COBIT and COSO share more than pleasant alliteration. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Control Objectives for Information and Related Technologies (COBIT) both help organizations manage financial reporting controls. Understanding the similarities, differences, and overlaps between the two can help organizations create robust internal control objectives that protect data.
COBIT vs. COSO
What is COSO?
Five major professional associations founded COSO in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. The American Accounting Organization (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Internal Auditors (IIA), and Institute of Management Accountants (IMA) organized to develop frameworks and guidance on enterprise risk management, internal control, and fraud deterrence.
What is ISACA?
Initially founded in 1967 as the Information Systems and Audit Control Association, the IT professional organization now uses only the acronym ISACA. Today, ISACA creates globally recognized IT certifications and develops audit control guidance.
What is the COSO Framework?
The COSO Framework, most recently updated in 2016, provides an applied risk management approach to internal controls. Applicable to both financial reporting and internal reporting, the COSO framework focuses on five interrelated strategic points.
“Governance and Culture” relates enterprise risk management (ERM) oversight to daily activities. “Strategy and Objective Setting” holds that risk tolerance sets goals, but that those goals must be objectively measured. The “Performance” segment requires prioritization of risks and effectiveness reporting. The “Review and Revision” portion involves continuous monitoring and internal audit to revise controls as necessary. Finally, the “Information, Communication, and Reporting” proviso requires communication across internal and external stakeholders.
What is the COBIT 5 Framework?
To confuse things, COBIT 5 also incorporates five strategic principles. Although the numbers match, the goals and purposes differ. Understanding these five principles helps overlay COSO and COBIT.
“Meeting Stakeholder Needs” requires ensuring that organizational decisions incorporate those receiving benefits and those bearing risks to determine resources needed. “Covering the Enterprise End-to-End” ensures that ERM incorporates all information and technologies, such as applications, as assets rather than focusing on the “IT function.” “Applying a Single Integrated Framework” acts to map multiple standards to a single enterprise governance and management framework. “Enabling a Holistic Approach” integrates processes, organizational structures, culture, policies, information, infrastructure, and people to manage the interconnectedness of governance across the enterprise. “Separating Governance and Management” entails evaluating needs to set a prioritized direction while separating the tracking activities from the governance body.
What are the differences between COBIT 5 and COSO?
While the two seem similar, they perform different functions for organizations. COSO provides guidance that organizations can use to establish risk tolerances to reduce fraud. COBIT 5 offers organizations a framework that builds best-practice controls.
Organizations choosing to establish financial risk reporting models that align with COSO can use COBIT 5 to help organize their control landscape. COSO acts like the building plans for a new house. The framework lays out the general locations of rooms. COSO allows an organization to frame the building. However, walking through a framed home only shows an outline of how the final plan will look.
COBIT 5 shows organizations where to put the electrical systems, plumbing, and then puts up the drywall. This framework sets the COSO plan into action with details that allow organizations to secure the IT environment.
Why do organizations need both COBIT and COSO?
COBIT 5 and COSO work together to create not only a control landscape but also a risk and governance model that allows the security function to comply with requirements.
COSO only addresses those controls related to fiduciary duty. Primarily designed to enable Sarbanes-Oxley (SOX) Section 404 requirements, COSO limits itself to a certain area of an organization’s IT environment. Meanwhile, COBIT 5 extends beyond financial reporting to the whole environment. Therefore, the two complement each other as well as the overarching risk, compliance, and governance program.
For example, trust services organizations governing their compliance under COSO can map the COSO principles to the COBIT 5 processes and determine which key practice goals cover both. The AICPA provides an Excel spreadsheet to help visualize the mapping.
Under COSO, organizations must undertake risk assessments to determine critical environments and ensure mitigation. As part of this process, external financial reporting must reflect the underlying transactions and events.
COBIT 5 aligns with this requirement by offering specific ways to assess risk. For example, COBIT’s PO 8 Manage Quality dovetails with the COSO risk assessment component. COBIT then defines measurements such as the percentage of stakeholders satisfied with IT quality, the percentage of formally QA-reviewed IT processes that meet their target goals and objectives, and the percentage of processes receiving QA reviews.
Thus, the specific definitions of controls within COBIT create strategic alignments to COSO that enable quality compliance and monitoring.
Why use an automated system for mapping COSO and COBIT 5?
The above-referenced AICPA worksheet incorporates 414 rows, each carrying multiple COBIT 5 alignments. Managing the compliance of these controls while also mapping them to COSO becomes overwhelming. Mapping other compliance architectures to COBIT 5 on top of that becomes nearly impossible.
With ZenGRC’s seed content, organizations can onboard in as little as six weeks and align their controls to COBIT 5.
Once they have aligned their controls to COBIT 5, they can map those to COSO or any other compliance framework by using ZenGRC’s gap analysis tool. The gap analysis tool in the platform aligns controls across multiple standards to ease the burden of compliance across frameworks.
For example, ZenGRC’s compliance dashboard provides color-coded audit readiness markers that offer instant visual insights into organizational gaps. A red, low “Audit Readiness” marker visually represents a danger for organizations attempting compliance with a particular standard. If that standard aligns with COBIT or COSO, the organization knows it needs to review its controls.
COBIT requires organizations to engage enterprise-wide stakeholders. Organizing people requires ongoing communication. ZenGRC’s streamlined workflow eases the administrative burden by eliminating emails so that varied stakeholders can communicate more efficiently.
To see how ZenGRC can help organize COBIT and COSO compliance, contact us for a demo today.