fies reporting regulatory requirements, including those of Sarbanes-Oxley.
3. It should act as an aid to drive management assurance.

The steps in implementing COF using COBIT included:

Risk owners—The owners responsible for the risk

Prior to this implementation, there were more than 500 entities for which risks and controls were tracked. The number was optimised to around 100 entities. This was possible due to the implementation of the key entity management model.

Tracking all risks related to a ‘service’
Reference to Sarbanes-Oxley control requirements
Lack of a single control repository, resulting in control duplication

Identify principal risks—The principal risks of level I were defined and frozen based on earlier information. Those identified included risks related to technology, operations, people, legal and regulatory, financial reporting, financial crime, brand, and change.

Control owners—The owners responsible for maintaining control effectiveness

Earlier, there were more than 1,000 controls defined. The number was reduced as each control was mapped to the COBIT framework. At the global level, the number of controls was reduced to almost 350. However, within a particular entity, region, country, etc., further drilling down of a control was allowed for tracking locally. For example, globally, in the RCA, a single control was identified for local

compliances: Modifying the role description and performance evaluation process to include specific tasks for risks and controls

Benefit of Step 4
Due to this top-down approach, the importance of risk management was well accepted and it was effective at all levels of the organisation.

Step 5—Using a Reporting Tool
A simple spreadsheet was used for maintaining a risk and control repository for each entity. Within the entity, the risk team member used an Excel spreadsheet for tracking risks, actions, etc. However, there was a requirement to have a single, common database repository for maintaining organisation-wide risks and controls. Hence, a tool was developed to gather information for all entities. This helped in:

Control objectives with reference to the COBIT controls process
Immature processes for assessing and testing compliance

Identify level II risks—The principal risk was further broken down into level II risks. As an example, the ‘technology principal risk’ was further drilled down to:
Inadequate design/testing of IT systems
Unavailability of IT systems
Lack of IT security

Action owners—The owners of actions defined due to ineffective controls

Benefit of Step 3
Through training programs, the terms ‘entity/RCA owners’, ‘risk owners’, ‘control owners’ and ‘action owners’ were explained using a Responsible, Accountable, Consulted and Informed (RACI) chart (see figure 3 for an example). The responsibilities were also mapped in the job descriptions and in the performance evaluation criteria of the staff. The example in figure 3 clarifies that, although the head of facilities was held accountable for providing physical security on an ongoing basis, the chief operations officer (COO) was accountable for ensuring reporting of incidents and follow-up thereof. For any actions o