Wednesday, December 30, 2009

Section 5.2. The Work Starts Here

Before delving into the various control objectives of the Planning and Organization domain, we reiterate that although COBIT is the de facto standard that the majority of audit firms have adopted, and the practices defined within COBIT are generally good practices to have, most large companies find the implementation and sustaining activities daunting, if not impossible. Therefore, as part of this chapter, we focus more on illustrating how, with the appropriate processes and documentation, a small to medium-sized company can effectively comply with relevant COBIT guidelines, while not overburdening their IT organization with COBIT controls to the point at which documentation and paperwork become their main focus.

In Chapter 3, "The Cost of Compliance," we discussed the opportunity for a CFO, CIO, and IT Director to capitalize on their Sarbanes-Oxley Act compliance effort to position their IT organization as a strategic advantage in their company. Well, it all starts here. If you were to ask the majority of CFOs, CIOs, and IT Directors how IT was perceived at their company, most of them would say, "Executive management views IT as a necessary evil, non-value overhead," or even worse, "They just fix computers, don't they?" However, if you were to ask them, "In an ideal world, how would you like your IT organization to be perceived?" the answer would be vastly different. The majority of CFOs, CIOs, and IT Directors would say that they believe their IT organization can be used as a strategic advantage to the company, one capable of improving employee productivity and contributing to the bottom line of the company. Now, we are not suggesting that the Sarbanes-Oxley Act is some sort of magic wand that will transform a company's opinion of its IT organization regardless of its competence or effectiveness. However, what we are suggesting is that if the aforementioned issues are not barriers, COBIT and SOX compliance could provide the bridge from a reactive, day-to-day IT organization to a strategic IT organization. Although policies are a part of every COBIT domain, the majority of the work resides in Domain I, because this is where you will need to examine the policies, processes, and practices your company currently has (documented or not), and determine which ones will be needed. Later in this chapter, we provide you with some examples of processes and policies to assist you in your process.