Control Methodologies

• E

  SOX Compliance and BS7799 Part 2: 2002 150
  • Einstain  

  23
  0
  Votes
  23
  Posts
  1674
  Views

  H

  Nothing left to comment on. Perfectly right.
• S

  No doubt a dumb question that everyone knows the answer to.. 483
  • SOX-Migration  

  8
  0
  Votes
  8
  Posts
  581
  Views

  S

  Sure. Email me at 1193 at marklavender.com and I will send you everything I have already plus anything I discover through this site. Mark
• A

  Resource question. 371
  • angidstro  

  22
  0
  Votes
  22
  Posts
  1302
  Views

  S

  Hi there, What you to do is to look at SoX from a business prospective. you do not need to be an IT guru to implement COBIT. Regards
• L

  COSO, COBIT, ITIL 493
  • lekatis  

  12
  0
  Votes
  12
  Posts
  950
  Views

  L

  Should you discuss it with your external auditors? What do you believe about that? :roll:
• S

  Cobit Control Objective and Sox Compliancy 658
  • SOX-Migration  

  8
  0
  Votes
  8
  Posts
  544
  Views

  S

  Read Michael Ramos’ book ‘How to Comply with Sarbanes-Oxley’ Chapter 6 appendix 6D pp 197-205 good stuff :twisted:
• S

  Mapping COSO to COBIT 695
  • SOX-Migration  

  3
  0
  Votes
  3
  Posts
  344
  Views

  U

  The mapping provided by ISACA of COBIT to COSO doesn’t have all the rows mapped. There are a few that are left blank. Also I am wondering why external auditor request their clients to do the mapping themselves. Why don’t the exernal auditors rely on the mapping done already on the ISACA website? Is it because it is incomplete?
• T

  Wording of Risks, Controls, Control Activities... 893
  • Telco  

  3
  0
  Votes
  3
  Posts
  341
  Views

  M

  We do it the same - one control is one activity only.
• B

  SOX and Risk assessment 891
  • Bhoopendra  

  7
  0
  Votes
  7
  Posts
  446
  Views

  C

  I have also gone through the Q-and-A but i was just wondering how much does it takes( in time) to do Risk Assessement in a mid sized company (3K-4K people in all)with COSO ERM Framework. If anyone had used the framework in RisK Management kindly throw some light into it. The question stems from the consideration of paying money to the consultants. If its a long drawn thing then we can probably train our people and let them do it rather then hiring external consultants. I am also not sure though whether people with diverse background like Finance and IT can be trained to do that. Since Entity level risk assessment and top down approach of testing is going to be central can someone clarify on these things. thanks CH
• B

  ICO and CLQ...what are they......... 899
  • Bhoopendra  

  3
  0
  Votes
  3
  Posts
  342
  Views

  C

  my two cents, After complains from variuos user groups that the control objectives are two numerous the PCAOB has reorganized the CO from ‘Plan and Organize’ and ‘Monitor and Evaluate’ Section of COBIT framework as CLQ. Thats Company Level IT control Environment Questionnaire The other two sections got replaced by ICO or Illustrative control Objectives. Pls correct me if i m wrong. Thanks CH
• M

  Anti-fraud controls 925
  • Mocha  

  3
  0
  Votes
  3
  Posts
  268
  Views

  D

  Fraud is a tricky one as you need not have specific control objectives nor specific controls to address fraud - the requirement of the SOXA is not that specific. Most projects I’ve worked on have addressed fraud in a far more generic way. Sometimes by describing the inherent fraud risk in significant accounts e.g. High for cash and describing how these inherent risks are addressed e.g. segregation of duties plus relevant prevent AND detect controls. Other projects have justified that the exisitng control objectives and process documentation sufficiently address fraud risk without making it explicit.
• R

  CobiT Usage under SOX 949
  • RGSA  

  2
  0
  Votes
  2
  Posts
  206
  Views

  U

  haven’t seen any recent studies on it. It would be interesting to know. there was a survey conducted in 2002 before SOX really hit. COBIT 3rd Edition Usage Survey: Growing Acceptance of COBIT isaca.org/Template.cfm?Section=Journal-and-CONTENTID=16121-and-TEMPLATE=/ContentManagement/ContentDisplay.cfm
• S

  SOX - Company Level Controls - Tone at the Top 810
  • sox404  

  8
  0
  Votes
  8
  Posts
  819
  Views

  S

  Hi Soxbrief, I quite glad to read what you wrote about the company level controls. I went to PCAOB web to find the guidance of May you referred. Could you give me the web address where to find this document? THanks Sorry for the slow response. Here is the website for the guidance. http://www.pcaobus.org/News-and-Events/News/2005/05-16.aspx You can also read about our views on how the guidance should be implemented at our website at soxbriefs.com
• R

