COBIT Control Objectives and SOX Compliance
-
Does anyone have a one-pager on which Control Objectives have to be met in order to be SOX compliant?
-
Did you read the IT Control Objectives for Sarbanes-Oxley document?
isaca.org/Content/ContentGroups/Research1/Deliverables/IT_Control_Objectives_for_Sarbanes-Oxley_7july04.pdf
-
Sorry, but there is no 'one-pager' that can give you what you are looking for.
-
I have read the IT Control Objectives for Sarbanes-Oxley many times and agree that implementing all these control objectives would probably lead to full compliance.
However, realistically speaking, it is a daunting task to expect any IT department to be fully COBIT compliant. Surely it must be better to narrow down to the specific Control Objectives necessary for compliance.
I would like to know how others went about determining which COBIT control objectives to include in their scope.
-
It consists of, I think, 12 main sections...
If you find one primary control for each of those sections, I think you're well on your way towards compliance.
My experience is that you don't need to have 110% of the controls in place.
-
COBIT
The main domains are:
- PO - Plan and Organize
- AI - Acquire and Implement
- DS - Deliver and Support
- M - Monitor and Evaluate
PO - Plan and Organize
- PO1 - Define a strategic IT plan
- PO2 - Define the information architecture
- PO3 - Determine the technological direction
- PO4 - Define the IT organization and relationships
- PO5 - Manage the investment
- PO6 - Communicate management aims and directions
- PO7 - Manage human resources
- PO8 - Ensure compliance with external requirements
- PO9 - Assess risks
- PO10 - Manage projects
- PO11 - Manage quality
AI - Acquire and Implement
- AI1 - Identify solutions
- AI2 - Acquire and maintain application software
- AI3 - Acquire and maintain technology architecture
- AI4 - Develop and maintain IT procedures
- AI5 - Install and accredit systems
- AI6 - Manage changes
DS - Deliver and Support
- DS1 - Define service levels
- DS2 - Manage third-party services
- DS3 - Manage performance and capacity
- DS4 - Ensure continuous service
- DS5 - Ensure system security
- DS6 - Identify and attribute costs
- DS7 - Educate and train users
- DS8 - Assist and advise IT customers
- DS9 - Manage the configuration
- DS10 - Manage problems and incidents
- DS11 - Manage data
- DS12 - Manage facilities
- DS13 - Manage operations
M - Monitor and Evaluate
- M1 - Monitor the processes
- M2 - Assess the internal control adequacy
- M3 - Obtain independent assurance
- M4 - Provide for independent audit
-
The parts I was talking about were:
- Acquire or Develop Application Software
- Acquire Technology Infrastructure
- Develop and Maintain Policies and Procedures
- Install and Test Application Software and Technology Infrastructure
- Manage Changes
- Define and Manage Service Levels
- Manage Third Party Services
- Ensure System Security
- Manage Configuration
- Manage Problems and Incidents
- Manage Data
- Manage Operations
These are the headings in Appendix C of IT Control Objectives for Sarbanes-Oxley.
-
Read Michael Ramos' book 'How to Comply with Sarbanes-Oxley',
Chapter 6, Appendix 6D, pp. 197-205.
Good stuff.