The Sarbanes-Oxley Act (SOX) requires publicly traded companies to declare and adopt a framework that the business will use to “define and assess internal controls.”
In response, most publicly traded companies have adopted one of two frameworks that meet the SOX requirements: the Committee of Sponsoring Organizations (COSO) internal control framework and the IT Governance Institute’s Control Objectives for Information and Related Technology (COBIT).
To be clear, SOX itself doesn’t identify any specific framework that companies must use, nor do any regulatory agencies like the U.S. Securities & Exchange Commission expressly endorse one. However, companies must select and implement some framework to comply with SOX, so businesses subject to the law should understand the COBIT framework and the COSO framework objectives, and how they can use the two together to achieve more effective IT governance.
What Is COBIT?
The COBIT framework was first published in 1996 by the Information Systems Audit and Control Association (ISACA), which creates globally recognized IT certifications and guidance for enterprises that use information systems.
COBIT brings together global IT standards, such as the Information Technology Infrastructure Library (ITIL), the Capability Maturity Model Integration (CMMI), and standards from the International Organization for Standardization (ISO), to set standards that assure the sound deployment of IT resources.
Using the COBIT framework, organizations can improve the value of their IT processes and manage risk simultaneously.
The framework includes methods to determine whether IT practices meet business objectives and provides facilities for documenting and developing the tools, processes, and organizational structures required for effective IT management.
Providing maturity models and various metrics to measure the framework’s achievement, COBIT consists of a variety of components, including:
- Framework: the IT team organizes governance objectives to implement best practices in processes and domains by linking business requirements with IT.
- Process descriptions: using COBIT as a reference, these descriptions should include the stages of planning and building the framework, which is then operated and monitored by the IT team.
- Control objectives: a total list of requirements upper management considers to create an effective IT business control.
- Maturity models: used to assess the maturity of each process and its capability to address any gaps in the processes.
- Management guidelines: used to assign responsibilities while measuring the performance of the processes. These guidelines help team members agree upon common objectives and improve the relationships with other processes in the organization.
COBIT also provides a tool kit for compliance with SOX and other regulatory frameworks, including:
- Executive summary: an overview of COBIT’s founding principles.
- Compliance framework: detailed descriptions of high-level IT control objectives and the business requirements for information and IT input.
- Objectives for control: statements of the purpose of each control objective and the desired results.
- Audit guidelines: step-by-step guides for performing and passing audits against each control objective.
- Primers for management: a summary of the methods employed by organizations that have successfully applied the COBIT framework in their environments, and some related tools.
- Reference materials: including the IT Control Practice Statement, a detailed layout of the reasons for IT and operational risk assessment controls and best practices for dealing with them.
In addition to assuring regulatory compliance, COBIT helps IT better understand the needs of a business and defines which practices are needed for IT operations to be more efficient and effective.
Is COBIT a risk management framework?
Yes, the COBIT framework developed by the ISACA can be viewed as an IT-related risk management framework that aligns with business goals and processes. It provides tools and guidance to help organizations conduct risk assessments, define risk tolerance levels, implement risk response activities and controls, and monitor the effectiveness of risk management practices related to information systems and technology. While not solely focused on risk, COBIT incorporates comprehensive risk management concepts and activities as part of its IT governance and control approach based on the COSO framework.
Is COBIT an audit framework?
COBIT, created by the ISACA, is not strictly an internal or external audit framework but provides strong support for IT audit activities relating to security, risk, and control. The COBIT framework’s control objectives and guidelines serve as criteria for auditors to evaluate the effectiveness of IT governance, controls, and processes in enabling business goals. Specific ways COBIT supports auditing include:
- Providing a standard for auditability by defining comprehensive, enterprise-wide IT control objectives.
- Establishing maturity models to benchmark and measure process capabilities.
- Offering mapping guidance to relate COBIT processes to other frameworks, like COSO, used in audits.
