Factors like an organization's size can significantly affect the need for COBIT-recommended interdisciplinary committees (in a small company, one person may be responsible for the entire technical environment and may naturally communicate with business "representatives"), separation of duties (there may be insufficient staff to allocate individuals to traditional roles) and multiparty approval chains.
Other requirements are likely to be subject to interpretation as well. The level of reliability (or maturity) of certain practices, and the level of documentation required, may be less than the levels described in COBIT. COBIT publications describe the reliability of a control in stages, listed here in increasing order of reliability:
- Initial/ad hoc
- Repeatable but intuitive
- Defined process
- Managed and measurable
One of the most daunting aspects of SOX compliance is its requirement for documentation proving that policies and practices are in compliance. Many organizations are competent at running their businesses and IT operations, but do not document their policies, procedures, changes and authorization workflows to the degree SOX compliance requires. Organizations have to improve in this area if they are to maintain compliance.
Step 1: Understanding compliance -- Financial and technical standards
Step 2: Scope of compliance
Step 3: Establishing an IT Control Framework
Step 4: Detailed objectives and policies
Step 5: Measuring compliance
Step 6: Managing and tracking compliance
Step 7: The changing nature of compliance