The Sarbanes-Oxley Act (SOX) requires publicly traded companies to declare and adopt a framework which the business will use to “define and assess internal controls.”

In response, most publicly traded companies have adopted one of two frameworks that meet the SOX requirements: the Committee of Sponsoring Organizations (COSO) internal control framework, and the IT Governance Institute’s Control Objectives for Information and Related Technology (COBIT). 

To be clear, SOX itself doesn’t identify any specific framework that companies must use; nor do any regulatory agencies like the U.S. Securities & Exchange Commission expressly endorse one. But companies do need to select and implement some sort of framework to comply with SOX, so businesses subject to the law should try to understand COBIT and COSO, and how they can be used together to achieve more effective IT governance. 

What Is COBIT?

The COBIT framework was first published in 1996 by the Information Systems Audit and Control Association (ISACA), a group that creates globally recognized IT certifications and guidance for enterprises that use information systems. 

COBIT brings together global IT standards such as the Information Technology Infrastructure Library (ITIL), the Capability Maturity Model Integration (CMMI), and standards from the International Organization for Standardization (ISO) to set out requirements that assure the sound deployment of IT resources. 

Using the COBIT framework, organizations can improve the value of their IT processes and manage risk at the same time.

The framework includes methods to determine whether IT practices are meeting business objectives, and provides facilities for documenting and developing the tools, processes, and organizational structures required for effective IT management. 

COBIT provides maturity models and various metrics to measure how well the framework is being achieved, and consists of a variety of components, including:

  • Framework: the IT team organizes governance objectives to implement best practices in processes and domains by linking business requirements with IT. 
  • Process descriptions: using COBIT as a reference, these descriptions should include the stages of planning and building the framework, which is then operated and monitored by the IT team. 
  • Control objectives: a total list of requirements considered by upper management to create an effective IT business control. 
  • Maturity models: used to assess the maturity of each process and its capability to address any gaps in the processes. 
  • Management guidelines: used to assign responsibilities while measuring the performance of the processes, these guidelines help team members agree upon common objectives and improve the relationships with other processes in the organization. 

COBIT also provides a tool kit for compliance with SOX and other regulatory frameworks, including:

  • An executive summary that gives an overview of COBIT’s founding principles. 
  • The compliance framework with detailed descriptions of high-level control objectives for IT, and the business requirements for information and IT input required. 
  • Objectives for control including statements of the purpose of each control objective and the desired results. 
  • Guidelines for performing and passing audits, with step-by-step guides for each control objective. 
  • Primers for management and a summary of the methods employed by organizations that have successfully applied the COBIT framework in their own environments, and some related tools. 
  • Reference materials including the IT Control Practice Statement — a detailed layout of the reasons for the controls set out for IT and operational risk assessment, and best practices for dealing with them. 

In addition to assuring regulatory compliance, COBIT helps IT better understand the needs of a business, and defines which practices are needed for IT operations to be more efficient and effective.

COBIT 2019 vs. COBIT 5

The current COBIT framework is known as COBIT 2019. It supersedes the previous version, COBIT 5, which debuted in 2012. 

COBIT 5 was created in response to an increasing number of organizations migrating to the cloud. This version gave companies a standard set of guidelines to combat the steady rise in risk from cloud-based technologies. 

COBIT 5 incorporates five strategic principles, which emphasize the elements of IT governance that match enterprise needs:

  • Meeting stakeholder needs: introduces cascading goals to ensure that those receiving benefits and those bearing risks are considered in decision-making. 
  • Covering the enterprise end-to-end: emphasizes that an enterprise risk management (ERM) approach to IT must incorporate all information, technologies, and processes. 
  • Applying a single integrated framework: maps multiple standards to a single governance and management framework for the enterprise. 
  • Enabling a holistic approach: integrates processes, organizational structures, culture, policies, information, infrastructure, and people to manage the interconnectedness of governance across the enterprise. 
  • Separating governance and management: uses need evaluation to distinguish between prioritized direction and tracking activities. 

COBIT 2019 is considered an update to COBIT 5, using the same foundation alongside new and more relevant developments. It gives organizations a more flexible framework to solve specific problems, or can be adopted across the organization. 