- Supplying management guidelines for auditors on governance, responsibility, and performance.
What Is the COBIT Framework Used for?
The COBIT framework serves multiple IT governance, management, and compliance purposes, including:
- Providing comprehensive IT control objectives and activities to govern and manage information and technology assets
- Setting standards for organizations to follow to ensure sound IT resource deployment
- Helping align IT with enterprise-wide business requirements, risk management policies, and delivery of value
- Offering guidance to manage risk, ensure regulatory compliance, and meet overall business goals
- Integrating multiple other IT best practice frameworks like COSO, ISO standards, ITIL, and CMMI
COBIT 2019 vs. COBIT 5
The current COBIT framework is known as COBIT 2019. It supersedes the previous version, COBIT 5, which debuted in 2012.
COBIT 5 was created in response to the increasing number of organizations migrating to the cloud. This version gave companies a standard set of guidelines to combat the steady rise in risk from cloud-based technologies.
COBIT 5 incorporates five strategic principles, which emphasize the elements of IT governance that match enterprise needs:
- Meeting stakeholder needs: introduces cascading goals to ensure that those receiving benefits and those bearing risks are considered in decision-making.
- Covering the enterprise end-to-end: emphasizes that an enterprise risk management (ERM) approach to IT must incorporate all information, technologies, and processes.
- Applying a single integrated framework: maps multiple standards to a single governance and management framework for the enterprise.
- Enabling a holistic approach: integrates processes, organizational structures, culture, policies, information, infrastructure, and people to manage the interconnectedness of governance across the enterprise.
- Separating governance and management: needs evaluation to distinguish between prioritized direction and tracking activities.
COBIT 2019 is considered an update to COBIT 5, using the same foundation alongside new and more relevant developments. It gives organizations a more flexible framework, which can be tailored to solve specific problems or adopted as a whole.
ISACA lists the following as the most essential COBIT 2019 updates:
- Improved focus areas and design factors enable organizations to establish risk management practices quickly and place other governance protocols based on individual requirements.
- More aligned with global risk management standards, security standards, other universal frameworks, and most protocols.
- Regular updates to ensure compatibility with new and upcoming technologies.
- More prescriptive guidelines, which support more integrations with governance and risk management.
- Open-source model that incorporates feedback into future updates to the framework, which are evaluated by the steering committee for consistency and quality.
- Stronger focus on newer technologies and methodologies and updated operational practices, including cloud-based systems and outsourcing.
Since its creation, COBIT has helped organizations improve their performance by managing their data, information, and technology. Overall, COBIT guides companies in developing a successful governance strategy while allowing businesses to tailor it to their operations.
What Is COSO?
Used for financial and internal reporting, the COSO framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides an applied risk management approach to internal controls. Updated in 2013, COSO integrates risk considerations into designing and implementing internal controls and strategic objectives.
While COSO control objectives cover effectiveness, efficiency of operations, reliable financial reporting, and compliance with laws and regulations, its primary role is fiduciary.
Like COBIT, COSO consists of five interrelated components to convey the framework’s principles:
- Control environment: describes the culture and ethics contributing to the framework’s ability to work effectively. This includes the overall organization but mainly refers to the behavior of top management, those responsible for implementing the controls in place.
- Risk assessment: after establishing the control environment, your organization needs to address any risks and understand how they relate to your objectives. A risk assessment will help you identify and implement controls against internal and external risks. Every organization’s risks differ depending on several factors, including its nature, industry, and objectives.
- Control activities: the processes and procedures that organizations implement against identified risks. Control activities are based on the type of risk they respond to. Commonly used control activities include authorizations, approvals, reviews, physical and digital security measures, verifications, reconciliations, and segregation of duties.
- Information and communication: the flow of information to the relevant authorities so that they may implement the appropriate control activities. Having the proper channels for information and communication with management and personnel is critical for implementing control activities.
