COSO and COBIT share more than just pleasant alliteration. Both the Control Objectives for Information and Related Technologies (COBIT) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) help organizations to manage their financial reporting controls.
It is important for everyone to understand the similarities, differences, and even overlaps that exist in the structure of the two. This will help the organizations to develop robust internal control objectives, which ensure that data is fully protected.
What is COSO?
COSO was founded by five professional associations in 1985 with the objective of supporting the National Commission on Fraudulent Financial Reporting. The American Institute of Certified Public Accountants, American Accounting Organization, Institute of Internal Auditors (IIA), Institute of Management Accountants (IMA), and Financial Executives International (FEI) came together to develop frameworks that would provide guidance on fraud deterrence, enterprise risk management, and internal controls.
What is ISACA?
The Information Systems and Audit Control Association was initially established in 1967. It currently uses the acronym ISACA. The organization creates globally-acclaimed IT certifications besides developing auditing control guidance.
COSO vs. COBIT 5 Frameworks in Brief
Most recently restructured in 2016, the COSO framework provides a practical risk management approach to the internal controls that organizations put in place. The framework applies to both internal reporting and financial reporting. It focuses mainly on five key interrelated strategic points. These are governance and culture, strategy and objective setting, performance, review and revision, and information, communication, and reporting.
Just like COSO, COBIT 5 also incorporates five strategic principles. These are meeting stakeholder needs, enabling a holistic approach, covering the enterprise end-to-end, applying a single integrated framework, and separating governance and management.
What Differences Exist Between COSO and COBIT 5?
In as much as the two frameworks are similar in the sense that both have five key strategic principles, they perform dissimilar functions for organizations. Whereas COSO only provides guidance for organizations to use in their efforts to establish risk tolerance and reduce fraud, COBIT 5 offers the same organizations a framework for developing best-practice controls.
Therefore, organizations that are looking to create financial risk reporting frameworks that make use of COSO can also use COBIT 5 to organize their control landscape. Basically, COSO acts like a building plan for a new house. To put this into perspective, the framework provides a layout of the general location of rooms. COSO enables an organization to frame its control structures.
Nevertheless, walking through an outlined home will only give you an idea of how the final product will appear. This is where COBIT 5 comes in, since it shows you where to install plumbing, electrical systems, and so on. Therefore, COBIT 5 sets COSO into action by furnishing organizations with the details needed to secure their IT environments.
Why Do Organizations Need Both COBIT 5 and COSO?
COSO and COBIT 5 work in harmony to not only create a control landscape but also an impermeable risk and governance model, which allow you to comply with all requirements. COSO is there to respond to controls that pertain to fiduciary duty and, therefore, limits itself to your organization’s IT environment.
On the other hand, COBIT 5 goes beyond financial reporting since it covers the entire IT environment of an organization. Therefore, the two frameworks are complementary to each other, besides having an overarching impact on an organization’s risk, compliance, and governance models. For instance, trust services firms that govern their compliance under the COSO framework can apply the principles of COBIT 5 processes in an effort to establish which core practice objectives cover both.
As per the requirements of COSO, it is mandatory for organizations to undertake risk assessments in a bid to pinpoint critical environments. This is the most effective strategy for ensuring mitigation. Key to this process is external financial reporting to reflect underlying events and transactions. The definition of controls found within COBIT creates strong strategic alignment to COSO. Ultimately, incorporating aspects of both COSO and COBIT will go a long way in enabling quality compliance and monitoring.
Why Should Automated Systems Be Used To Map COSO and COBIT 5?
The AICPA schedule incorporates 414 rows, which engage various COBIT 5 alignments. The management of the compliance of the controls in concurrence with mapping them to COSO can be overwhelming. In this regard, mapping the other compliance frameworks to COSO becomes almost impossible.
By utilizing automated systems, organizations can easily onboard in as little time as six weeks. In doing so, they will also be aligning their controls to the requirements and frameworks of COBIT 5. Once organizations have attuned their controls to COBIT 5, it will be easy for them to use a gap analysis tool to map their controls to both COSO and COBIT 5, thus lessening their compliance burden across different frameworks.