Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools

Working the List for the COBIT Domain of Delivery and Support follows the same process as the previous chapters, using the fictitious companies as the example environments. However, although it is not the primary objective of this book, we committed to noting areas where SOX compliance can be used to address existing IT issues and/or to reposition IT within a new department. The COBIT Domain of Delivery and Support presents such an opportunity.
While reviewing the control objectives, it was noted that the majority selected were defined by COBIT for domains related to SLAs. If the control objectives are stated and defined as part of your financial processes and procedures, the auditor expects you to show evidence. (Because the other focus of this book is SOX compliance utilizing open source, more specific tools that can be used to assist in this domain are provided later in this chapter.)
The control objectives in this chapter are a combination of SOX and COBIT, and each is clearly identified. Again, your particular environment should drive your customization activities, and you should work with your auditor prior to finalizing your efforts. For a complete list of the COBIT Control Objectives of Delivery and Support, please see Appendix A.
COBIT requires a lot of documentation, and although your SOX effort does not require as much, there is still a fair amount. To compound this, the Sarbanes-Oxley Act requires that the audit firm rendering the test be independent of the compliance...