Which Cobit Processes Most Relate to SOX 927

  • Hi I’m interested to find out if anyone has experience of which of the COBIT processes relate to SOX.
    Last year we were audited on 12 out of the 34 processes.
    Acquire or Develop application software
    Acquire Technology Infrastructure
    Develop and maintain Policies and Procedures
    Install and Test Application Software and Technology Infrastructure
    Manage Changes
    Define and Manage Service levels
    Manage Third Party Services
    Ensure system security
    Manage the Configuration
    Manage Problems and Incidents
    Manage Data
    Manage Operations
    Of these 12 processes we had to comply with 30 out of the 60ish Illustrative controls.
    Any feedback on your experiences welcome.

  • Hi
    We’re about to switch from COSO to C4 for IT General Controls.
    We’ve sifted the Objectives and come up with a candidate list which we are going to start validating.
    You wouldn’t be happy to share your 30 odd list in an electronic format? I’d really like to compare it to our ‘IN/OUT/DUNNO’ list…
    John 🙂

  • Marge
    Those 12 objectives are the standard ones mapped to the PCAOB guidance and COSO by the ITGI in their 2004 paper on IT Control Objectives for Sarbanes-Oxley. In my view it is exactly the right set of objectives to use.
    The paper is available from the ISACA website

  • I was after the 30 odd, not the 12…
    (illustrative controls)

  • Marge,
    Please share those 30 illustrative controls. I have tons of controls (based on my tandem with Big 4 auditors during my consulting days) recommended to be implemented by our IT department. But, our IT department in connivance with the Internal Audit is not implementing those controls calling them Non Sox.
    Best regards,

  • A good presentation that was delivered by The HornMurdock Group found that CobiT contains redundancies so that complying with SOX can still be achieved by using a subset of the 34 processes and ensuring that the IT controls address the business processes leading to the production of the FS.
    Since the Big-4 and other independent auditors assess SOX compliance, the presenter suggested that it might be helpful to view CobiT in a similar context as that generally prescribed by the Big-4:
    COBIT Domain=Big-4 Dimension
    Planning and Organization=Corporate Governance
    Acquire and Implement=Change Management
    Delivery and Support=Disaster Recovery
    Monitor and Evaluate=Oversight/Management
    From the table above, it seems that you can simply map the CobiT processes to determine those that are applicable for SOX and in all likelihood, will be considered by the external auditor. This should enable you to reduce the resource requirement to comply with SOX and focus on addressing the in scope IT processes only.
    This approach might be over simplified, but it is better than to spend time unnecessarily considering all of the CobiT processes and developing process documentation or testing IT controls that may be redundantly addressed or not within scope.
    Hope this helps,

  • So does anyone have any detail to share, or are we doomed to dance around the topic.
    I’m moving from COSO to COBIT 4, and I need some definitive mapping at the Detailed Control Objective level (or lower) in the next few days, or I will have to go to detail myself (a huge effort)

  • Have you read the ITGI paper?

    The ITGI Paper dated 07/07/2004 identifies 12 COBIT objectives relevant to SOX. These 12 COBIT objectives are considered sacrosanct in scope by Ernst and Young, KPMG and PWC.
    Yesterday, I could convince my IT folks to come up with control activities fulfilling these 12 COBIT Objectives.
    We are still waiting for those 30 controls from Marge.
    Please note that Ernst and Young is also using illustrative control activities in Appendix C from the above ITGI paper as ‘Best Practices’ to educate their client.
    So the Appendix C illustrative controls are the safe harbor.

    Yes. However it is based on V3. Yes, I know I can map the differences. I don’t have time.
    I’m after practical experience in the real world, on a list of definitive items, to vet my own observations.
    I’ve been looking at it at a much lower level, so I can get more precise actions out of IT.
    Does #anyone# have a definitive list they would be happy to share?

    Mapping of Cobit 3 to Cobit 4 is in Appendix V of the Cobit 4 Document.

    What I need is a definitive list, based on practical use in a commercial environment, that defines EXACTLY the scope. I don’t want any more ISACA/ITGI documents.
    I’m not seeking education or understanding; I’m seeking validation of a position I have already made.
    If someone has gone through this pain, please step forward with my thanks and appreciation.
    Denis - if you’re hiding a light bring it out, else turn your attention elsewhere.

  • That’s pretty much what I thought.
    No-one has done the work independently.

  • There are proprietary controls which Marge and I may not share. But, I have utilized all controls illustrated under Appendix C of the ITGI Paper to come up with sets of our controls for the RACM for our IT Governance for SOX.
    The substance in COBIT 4.0 vis-à-vis COBIT 3.0 has not changed. Therefore, the ITGI paper is still relevant.
    Please try creating control activities. I may share a public document to facilitate your efforts.
    Let us know.

  • Chhaava - thanks for your response.
    I’m nervous about whether Appendix C is complete, for a multinational NYSE listed company with about USD600M turnover in the medical area. I can see a lot more that could be in scope (devil in the detail).
    I’m also interested whether any of the illustrative controls have been shown to be weak or out of scope.
    Because I’m doing a transformation from a very ordinary COSO model to C4, I want to see if there are any opportunities for scope reduction. I’ve now got less than a week to get it all done…

    COBIT 4.0 does not affect SOX efforts. I have utilized those Appendix C illustrative controls on a variety of clients in different industries, viz. Courier, Franchise, Manufacturing, Transit, Public Transportation, Education etc. They are indeed pervasive.
    So go ahead fine tune those controls to suit your environment.
    All the best.
    Nothing is out of scope in those controls. E.g. those illustrative controls do not cover disaster recovery, as disaster recovery (business contingency planning) is out of scope for SOX.

  • I’m nervous about whether Appendix C is complete, for a multinational NYSE listed company with about USD600M turnover in the medical area. I can see a lot more that could be in scope (devil in the detail).

    We have applied Cobit in a company 50 times larger than yours, you shouldn’t worry about that.
    I’m also interested whether any of the illustrative controls have been shown to be weak or out of scope.

    The illustrative controls are… well… just illustrative. This may be the reason you are getting frustrated with the lack of a firm answer to your questions.
    What is important is the control objectives, as these represent the risks that you are expected to control; the ITGI paper narrows down the list of Cobit objectives to the ones that you need to meet for Sox. The illustrative controls represent, typically, how you might control those risks, and many companies have sought to include these in their organisational IT standards. However, you could implement none of these and still be controlled, or all of them and not be. What is required is, on a system by system basis, to determine what controls are appropriate for that system in your organisation; the illustrative controls can help you in this, but it ultimately requires judgement.
    I know that life would be much easier if you could just follow a checklist, but sorry, life ain’t like that any more.