  How to Perform Test of Design for hysical Segreg of Duties 936
  • Ramonb5  

  3
  0
  Votes
  3
  Posts
  316
  Views

  K

  Ther are two ‘tests’ to be performed - Design effectiveness and Control operational effectiveness. Design effectiveness is as simple as concluding that if the control is working as intended, the identified risks are reduced to an acceptable level. Operational effectiveness is the physical test to determine whether or not the control is working. In some cases, this is through inquiry and observation - what is necessary to gain access to the building? who grants this access? what systems are involved? who has security to access those systems? are there reports to show who has been granted / denied access? who reviews them? what are they used for? It seems like you should be able to test these controls by asking the right questions and then, if systems or reports are involved, following the trail to see where it leads.
• W

  SOX and BS7799 part 2 345
  • wills  

  7
  0
  Votes
  7
  Posts
  483
  Views

  P

  Generally, If COBIT is use to audit the IT general controls, then I would say you are pretty much in line with ISO/IEC17799. However, to achieve BS7799 Part 2 certification, there may be some re-alignment of document and of course lets not forget what is the scope.
• M

  COSO: Guidance for Smaller Public Companies 1123
  • milan  

  2
  0
  Votes
  2
  Posts
  250
  Views

  N

  Do anyone know the guideline or sample of test plan? Do anyone or any website post on website,if yes , could you please let us know? Share experience together [/quote]
• A

  COBIT 4.0 with sox 1243
  • amit_awestruck  

  2
  0
  Votes
  2
  Posts
  241
  Views

  L

  Amit, In order to comply with Sarbanes Oxley, you need to understand the COSO framework. The most important message from COSO: Before speaking about risks, have business objectives. The real risk is not to meet these objectives. MISSION… STRATEGY… ENTITY WIDE OBJECTIVES… ACTIVITY WIDE OBJECTIVES… RISKS (not to meet these objectives)… CONTROLS (what you do for these risks). This is the COSO risk assessment. We do not speak about risks from hackers and enemies… we speak about the risk not to meet our business objectives. COBIT (version 3 and 4) has ready IT objectives. You do not have to comply with COBIT, you only ‘borrow’ these IT objectives and use them in your COSO documentation
• R

  ERM 1241
  • RJ  

  5
  0
  Votes
  5
  Posts
  365
  Views

  R

  Calvin, I hadn’t thought of that magazine either. I’ll check out magazines for verification. I may also try to contact the companies directly to verify if ERM is in place. Thanks, RJ
• S

  COBIT version 4 675
  • SOX_Monster  

  2
  0
  Votes
  2
  Posts
  261
  Views

  A

  Yes, Please read the COBIT 4.0 Manual available on ISACA.org This was released on 16th Dec 2005; Refer to Page 181 : Detailed Control Objectives It states that the Components have been reduced by almost one third from 318 to 215 ; The reasons are also specified
• R

  Draft copy of _and_quot;Guidance for Smaller Public Companies.._and_ 1334
  • rm81  

  4
  0
  Votes
  4
  Posts
  338
  Views

  R

  Hi, Just a quick message to thank you guys for replying. Has been an enormous help - it’s reassuring to know that there are people out there who are willing to help one another. Once I’m up and running, I’d love to be able to return the favour. Thanks again, Roshni
• M

  Which Cobit Processes Most Relate to SOX 927
  • marge  

  17
  0
  Votes
  17
  Posts
  846
  Views

  D

  I’m nervous about whether Appendix C is complete, for a multinational NYSE listed company with about USD600M turnover in the medical area. I can see a lot more that could be in scope (devil in the detail). We have applied Cobit in a company 50 times larger than yours, you shouldn’t worry about that. I’m also interested whether any of the illustrative controls have been shown to be weak or out of scope. The illustrative controls are… well… just illustrative. This may the reason you are getting frustrated with the lack of a firm answer to your questions. What is important is the control objectives as these represent the risks that you are expected to control, the ITGI paper narrows down the list of Cobit objectives to the ones that you need to meet for Sox. The illustrative controls represent, typically, how you might control those risks and many companies have sought to include these in their organisational IT standards. However you could implement none of these and still be controlled or all of them and not be. What is required is on a system by system basis to determine what controls are appropriate for that system in your organisation the illustrative controls can help you in this but it ultimately requires judgement. I know that life would be much easier if you could just follow a checklist, but sorrylife ain’t like that any more.