Puzzle Pieces: The Relationship Between SOX, COSO, and COBIT
November 20, 2008
The Sarbanes-Oxley Act is one of the more unusual animals in the IT compliance menagerie. Unlike more clearly defined laws such as HIPAA, or standards such as PCI and ISO27002, SOX’s applicability to IT is very vague – Sections 302 and 404 of SOX, collectively known as the “IT sections”, don’t talk about technology, and don’t even describe specific controls. Instead, SOX basically says, “ensure that your financial reporting process has integrity, or very bad things will happen to you.” While this is a nice sentiment to have, it also means that the hands-on process of building a SOX compliance program is open to wildly varied interpretation. Fortunately, the SEC (one of the lead organizations behind SOX) has issued guidance to help organizations better comply with the law. The SEC recommends the use of a controls framework to help achieve compliance with SOX, and it has specifically mentioned two well-known frameworks, one general in nature (COSO), and the other specific to IT processes (COBIT).
First up is COSO. Several years before widespread adoption of the Internet, and before IT security (and by definition, the confidentiality, integrity, and availability of IT data, infrastructure, and processes) became a concern to most organizations, COSO established a framework for how organizations could control and manage their own internal processes (financial, operational, or otherwise). Originally authored by Coopers & Lybrand under the review of the Treadway Commission (itself a product of corporate malfeasance in the 1970’s), COSO establishes a way that organizations can organize and manage almost any business process (although it was specifically designed for financial accounting functions). COSO also established the concept of a “maturity model” for organizations to measure the depth (think “degree of evolution”) of how they implemented these processes. While COSO is a general framework (i.e., its governance model, risk model, and controls are not specific to finance, IT, or any other business area), it can be (and often is) applied specifically to IT, especially those IT processes and controls that are governed by SOX. First and foremost, COSO is focused on processes, and then associates information and controls with those processes.
COBIT, an IT-specific framework first published in 1994, is loosely based on COSO; that is, it is a framework for processes, specific to IT. In addition, COBIT provides hundreds of specific controls for each of these processes; in this way, COBIT describes high-level processes related to planning, implementing, and maintaining IT systems, while also giving specific statements of how this should be done. COBIT is, in some ways, analogous to the ISO27002 standard: it provides a recommendation of how to implement the stuff that needs to get done for IT to function. Unlike ISO27002, however, COBIT is not solely focused on information security – it addresses things like review and acquisition of technology and performance measurement, which are outside the traditional scope of security. Also, unlike COSO, COBIT is focused first and foremost on information, and then associates processes and controls with that information.
From an implementation perspective, then, how do SOX, COSO, and COBIT relate to each other? Much like the pieces of a puzzle, each connects with the others, while still providing something unique. First off, it’s important to remember that no public company is required to use either COSO or COBIT; as long as an organization can demonstrate to an auditor that its controls and processes are reasonable, it should pass an audit – however, Big-4 firms have seized on these two frameworks as their own benchmark to determine whether their clients’ controls are adequate. Second, although there are some points of connection between COSO and COBIT, they are not really competitive with each other. Because COSO is a general framework, and COBIT is specific to IT, they can be – and often are – used together: COSO as the criteria to audit general accounting processes, and COBIT to audit IT-specific processes. Regardless of whether an organization chooses to adopt COSO, COBIT, or a combination of the two in order to meet SOX compliance, the fact that it is using a known, accepted framework for managing processes and controls puts that organization on the path to compliance.