Pull your SOX up with COBIT 5


Even more than a decade on, who can forget the corporate and financial scandals of the early millennium? Most memorable for a global audience were Enron and WorldCom, where financial and audit management systems, and general governance practices, were laid bare and exposed as grossly deficient, ultimately playing contributory roles rather than the preventative ones for which they were designed. In the case of Enron, we saw the demise of one of the US’s most esteemed, prominent and renowned audit and advisory firms, Arthur Andersen, amidst a scandal deemed the biggest audit failure the world had ever seen. As companies collapsed and investors lost billions of dollars, public confidence in the US securities market, both at home and abroad, reached level zero.

Good corporate governance, or the lack thereof, and (poor) internal controls had been unceremoniously thrust into the limelight, and US regulators were swift to enact measures to avoid any similar catastrophes in the future. And so in 2002 SOX was born, as the “Act to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes”. At the very heart of SOX was, and is, information; and what we know today, in this age of information and the pervasiveness of technology, is that technology and information go hand in hand. So as the act directed focus onto the accuracy and reliability of information, focus shifted onto information technology as well, and the regulatory-driven needs of Enterprise IT governance and management were set in motion. This, coincidentally, is exactly why, still to this day, many believe that SOX is a piece of IT legislation…

From its inception, SOX placed a new level of pressure and demand on auditing entities, who in turn feverishly sought out the best ways and means to ensure compliance with the prescriptions of the new act. Covering a range of issues including corporate governance, internal controls and financial disclosure, SOX compliance for any publicly traded company meant a direct dependency on IT systems, processes and controls, which for many organizations were previously ‘out of sight, out of mind’. Many IT departments were still in the broom cupboard… so to speak, and sometimes quite literally. But information technology suddenly had a new role, a fresh mandate straight up to the Boardroom, and the reliance on information and technology was now mission critical.

Enterprises turned to auditors, who turned to COBIT, and from then right up to the current day most enterprises and auditors alike utilize none other than COBIT 5 to assist them in achieving and sustaining their SOX compliance. COBIT 5, the business framework for the Governance and Management of Enterprise IT, introduced in this, its latest incarnation, a dedicated and comprehensive focus on Governance. As COBIT 5 Task Force co-chair Derek Oliver noted when the updated framework was released, Sarbanes-Oxley is "about corporate governance, but if you can get IT right, that really drives the compliance requirements for Sarbanes-Oxley … One principle of COBIT 5 is working to meet stakeholder needs. When you're looking at COBIT, you say, who is the stakeholder? One stakeholder could be a regulatory body."

Throughout COBIT 5 there are key processes, practices and activities, combined with a cascade of goals from Stakeholders (needs) down to Enterprise and on to IT, to ensure that the organization considers and is positioned to comply with the requirements imposed by external entities like governmental bodies, regulators, industry mandates as well as internal policies. It should come as no surprise that COBIT 5 is the framework of choice when organizations are looking to implement or improve their compliance through effective and efficient governance and management of their Enterprise IT. The internationally recognized COBIT 5 framework helps IT, audit and finance professionals, and enterprise leaders fulfil their IT governance responsibilities while delivering value to the business. COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. And in COBIT 5, IT Governance, being a subset of Corporate Governance, ensures that enterprise objectives are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives.

Compliance in COBIT 5 is ingrained in both the Governance and Management areas. Both the Ensure Governance Framework Setting and Maintenance and the Ensure Stakeholder Transparency processes within the Governance area are key in evaluating, setting and monitoring compliance. In the Monitor, Evaluate and Assess domain, within the Management area, there is a dedicated compliance-focused process, Monitor, Evaluate and Assess Compliance with External Requirements (MEA03), designed to:

  • Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements.
  • Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
  • Ensure that the enterprise is compliant with all applicable external requirements.

Legal and regulatory compliance is a key part of the effective governance of an enterprise, hence its inclusion in the GRC term and in the COBIT 5 Enterprise Goals and supporting enabler process structure (MEA03).

Further processes such as Manage Strategy; Monitor, Evaluate and Assess the System of Internal Control; Manage the IT Management Framework; Manage Change Acceptance and Transitioning; and Manage Business Process Controls, to name a few, all incorporate practices and activities directly for the purposes of active compliance. In fact, all enterprise activities in COBIT 5 include control activities that are designed to ensure compliance not only with externally imposed legislative or regulatory requirements but also with enterprise governance-determined principles, policies and procedures.

But it’s not just processes, practices and activities. COBIT 5 takes it even further, suggesting accountabilities and responsibilities for enterprise roles and governance/management structures (RACI charts) for each process, and these specifically include a role for Compliance.

Not to mention COBIT 5’s mapping of Enterprise goals (example: Compliance with external laws and regulations) to IT-related goals (example: IT compliance and support for business compliance with external laws and regulations) and on to IT-related processes (example: Monitor, Evaluate and Assess Compliance With External Requirements), for ensuring that stakeholders’ compliance needs are being fully satisfied. COBIT 5 is truly compliance comprehensive!

Globalization, worldwide recessions and financial crises, exponential data growth and the advent of Big Data, and a complex, continuously evolving legal, regulatory and compliance landscape for every industry have created unprecedented information and technology governance challenges for corporate executives. But with COBIT 5 comes a way and a means to leapfrog such challenges and obstacles, utilizing world-leading and globally proven governance and management principles to effectively and efficiently ensure compliance by Enterprise IT for the organization. COBIT 5 is able to assist your organization in its compliance challenge today, creating maximum value from your investments in IT by realizing benefits, reducing risks and optimizing costs whilst ensuring the availability, reliability and accuracy of information demanded for compliance purposes.

Some say SOX means ‘Comply or Else’; others prefer to say laws and regulations are ‘Comply or Explain’. But whatever the slogan, the last thing that any C-level executive wants to happen in this millennium is to get caught with their compliance pants down. So when it comes to compliance, there is never a better time than the present to pull your SOX up and choose COBIT 5. That’s one choice that will certainly pay dividends!

Additional reading:

  • COBIT 5 for Information Assurance (The planned COBIT 5 for Assurance guide explains how auditors can provide independent assurance of compliance and adherence to internal policies derived from internal directives or external legal, regulatory or contractual requirements, confirming that any corrective actions to address any compliance gaps have been taken by the responsible process owner in a timely manner.)
  • COBIT 5 for Information Security
  • EDM01 Ensure Governance Framework Setting and Maintenance Audit/Assurance Program