Compliance Frameworks Explained: COSO and COBIT Matrix, Metrics, and Matter

June 17, 2008


The first step in compliance is to develop a basic competency in the regulations. This requires input from a variety of sources, including the compliance, risk management, finance and legal departments. Existing corporate policies and directives need to be examined and expanded. It is also important to be familiar with the guidelines that auditors will be applying. COSO is of specific importance as the preferred audit guideline for financial data. COBIT standards for best practices in IT management are also likely to be applied.

COSO and COBIT do not directly address storage; however, their general principles still apply. The focus areas are Risk Assessment, Control Activities, and Monitoring.

After assessing risks and processes, action must be taken to address the shortcomings that have been identified. This may include developing and documenting new operating procedures that can be set as standards, and introducing new monitoring and reporting

Managing compliance is an ongoing process that requires changes both in technology and in business processes. The first requirement is to fully understand the requirements imposed by the regulations, including those that are specific to your industry. A compliance policy then needs to be developed, and this requires a dialog between IT personnel, senior management, and legal counsel.


In its final rules on the Sarbanes-Oxley Act, the SEC made specific references to the COSO recommendations. These recommendations come from the Committee of Sponsoring Organizations of the Treadway Commission, whose mission is to strengthen financial controls. Of specific interest is Section 404 of the Act, which addresses internal controls over financial reporting. This section requires management of public companies to assess the effectiveness of these controls and to report the results of that assessment annually. This inherently has a high degree of impact on IT.

COSO is a voluntary private-sector organization, established in 1985 with the goal of improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance. It includes representatives from industry, public accounting, investment firms and the New York Stock Exchange. COSO's sponsoring organizations are the American Institute of Certified Public Accountants (AICPA), the American Accounting Association (AAA), Financial Executives International (FEI), the Institute of Internal Auditors (IIA) and the Institute of Management Accountants (IMA).

The objective of COSO is to support internal control, the key concepts of which are stated as:

  • Internal control is a process. It is a means to an end, not an end in itself.

  • Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organization.

  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.

  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

The COSO framework has become the broadly accepted standard for meeting reporting requirements. Its overall risk management approach is designed to achieve objectives defined in four categories:

  • Strategic – high-level goals, aligned with the enterprise mission

  • Operations – effective and efficient use of resources

  • Reporting – reliability of reporting

  • Compliance – compliance with applicable laws and regulations.

The latest version of the guidelines is the Enterprise Risk Management – Integrated Framework, an extension of the Internal Control – Integrated Framework, which is generally used as the compliance framework for Sarbanes-Oxley and other regulations.

The internal controls dimension is the most important from an IT and storage perspective, since it specifies the types of processes and procedures that need to be in place in order to comply with regulations. There are five dimensions of internal controls:

  1. Control Environment, which is the top level and sets the tone of the organization.

  2. Risk Assessment, used to form a basis for determining how risks should be managed.

  3. Control Activities, including policies and procedures that help ensure management objectives are carried out.

  4. Information and Communications, including processes and systems that support information transfer in a form and time frame enabling people to carry out responsibilities.

  5. Monitoring, or the processes that assess quality and performance of internal control over time.

For any given objective — in this case, reliability of financial reporting — management must evaluate the five components at the organizational level and at the process level.

[Figure: illustrates how these dimensions are applied]
