• There is a lot of confusion about Control Frameworks.
    *COSO is the framework on controls for financial processes, accuracy of the data, and confidence in accounting procedures.
    The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management’s annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors. (Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports)
    The word COSO can be found 35 times in this report. But you can also read: ‘We believe that each company should be afforded the flexibility to design its system of internal control over financial reporting to fit its particular circumstances.’
    *COBIT is the framework that focuses on IT. It is an IT control framework built in part upon the COSO framework. For the SOX 404 attestation we must be sure that the IT systems that house, move, and transform data are secure. The COBIT framework was designed to address these IT concerns.

    • ITIL, for IT services, is often used to complement the COBIT framework.
      The question now: Do you use all of them (COSO, COBIT, ITIL, other)? Which do you prefer and why? I believe that this discussion is really important for many of us.

  • COSO is basically the standard control framework because it is explicitly referenced by the SEC. It’s not compulsory but it is the easy option. COBIT complements COSO and the ITGI have prepared a paper that neatly ties into the COSO cube.
    COBIT is becoming a de facto solution for IT General Controls because it is reasonably user-friendly - and is fully mapped to COSO.

  • Good morning George and thank you for the information below.
    I’ve been functioning as a Remediation Project Manager on a SOX 404 for nearly two months and I’ve been working hard to ramp up my knowledge base in a methodical and holistic manner.
    Your email below is very empowering and I thank you for your time on this.

  • Hi there,
    I agree with Ross. Sometimes we need to recall the references and the basis of this project, as we have been in so much detail and as agreed deviations and disparities related to SOXA.
    I have on hand the Internal Control Integrated Framework Book, issued in 1994 by the Committee of Sponsoring Organizations of the Treadway Commission.
    Does anyone have some bibliography - COSO or COBIT - related, more recently revised and issued?
    Denis, you are referring to ‘ITGI’ on the bridge between COBIT and COSO. Where could I get an example? Web site of ITGI?
    Thanks a lot

  • There’s actually an online user group for COBIT over at Maybe someone over there might have something on this.
    This is certainly an area that demands further exploration and clarification.

  • I believe that a good source for COSO or COBIT related articles is

  • Hi - new to this forum but not to IT or ITIL.
    I am between jobs and want to know what might be useful to pick up training-wise that is COBIT/SOX related. I am in the Service Delivery Management and Project Management side of IT.
    Is this something practically done without the sponsorship of a company? Assuming this kind of training and/or certification can be expensive. There are all kinds of companies touting courses but I want to be sure if I choose any that they are realistic and will have ROI for me.
    Not being a CPA, etc. what kinds of roles will be coming up that people like myself should get prepared for?
    Thanks very much in advance,

  • The problem with COBIT is that it becomes quite prescriptive in how you implement your internal controls for IT. The theory is that if you implement all the COBIT processes and meet all the control objectives, then you run a perfect IT Shop. This is causing a lot of grief for many companies as they struggle to meet the ‘perfect world’ scenario. e.g. How many companies out there have an automated comprehensive configuration management system?
    I come from a security/risk background and would much prefer to use, from an IT sense, something like AS 7799 which actually defines requirements without prescribing how they should be met. This makes a lot more sense as it allows each individual company to implement controls that are most suitable to their business.
    Is anyone here using a framework other than COBIT for IT?

  • It is true that COBIT is broad, not only for Sarbanes-Oxley.
    COBIT provides specific control objectives for IT and is a recognized control framework over information, IT and related risks.
    We have already discussed in this list about BS 7799. In Australia and New Zealand, BS 7799.2:2002 is known as AS/NZS 7799.2:2003. The two standards are very similar.

  • We too are naturally more inclined to adopt ISO 17799 / BS7799. Having said that though, I’ve just bought the ‘COBIT Toolkit’ to learn about COBIT (there’s a link from the SOX directory: ).
    I’ll probably do a brainstorm and some sort of cross reference to choose between them.
    Why is this so hard?

  • Check out the following link:
    If you’re an ISACA member you should be able to get some of the publications listed there for free. I notice there is a COBIT mapping of ISO 17799.
    Also available is the IT Control Objectives for Sarbanes-Oxley, which has become (around here at least) the ‘handbook’ for SOX GCC’s. Often this is referred to as ‘COBIT Lite’.

  • Should you discuss it with your external auditors? What do you believe about that? :roll:
