Cobit Control Objective and Sox Compliancy

  • Does anyone have a one-pager on which Control Objectives have to be met in order to be SOX compliant?

  • Sorry, but there is no ‘one pager’ that can give you what you are looking for.

  • I have read the IT Control Objectives for Sarbanes-Oxley many times and agree that implementing all these control objectives would probably lead to full compliance.
    However, realistically speaking it is a daunting task to expect any IT department to be fully COBIT compliant. Surely it must be better to narrow down on specific Control Objectives necessary for compliance.
    I would like to know how others went about to determine which COBIT control objectives to include in their scope.

  • It consists of, I think, 12 main sections…
    If you find 1 primary control for each one of those sections I think you’re on a good way towards compliance.
    My experience is that you don’t need to have 110% of the controls in place.

    The main domains are:
    • PO - Plan and Organize
    • AI - Acquire and Implement
    • DS - Deliver and Support
    • M - Monitor and Evaluate

    PO - Plan and Organize
    • PO1 - Define a strategic IT plan
    • PO2 - Define the information architecture
    • PO3 - Determine the technological direction
    • PO4 - Define the IT organization and relationships
    • PO5 - Manage the investment
    • PO6 - Communicate management aims and directions
    • PO7 - Manage human resources
    • PO8 - Ensure compliance with external requirements
    • PO9 - Assess risks
    • PO10 - Manage projects
    • PO11 - Manage quality

    AI - Acquire and Implement
    • AI1 - Identify solutions
    • AI2 - Acquire and maintain application software
    • AI3 - Acquire and maintain technology architecture
    • AI4 - Develop and maintain IT procedures
    • AI5 - Install and accredit systems
    • AI6 - Manage changes

    DS - Deliver and Support
    • DS1 - Define service levels
    • DS2 - Manage third-party services
    • DS3 - Manage performance and capacity
    • DS4 - Ensure continuous service
    • DS5 - Ensure system security
    • DS6 - Identify and attribute costs
    • DS7 - Educate and train users
    • DS8 - Assist and advise IT customers
    • DS9 - Manage the configuration
    • DS10 - Manage problems and incidents
    • DS11 - Manage data
    • DS12 - Manage facilities
    • DS13 - Manage operations

    M - Monitor and Evaluate
    • M1 - Monitor the processes
    • M2 - Assess the internal control adequacy
    • M3 - Obtain independent assurance
    • M4 - Provide for independent audit

  • The parts I was talking about were:

    • Acquire or Develop Application Software
    • Acquire Technology Infrastructure
    • Develop and Maintain Policies and Procedures
    • Install and Test Application Software and Technology Infrastructure
    • Manage Changes
    • Define and Manage Service Levels
    • Manage Third Party Services
    • Ensure System Security
    • Manage Configuration
    • Manage Problems and Incidents
    • Manage Data
    • Manage Operations

    These are the headings in Appendix C of IT Control Objectives for SOx.

  • Read Michael Ramos’ book ‘How to Comply with Sarbanes-Oxley’, Chapter 6, Appendix 6D, pp. 197-205.
    Good stuff.
