One of the cornerstones of compliance is COBIT– the Control Objectives for Information and Related Technology – issued by the IT Governance Association. COBIT systematically analyzes IT and defines general control objectives, performance indicators and maturity models for IT. COBIT organizes the control objectives into four major areas: planning and organization; acquisition and implementation; delivery and support; and monitoring. And there are thousands of controls in COBIT.
It's important to understand which ones are key controls for your business process. In case of SOX, says Michelle Johnston Sollicito, "key controls are controls that are key to ensuring that the values on the balance sheet are accurate and reliable." In the run-up to the deadline for SOX last year, many companies may have gone overboard with controls. Last week at the Sarbanes Oxley Conference and Expo, Michael Hultberg, executive director at Time Warner Inc., said "many of the key controls we'd identified actually weren't that key," according to Computerworld.
Time Warner spent 350,000 man-hours developing and testing controls for SOX Section 404 compliance last year. Another cable company, Viacom, conducted 19,600 tests on 1,560 business controls and 540 IT controls. Ron Edmonds, global accounting director for Dow Chemical, which conducted 30,000 internal control tests last year to meet its Section 404 requirements, including self-assessments, reviews, and internal audits, said, "We have to figure out how to make [Section 404 controls verification] more efficient. We don't want to see any deficiencies, but with a company our size, we're going to have them."
Here at CA, we also found that many of the COBIT controls were not necessary for our compliance efforts. Rather than being attached to implementing controls, you need to understand your business process, figure out what is key to the process, and put controls around it. I like to think of it like pH paper. Figure out what needs to be acid, what needs to be base, and then test the pH levels.