COSO: The Committee of Sponsoring Organizations
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defined internal control broadly, as a process or set of processes designed to address the efficiency and effectiveness of operations, the reliability of financial reporting, and compliance with laws and regulations.
Key Concepts
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
The overall goal of COSO is to keep the company profitable, achieving its mission and minimizing surprises. To achieve this goal, control objectives fall into three categories:
- Operational: Promote efficiency of operations and reduce the risk of asset loss
- Financial: Help ensure the reliability of financial statements
- Compliance: Help ensure compliance with applicable laws and regulations
COSO internal control consists of five interrelated components. These are derived from the way management runs a business and are integrated with the management process.
1. Control Environment:
- Foundation for all other components of control
- Integrity, ethical values, competence, authority, responsibility
2. Risk Assessment:
- Identifying and analyzing relevant risks.
3. Control Activities:
- Policies that ensure management directives are carried out
- Approvals and authorizations, verifications, evaluations, safeguarding of assets, security, and segregation of duties
4. Information and Communication Systems:
- Relevant information identified, captured and communicated in a timely manner
- Access to internally and externally generated information
- Information flow allows for management action
5. Monitoring:
- Assess control system performance over time
- Ongoing and separate evaluations
- Management and supervisory activities
These five components provide the framework for effective internal control over financial reporting and, in similar fashion, provide a more general framework for disclosure controls and procedures. They provide the context for evaluating internal control over financial reporting.
For each of the five components, COSO provides several attributes. For each attribute COSO provides points of focus; for each point of focus, more granular criteria may be developed to support the assessment.
COBIT: Control Objectives for Information and related Technology
The internal control framework (COSO) recommended by the SEC for Sarbanes-Oxley compliance addresses the topic of IT controls, but does not dictate requirements for control objectives and activities. As such, industry sentiment is that COSO does not address the specific concerns of IT with sufficient fidelity.
To address the IT gaps, the IT Governance Institute (ITGI) developed the Control Objectives for Information and related Technology (COBIT). COBIT plugs into the over-arching COSO framework and is recognized as an industry standard for addressing SOX IT concerns. About 15% of COBIT is related to software engineering. It includes over three hundred specific ‘control objectives’ and provides a framework and audit guides for over 30 information technology processes. Overall, COBIT is organized into six components: Executive Summary, Management Guidelines, Framework, Control Objectives, Implementation Toolset and Audit Guidelines.
- Complete IT control framework available
- Gaining acceptance as standard approach
- Supported by leading bodies ISACA / ITGI
- Backed by excellent academic research



Thanks for the short article on COSO. I think it’s time to write up something on Cobit 4.1 or OCEG GRC Redbook 2.0; just a suggestion, though.
Thanks for a short note on COSO and COBIT. I think even OCEG is working on the same tracks as ISACA. I do not find any difference between ISO 31000 and the GRC red book framework. All are the same with different flavors. You should also cover some part of the story for Cobit 4.1. Thanks, good blog. Chong Babonis