ISACA lists the following as the most important COBIT 2019 updates:

  • Improved focus areas and design factors enable organizations to establish risk management practices easily and place other governance protocols based on individual requirements. 
  • More aligned with global risk management standards, security standards, other universal frameworks, and most protocols. 
  • Comes with regular updates to make sure it’s compatible with new and upcoming technologies. 
  • More prescriptive guidelines, which support more integrations with governance and risk management. 
  • Open-source model that incorporates feedback into future updates to the framework, which are evaluated by the steering committee for consistency and quality.
  • Stronger focus on newer technologies and methodologies, and updated operational practices including cloud-based systems and outsourcing.

Since its creation, COBIT has helped organizations improve their performance by managing their data, information, and technology. Overall, COBIT guides companies in the development of a successful governance strategy while giving businesses the ability to tailor it to their operations.

What Is COSO?

Used for both financial reporting and internal reporting, the COSO framework provides an applied risk management approach to internal controls. Updated in 2013, COSO integrates risk considerations into the design and implementation of internal controls and strategic objectives. 

While COSO control objectives cover effectiveness, efficiency of operations, reliable financial reporting, and compliance with laws and regulations, its primary role is fiduciary. 

Like COBIT, COSO consists of five interrelated components to convey the framework’s principles:

  • Control environment: identified as the most crucial part of an organization’s internal control system, the control environment describes the culture and ethics that contribute to the framework’s ability to work effectively. This includes the overall organization, but mainly refers to the behavior of top management, those responsible for implementing the controls in place. 
  • Risk assessment: after establishing the control environment, your organization needs to address any risks and understand how they relate to your objective. A risk assessment will help you to identify internal and external risks to implement controls against them. The risks that every organization faces are different depending on a number of factors including its nature, industry, objectives, etc. 
  • Control activities: defining the processes and procedures that organizations implement against identified risks, control activities are based on the type of risk they respond to. Commonly used control activities include authorizations, approvals, reviews, physical and digital security measures, verifications, reconciliations, segregation of duties, management, organization, etc. 
  • Information and communication: refers to the flow of information to the relevant authorities so that they may implement the appropriate control activities. Having the proper channels for information and communication with management and personnel is critical for implementing control activities. 
  • Monitoring: once control activities are in place and they have been communicated to management, you will need procedures in place to monitor them. A regular reviewing and monitoring process will help your organization identify deficiencies in your control activities and find a solution. 

COSO defines “internal control” as a process designed to provide assurances of efficiency and effectiveness in achieving a company’s objectives, and confirming the reliability of its financial reporting in line with relevant laws and regulatory compliance issues. Internal controls are an ongoing process that is affected by a commercial organization’s board of directors, management staff, and other team members. 

A “control” is defined by COSO as any proactive measure put in place by management to achieve an objective. Management’s objectives are intended to address risk, including the possibility for financial or operational loss. 

In addition to financial objectives, controls may also address issues such as integrity, confidentiality, and security, as well as more broad operational aims like efficiency, stability, reliability, and scaling. 

Controls may take several forms, including:

  • Automated: these are strong financial controls and are programmed with a comprehensive logic that should stand up to intense statistical testing. 
  • Partially automated: these controls are implemented by people, interacting with IT systems. Under the COSO framework, these systems are referred to as “electronic evidence.”
  • Manual: these controls are entirely dependent on human operations, with no IT element involved. 

Within the COSO framework’s control environment, management must first assess the risk associated with not being able to meet specified business objectives: a risk assessment. After a risk assessment, controls are then implemented to assure that any risks identified are properly addressed. 

To maintain an effective overview of the organization and its control environment, relevant data is captured and transmitted across the enterprise on an ongoing basis. In response to changing business conditions or changes in the compliance regime, the whole process is continuously monitored and modified as necessary. 

COBIT vs. COSO

COBIT and COSO may seem similar, but they perform different functions for organizations. 

COSO articulates key concepts that organizations can use to enhance internal controls and avoid fraud. COBIT helps organizations achieve objectives, both through and regarding information technology. 

That said, COBIT and COSO can be used together to organize a company’s enterprise IT landscape.

COBIT and COSO also work together to create a controlled landscape and a risk and governance model that fosters both compliance and information security. 

While ISACA makes explicit reference to COSO’s fiduciary role, it also extends COBIT’s role to cover quality and security requirements in seven overlapping categories: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability of information. 

