As a result of the numerous financial scandals at major U.S. Fortune 100 companies in the first years of the new millennium, the U.S. introduced the Sarbanes-Oxley Act of 2002.
Sarbanes-Oxley (SOX) compliance significantly impacted the IT organisation of most public companies. Most companies faced enormous challenges in just determining what impact SOX compliance had on their IT. Why? Well, it did not help matters that there is no specific mention of IT in Section 404 of the SOX Act, and, strangely, there are no specifics as to what controls had to be established within an IT organisation to comply with SOX. Everyone had to start with a blank canvas and knew that they faced creating a masterpiece; if they did not, the penalties were great!
The adoption of COBIT was encouraged as a result of the regulatory compliance required under the Act. COBIT’s guidelines and best practices have almost become the de facto standard for auditors and SOX compliance. This has been helped by the COBIT standards being platform independent, and adoption has been widespread.
My earlier blog entry explained that COBIT provides managers, auditors, process owners and IT users with a set of generally accepted measures, indicators, processes and best practices, to assist them in maximizing the benefits derived through the use of IT, and developing appropriate IT governance and control in a company.
Adopting the COBIT framework has helped, and continues to help, countless organisations meet regulatory compliance challenges, though the effort required to achieve this should not be underestimated (as organisations often do). For instance, SOX compliance must be viewed as an on-going process rather than a one-time event.
You can be assured that auditors will return periodically and demand to review evidence of the effectiveness of your on-going controls – not a pleasant experience at the best of times, but using COBIT will help make it less of an ordeal.