As SOX regulations have enhanced the role of IT within a company, they have also created a boom in IT projects and solutions. Niche companies are providing SOX solutions, while large software vendors are also providing software to automate internal controls as part of a larger GRC project. SOX has created an internal controls industry that is run by an army of vendors and consultants.
IT frameworks: Your template for compliance
The SEC has mandated that U.S. companies use a recognized internal control framework. There are a number of these, including COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library). Some companies may choose one framework to structure their controls, whereas others may cherry-pick sections from each, although that approach can be more time-consuming and can lead to gaps in coverage. Sound like more rules? Maybe, but the IT frameworks are really skeletons on which companies flesh out their own unique set of business processes.
COBIT builds on the financial compliance framework provided by COSO. COBIT is widely recommended by analysts, auditors, and consultants. It is published by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute, which notes that the work that goes into meeting SOX requirements should be regarded not only as compliance but also as an opportunity to build strong governance models. ITIL is a best practice library developed in the U.K. from work done for the Office of Government Commerce.
COSO’s control framework
COSO was originally formed in 1985 as part of a private sector initiative by
the National Commission on Fraudulent Financial Reporting. Since 2002,
COSO has been extended and renamed. The COSO Enterprise Risk
Framework emphasizes the importance of identifying and managing risks
across the enterprise.
COSO defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
    Effectiveness and efficiency of operations
    Reliability of financial reporting
    Compliance with applicable laws and regulations”