COSO was originally designed to help with SOX compliance obligations for financial reporting, and therefore is somewhat limited in its consideration of an organization’s IT environment. COBIT explicitly addresses an enterprise’s IT landscape. 

Together, the two frameworks complement each other as an organization develops an overarching risk, compliance, and governance program. 

COBIT and COSO do also sometimes cater to different audiences. While COSO appeals to management at large, COBIT is intended for not only management, but also users and auditors. 

Although COBIT specifically focuses on IT controls, both COBIT and COSO view control as an entity-wide process.

Mapping COBIT to COSO

Mapping COBIT to COSO involves examining each of the frameworks’ objectives and determining how they best apply to one another. 

High-level mapping gives auditors a point of reference when reviewing the role of technology during an assessment of internal controls, usually for financial reporting. 

For example, services organizations governing their compliance under COSO can map its principles to COBIT processes, to determine which key practice goals include both. 

It’s important that external auditors first select the relevant IT control objectives from COBIT when defining their SOX scope under the five internal control components. For internal auditors, COSO should function as the primary SOX reference, while COBIT should be a secondary resource.

Under COSO, organizations must assess risk to determine critical environments and assure mitigation. 

External financial reporting must reflect the underlying transactions and events as part of this process. COBIT aligns with this requirement by providing specific ways to assess IT risks. 

Ultimately, the specific definitions of controls within COBIT create strategic alignments to COSO that enable quality compliance and monitoring. 

As an example, the IT Governance Institute’s IT Control Objectives for Sarbanes-Oxley depicts an alternative view of the COBIT-to-COSO mapping, and presents the relationship between COSO, COBIT, and SOX sections 302 and 404 in the following table:

COSO Internal Control Components → COBIT Domains (with sample control objectives relevant to SOX)

1. Control Environment: Planning and Organization (PO)
    • PO 4.2 — Organizational placement of the IT function.
    • PO 6.1 — Positive information control environment.
    • PO 6.2 — Management’s responsibility for policies.

2. Risk Assessment: Planning and Organization (PO)
    • PO 9.0 — Assess risks.

3. Control Activities: Acquisition and Implementation (AI)
    • AI 1.4 — Third-party service requirements.
    • AI 6.0-6.8 — Manage changes.

   Delivery and Support (DS)
    • DS 5.0-5.21 — Ensure system security.
    • DS 11.0-11.30 — Manage data*.

   *Application control evaluations and the American Institute of Certified Public Accountants’ (AICPA) SysTrust reports can supplement COBIT’s data management control objectives.

4. Information and Communication: Planning and Organization (PO)
    • PO 6.0-6.11 — Communicate management aims and direction.

5. Monitoring: Monitoring (M)
    • M 2.0-2.4 — Assess internal control.

Beware that mapping COBIT to COSO’s internal control framework captures most, but not all, of the associated processes. COBIT does not map 100 percent to COSO. 

This shouldn’t deter auditors from using existing frameworks alongside each other. Organizations should treat these frameworks as reference material and a basis for formulating their own integrated and customized control framework for SOX. 

The AICPA also provides an Excel spreadsheet to help visualize the mapping; it contains 414 rows, each of which covers multiple COBIT alignments. 

Managing the compliance of these controls in conjunction with mapping to COSO, however, can quickly become overwhelming. Add mapping other compliance architectures to COBIT, and it becomes a nearly impossible task. 

How ZenGRC can help

Fortunately, there is a governance, risk, and compliance (GRC) software solution that can help. 

ZenGRC from Reciprocity provides seed content, allowing organizations to onboard in as little as six weeks and align their controls to COBIT. 

Once controls are aligned, you can map them to COSO (or any other compliance framework) using ZenGRC’s gap analysis tool, which harmonizes controls across multiple standards to ease the burden of compliance across frameworks. 

ZenGRC’s compliance dashboard also provides color-coded audit readiness markers, offering an instant visual insight into organizational gaps. 

While COBIT requires organizations to engage enterprise-wide stakeholders with ongoing communication, ZenGRC eases the administrative burden by eliminating emails — allowing for varied stakeholders to communicate more efficiently. 

Schedule a demo today to see how ZenGRC can help your organization map COBIT to COSO for compliance and more effective IT governance.
