Project on Sarbanes Oxley IT controls Requirement and ITIL 1600



  • I have been allocated a project where I have to find out what the specific IT controls are that are needed for Section 404, 409, and 802. Then, after finding the required IT controls, my task is to try to map these controls onto what ITIL proposes as best practice. As far as I have read, COBIT is the only framework that has been developed so far that contains control objectives that companies must use in order to be SOX compliant. Now my task here is difficult, since I have to use ITIL to demonstrate how some of the SOX IT controls can be met by ITIL. My initial idea is to find the IT controls that are required to be compliant with SOX (can anybody guide me on where I can find those required IT controls, including general IT controls, application controls, etc.?) and then I will look into the COBIT framework to find the high-level and lower-level controls and will try to map them onto ITIL. That’s the biggest part of the project. For the second part, I will have to produce a grid showing the IT controls and the relevant areas that can be addressed by ITIL. The third part is to find out the roadmap for compliance with SOX (can be found; some guidance from you guys is required though) and a roadmap to implement ITIL best practices in respect of SOX. I will also have to use capability maturity models to show how each technique can be achieved.
    The problem is I have only 2 and 1/2 months to investigate and submit a project on that. I really need help and guidance, as my supervisor does not know much about SOX.



  • Hi,
    I believe that as a starting point, you might find a document, ‘CobiT Mapping, Overview of International IT Guidance, 2nd Edition’ helpful to your assignment.
    The link is below:
    Be sure to insert www. in front as this site does not allow hyperlinking.
    isaca.org/Template.cfm?Section=Research2-and-CONTENTID=24812-and-TEMPLATE=/ContentManagement/ContentDisplay.cfm
    isaca.org/AMTemplate.cfm?Section=Deliverables-and-Template=/ContentManagement/ContentDisplay.cfm-and-ContentID=24759
    Good luck,
    Milan



  • Thanks for the reply. I’m having a difficulty here in understanding the following; any comments and good explanations about it would be very useful:
    I have seen the document ‘IT Control Objectives for Sarbanes-Oxley’ that states the 12 general IT control objectives to be compliant with SOX.
    Those high-level control objectives are mapped onto COBIT. Then in COBIT I can see sub-levels of control objectives. My questions and doubts are:

    1. Are these control objectives IT controls in themselves?
    2. COBIT is a framework for IT governance, a set of best practices that says ‘what should be done to achieve IT governance’ but does not state how to achieve it. Does ITIL tell you how to achieve these objectives?
    3. Thanks for the COBIT mapping document you sent me, I have got it now, but I need to get a clear idea about COBIT.
    Regards


  • Dear nawazx,
    Your questions:

    1. Are these control objectives IT controls in themselves?
       No. First you have business objectives, then you need controls to achieve these objectives. Establishing objectives is a prerequisite to effective internal controls. Objectives provide the measurable targets toward which the entity moves in conducting its activities.
    2. COBIT is a framework for IT governance, a set of best practices that says ‘what should be done to achieve IT governance’ but does not state how to achieve it. Does ITIL tell you how to achieve these objectives?
       All these are frameworks. A framework is always general; there are no details on how to achieve your objectives. Having said that, ITIL is more practical (and more service-delivery specific).
       Be careful. You do not have to comply with COBIT or ITIL. You have to comply with SOX using the COSO framework enterprise-wide. Yes, in the IT environment we do use something from COBIT: the objectives.
    3. We follow COSO enterprise-wide.
    4. We have to do a risk assessment using COSO.
    5. What is the risk? Not meeting our business objectives; forget hackers, enemies and vulnerabilities.
    6. What are the objectives in IT? We borrow the COBIT objectives, and we use them in our COSO risk assessment.


  • Look at the ‘IT Control Objectives for Sarbanes-Oxley’ Exposure Draft; you can see the control objectives, the controls they are mapped to, and the test procedures. A single control objective is usually met by multiple controls.
    Once you are settled on the controls from there, trace them back to COBIT and then map them using the COBIT and ITIL mapping document provided on the ISACA website. You may need ISACA membership for it.
    Calvin

