    SOX-online: The Vendor-Neutral Sarbanes-Oxley Site


Control Frameworks
COSO and COBIT are - among other things - control frameworks. COSO focuses on controls for financial processes, and COBIT focuses on IT.

COSO
The official name for COSO is the Committee of Sponsoring Organizations of the Treadway Commission. James C. Treadway Jr., the commission's namesake, was a member of the Securities and Exchange Commission and the initial chairman of COSO.

COBIT
COBIT (Control Objectives for Information and Related Technologies) is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). It's an IT control framework built in part upon the COSO framework.

The latest version of COBIT is COBIT 4.0. Here's what ISACA says about it:

Successful organizations understand the benefits of information technology (IT) and use this knowledge to drive their shareholders' value. They recognize the critical dependence of many business processes on IT, the need to comply with increasing regulatory compliance demands and the benefits of managing risk effectively. To aid organizations in successfully meeting today's business challenges, the IT Governance Institute (ITGI) has published version 4.0 of Control Objectives for Information and related Technology (COBIT).

COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. ITGI's latest version - COBIT 4.0 - emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework. It does not invalidate work done based on earlier versions of COBIT but instead can be used to enhance work already done based upon those earlier versions. When major activities are planned for IT governance initiatives, or when an overhaul of the enterprise control framework is anticipated, it is recommended to start fresh with COBIT 4.0. COBIT 4.0 presents activities in a more streamlined and practical manner so continuous improvement in IT governance is easier than ever to achieve.

COBIT documents, available for free download, can be used as a framework for IT decision-making, controls, and maintenance.

The IT Governance Institute® has offered a very useful document:
IT Control Objectives for Sarbanes-Oxley. Updated since the PCAOB's March 9th standards were released, this document focuses on controls directly related to internal control over financial reporting. Read an excerpt.

ITIL stands for the IT Infrastructure Library, published by the Office of Government Commerce in Great Britain. It focuses on IT services, and is often used to complement the COBIT framework. Check out the ITIL Self-Assessment Questionnaire.