COBIT and COSO share more than pleasant alliteration. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Control Objectives for Information and Related Technologies (COBIT) both help organizations manage financial reporting controls. Understanding the similarities, differences, and overlaps between the two can help organizations create robust internal control objectives that protect data.


What is COSO?

Five major professional associations founded COSO in 1985 to sponsor the National Commission on Fraudulent Financial Reporting. The American Accounting Organization (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Internal Auditors (IIA), and Institute of Management Accountants (IMA) collaborated on the joint initiative. COSO’s frameworks and guidance on enterprise risk management, internal control, and fraud deterrence provide thought leadership on governance.

What is COBIT?

Initially founded in 1967 as the Information Systems and Audit Control Association, the IT professional organization now uses only the acronym ISACA. ISACA creates globally-recognized IT certifications and guidance for enterprises that use information systems. A key tool is the COBIT framework, which stands for Control Objectives for Information and Related Technology.

What is the COSO Framework?

The COSO Framework provides an applied risk management approach to internal controls. It is relevant to both financial reporting and internal reporting, and in its 2017 update the COSO framework integrates risk considerations into the design and implementation of internal controls and strategic objectives.

Five interrelated components convey the framework’s principles. “Governance and Culture” establishes oversight responsibilities and reinforces the importance of ethical behaviors. “Strategy and Objective Setting” connects organizational goals with bases for identifying, assessing, and responding to risk. The “Performance” component requires prioritization of risks and reporting on effectiveness. “Review and Revision” leverages continuous monitoring and internal audit to strengthen enterprise risk management components as needed. Finally, “Information, Communication, and Reporting” mandates the gathering and sharing of the necessary information with stakeholders throughout the organization.

What is the COBIT 5 Framework?

COBIT is a framework for information technology governance and management in a business setting. Somewhat confusingly, COBIT 5 is also built on five principles. Although the numbers match, the two frameworks’ goals and purposes differ: COBIT emphasizes the elements necessary for IT governance that matches enterprise needs. Understanding these five principles helps overlay COSO and COBIT.

“Meeting Stakeholder Needs” introduces cascading goals to ensure that those receiving benefits and those bearing risks are considered in decision-making. “Covering the Enterprise End-to-End” emphasizes that an ERM approach to IT must incorporate all information, technologies, and processes. “Applying a Single Integrated Framework” maps multiple standards to a single governance and management framework for the enterprise. “Enabling a Holistic Approach” integrates processes, organizational structures, culture, policies, information, infrastructure, and people to manage the interconnectedness of governance across the enterprise. “Separating Governance and Management” uses an evaluation of needs to distinguish governance activities (setting direction and priorities) from management activities (executing and tracking).

What are the differences between COBIT 5 and COSO?

While the two seem similar, they perform different functions for organizations. COSO articulates key concepts that organizations can use to enhance internal controls and deter fraud. COBIT 5 helps organizations achieve objectives—both through and regarding information technology.

Organizations using financial risk reporting models that align with COSO can still use COBIT 5 to help organize their enterprise IT landscape. The two work together, like the variety of documents needed for a new house. The survey lays out the building’s location on the plot of land but doesn’t dictate room placement. COSO allows an organization to frame the structure. However, walking through a framed home only shows an outline of how the building will look. COBIT 5 shows organizations where to put the electrical systems and plumbing. The COBIT framework sets the COSO plan into action, with details that allow organizations to secure the IT environment.

Why do organizations need both COBIT and COSO?

COBIT 5 and COSO work together to create not only a controlled landscape but also a risk and governance model that fosters both compliance and information security.

COSO emphasizes controls related to fiduciary duty. Originally designed to support Sarbanes-Oxley (SOX) 404 requirements on financial reporting, COSO is limited in its consideration of an organization’s IT environment. In contrast, COBIT 5 explicitly addresses an enterprise’s IT landscape. Therefore, the two also complement each other as an organization develops an overarching risk, compliance, and governance program.

For example, trust services organizations that govern their compliance under COSO can map its principles to the COBIT 5 processes and determine which key practice goals cover both. The AICPA provides an Excel spreadsheet to help visualize the mapping.

Under COSO, organizations must assess the risk to determine critical environments and ensure mitigation. As part of this process, external financial reporting must reflect the underlying transactions and events.

COBIT 5 aligns with this requirement by offering specific ways to assess IT risks. Elements like COBIT’s PO 8 “Manage Quality” dovetail with the COSO Performance component. To clarify its metrics, COBIT defines measurements such as the percentage of stakeholders satisfied with IT quality, the percentage of formally reviewed IT processes that meet their target goals and objectives, and the percentage of processes receiving QA reviews.

Thus, the specific definitions of controls within COBIT create strategic alignments to COSO that enable quality compliance and monitoring.

Why use an automated system for mapping COSO and COBIT 5?

The above-referenced AICPA worksheet contains 414 rows, each of which maps to multiple COBIT 5 elements. Managing the compliance of these controls while also maintaining the mapping to COSO can quickly become overwhelming, and mapping additional compliance frameworks to COBIT 5 on top of that becomes nearly impossible.

With ZenGRC’s seed content, organizations can onboard in as little as six weeks and align their controls to COBIT 5.

Once they have aligned their controls to COBIT 5, they can map those to COSO or any other compliance framework by using ZenGRC’s gap analysis tool. The gap analysis tool in the platform harmonizes controls across multiple standards to ease the burden of compliance across frameworks.

For example, ZenGRC’s compliance dashboard provides color-coded audit readiness markers, offering instant visual insight into organizational gaps. A red, low “Audit Readiness” marker signals danger for entities organizing their compliance programs around a particular standard. If that standard appears under COBIT or COSO, the organization knows it also needs to review the associated controls.

Moreover, COBIT requires organizations to engage enterprise-wide stakeholders. Organizing people requires ongoing communication. ZenGRC’s streamlined workflow eases the administrative burden by eliminating emails so that varied stakeholders can communicate more efficiently.

To see how ZenGRC can help organize COBIT and COSO compliance, contact us for a demo today.