No doubt a dumb question that everyone knows the answer to.. 483

  • Hi all:
    I am just getting to grips with the SOX malarky and I have a very basic question. S404 requires internal control evaluation and reporting. I have heard that COSO, CoBIT, ITIL etc are suitable methodologies that meet the requirements of S404.
    However, my question is simply this: Who decides what is an acceptable methodology (the SEC ?) and where is this list of acceptable methodologies published please ?
    Many thanks to anyone that can help and I’m sorry if I’m dragging you back to a novice’s question,

  • COBIT and ITL are not acceptable frameworks for S404 as they only cover the IT component.
    COBIT’s use has been accepted (for IT objectives) as a result of work done by the IT Governance Institute to map COBIT objectives to COSO.
    The only frameworks that I am aware of being acceptable are COSO (which is referenced in the SEC Guidance) and the UK’s Turnball Guidance which forms part of the UK Combined Code on Corporate Governence - there has been an explicit statement by the SEC on this.

  • Thank you.
    If I have understood you correctly:

    • COSO is the only approved methodlogy
    • any alternatives must be validated (i.e. mapped as you described it) against COSO
    • CoBIT satisfies S404 for IT elements only because of the mapping to COSO
    • ITIL cannot satisfy S404 for the IT elements as it has not been mapped to COSO (but could if that mapping where to be completed?). Similarly any other alternatives.
      It looks like I need to get the guidance to which you refer. I have found a White Paper Proposing Practical, Cost Effective Compliance Strategies by Tim J. Leech which I shall read today - is that what you mean ? I’ll also try to locate the Turnball Guidance.
      Thanks for your help,

  • …I’ll also try to locate the Turnball Guidance.
    To save you Google-frustration, it’s called Turnb u ll and one useful link may be the English accountants’institute’s page :

  • COSO-SOX mapping:
    Turnbull: The Turnbull Guidance as an Evaluation Framework for the Purposes of Section 404 (A) of the Sarbabes-Oxley Act

  • Thank you both. Looks like I have some heavy duty reading over then next few days …

  • Hi Bewilder
    would you be nice and let me know where I could find such White paper.
    I am about collecting info to write a paper/thesis for a master course, on top of being daily involved in SOXA withing the cy.
    Thanks a lot

  • Sure.
    Email me at 1193 at and I will send you everything I have already plus anything I discover through this site.

Log in to reply