Lessons learned: COSO, COBiT and other emerging standards for SOX compliance.

Author: Putrus, Robert
Position: SOX COMPLIANCE - Committee of Sponsoring Organizations - Control Objectives for Information and Related Technologies - Sarbanes-Oxley Act of 2002

After nearly three years, many companies still are coming to grips with the Sarbanes-Oxley Act, specifically Sec. 404, and other new compliance laws, such as HIPAA and Gramm-Leach-Bliley.

And even now, there are lessons to learn regarding tools and methodologies used during these early stages of Sec. 404 compliance.

Although SOX is relatively new, the compliance methodologies that companies employ are well-established and direct outgrowths of established best practices.

Frameworks adopted in rendering Sec. 404 compliance services include the Committee of Sponsoring Organizations' Internal Control-Integrated Framework and the Control Objectives for Information and Related Technologies.

THE COSO REPORT

The most commonly used framework for evaluating financial reporting internal controls is COSO's Internal Control-Integrated Framework, which established a broad definition of internal control extending to all objectives of an organization.

The report establishes three categories of controls: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with laws and regulations.

COSO also identifies five inter-related components that must be functioning for an internal control system to be effective, and describes the criteria for effective internal control mechanisms.

THE COBiT STANDARD

COBiT is a 1996 IT control framework published by the IT Governance Institute and the Information Systems Audit and Control Association. It's built, in part, upon COSO's framework and provides a comprehensive approach for managing risk and control of information technology. COBiT comprises four domains, 34 IT processes and 318 control objectives.

The framework has been adopted worldwide by leading companies, financial institutions and governments as a consistent approach to complying with SOX.

COBiT is considered a gold standard because it indicates good practices for the management of IT processes in a manageable and logical structure. This structure bridges the gaps between business risks, technical issues, control needs and performance measurement requirements.

[ILLUSTRATION OMITTED]

LESSONS LEARNED

No. 1: Automated Software Tools Aren't the Solution. In response to SOX, many software companies and enterprise resource planning vendors sought to develop software that could document company processes, identify risks, develop test procedures, track the test results and document project status.

At first, the concept seems...
