ZenGRC

Simply Powerful GRC

Libby Bevin

SOX Compliance and Private Companies

· ·

The Sarbanes-Oxley Act is a U.S. federal law; all public companies doing in business in the United States must comply with the regulation. SOX compliance activities include identification and testing of internal controls over the financial reporting process and submitting specific financial certifications within quarterly and annual reports to the SEC.

The majority of the Sarbanes-Oxley Act requirements only apply to public companies doing business within the United States. However, some portions of the SOX regulation apply directly to private companies, including the penalties for destroying, falsifying or altering records and documents, and the penalties for retaliation against whistleblowers.

Privately held companies considering or preparing for their initial public offering (IPO), or looking for ways to increase their competitive advantage may benefit from implementing a SOX compliance program. A strong internal control environment can improve efficiency during due diligence processes should an acquisition by a public company be on the horizon. Additionally, the company would be better prepared for initial public offering activities if internal control frameworks and risk assessment activities have already been implemented by the company.  

Regardless of acquisition or IPO activities, some private companies have decided to implement compliance programs which cover applicable SOX requirements in order to enhance corporate governance, establish or improve internal controls and strengthen their financial reporting processes.

COBIT vs ITIL

· ·

COBIT versus ITIL

Many organizations are looking at the COBIT and ITIL as different IT Framework services and trying to decide which one is best for them. This FAQ briefly discusses the differences between the two and how they can be used either separately or together.

COBIT

COBIT is an IT Governance Framework that is typically used from the top down, or from business goals down to the IT environment. It is more concerned about making sure things are working for the company from a management and shareholder’s perspective. In fact, its first priority is Meeting Shareholder Needs, followed by Covering the Enterprise End-to-End, Applying a Single Integrated Framework, Enabling a Holistic Approach, and Separating Governance from Management.  It works to build, improve, and monitor its implementation and tries to work towards reducing costs and establishing privacy standards.  The end results are going to be that an IT department is working properly and there is accountability back up to the management and governance groups.   

ITIL

ITIL is an IT Framework that builds itself from the bottom up and is concerned about the lifecycle of its IT services.  Its first concerns are with making sure the IT services are in place to run the company, but its priorities are not necessarily making the shareholder’s happy. It’s more about efficiency and effectiveness on the ground level. All its priorities are service based.  Service Strategy, Service Design, Service Transition, Service Operation, Continuous Service Transition. As you can tell from the priorities, it wants to make sure that everything is running, which in the end should make the shareholders happy, but that is not one of its goals.   

COBIT Versus ITIL

You could say that COBIT is more concerned with the WHAT of an organization and how it runs, where ITIL is more concerned with the HOW. Since COBIT is focused on things from a business goal perspective, it makes the rules and helps to govern what kinds of processes should be in place to achieve those goals. And since ITIL is mostly concerned about making IT work, it receives directives from management but then uses its own tools to implement the processes and services.

COBIT AND ITIL?

There are many organizations that use both frameworks in their businesses, however these are typically larger environments or more mature ones. The two work very well together and in some cases, there is overlap.  Change Management is one of those places where both frameworks have solutions, but they can still work together. Allowing COBIT to do the top down approach and ITIL to do the bottom up approach, the two end-up complementing each other.  

If you are a newer or perhaps a smaller company looking for an IT Management Framework, it might be a simpler solution to start with ITIL and then as your company grows, move up to COBIT, using ITIL to handle the IT services and COBIT to handle the IT Governance from the top down.