Which Cobit Processes Most Relate to SOX 927



  • Marge,
    Please share those 30 illustrative controls. I have tons of controls (based on my tandem with Big 4 auditors during my consulting days) recommended to be implemented by our IT department. But our IT department, in connivance with Internal Audit, is not implementing those controls, calling them non-SOX.
    Best regards,
    Ari



  • A good presentation that was delivered by The HornMurdock Group found that CobiT contains redundancies, so that complying with SOX can still be achieved by using a subset of the 34 processes and ensuring that the IT controls address the business processes leading to the production of the FS.
    Since the Big-4 and other independent auditors assess SOX compliance, the presenter suggested that it might be helpful to view CobiT in a similar context to that generally prescribed by the Big-4:
    COBIT Domain            = Big-4 Dimension
    Planning and Organization = Corporate Governance
    Acquire and Implement     = Change Management
    Delivery and Support      = Disaster Recovery
    Monitor and Evaluate      = Oversight/Management
    From the table above, it seems that you can simply map the CobiT processes to determine those that are applicable for SOX and, in all likelihood, will be considered by the external auditor. This should enable you to reduce the resource requirement to comply with SOX and focus on addressing the in-scope IT processes only.
    This approach might be oversimplified, but it is better than spending time unnecessarily considering all of the CobiT processes and developing process documentation or testing IT controls that may be redundantly addressed or not within scope.
    Hope this helps,
    Milan



  • So does anyone have any detail to share, or are we doomed to dance around the topic?
    I’m moving from COSO to COBIT 4, and I need some definitive mapping at the Detailed Control Objective level (or lower) in the next few days, or I will have to go to detail myself (a huge effort).



  • Have you read the ITGI paper?



  • The ITGI paper dated 07/07/2004 identifies 12 COBIT objectives relevant to SOX. These 12 COBIT objectives are considered sacrosanct (in scope) by Ernst and Young, KPMG and PWC.
    Yesterday, I was able to convince my IT folks to come up with control activities fulfilling these 12 COBIT objectives.
    We are still waiting for those 30 controls from Marge.
    Please note that Ernst and Young is also using the illustrative control activities in Appendix C of the above ITGI paper as ‘Best Practices’ to educate their clients.
    So the Appendix C illustrative controls are the safe harbor.



  • Yes. However, it is based on V3. Yes, I know I can map the differences; I don’t have time.
    I’m after practical experience in the real world, on a list of definitive items, to vet my own observations.
    I’ve been looking at it at a much lower level, so I can get more precise actions out of IT.
    Does #anyone# have a definitive list they would be happy to share?



  • The mapping of COBIT 3 to COBIT 4 is in Appendix V of the COBIT 4 document.



  • What I need is a definitive list, based on practical use in a commercial environment, that defines EXACTLY the scope. I don’t want any more ISACA/ITGI documents.
    I’m not seeking education or understanding; I’m seeking validation of a position I have already taken.
    If someone has gone through this pain, please step forward with my thanks and appreciation.
    Denis - if you’re hiding a light bring it out, else turn your attention elsewhere.



  • That’s pretty much what I thought.
    No-one has done the work independently.



  • There are proprietary controls which Marge and I may not share. But I have utilized all the controls illustrated under Appendix C of the ITGI paper to come up with sets of our controls for the RACM for our IT governance for SOX.
    The substance in COBIT 4.0 vis-à-vis COBIT 3.0 has not changed. Therefore, the ITGI paper is still relevant.
    Please try creating control activities. I may share a public document to facilitate your efforts.
    Let us know.



  • Chhaava - thanks for your response.
    I’m nervous about whether Appendix C is complete, for a multinational NYSE listed company with about USD600M turnover in the medical area. I can see a lot more that could be in scope (devil in the detail).
    I’m also interested whether any of the illustrative controls have been shown to be weak or out of scope.
    Because I’m doing a transformation from a very ordinary COSO model to C4, I want to see if there are any opportunities for scope reduction. I’ve now got less than a week to get it all done…



  • COBIT 4.0 does not affect SOX efforts. I have utilized those Appendix C illustrative controls at a variety of clients in different industries, viz. courier, franchise, manufacturing, transit, public transportation, education, etc. They are indeed pervasive.
    So go ahead and fine-tune those controls to suit your environment.
    All the best.
    Nothing is out of scope in those controls. For example, those illustrative controls do not cover disaster recovery, as disaster recovery (business contingency planning) is out of scope for SOX.



  • > I’m nervous about whether Appendix C is complete, for a multinational NYSE listed company with about USD600M turnover in the medical area. I can see a lot more that could be in scope (devil in the detail).

    We have applied CobiT in a company 50 times larger than yours; you shouldn’t worry about that.

    > I’m also interested whether any of the illustrative controls have been shown to be weak or out of scope.

    The illustrative controls are… well… just illustrative. This may be the reason you are getting frustrated with the lack of a firm answer to your questions.
    What is important are the control objectives, as these represent the risks that you are expected to control; the ITGI paper narrows down the list of CobiT objectives to the ones that you need to meet for SOX. The illustrative controls represent, typically, how you might control those risks, and many companies have sought to include these in their organisational IT standards. However, you could implement none of these and still be controlled, or all of them and not be. What is required is to determine, on a system-by-system basis, what controls are appropriate for that system in your organisation; the illustrative controls can help you in this, but it ultimately requires judgement.
    I know that life would be much easier if you could just follow a checklist, but sorry, life ain’t like that any more.

