William Montgomery Gardner III (WG) is the owner of Gardner Novelties, Inc., a large family business that designs and manufactures specialty items for sale at roadside restaurants around the country. The company has over 2,500 employees in 13 locations around the world. They have recently begun to outsource a lot of their manufacturing to China, Mexico and India. In spite of a bad economy, WG has been able to consistently grow the company’s revenues at a rate of over 10% per year over the last ten years. As a result, WG has decided to take the company public. The Initial Public Offering (IPO) is scheduled to take place next month.
WG calls you, Joseph K. Barnes (JB), into his office. You have been in charge of all Information Technology services for the company for the past 17 years. You have a staff of 12 direct reports in your department, 6 of whom are located with you in the company headquarters office. Since the items being manufactured are not technical in nature, there has never been much emphasis placed on protecting proprietary data in the corporate network. Most of your time is spent dealing with service calls and Internet disruptions, maintaining the firewall, and installing software patches.
WG tells you of the plans for the company. You try to act surprised, but the rumor has been floating around the company for months now so it is anything but a surprise. You are a little alarmed by the fact that the IPO is planned for next month, however.
WG explains that once the IPO takes place, they will need to have everything in place to be in compliance with Sarbanes-Oxley. WG asks if you are familiar with Section 404 of SOX.
You struggle to find the right words. You’ve heard of Section 404 from friends and colleagues who have had to deal with it for years now, but you never thought it was something you needed to know. You mention that you know Section 404 deals with management’s assessment of internal control over financial reporting, and that the IT systems supporting that reporting will need to have some controls put in place.
WG tells you he needs a plan from you in one week on how to get the IT systems into compliance with SOX. You will need to present your plan to the Executive Committee (ExCom), which will consist of, among others, WG, the COO, the VP of Human Resources, and the CFO of the company. WG warns you not to let him down: there is a lot riding on this IPO, and the investors and analysts want to know that the company will be in compliance with SOX.
JB walks out of the meeting and his head is spinning. He has one week to develop a plan to bring the company’s entire IT system into compliance with SOX. How is he supposed to do that? He decides that the first course of action will be to call a friend, Robert Rodes (RR), who works for a publicly-traded company. Maybe he can help point JB in the right direction.
1. Explain your plan for implementing COBIT for Gardner Novelties. Your plan should include a discussion of the following elements:
a. What will Gardner Novelties be required to do with IT to achieve and maintain compliance with SOX?
b. What is COBIT and how can it help keep Gardner Novelties in compliance with SOX?
c. What are the benefits of using COBIT as opposed to other control frameworks?
2. What questions would you expect to receive from the Executive Committee of Gardner Novelties? Identify two questions that you could be asked and address how you would answer them.