Compliance School

Step 3: Establishing an IT Control Framework

As we mentioned, COSO is the de facto internal control framework associated with Sarbanes-Oxley. Therefore, COBIT is a natural choice for the IT Control Framework. The COBIT Framework is a set of 34 high-level control objectives organized into the four areas described in the financial and technical standards section.


    Requires Free Membership to View

The diagram above shows the 34 high-level control objectives and their relationship to the four areas. While a majority of the controls have elements that are important in SOX compliance, a number of the high-level objectives stand out.

In the area of Planning and Organization:

  • Determine the information architecture
  • Define the IT organization and relationships
  • Ensure compliance with external requirements
  • Assess risks
Virtually all of the elements of Acquisition and Implementation:
  • Acquire and maintain application software
  • Acquire and maintain technology infrastructure
  • Develop and maintain procedures
  • Install and accredit systems
  • Manage changes
Many of the elements of Delivery and Support:
  • Ensure systems security
  • Educate and train users
  • Manage the configuration
  • Manage problems and incidents
  • Manage data
  • Manage facilities
  • Manage operations
And all of the elements associated with Monitoring:
  • Monitor the processes
  • Assess internal control adequacy
  • Obtain independent assurance
  • Provide for independent audit
Using these objectives, COBIT recommends organizations follow a plan, do, check, correct cycle. This philosophy, if followed, will help to improve the effectiveness of IT operations and, at the same time, help an organization achieve SOX compliance.


Home: Introduction
Step 1: Understanding compliance -- Financial and technical standards
Step 2: Scope of compliance
Step 3: Establishing an IT Control Framework
Step 4: Detailed objectives and policies
Step 5: Measuring compliance
Step 6: Managing and tracking compliance
Step 7: The changing nature of compliance

This was first published in February 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: