cars for instance. With the preventive model, the oil may be changed after every 5000?7500 km. Here, this change is necessitated because of the runtime. One doesn’t look at the performance capability and actual condition of the oil. It is simply changed because “it is now time to change it“. However, with the predictive maintenance approach, the car owner would ideally analyse the condition of the oil at regular intervals- looking at aspects like its lubrication properties. They would then determine if they can continue using the same oil, and extend the duration required before the next oil change, like by another 3000 kilometres. Perhaps due to the conditions in which the car had been driven, or environmental concerns, the oil may be required to be changed much sooner in order to protect the component parts with fresh new lubricant. In the long run, the car owner will make savings. The US Dept. of Energy report also shows that you get 8-12% more cost savings with the predictive approach compared to relying on preventive maintenance programs. Certainly, it is already far much more effective compared to the reactive model.?

Pros of Predictive Maintenance

  1. Increases the asset lifespan.
  2. Decreases equipment downtime.
  3. Decreases costs on spare parts and labour.
  4. Improves worker safety, which has the welcome benefit of increasing employee morale.
  5. Optimising the operation of the equipment used leads to energy savings.
  6. Increased plant reliability.

Cons of Predictive Maintenance

  1. Initial capital costs included in acquiring and setting up diagnostic equipment.
  2. Investment required in training the employees to effectively use the predictive maintenance technology adopted by the company.

The pros of this approach outweigh the cons.?Independent surveys on industrial average savings?after implementing a predictive maintenance program showed that firms eliminated asset breakdown by 70-75%, boosted production by 20-25%, and reduced maintenance costs by 25-30%. Its ROI was an average of 10 times, making it a worthy investment.

Ready to work with Denizon?

Contact Us Today