What are the differences between COBIT & COSO
COBIT and COSO may have similar mandates, but they are different things: COBIT is a framework, COSO is the committee that publishes its own framework. COBIT stands for Control Objectives for Information and Related Technologies and is published by ISACA. COSO is an acronym for the Committee of Sponsoring Organizations of the Treadway Commission.
Both help companies manage their internal controls, including controls over financial reporting. Organizations need to grasp the differences, similarities and shared ideas of the two in order to set sensible objectives for internal control over their data.
COBIT versus COSO
COSO was established in 1985 by five major professional associations. Its original mandate was to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission). The sponsoring organizations wanted to institute a set of frameworks to guide fraud deterrence, internal control and risk management.
- Institute of Internal Auditors (IIA)
- Institute of Management Accountants (IMA)
- American Accounting Association (AAA)
- American Institute of Certified Public Accountants (AICPA)
- Financial Executives International (FEI)
Meaning of ISACA
ISACA was founded in 1967 as the Information Systems Audit and Control Association; today it uses only the acronym ISACA. It provides certifications and publishes guidance for IT audit, control and governance, including the COBIT framework.
COSO's enterprise risk management framework was updated in 2017 (the exposure draft circulated in 2016) to integrate risk management with strategy and performance. It applies to risk management across the enterprise, not only to financial reporting, and is organized around five interrelated components.
- Governance and Culture – board oversight of enterprise risk management, and the values, ethics and competence that underpin it.
- Strategy and Objective-Setting – risk appetite is defined and aligned with strategy, and business objectives are set so that risk can be measured against them.
- Performance – risks are identified, assessed and prioritized, responses are selected, and the results are reported.
- Review and Revision – performance is reviewed against risk and the risk management practices are revised as needed.
- Information, Communication and Reporting – risk information is captured and communicated internally and externally.
COBIT 5 Framework
Like COSO, COBIT 5 rests on five principles, each with its own purpose:
- Meeting Stakeholder Needs – value is created by balancing benefits realization, risk optimization and resource optimization, recognizing that the stakeholders who bear the risk are not always those who receive the benefit.
- Covering the Enterprise End-to-End – governance of enterprise IT extends beyond the IT function to all information, applications, infrastructure and other IT-related assets, wherever they sit in the business.
- Applying a Single Integrated Framework – other relevant standards and good practices are mapped onto one governance and management framework rather than run in parallel.
- Enabling a Holistic Approach – governance and management rest on a set of interconnected enablers: principles and policies, processes, organizational structures, culture and behaviour, information, services and infrastructure, and people and skills.
- Separating Governance from Management – governance evaluates stakeholder needs, sets direction and monitors performance; management plans, builds, runs and monitors activities in line with that direction.
Difference between COBIT 5 and COSO
The two frameworks have different mandates and functions, even though they can appear similar. COSO establishes the guiding principles for setting risk appetite, designing internal control and deterring fraud. COBIT 5 delivers the framework for building and governing IT controls according to good practice.
Companies that use COSO to establish their risk reporting approach can employ COBIT 5 to organize their control environment. To use a building analogy: COSO is the floor plan, the outline of the rooms.
COBIT 5 is the detailed plan for the HVAC, plumbing, drainage and electrical systems that make the building usable. COBIT 5 puts COSO's plans into action so that companies can secure their IT and reporting functions.
Why do organizations need both COSO and COBIT?
COSO and COBIT 5 need to work together on risk governance and the control environment if a company is to meet its security and compliance requirements. COSO on its own addresses fiduciary concerns such as the reliability of financial reporting; it says little about the specifics of the organization's IT environment.
COBIT 5 covers the whole IT environment, well beyond financial reporting, so it is fair to say that the two complement each other on compliance, risk and governance. For instance, an organization providing trust services can govern compliance under COSO and then use COBIT 5 processes to map out its key practices.
Organizations should first assess risk under COSO to determine which environments matter. Next, they translate those requirements into stakeholder needs that the IT environment must satisfy in order to meet the organization's objectives. The specific process and practice definitions in COBIT therefore align with COSO's requirements, giving organizations high-quality monitoring and compliance.
Why use an automated system for mapping COSO and COBIT 5?
A typical AICPA worksheet contains 414 rows, each involving several COBIT 5 alignments. Managing compliance for all of these controls can be overwhelming, and mapping the architectures to COBIT 5 by hand is nearly impossible. Using ZenGRC seed content, companies can synchronize the frameworks in as little as six weeks.
The software has a compliance dashboard with color-coded audit readiness indicators that highlight organizational gaps at a glance. A red marker on the 'Audit Readiness' panel signals a low score: the organization must review the controls that do not align with COSO or COBIT.
Under COBIT, organizations must involve stakeholders across the whole enterprise, so clear internal communication is essential. The streamlined workflow that ZenGRC provides helps with the administrative side of that work.
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.