requirements and suggested a COSO-based internal audit approach for evaluating those controls. CobiT is another powerful tool, particularly in an environment with a heavy concentration of IT processes and resources, to help internal auditors perform these Section 404 as well as Section 302 reviews. As discussed in Chapter 3, “Internal Audit in the Twenty-First Century: Sarbanes-Oxley and Beyond,” Section 302 is primarily concerned with the responsibilities of the CEO and CFO for financial reports and related disclosures. As part of this, SOA mandates that an organization’s external auditors perform limited quarterly reviews to determine whether there have been any significant modifications to the internal control structure or changes in internal controls over financial reporting.
ISACA/IT Governance Institute documentation describes, as summarized in Exhibit 7.6, how the CobiT internal control framework can be mapped to the COSO model.4 This shows that an internal auditor should take CobiT’s four domains, from Planning & Organization through Monitoring & Evaluation, and use the control objectives guidance for each of them to understand and evaluate internal controls through COSO’s five components. The actual process of performing the Section 404 compliance work is then very similar to that outlined in Chapter 6 on Section 404 assessments. Whether using COSO in general or CobiT, the internal audit reviewer moves through a series of processes, from planning to performing risk assessments and on to identifying, documenting, and evaluating key internal controls.
Because of CobiT’s heritage in IT systems auditing, design, and processes, its documentation and guidance material relies very much on good systems design and software-engineering practices. For example, Chapter 20 describes the Capability Maturity Model (CMM), an approach for looking at IT organizations and processes in terms of relative maturity, such as whether processes are ad hoc, defined and documented, or, better still, managed and measured. Exhibit 7.7 shows this CMM-based controls reliability framework in terms of the design and operating effectiveness of controls, the extent of their documentation, and management’s awareness and monitoring of them.
With much more information about these reliability stages in Chapter 20, this controls reliability framework provides an internal auditor with a good way to assess internal controls over an individual process or over the entire organization. An internal controls assessment, for example, might find a Stage 0, nonexistent, controls environment. This implies a complete lack of a recognizable control process and an inability to comply with Section 404 requirements at any level. This is an extreme situation, and if an internal auditor is part of an organization that appears to have the attributes of a Stage 0 assessment, flags should already have been raised, or even “whistles blown,” given controls that weak.
Ideally, internal audit should hope to find at least a Stage 2, and preferably a Stage 3, environment. At Stage 3, controls and related policies and procedures should be in place and documented at a level sufficient for management to be able to assert the adequacy of these controls.
The published CobiT Section 404 review material, referenced previously, does an excellent job of matching IT and CobiT control objectives with the five COSO components. Based on the published CobiT guidance, Exhibit 7.8 shows how the major CobiT control objective areas match or link to the major COSO components of internal control. This link-up ties together even better by going a level lower. For example, the CobiT objective of Managing Changes, under the Acquire and Implement domain, affects the COSO components Control Activities and Monitoring. The detailed published CobiT control objectives each tie to one or more of the COSO components, and there is a close relationship between these CobiT control objectives and COSO components.
EXHIBIT 7.6
Relationship between COSO Components and CobiT Objectives
[Figure: the five COSO components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring) are mapped against the CobiT objectives (IT Processes, Control Statements, Control Practices, Business Requirements); the figure labels Section 404 and Section 302 as the SOA reviews this mapping supports.]
The full set of CobiT control objectives provides strong support for an internal auditor seeking to perform a SOA Section 404 internal controls assessment review. While the concepts can be used in any internal control area, the emphasis is on IT applications and processes. For many organizations, an understanding and assessment of those IT-associated internal controls is a key area in achieving SOA compliance. CobiT has been around for some years now, but for too long many internal auditors viewed it as just a specialized information systems audit tool and not a more general aid to other internal audit work. Although its emphasis continues to be on IT, all internal auditors should explore the CobiT framework as an excellent tool for helping with SOA compliance requirements.
EXHIBIT 7.7
Stages of Internal Control Reliability
[Figure: the stages are plotted against three dimensions, Extent of Documentation, Awareness and Monitoring, and Design and Operating Effectiveness, each increasing from Stage 1 to Stage 5.]
Stage 1  Initial / Ad Hoc
Stage 2  Repeatable & Intuitive
Stage 3  Defined Process
Stage 4  Managed and Measurable
Stage 5  Optimized
EXHIBIT 7.8
COSO and CobiT Relationships
[Table: for each CobiT control objective, the original exhibit marks which of the five COSO components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring) it links to. The column position of each mark did not survive extraction; the number of COSO components marked per objective is shown below.]

CobiT Control Objective                               COSO components linked (of five)
Plan and Organize
  Define a strategic IT plan                           3
  Define the information architecture                 2
  Determine technological direction                   0
  Define the IT organization and relationships        2
  Manage the IT investment                            0
  Communicate management aims and direction           3
  Manage human resources                              2
  Ensure compliance with external requirements        3
  Assess risks                                        1
  Manage projects                                     0
  Manage quality                                      4
Acquire and Implement
  Identify automated solutions                        0
  Acquire and maintain application software           1
  Acquire and maintain technology infrastructure      1
  Develop and maintain procedures                     2
  Install and accredit systems                        1
  Manage changes                                      2
Deliver and Support
  Define and manage service levels                    3
  Manage third-party services                         4
  Manage performance and capacity                     2
  Ensure continuous service                           3
  Ensure systems security                             4
  Identify and allocate costs                         0
  Educate and train users                             2