<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
		>
<channel>
	<title>Comments on: Puzzle Pieces: The Relationship Between SOX, COSO, and COBIT</title>
	<atom:link href="http://blog.eiqnetworks.com/2008/11/20/puzzle-pieces-the-relationship-between-sox-coso-and-cobit/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.eiqnetworks.com/2008/11/20/puzzle-pieces-the-relationship-between-sox-coso-and-cobit/</link>
	<description>Perspectives on Security and Compliance Management from eIQnetworks</description>
	<lastBuildDate>Thu, 29 Oct 2009 15:57:47 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
	<item>
		<title>By: Andre Gironda</title>
		<link>http://blog.eiqnetworks.com/2008/11/20/puzzle-pieces-the-relationship-between-sox-coso-and-cobit/#comment-4</link>
		<dc:creator>Andre Gironda</dc:creator>
		<pubDate>Sat, 22 Nov 2008 11:47:13 +0000</pubDate>
		<guid isPermaLink="false">http://eiqviews.wordpress.com/?p=39#comment-4</guid>
		<description>&quot;As far as cultural aspects go, I do find that, outside the U.S., companies tend to prefer ISO27001/27002 for IT-level process auditing, but COSO is still the preferred framework for non-IT auditing&quot;

I prefer control/principle-rich frameworks such as ISO27k myself, but many organizations are at such a ground-level stage of maturity.  For these organizations, Visible Ops / Visible Ops Security (or even ITIL, as you mentioned) might be better frameworks than COBIT or ISO27k.  This may also explain why COSO simplifies the IT audit.  The best tool is the best tool, and for many organizations it&#039;s better to have something than to try and do everything.

&quot;There are also a large number of projects out there to align the myriad of best practices and standards for IT (e.g., ITIL, PCI, ISO27002, etc.) to COBIT’s broad set of IT processes and controls&quot;

You must be referring to ISACA&#039;s &quot;Guidance on Aligning COBIT, ITIL and ISO 17799&quot; document or possibly the V3WP document from the BITS Shared Assessments program, although I have seen others that are similar in approach.  Both are very useful documents for mapping controls.  I would question, &quot;what are the right controls for any given organization&quot;?  Visible Ops / Visible Ops Security makes this more clear, which is why I prefer them as starting points, especially for SOX pre-audits / internal IT audits.  Note that BITS Shared Assessments SIG is more and more often used to replace a SysTrust or SAS 70 Type II audit (the baby sister of a SOX audit) and it is very rich in IT and security controls.

I have always found the relationship between frameworks, regulations, standards, and best practices (such as specific assessment methodologies, risk analysis &amp; risk management frameworks, etc.) to be the most interesting part of compliance.  Since most public companies are also technology companies, it would stand to reason that SOX would inherit IT-specific frameworks strong in IT/security controls, as well as IT/security best practices.  In other words, I think that COBIT or ISO27k are where these technology companies need to be (instead of just ITIL or COSO), but I think they also need to look at NSA IAM/IEM/RTM, DIACAP, OSSTMM, FAIR, CSA, OCTAVE, etc.

ISO/IEC 38500 includes ISO27k along with ISO9k and ISO20k as the global IT governance framework.  It&#039;s an interesting document that speaks more strongly to an all-encompassing framework for IT that doesn&#039;t leave out security, quality, or service delivery - but rather makes each an issue to be dealt with separately and equally.  This is great because over the years I&#039;ve heard too many complaints about how e.g. ITIL (probably referring to v2) doesn&#039;t say anything about security, or how PCI-DSS is overly concerned about specific security requirements.  ISO 38500 is the best alignment I&#039;ve seen to date on all IT issues, and its clarity also speaks volumes.

The problem with COSO is that it was developed along with SAC over 14 years ago and has never really changed.  COBIT was also developed around this time, but has been through many revisions.  ITGI (the makers of COBIT, who also developed the CISA certification for ISACA) has always planned to update COBIT every 3 years.  The problem with COBIT is that it&#039;s not staying up-to-date.  If COBIT was flawless, then PCI-DSS wouldn&#039;t be in the place it is today, and ISO27k wouldn&#039;t be considered so much more mature in comparison.  The problem with SOX+COBIT is that not every public company is also a technology company (although at least a third of them are, which is why there is a lot of overlap between SOX and PCI).

With CICA (i.e. Canada) following CoCo (instead of COSO) and ITCG (instead of COBIT) for many years (and Australia and New Zealand having their own standards and associated regulations), it&#039;s no wonder that the ISO/IEC standards are becoming more popular from a global perspective.  I really think that the overlapping aspects of compliance are outrageously excessive and unnecessary.  I can&#039;t wait for ISO to replace PCI-DSS with an ISO27k-like standard, especially before PCI becomes law.

