There is no doubt, then, that managing compliance as it relates to your IT
systems is a rather daunting task. This is where the control frameworks come
into play, including COBIT and COSO (see the next two sections). These control
frameworks provide an outline of the issues you need to look at, as well as
some nice four- and five-letter acronyms for you to add to your alphabet soup.

COBIT
Published by the IT Governance Institute and the Information Systems Audit
and Control Association (ISACA), COBIT (Control Objectives for Information
and Related Technologies) is an open source standard that provides an IT
governance framework to manage risk and compliance issues based on best
practices.

According to ISACA, the bottom-line function for IT is to support the business
goals of the company. To do that, COBIT supports an IT governance framework
that helps a company make sure that its IT systems are aligned with the
business, that IT enables the business and maximizes IT's benefits to the
business, that IT resources are used responsibly, and that IT risks are managed
appropriately. For more information, go to the ISACA Web site at
http://www.isaca.org.

COSO
The full name for COSO (www.coso.org) is the Committee of Sponsoring
Organizations of the Treadway Commission, and it is a voluntary private
sector organization dedicated to improving the quality of financial reporting
through business ethics, effective internal controls, and corporate governance.

As such, the organization has created an internal control framework known
as the COSO Enterprise Risk Management Framework. According to a COSO
publication titled "Enterprise Risk Management — Integrated Framework:
Executive Summary," the framework is based on eight interrelated components
by which to evaluate the company's risk management strategy:

Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information & Communication
Monitoring
