Control Objectives Simplify Approach
Depending on the size of a company, implementing CObIT usually takes about one year. Since the framework originates from the USA, many of its terms cannot be translated directly, and many processes must be interpreted so that they fit the company's own requirements. Nevertheless, the framework is characterized by its closeness to actual practice, because the end result is a checklist of 34 processes and 215 control objectives that a company can work through. Typical control objectives check, for example, the requirements for batch and interface processing, retention periods, the approval process for user account management, or the timely receipt of conformity certifications of adequate quality from IT service providers. COSO also demands control activities: for the purchasing process group, for example, criteria such as correct processing releases for order requests, the monitoring of purchasing environments, the clarification of inventory differences, or the correct review of advance payments and currencies can be derived. Since COSO also serves as a framework for risk management, it goes further than SOX and also takes external risks into account. Consequently, both COSO and CObIT are suitable not only for securing SOX compliance, but also for making the internal control system as a whole more powerful. Generally speaking, Anne Bernzen recommends contacting the potential auditors well in advance and concluding an agreement so that they recognize CObIT and ITIL as standards for the review of the SOX requirements. “Otherwise, companies run the risk that the auditors will make higher demands than are actually required.” By using CObIT, the expenditures in the IT environment can be clearly limited right from the start. This can also be corroborated when independent consulting companies with CObIT know-how are included.
The consulting expenditures and the fees for the audit of the annual financial statements were also identified in the Detecon studies as cost drivers: the share of expenses for auditors and consultants in the total costs of implementing SOX averages 42%. SOX and CObIT do not only cause expenses, however; they also provide benefits: “In the past, the people in charge only believed they knew their risks. Now the companies are beginning to record actual risks systematically and to alleviate their effects by initiating specific measures,” explains Detecon consultant Wolfram Hohaus. This also sharpens awareness along process lines, and employees call each other’s attention to controls that have been omitted. Implementing flexible documentation systems is in any case obligatory for future-oriented companies, especially since the 8th EU Directive will impose requirements similar to those of SOX by June 2008. “The expenditures for reviews in future will also rise because the half-life of reorganizations is becoming shorter and shorter. If documentation is not kept up to date, a company will not only fail to be in compliance with SOX, but will also lose control over its own processes.”