Applying COBIT to New Projects 1808



  • My company is SOx compliant and maintains this on a quarterly/yearly basis. They have given me the challenge of creating a ‘template’ for applying SOx to any new projects that are deemed to have a potentially significant impact on the financials (material, close to cash, etc.).
    We use COBIT 4.0 and have selected 11 of the objectives to apply to major projects. Not all projects will require all of these, for example, the first one is an acquisition where we are receiving a huge amount of data that results in a financial impact.
    Looking for any information on the types of controls to use for these projects, as a start I am using requirements from our IT project office (i.e. AFE, security reviews, testing documentation).
    Thanks



  • Hi and welcome to the forums 🙂
    Some suggested controls that you may or may not be using today might include:

    1. Project Management - Develop formal project plans for all major endeavors. Include SOX requirements as part of your PM methodology, your overall IT standards, etc. – so that this is built into the framework up front.
      please add www and paste into browser
      allpm.com/index.php?name=PNphpBB2-and-file=viewtopic-and-t=205
    2. Security Design Walkthroughs - As SOX 404 standards and COBIT 4.0 requirements must be met for financial systems, design security and workflow controls up front (rather than as an after thought or trying to retrofit them in). Get the blessings of IT Security professionals and audit on the designs.
    3. Change Control - Control and promote even your test libraries (e.g., from alpha to beta to QA testing to production, or as you have this currently defined in your own company). Set up efficient development standards.
    4. Change Management - Set up an email group of all team members, stakeholders, VIPs, etc. and regularly communicate major project milestones, issues, and other events.
    5. Reconciliation - When migrating from an older application give careful attention to what’s required to ensure the new system is on solid ground in migrating financial history over. Work with the users and auditors to plan these requirements thoroughly and what needs to occur to formally validate results in the new system.
    6. e-Library - In one company where I helped develop IT SOX standards, we were required by our SOX compliancy leader to print a ‘forest of paper’ in addition keeping electronic versions 😞 Thus, work with audit and the users in setting up a library to store results with timestamps and other audit trails.
    7. COBIT Development template - Using Excel, MS Project, or other tools you can create an overall template of all COBIT 4.0 standards and then pick-and-choose among them on a project-by-project basis those that will be applicable. This way you can perform ‘due diligence’ by going through the complete set each time and ensuring no important IT financial controls are skipped.
      Good luck and I hope some of these ideas might help 🙂


  • Great discussion here, guys.
    Can anyone point me in the direction of where I can get a copy of COBIT 4.0?
    Thanks. Albie



  • Hi Albie - You’ll need to register with the ISACA, but I’ve just discovered they offer a free PDF version 🙂
    ISACA - Free PDF version of COBIT 4.0
    Please add paste to browser and add www
    isaca.org/cobit/
    COBIT 4.0 is here. … A complimentary PDF of COBIT 4.0 is now available. Use your existing ISACA login or register for free to download the PDF
    Some prior discussions here:
    http://www.sarbanes-oxley-forum.com/modules.php?name=Forums-and-file=viewtopic-and-t=1516



  • As a follow-up, I joined ISACA’s free limited membership program and downloaded a copy of the 2.6MB COBIT 4.0 PDF file, plus some of the 3.0 documents 🙂


Log in to reply