Step 3: Establishing an IT Control Framework

As we mentioned, COSO is the de facto internal control framework associated with Sarbanes-Oxley. Therefore, COBIT...

is a natural choice for the IT Control Framework. The COBIT Framework is a set of 34 high-level control objectives organized into the four areas described in the financial and technical standards section.

About Compliance School

In Compliance School, guest instructor Richard Mackey shows you exactly what you need to do to meet regulations' ongoing demands and arms you with actionable items to ensure your business remains continuously compliant. Best of all you can attend any of the following on-demand lessons when it's most convenient for you:

The diagram above shows the 34 high-level control objectives and their relationship to the four areas. While a majority of the controls have elements that are important in SOX compliance, a number of the high-level objectives stand out.

In the area of Planning and Organization:

  • Determine the information architecture
  • Define the IT organization and relationships
  • Ensure compliance with external requirements
  • Assess risks

Virtually all of the elements of Acquisition and Implementation:

  • Acquire and maintain application software
  • Acquire and maintain technology infrastructure
  • Develop and maintain procedures
  • Install and accredit systems
  • Manage changes

Many of the elements of Delivery and Support:

  • Ensure systems security
  • Educate and train users
  • Manage the configuration
  • Manage problems and incidents
  • Manage data
  • Manage facilities
  • Manage operations

And all of the elements associated with Monitoring:

  • Monitor the processes
  • Assess internal control adequacy
  • Obtain independent assurance
  • Provide for independent audit

Using these objectives, COBIT recommends organizations follow a plan, do, check, correct cycle. This philosophy, if followed, will help to improve the effectiveness of IT operations and, at the same time, help an organization achieve SOX compliance.


This was last published in February 2006

Dig Deeper on Security audit, compliance and standards