COBIT Case Study: Jefferson Wells Ensures Effective IT Control for Sarbanes-Oxley Review 


Abstract

A retail/wholesale company had a well-run information technology department, but as part of a Sarbanes-Oxley audit it realized it needed to assess and address its IT controls. The company contracted with Jefferson Wells for an IT controls assessment. Jefferson Wells used Control Objectives for Information and related Technology (COBIT), published by the IT Governance Institute (ITGI), to give IT management the guidance it needed to ensure the organization had effective high-priority controls in place.

Background

Jefferson Wells provides professional finance and audit services. The client in this case study is a wholesaler/retailer of college textbooks. The company has a corporate office/warehouse and approximately 250 retail locations in the US, most of which have their own web site. The company needed to develop information for a first-year Sarbanes-Oxley internal review. The corporate office and the retail locations must also comply with the Payment Card Industry (PCI) data security standard requirements.

Process

The retailer was preparing for its first-year Sarbanes-Oxley audit and wanted help evaluating IT controls. The organization had a very stable IT department, so it had never felt the need to write procedures or policies—everyone just knew what to do. The company's main information systems were proprietary and had no requirements or design documentation.

Jefferson Wells used COBIT to assess existing controls and make recommendations on new controls. The highest-priority recommendation was to develop a structure of policies and procedures.

For the IT controls, Jefferson Wells uses an assessment form that maps COSO to COBIT (other mappings are available). Assessment results are recorded directly in a database, as are the controls themselves, test results and remediation activities. Standard report formats are produced for each delivery phase.

Conclusion

Using COSO as the basis for the required controls, it was easy to demonstrate to the client's senior managers that they had some work to do before they would be compliant. COBIT helped break the information down into understandable requirements. The company was also able to scope out any controls that were not required for COSO compliance, and senior management provided valuable support for the IT governance activities undertaken using COBIT.

COBIT helped Jefferson Wells provide guidance the client could use to address its issues and improve its processes. Its comprehensive guidance helped the client's organization build the high-priority controls it needs.