COSO vs COBIT
1. COSO is concerned with the fiduciary role of management and with Internal Control over (external) financial reporting.
2. Its sponsors are the American Accounting Association (AAA), AICPA, Financial Executives International (FEI), Institute of Internal Auditors (IIA), and Institute of Management Accountants (IMA).
3. Endorsed by the SEC for SOX compliance: http://www.sec.gov/rules/interp/2007/33-8810.pdf
Whereas:
1. CobiT is concerned with IT controls and with “all (not just financial) information”.
2. Its sponsor is the ISACA. http://www.isaca.org/COBIT
3. There is no comparable regulatory ‘endorsement’ of CobiT.
However, nearly all controls ultimately have to be implemented as IT controls. Therefore, COSO-to-CobiT maps are required to select the ‘relevant’ IT control objectives from CobiT.
In practice, map to COSO first, and then take the corresponding subset of CobiT (see example).
AC 340