(This article is excerpted from Relating the COSO Internal Control--Integrated Framework and COBIT, an ISACA COBIT Series white paper.)
Many enterprises ask, "With the update of both the COSO Internal Control--Integrated Framework and the COBIT framework, are they still complementary and compatible?" The answer is yes: the frameworks remain complementary and compatible as guidance to support the assessment and improvement of internal control practices and activities within the governance and management arrangements of an enterprise.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control--Integrated Framework and the ISACA COBIT framework have a long and beneficial history of in-tandem use by many enterprises, dating from well before the Sarbanes-Oxley Act of 2002 regulations were enacted. With the advent of this set of regulatory challenges, enterprises were compelled to use COSO for their financial control framework. (The U.S. Securities and Exchange Commission mentioned the COSO framework (1) as one of the sources of guidance for evaluating internal control over financial reporting.) These same enterprises were also drawn to COBIT for their IT control framework guidance, both because of the specific IT Control Objectives for Sarbanes-Oxley product that ISACA published and because they recognized IT as a critical enabler of strong financial controls. In May 2013, COSO released its updated and refreshed Internal Control--Integrated Framework. ISACA participated in this update program, serving as a member of the COSO Advisory Council. Meanwhile, ISACA released COBIT 5, (2) its update and revision to COBIT, in April 2012. Because many enterprises rely on both frameworks internally and many others use both frameworks in their consulting work, ISACA recognized a natural need to consider how the two frameworks relate to each other. For this reason, ISACA developed this white paper to present the ISACA perspective on the relationship between the two frameworks and to support dialogue among professionals who use them.
This article takes the refreshed and updated COSO Internal Control--Integrated Framework as its base structure and examines how the relevant components and content of the COBIT 5 framework and its supporting guidance deliverables relate to the COSO framework. Through the efforts of many (including ISACA), the May 2013 refreshed COSO framework places much stronger emphasis on the importance of information technology, in addition to other enhancements within its principles. The purpose of this article is to highlight areas of alignment and difference in the content of the frameworks, and to help enterprises that are using the COSO framework by presenting the relationship between the COSO framework guidance and the COBIT 5 framework guidance. (It is assumed that readers have an understanding of the COSO and COBIT 5 framework concepts and components, which are freely available in foundational reference publications on each organization's website. Therefore, repetition of content from these reference publications is kept to a minimum.)
THE COSO INTERNAL CONTROL--INTEGRATED FRAMEWORK
(Note: This section quotes directly from the COSO Internal Control--Integrated Framework.)
The framework assists management, boards of directors, external stakeholders, and others interacting with the entity in their respective duties regarding internal control without being overly prescriptive. It does so by providing both understanding of what constitutes a system of internal control and insight into when internal control is being applied effectively.