- Monitoring: once control activities are in place and communicated to management, you will need procedures to monitor them. Regular review and monitoring will help your organization identify deficiencies in its control activities and find a solution.
COSO defines “internal control” as a process designed to ensure efficiency and effectiveness in achieving a company’s objectives and confirm the reliability of its financial reporting in line with relevant laws and regulatory compliance issues. Internal controls are an ongoing process affected by a commercial organization’s board of directors, management staff, and other team members.
COSO defines “control” as any proactive measure put in place by management to achieve an objective. Management’s objectives are intended to address risk, including the possibility of financial or operational loss.
In addition to financial objectives, controls may address issues such as integrity, confidentiality, security, and broader operational aims like efficiency, stability, reliability, and scaling.
Controls may take several forms, including:
- Automated: these are strong financial controls and are programmed with a comprehensive logic that should stand up to intense statistical testing.
- Partially automated: these controls are implemented by people interacting with IT systems. Under the COSO framework, these systems are called “electronic evidence.”
- Manual: these controls are entirely dependent on human operations, with no IT element involved.
Within the COSO framework’s control environment, management must first assess the risk associated with not being able to meet specified business objectives: a risk assessment. After a risk assessment, controls are implemented to address any identified risks adequately.
Relevant data is captured and transmitted across the enterprise on an ongoing basis to maintain a practical overview of the organization and its control environment. In response to changing business conditions or changes in the compliance regime, the whole process is continuously monitored and modified as necessary.
COBIT vs. COSO
COBIT and COSO may seem similar, but they perform different functions for organizations.
COSO articulates key concepts organizations can use to enhance internal controls and avoid fraud. COBIT helps organizations achieve objectives, both through and regarding information technology.
That said, COBIT and COSO can be used together to organize a company’s enterprise IT landscape.
COBIT and COSO also work together to create a controlled landscape and a risk and governance model that fosters compliance and information security.
While ISACA explicitly references COSO’s fiduciary role, it also extends COBIT’s role to cover quality and security requirements in seven overlapping categories: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information.
COSO was initially designed to help with SOX compliance obligations for financial reporting and, therefore, is somewhat limited in considering an organization’s IT environment. COBIT explicitly addresses an enterprise’s IT landscape.
The two frameworks complement each other as an organization develops an overarching risk, compliance, and governance program.
COBIT and COSO also sometimes cater to different audiences. While COSO appeals to management at large, COBIT is intended for management, users, and auditors.
Although COBIT specifically focuses on IT controls, both COBIT and COSO view control as an entity-wide process.
Why Use COSO and COBIT Frameworks?
There are several key benefits for organizations to use the integrated COSO and COBIT frameworks together to strengthen governance, risk management, and compliance:
- The COSO framework focuses on financial reporting controls. In contrast, the COBIT framework more broadly covers IT governance. Using both together provides comprehensive, enterprise-wide coverage of internal controls.
- COSO provides high-level principles and guidance for financial control objectives, while COBIT offers more granular and detailed control activities and IT process guidance. The two frameworks complement each other exceptionally well.
- Mapping relevant COBIT IT processes and control objectives to COSO principles enables better integration of critical technology controls into overall internal control frameworks.
- Leveraging COBIT allows validation that technology controls adequately support COSO compliance requirements around reporting, operational efficiency, and risk reduction.
- The integrated COSO/COBIT frameworks strengthen IT governance, risk management, and regulatory compliance practices organization-wide.
Do Organizations Need Both COBIT and COSO?
Whether an organization needs ISACA’s COBIT framework and the COSO internal control framework depends mainly on its regulatory environment, complexity, and business requirements around IT, compliance, and reporting.
COSO may fully meet the governance and financial control needs of smaller or less complex entities focused narrowly on financial compliance and external reporting.
However, for enterprises in highly regulated industries or those with very expansive technology environments, adopting COBIT as a complement to the COSO framework can provide immense benefits. Adding COBIT delivers more granular IT governance and control guidance tailored to managing technology risk and enabling performance. It also facilitates tighter control integration between IT and finance functions.
