The Control Objectives for Information and Related Technologies (COBIT) framework and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) have more in common than the pleasant alliteration. Both bodies publish guidance that helps organizations manage internal controls, including controls over financial reporting. By understanding where COSO and COBIT differ, overlap, and coincide, organizations can define solid internal control objectives and protect their data.
COSO Vs. COBIT
What is COSO?
COSO was formed in 1985 by five professional associations to sponsor the National Commission on Fraudulent Financial Reporting, commonly called the Treadway Commission. The five were the IMA (Institute of Management Accountants), IIA (Institute of Internal Auditors), FEI (Financial Executives International), AICPA (American Institute of Certified Public Accountants), and AAA (American Accounting Association). These five organizations went on to develop guidance and frameworks on internal control, enterprise risk management, and fraud deterrence.
The Information Systems Audit and Control Association, now known simply as ISACA, was founded in 1967. It is an IT professional association that issues IT certifications recognized worldwide and publishes guidance for IT audit, control, and governance, of which COBIT is the best known.
The COSO frameworks give internal control an applied risk management foundation. COSO maintains two: the Internal Control Integrated Framework, last updated in 2013, whose five components are control environment, risk assessment, control activities, information and communication, and monitoring activities; and the Enterprise Risk Management (ERM) framework, updated in 2017 after a 2016 public exposure draft. The ERM framework applies to internal as well as external financial reporting objectives and is built on five interrelated components:
- Governance and Culture: sets the organization's tone, defines board oversight of ERM, and embeds risk awareness in day-to-day culture and conduct.
- Strategy and Objective-Setting: defines risk appetite alongside strategy, so that business objectives, and the tolerance for variation around them, are set and measured deliberately.
- Performance: identifies and assesses risks, prioritizes them by severity against risk appetite, selects responses, and reports a portfolio view of risk.
- Review and Revision: monitors ERM performance on a continuous basis, including through internal audit, reviews substantial changes, and revises controls when necessary.
- Information, Communication, and Reporting: uses information systems to capture risk data and communicates it to both internal and external stakeholders.
COBIT 5 Framework
COBIT 5 is also built on five principles, but despite the matching number its goals and purpose differ from COSO's. The COBIT 5 principles are:
- Meeting Stakeholder Needs: the parties that receive the benefits and bear the risks of IT are represented in the decisions about the resources needed, so that stakeholder needs are translated into enterprise and IT-related goals.
- Covering the Enterprise End to End: governance of enterprise IT covers the whole business, not just the IT function, and treats all information and technology, applications included, as enterprise assets.
- Applying a Single Integrated Framework: aligns COBIT with other relevant standards and frameworks so the enterprise can operate one integrated governance and management framework instead of several overlapping ones.
- Enabling a Holistic Approach: interconnects governance across the enterprise through seven enablers: principles and policies, processes, organizational structures, culture and behavior, information, services and infrastructure, and people and skills.
- Separating Governance from Management: governance evaluates stakeholder needs, sets direction, and monitors performance; management plans, builds, runs, and monitors activities in line with that direction.
Differences between COSO and COBIT 5
Although they look similar, the two frameworks serve different functions in an organization. COBIT 5 gives a framework for building best-practice controls over IT governance and management. COSO, on the other hand, guides organizations in designing internal control, reducing fraud, and establishing risk appetite and tolerances.
Entities that model financial reporting risk in line with COSO will also find COBIT 5 helpful for organizing their control landscape. In the analogy of a new house, COSO is the set of building plans: it lays out where the rooms go and lets the organization frame the building. But walking through a framed house shows only an outline of how the finished plan will look.
COBIT 5 supplies the details: where to run the plumbing and electrical systems before the walls go up. In that sense COBIT 5 puts COSO into action, adding the information organizations need to secure their IT environment.
Why organizations need both COSO and COBIT
COSO and COBIT 5 work together: one supplies the governance and risk model, the other the control landscape, so that the security program can demonstrate compliance with what is required.
COSO addresses controls related to fiduciary responsibility, above all internal control over financial reporting, and is the framework most organizations use to meet SOX (Sarbanes-Oxley) Section 404 requirements. COBIT, by contrast, scopes itself to the IT environment. Together they cover risk, governance, and compliance, and each fills in what the other leaves open.
Organizations reporting against the AICPA Trust Services Criteria, for example, which are themselves built on COSO principles, can map their controls to the COBIT 5 processes and decide which practice goals cover both.
The AICPA, for example, publishes that mapping as an Excel spreadsheet. Under the COSO approach, an organization must perform a risk assessment to determine which environments are critical and what mitigation they need, and its external financial reporting must reflect the underlying transactions and events. Because COBIT 5 offers specific practices for risk assessment, it lines up with this requirement. The COSO risk assessment component, for instance, dovetails with COBIT's Manage Quality process (PO8 in COBIT 4.1, APO11 in COBIT 5). COBIT measures that process by stakeholder satisfaction with IT quality, the percentage of IT processes formally reviewed by QA that meet their quality goals and objectives, and the percentage of processes receiving a QA review.
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives people to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.