As we mentioned, COSO is the de facto internal control framework associated with Sarbanes-Oxley, and COBIT was designed to align its IT controls with COSO; COBIT is therefore a natural choice for the IT control framework. The COBIT Framework is a set of 34 high-level control objectives organized into the four areas described in the financial and technical standards section.
The diagram above shows the 34 high-level control objectives and their relationship to the four areas. While most of the controls include elements that matter for SOX compliance, a number of the high-level objectives stand out.
In the area of Planning and Organization:
Determine the information architecture
Define the IT organization and relationships
Ensure compliance with external requirements
Virtually all of the elements of Acquisition and Implementation:
Acquire and maintain application software
Acquire and maintain technology infrastructure
Develop and maintain procedures
Install and accredit systems
Many of the elements of Delivery and Support:
Ensure systems security
Educate and train users
Manage the configuration
Manage problems and incidents
And all of the elements associated with Monitoring:
Monitor the processes
Assess internal control adequacy
Obtain independent assurance
Provide for independent audit
Using these objectives, COBIT recommends that organizations follow a plan, do, check, correct cycle. Followed consistently, this approach improves the effectiveness of IT operations and, at the same time, helps an organization achieve SOX compliance.