Sure, we have SOX, GLB, HIPAA, and PCI here in the US.  One single company may have to do all 4 audits, and as you stated, there could be multiple internal and external auditors for even the same regulation.  Then they might also have to do the ISO audits.  Does anyone have a problem with this besides me?  Do you see the overlap?  Isn&#039;t that a bit too much overhead?</description>
		<content:encoded><![CDATA[<p>&#8220;As far as cultural aspects go, I do find that, outside the U.S., companies tend to prefer ISO27001/27002 for IT-level process auditing, but COSO is still the preferred framework for non-IT auditing&#8221;</p>
<p>I prefer control/principle-rich frameworks such as ISO27k myself, but many organizations are at such a ground-level stage of maturity.  For these organizations, Visible Ops / Visible Ops Security (or even ITIL, as you mentioned) might be better frameworks than COBIT or ISO27k.  This may also explain why COSO simplifies the IT audit.  The best tool is the best tool, and for many organizations it&#8217;s better to have something than to try and do everything.</p>
<p>&#8220;There are also a large number of projects out there to align the myriad of best practices and standards for IT (e.g., ITIL, PCI, ISO27002, etc.) to COBIT’s broad set of IT processes and controls&#8221;</p>
<p>You must be referring to ISACA&#8217;s &#8220;Guidance on Aligning COBIT, ITIL and ISO 17799&#8221; document or possibly the V3WP document from the BITS Shared Assessments program, although I have seen others that are similar in approach.  Both are very useful documents for mapping controls.  I would question, &#8220;what are the right controls for any given organization&#8221;?  Visible Ops / Visible Ops Security makes this more clear, which is why I prefer them as starting points, especially for SOX pre-audits / internal IT audits.  Note that BITS Shared Assessments SIG is more and more often used to replace a SysTrust or SAS 70 Type II audit (the baby sister of a SOX audit) and it is very rich in IT and security controls.</p>
<p>I have always found the relationship between frameworks, regulations, standards, and best practices (such as specific assessment methodologies, risk analysis &amp; risk management frameworks, etc.) to be the most interesting part of compliance.  Since most public companies are also technology companies, it would stand to reason that SOX would inherit IT-specific frameworks strong in IT/security controls, as well as IT/security best practices.  In other words, I think that COBIT or ISO27k are where these technology companies need to be (instead of just ITIL or COSO), but I think they also need to look at NSA IAM/IEM/RTM, DIACAP, OSSTMM, FAIR, CSA, OCTAVE, etc.</p>
<p>ISO/IEC 38500 includes ISO27k along with ISO9k and ISO20k as the global IT governance framework.  It&#8217;s an interesting document that speaks more strongly to an all-encompassing framework for IT that doesn&#8217;t leave out security, quality, or service delivery &#8211; but rather makes each an issue to be dealt with separately and equally.  This is great because over the years I&#8217;ve heard too many complaints about how e.g. ITIL (probably referring to v2) doesn&#8217;t say anything about security, or how PCI-DSS is overly concerned about specific security requirements.  ISO 38500 is the best alignment I&#8217;ve seen to date on all IT issues, and its clarity also speaks volumes.</p>
<p>The problem with COSO is that it was developed along with SAC over 14 years ago and has never really changed.  COBIT was also developed around this time, but has been through many revisions.  ITGI (the makers of COBIT, who also developed the CISA certification for ISACA) has always planned to update COBIT every 3 years.  The problem with COBIT is that it&#8217;s not staying up-to-date.  If COBIT was flawless, then PCI-DSS wouldn&#8217;t be in the place it is today, and ISO27k wouldn&#8217;t be considered so much more mature in comparison.  The problem with SOX+COBIT is that not every public company is also a technology company (although at least a third of them are, which is why there is a lot of overlap between SOX and PCI).</p>
<p>With CICA (i.e. Canada) following CoCo (instead of COSO) and ITCG (instead of COBIT) for many years (and Australia and New Zealand having their own standards and associated regulations), it&#8217;s no wonder that the ISO/IEC standards are becoming more popular from a global perspective.  I really think that the overlapping aspects of compliance are outrageously excessive and unnecessary.  I can&#8217;t wait for ISO to replace PCI-DSS with an ISO27k-like standard, especially before PCI becomes law.</p>
<p>Sure, we have SOX, GLB, HIPAA, and PCI here in the US.  One single company may have to do all 4 audits, and as you stated, there could be multiple internal and external auditors for even the same regulation.  Then they might also have to do the ISO audits.  Does anyone have a problem with this besides me?  Do you see the overlap?  Isn&#8217;t that a bit too much overhead?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: John Linkous</title>
		<link>http://blog.eiqnetworks.com/2008/11/20/puzzle-pieces-the-relationship-between-sox-coso-and-cobit/#comment-3</link>
		<dc:creator>John Linkous</dc:creator>
		<pubDate>Thu, 20 Nov 2008 21:53:10 +0000</pubDate>
		<guid isPermaLink="false">http://eiqviews.wordpress.com/?p=39#comment-3</guid>
		<description>Typically, I don&#039;t see COSO and COBIT as competing with each other, at least with respect to SOX; rather, they&#039;re complementary.  Therefore, it&#039;s probably not easy to quantify &quot;COSO vs. COBIT&quot; users, since there will be a lot of overlap.  Most often, I see organizations use a combination of both: COSO for auditing the appropriateness of internal financial reporting processes, and COBIT for the components of IT that support these financial processes.  As far as cultural aspects go, I do find that, outside the U.S., companies tend to prefer ISO27001/27002 for IT-level process auditing, but COSO is still the preferred framework for non-IT auditing.

