The Act itself doesn't provide direct guidance on what it means to comply. Instead, it refers to an organization and an accompanying control framework as a method to achieve compliance. That organization, the Committee of Sponsoring Organizations (COSO), was founded by professional accounting associations and is dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance.
COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. Its original chairman was SEC Chairman James C. Treadway, Jr. Hence, the popular name of the National Commission was The Treadway Commission.
COSO published its Internal Integrated Control Framework, which defines what a control is and describes the various aspects of the process of control, including the control environment, risk assessment, control activities, information and communication, and monitoring. It also discusses how corporate roles map to responsibilities for effecting internal control in these areas. The COSO framework is designed to provide a model that corporations can use to run an efficient and well-controlled financial environment. Adherence to its principles can help with, but not guarantee, SOX compliance.
The COSO framework recognizes that IT requires a dedicated governance framework such as COBIT (Control Objectives for IT). COBIT, a standard maintained by the IT Governance Institute, is internationally accepted as a set of control objectives (i.e., goals) for structuring and maintaining control over IT operations and, in particular, IT security.
COBIT, like COSO, defines IT governance as a cyclical process that involves:
- Planning and organizing to maintain control
- Acquisition and implementation of control mechanisms (e.g., technology) and measures (e.g., policies and processes)
- Delivery and support of operations (including control activities)
- Monitoring and evaluation of controls
ISO 17799, an international security code of practice, provides examples of good security practices, many of which correspond to COBIT objectives. IT organizations can use COBIT as an overall governance framework and ISO 17799 as a guide to implementing policies and practices for security in general, and for SOX-required activities in particular.
This was first published in February 2006