COSO and COBIT offer comprehensive and robust coverage supporting enterprise-wide governance, regulatory compliance, risk optimization, internal control, and audit preparedness. An integrated COSO/COBIT approach is highly advisable for most complex, global organizations.
Mapping COBIT to COSO
Mapping COBIT to COSO involves examining each framework’s objectives and determining how they best apply to one another.
High-level mapping gives auditors a point of reference when reviewing technology’s role during an internal controls assessment, usually for financial reporting.
For example, service organizations governing their compliance under COSO can map its principles to COBIT processes to identify the key practices whose goals serve both frameworks.
It’s essential that external auditors first select the relevant IT control objectives from COBIT when defining their SOX scope under the five internal control components. COSO should be the primary SOX reference for internal auditors, while COBIT should be a secondary resource.
Under COSO, organizations must assess risk to determine critical environments and assure mitigation.
External financial reporting must reflect the underlying transactions and events as part of this process. COBIT aligns with this requirement by providing specific ways to assess IT risks.
Ultimately, the specific definitions of controls within COBIT create strategic alignments to COSO that enable quality compliance and monitoring.
As an example, the IT Governance Institute’s IT Control Objectives for Sarbanes-Oxley depicts an alternative view of the COBIT-to-COSO mapping and presents the relationship between COSO, COBIT, and SOX sections 302 and 404 in the following table:
| COSO Internal Control Component | COBIT Domains (with sample control objectives relevant to SOX) |
|---|---|
| 1. Control Environment | Planning and Organization (PO): PO 4.2 — Organizational placement of the IT function; PO 6.1 — Positive information control environment; PO 6.2 — Management’s responsibility for policies |
| 2. Risk Assessment | Planning and Organization (PO): PO 9.0 — Assess risks |
| 3. Control Activities | Acquisition and Implementation (AI): AI 1.4 — Third-party service requirements; AI 6.0-6.8 — Manage changes. Delivery and Support (DS): DS 5.0-5.21 — Ensure system security; DS 11.0-11.30 — Manage data* |
| 4. Information and Communication | Planning and Organization (PO): PO 6.0-6.11 — Communicate management aims and direction |
| 5. Monitoring | Monitoring (M): M 2.0-2.4 — Assess internal control |

*Application control evaluations and the American Institute of Certified Public Accountants (AICPA) SysTrust reports can supplement COBIT’s data management control objectives.
Beware that mapping COBIT to COSO’s internal control framework captures only a large share of the associated processes, not all of them. COBIT does not map 100 percent to COSO.
This shouldn’t deter auditors from using existing frameworks alongside each other. Organizations should treat these frameworks as reference material and a basis for formulating their own integrated and customized control framework for SOX.
The AICPA also provides an Excel spreadsheet to help visualize the mapping; it contains 414 rows, each of which covers multiple COBIT alignments.
However, managing these controls and their mapping to COSO can quickly become overwhelming. Add the mapping of other compliance frameworks to COBIT, and it becomes a nearly impossible task.
How ZenGRC can help
Fortunately, there is a Governance, Risk, and Compliance (GRC) software solution that can help.
ZenGRC from RiskOptics provides seed content, allowing organizations to onboard in as little as six weeks and align their controls to COBIT.
Once controls are aligned, you can map them to COSO (or any other compliance framework) using ZenGRC’s gap analysis tool, which harmonizes controls across multiple standards to ease the compliance burden across frameworks.
ZenGRC’s compliance dashboard also provides color-coded audit readiness markers, offering instant visual insight into organizational gaps.
While COBIT requires organizations to engage enterprise-wide stakeholders with ongoing communication, ZenGRC eases the administrative burden by eliminating emails, allowing varied stakeholders to communicate more efficiently.
Schedule a demo today to see how ZenGRC can help your organization map COBIT to COSO for compliance and more effective IT governance.