• Hi,
    I am a newcomer to the world of SOX. I read through material and some books but still had these basic doubts -

    1. COSO and COBIT are two frameworks. COSO is for accounting professionals while COBIT is for IT professionals. Both ensure SOX compliance. Am I right on this one?
    2. If yes, then are COSO and COBIT related to each other? For example, if there is a finance control, will it have a related COBIT control?
      My understanding is that the relationship is unidirectional. COSO —> COBIT.
      Am I correct on this one?
    3. What is section 404 about? If I need to implement section 404, what would I have to do?

  • Hi QB and welcome to the forums 🙂
    Yes, COBIT is an ‘IT control framework built in part upon the COSO framework’. COBIT is related to best auditing practices from an IT perspective. SOX 404 is more oriented towards security best practices and assurances that all IT controls are sound (as modern day accounting systems have a high reliance on IT systems themsevles).
    Some of these links might help, as I also wanted to better understand these relationships:
    COSO Information
    COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.
    COBIT Information
    COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. ITGI’s latest version COBIT® 4.0emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.
    SOX 404 Information
    Section 404: Certification of Internal Controls
    Section 404 is the largest driver of Sarbanes-Oxley compliance projects and the most significant section for IS organizations. It requires a statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the company, attested to by the company’s auditor. This statement includes an assessment of the controls and identification of the framework used for the assessment. Section 302 requires that financial statements be complete and accurate; section 404 requires that the process that is used to generate statements be accurate and meet an accepted industry standard (the Committee of Sponsoring Organizations of the Treadway Commission standard is the de facto standard).
    Because the processes and internal controls are implemented principally in IT systems, section 404 audits involve a detailed assessment of these systems. Process changes to meet compliance must be documented and implemented by the IS organization. Although a completely paper-based organization could be compliant, most organizations make such extensive use of technology for financial reporting that the CIO plays a major role in auditing and compliance projects. Section 404 also requires reporting of material process changes every quarter. Thus, a new enterprise resource planning (ERP) system or any material change to a system could require a new 404 audit, attestation and report.

  • Hi,
    Thanks for the reply.
    I went through the websites and found all the information very helpful.
    If I implement all the COBIT objectives, can I safely conclude that my organization is SOX compliant?

  • COSO could best be described as a corporate governance framework; while COBIT is an IT governance framework. The ISACA link posted by harrywaldron has excellent information on the mapping or correspondence between the two, including an excellent new document still in draft titled ‘IT Control Objectives for Sarbanes-Oxley’. Though since this is still in draft, you probably have to join as a member to access it. ISACA membership is highly recommended as a great resource.
    In answer to your last question, if you fully implemented COBIT perfectly, you may still not be SOX compliant. There are many aspects of SOX that have to do with accounting methods and organizational management that are outside the scope of information security. Though, since information security is such a large concern within the SOX compliance endeavor, it would serve most IT departments and auditors well to be familiar with how it fits in to their organization’s compliance roadmap.

  • I agree with the excellent points made by iaraudit … SOX compliancy is based more on meeting the internal framework of the act itself, than specific accounting or IT standards. Both COSO and COBIT are recommended methods to help with best practices in meeting SOX related financial controls, but there’s more to be done.
    The SOX 404 standards must also be implemented for improved IT and security controls. It’s probably the most difficult area to interpret and implement. If you were to ask 50 different people for solutions, you could get 50 different interpretations, as some aspects of this are subjective :roll:
    I’ve found the ‘101’ site helpful for me in the past and will share the partial URLs for that below 🙂 For all four major sections you need both human and IT controls where possible to ensure that these areas of compliance will be met.
    Summary of the key sections needed for SOX compliancy
    SOX Section 302 - Corporate Responsibility for Financial Reports
    a) CEO and CFO must review all financial reports.
    b) Financial report does not contain any misrepresentations.
    c) Information in the financial report is ‘fairly presented’.
    d) CEO and CFO are responsible for the internal accounting controls.
    e) CEO and CFO must report any deficiencies in internal accounting controls, or any fraud involving the management of the audit committee.
    f) CEO and CFO must indicate any material changes in internal accounting controls.
    SOX Section 404: Management Assessment of Internal Controls
    All annual financial reports must include an Internal Control Report stating that management is responsible for an ‘adequate’ internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management’s assertion that internal accounting controls are in place, operational and effective.
    SOX Section 409 - Real Time Issuer Disclosures
    Companies are required to disclose on a almost real-time basis information concerning material changes in its financial condition or operations.
    SOX Section 902 - Attempts and Conspiracies to Commit Fraud Offenses
    It is a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object’s integrity or availability for use in an official proceeding.

    Finally, some of these ideas might help in a successful approach:

    1. Research and understand what’s required (e.g., get training and education as that can help setup the proper framework)
    2. Set up a project plan to implement SOX standards from both an IT and business perspective
    3. Work hand-in-hand with either internal and/or external auditors along the way
    4. Senior management support of the process is a critical factor for success (e.g., staffing, budgetary, emphasis, etc)

  • Thanks iaraudit and harrywaldron. Your advice has been a great help.

Log in to reply