Once an organization has compared its policies, procedures and practices to those required by COBIT and described in ISO17799, the issue becomes how closely an organization needs to match the strict controls described in these documents. In SOX audits, the auditor is expected to interpret requirements based on whether the controls are effective in a given environment.
Factors like an organization's size can significantly affect the need for COBIT recommended interdisciplinary committees (in a small company, one person may be responsible for the entire technical environment and may naturally communicate with business "representatives"), separation of duties (there may be insufficient staff to allocate individuals to traditional roles) and multiparty approval chains.
Other requirements are likely to be subject to interpretation, as well. The level of reliability (or maturity) of certain practices and the level of documentation required may be less than the levels described in COBIT. COBIT publications describe multiple stages of reliability of a control as corresponding to the following descriptions, in increasing level of reliability:
- Initial-ad hoc
- Repeatable but intuitive
- Defined process
- Managed and measurable
Assuming that an organization is only assessing the reliability of controls it requires, it's likely that an auditor would only accept controls that are stage 3 (defined process) and above.
One of the most daunting aspects of SOX compliance is its requirement for documentation to prove that the policies and practices are in compliance. Many organizations are competent when running their businesses and IT operations, but do not document their policies, procedures, changes and authorization workflows to the degree SOX compliance requires. Organizations have to improve in this area if they are to maintain compliance.
In Compliance School, guest instructor Richard Mackey shows you exactly what you need to do to meet regulations' ongoing demands and arms you with actionable items to ensure your business remains continuously compliant. Best of all you can attend any of the following on-demand lessons when it's most convenient for you:
Ensuring compliance across the extended enterprise
Compliance improvement: Get better as you go forward
Gauging your SOX progress
SOX compliance basics: Taking Action
Step 1: Understanding compliance -- Financial and technical standards
Step 2: Scope of compliance
Step 3: Establishing an IT Control Framework
Step 4: Detailed objectives and policies
Step 5: Measuring compliance
Step 6: Managing and tracking compliance
Step 7: The changing nature of compliance
Dig Deeper on COBIT