The Sarbanes Oxley Act :: View topic - SOX, COSO and COBIT
Posted: Wed May 10, 2006 8:50 am Post subject: SOX, COSO and COBIT
I am a newcomer to the world of SOX. I read through material and some books but still had these basic doubts -
1. COSO and COBIT are two frameworks. COSO is for accounting professionals while COBIT is for IT professionals. Both ensure SOX compliance. Am I right on this one?
2. If yes, then are COSO and COBIT related to each other? For example, if there is a finance control, will it have a related COBIT control?
My understanding is that the relationship is unidirectional. COSO ---> COBIT.
Am I correct on this one?
3. What is section 404 about? If I need to implement section 404, what would I have to do?
Joined: Jan 12, 2006 Posts: 849 Location: Roanoke, Virginia
Posted: Thu May 11, 2006 10:52 am Post subject:
Hi QB and welcome to the forums
Yes, COBIT is an "IT control framework built in part upon the COSO framework". COBIT is related to best auditing practices from an IT perspective. SOX 404 is more oriented towards security best practices and assurances that all IT controls are sound (as modern day accounting systems have a high reliance on IT systems themselves).
Some of these links might help, as I also wanted to better understand these relationships:
COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.
COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. ITGI’s latest version— COBIT® 4.0—emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.
SOX 404 Information
Section 404: Certification of Internal Controls
Section 404 is the largest driver of Sarbanes-Oxley compliance projects and the most significant section for IS organizations. It requires a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company, attested to by the company's auditor. This statement includes an assessment of the controls and identification of the framework used for the assessment. Section 302 requires that financial statements be complete and accurate; section 404 requires that the process that is used to generate statements be accurate and meet an accepted industry standard (the Committee of Sponsoring Organizations of the Treadway Commission standard is the de facto standard).
Because the processes and internal controls are implemented principally in IT systems, section 404 audits involve a detailed assessment of these systems. Process changes to meet compliance must be documented and implemented by the IS organization. Although a completely paper-based organization could be compliant, most organizations make such extensive use of technology for financial reporting that the CIO plays a major role in auditing and compliance projects. Section 404 also requires reporting of material process changes every quarter. Thus, a new enterprise resource planning (ERP) system or any material change to a system could require a new 404 audit, attestation and report.
Posted: Mon May 15, 2006 12:35 pm Post subject: SOX, COSO and COBIT
COSO could best be described as a corporate governance framework; while COBIT is an IT governance framework. The ISACA link posted by harrywaldron has excellent information on the mapping or correspondence between the two, including an excellent new document still in draft titled "IT Control Objectives for Sarbanes-Oxley". Though since this is still in draft, you probably have to join as a member to access it. ISACA membership is highly recommended as a great resource.
In answer to your last question, if you fully implemented COBIT perfectly, you may still not be SOX compliant. There are many aspects of SOX that have to do with accounting methods and organizational management that are outside the scope of information security. Though, since information security is such a large concern within the SOX compliance endeavor, it would serve most IT departments and auditors well to be familiar with how it fits in to their organization's compliance roadmap.
Joined: Jan 12, 2006 Posts: 849 Location: Roanoke, Virginia
Posted: Mon May 15, 2006 2:08 pm Post subject:
I agree with the excellent points made by iaraudit ... SOX compliancy is based more on meeting the internal framework of the act itself, than specific accounting or IT standards. Both COSO and COBIT are recommended methods to help with best practices in meeting SOX related financial controls, but there's more to be done.
The SOX 404 standards must also be implemented for improved IT and security controls. It's probably the most difficult area to interpret and implement. If you were to ask 50 different people for solutions, you could get 50 different interpretations, as some aspects of this are subjective.
I've found the "101" site helpful for me in the past and will share the partial URLs for that below. For all four major sections you need both human and IT controls where possible to ensure that these areas of compliance will be met.
Summary of the key sections needed for SOX compliancy
SOX Section 302 - Corporate Responsibility for Financial Reports
a) CEO and CFO must review all financial reports.
b) Financial report does not contain any misrepresentations.
c) Information in the financial report is "fairly presented".
d) CEO and CFO are responsible for the internal accounting controls.
e) CEO and CFO must report any deficiencies in internal accounting controls, or any fraud involving the management of the audit committee.
f) CEO and CFO must indicate any material changes in internal accounting controls.
SOX Section 404: Management Assessment of Internal Controls
All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management’s assertion that internal accounting controls are in place, operational and effective.
SOX Section 409 - Real Time Issuer Disclosures
Companies are required to disclose on an almost real-time basis information concerning material changes in their financial condition or operations.
SOX Section 902 - Attempts & Conspiracies to Commit Fraud Offenses
It is a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object's integrity or availability for use in an official proceeding.
Finally, some of these ideas might help in a successful approach:
1. Research and understand what's required (e.g., get training & education, as that can help set up the proper framework)
2. Set up a project plan to implement SOX standards from both an IT and business perspective
3. Work hand-in-hand with either internal and/or external auditors along the way
4. Senior management support of the process is a critical factor for success (e.g., staffing, budgetary, emphasis, etc)