SOX-scoped organizations generally do have internal auditors, but they are also required to utilize external auditors.  In a perfect world, it would be great for organizations to have a single internal audit capability that was educated well enough in both accounting processes and IT operations to support a seamless audit function between the two.  Pragmatically, however, most organizations just aren&#039;t there.  In most cases, IT functions are still discrete from accounting functions, and as a result, most organizations split up their auditing into different efforts; IT SOX audits become a subset of the overall SOX compliance audit.  While it&#039;s true that this does add overhead compared to a single, end-to-end audit function, the reality is that very few organizations are politically structured in a manner that supports this.  Practically speaking, the vast majority of SOX companies have separate groups (both internally and externally): one to address SOX audits for financial reporting, and one to address the IT operations that support that financial reporting process.

From an IT auditing perspective, COBIT is well established (at least in the U.S.).  All major accounting firms base their own IT SOX auditing on the COBIT framework, and even if they have their own audit criteria, they map these criteria into COBIT.  There are also a large number of projects out there to align the myriad of best practices and standards for IT (e.g., ITIL, PCI, ISO27002, etc.) to COBIT&#039;s broad set of IT processes and controls; this points to the increasing popularity of COBIT as an IT-specific controls framework.</description>
		<content:encoded><![CDATA[<p>Typically, I don&#8217;t see COSO and COBIT as competing with each other, at least with respect to SOX; rather, they&#8217;re complementary.  Therefore, it&#8217;s probably not easy to quantify &#8220;COSO vs. COBIT&#8221; users, since there will be a lot of overlap.  Most often, I see organizations use a combination of both: COSO for auditing the appropriateness of internal financial reporting processes, and COBIT for the components of IT that support these financial processes.  As far as cultural aspects go, I do find that, outside the U.S., companies tend to prefer ISO27001/27002 for IT-level process auditing, but COSO is still the preferred framework for non-IT auditing.</p>
<p>SOX-scoped organizations generally do have internal auditors, but they are also required to utilize external auditors.  In a perfect world, it would be great for organizations to have a single internal audit capability that was educated well enough in both accounting processes and IT operations to support a seamless audit function between the two.  Pragmatically, however, most organizations just aren&#8217;t there.  In most cases, IT functions are still discrete from accounting functions, and as a result, most organizations split up their auditing into different efforts; IT SOX audits become a subset of the overall SOX compliance audit.  While it&#8217;s true that this does add overhead compared to a single, end-to-end audit function, the reality is that very few organizations are politically structured in a manner that supports this.  Practically speaking, the vast majority of SOX companies have separate groups (both internally and externally): one to address SOX audits for financial reporting, and one to address the IT operations that support that financial reporting process.</p>
<p>From an IT auditing perspective, COBIT is well established (at least in the U.S.).  All major accounting firms base their own IT SOX auditing on the COBIT framework, and even if they have their own audit criteria, they map these criteria into COBIT.  There are also a large number of projects out there to align the myriad of best practices and standards for IT (e.g., ITIL, PCI, ISO27002, etc.) to COBIT&#8217;s broad set of IT processes and controls; this points to the increasing popularity of COBIT as an IT-specific controls framework.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Andre Gironda</title>
		<link>http://blog.eiqnetworks.com/2008/11/20/puzzle-pieces-the-relationship-between-sox-coso-and-cobit/#comment-2</link>
		<dc:creator>Andre Gironda</dc:creator>
		<pubDate>Thu, 20 Nov 2008 20:10:38 +0000</pubDate>
		<guid isPermaLink="false">http://eiqviews.wordpress.com/?p=39#comment-2</guid>
		<description>What percentage of organizations under SOX use COSO over COBIT for IT processes and what are the dominant reasons for doing so?  Why would an organization use COSO instead of COBIT?  Is this a cultural thing?

Don&#039;t most organizations under SOX utilize internal auditors to do both &quot;general accounting&quot; and &quot;IT-specific&quot; processes?  Why would an organization separate the two?  Wouldn&#039;t that add unnecessary overhead to the audit process?  Isn&#039;t this where the idea of COSO vs. COBIT (as competitive frameworks) comes from?

AFAIK, internal auditors use COSO in the United States, especially for SOX.  COBIT is just for the academic and research literature.  Correct me if I&#039;m wrong.</description>
		<content:encoded><![CDATA[<p>What percentage of organizations under SOX use COSO over COBIT for IT processes and what are the dominant reasons for doing so?  Why would an organization use COSO instead of COBIT?  Is this a cultural thing?</p>
<p>Don&#8217;t most organizations under SOX utilize internal auditors to do both &#8220;general accounting&#8221; and &#8220;IT-specific&#8221; processes?  Why would an organization separate the two?  Wouldn&#8217;t that add unnecessary overhead to the audit process?  Isn&#8217;t this where the idea of COSO vs. COBIT (as competitive frameworks) comes from?</p>
<p>AFAIK, internal auditors use COSO in the United States, especially for SOX.  COBIT is just for the academic and research literature.  Correct me if I&#8217;m wrong.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
