COSO, COBIT, ITIL
Ross last edited by
Good morning George and thank you for the information below.
I’ve been functioning as a Remediation Project Manager on a SOX 404 for nearly two months and I’ve been working hard to ramp up my knowledge base in a methodical and holistic manner.
Your email below is very empowering and I thank you for your time on this.
angie last edited by
I agree with Ross. Sometimes we need to recall the references and the basis of this project, as we have been in so much detail and, as agreed, deviations and disparities related to SOXA.
I have on hand the Internal Control Integrated Framework book, issued in 1994 by the Committee of Sponsoring Organizations of the Treadway Commission.
Does anyone have some bibliography - COSO or COBIT - more recently revised and issued?
Denis, you are referring to ‘ITGI’ on the bridge between COBIT and COSO. Where could I get an example? The web site of ITGI?
Thanks a lot
SOX-Migration last edited by
There’s actually an online user group for COBIT over at controlit.org. Maybe someone over there might have something on this.
This is certainly an area that demands further exploration and clarification.
I believe that a good source for COSO or COBIT related articles is soxonline.com/coso_cobit.html.
WAM last edited by
Hi - new to this forum but not to IT or ITIL.
I am between jobs and want to know what might be useful to pick up training-wise that is COBIT/SOX related. I am in the Service Delivery Management and Project Management side of IT.
Is this something practically done without the sponsorship of a company? I assume this kind of training and/or certification can be expensive. There are all kinds of companies touting courses, but I want to be sure that if I choose any, they are realistic and will have ROI for me.
Not being a CPA, etc. what kinds of roles will be coming up that people like myself should get prepared for?
Thanks very much in advance,
BANK-AU-TRM last edited by
The problem with COBIT is that it becomes quite prescriptive in how you implement your internal controls for IT. The theory is that if you implement all the COBIT processes and meet all the control objectives, then you run a perfect IT Shop. This is causing a lot of grief for many companies as they struggle to meet the ‘perfect world’ scenario. e.g. How many companies out there have an automated comprehensive configuration management system?
I come from a security/risk background and would much prefer to use, from an IT sense, something like AS 7799, which actually defines requirements without prescribing how they should be met. This makes a lot more sense, as it allows each individual company to implement the controls that are most suitable to its business.
Is anyone here using a framework other than COBIT for IT?
It is true that COBIT is broad, not only for Sarbanes-Oxley.
COBIT provides specific control objectives for IT and is a recognized control framework over information, IT and related risks.
We have already discussed in this list about BS 7799. In Australia and New Zealand, BS 7799.2:2002 is known as AS/NZS 7799.2:2003. The two standards are very similar.
SOX-Migration last edited by
We too are naturally more inclined to adopt ISO 17799 / BS7799. Having said that though, I’ve just bought the ‘COBIT Toolkit’ to learn about COBIT (there’s a link from the SOX directory: http://www.sarbanes-oxley-forum.com/modules.php?name=Web_Links-and-l_op=viewlink-and-cid=4 ).
I’ll probably do a brainstorm and some sort of cross reference to choose between them.
Why is this so hard?
Chris last edited by
Check out the following link:
If you’re an ISACA member you should be able to get some of the publications listed there for free. I notice there is a COBIT mapping of ISO 17799.
Also available is the IT Control Objectives for Sarbanes-Oxley, which has become (around here at least) the ‘handbook’ for SOX GCCs. Often this is referred to as ‘COBIT Lite’.
Should you discuss it with your external auditors? What do you believe about that?