SOX COBIT COSO - Center for IT and e

SOX, CoBIT, COSO Project
Subra Krishnan
_______________________________________________________________________
Abstract:
The grand framework of SOX, COSO and CoBIT, their future trends and some managerial caveats
are introduced. Microsoft's Trustworthy Computing usage model is summarized to indicate the
direction in which modern software development is heading; it would become the de facto
standard for all software corporations. Under the COSO framework, ideas on Enterprise Risk
Management (ERM) are touched upon. ERM is not an end in itself but an important means: it helps
an entity achieve its performance and profitability targets and prevent loss of resources, and it
helps an entity get to where it wants to go and avoid pitfalls and surprises along the way. Under
CoBIT, CRM and the Key Performance Indicators presented with dashboard techniques, which help
top management evaluate projects and of which IT is a major component, are discussed. Some
managerial intuition is offered on how corporations are turning this new compliance burden into a
financial opportunity. In that regard, the concept of a Single Compliance Platform will be the
wave of the future.
Keywords:
Business Risk Management, Information Trust and Compliance Issues (SOX),
Trustworthy Systems Development.
Cross Link keywords:
Dependable & Trustworthy Enterprises Systems, Enterprise Information Security Policy.
________________________________________________________________________
Trustworthy Computing
Page 1 of 18
3/6/2016
Executive Summary
All public companies must comply with Sarbanes-Oxley. Compliance is hard work, and
expensive as well, as it requires establishing effective internal controls for good corporate
governance. Good governance can be good for business. By complying, some Fortune 500 companies
are turning the unavoidable costs of Sarbanes-Oxley into an opportunity to improve business
processes and distinguish themselves in the financial community. Whatever governance you have in
place today, be ready to adapt it to make the most of future business conditions. With that in
mind, this project will touch upon the grand framework of SOX and its flow from COSO to CoBIT.
The pillars of Trustworthy Computing are essential to robust internal controls and to good
governance. A case study on Microsoft's software security, with emphasis on the Security
Development Lifecycle, is discussed to underscore the importance of including security in the
initial stages of software development.
Under the CoBIT umbrella, some of its best practices, in the form of an IT governance
implementation roadmap, are discussed at length. In particular, the usage model for metrics
measurement using the dashboard concept will help readers see the big picture, using ING as a
case study.
Under the COSO framework, Enterprise Risk Management provides a framework for management
to deal effectively with uncertainty, risk and opportunity, and thereby enhance its capacity to
build value. Since no entity operates in a risk-free environment, enterprise risk management
fills the need to enable management to operate more effectively in these environments.
No new materials are being presented here. This report is a collection of best practices
and their implementation methods.
The contents are:
1. Overview: SOX, CoBIT, COSO
2. Trustworthy Computing
3. Case Studies: Microsoft (Security), ING (CoBIT)
4. Emerging Trends: SOX, CoBIT
1. Overview
Compliance is a form of standardization that different industry sectors have to adhere to
when doing business, whether by following metrics or when implementing a process. Protocols also
come under this wing; for instance, when countries host dignitaries, certain regulations are
followed. As expected, there are different kinds of regulations in the business world:
• Regulations around financial controls, such as Sarbanes-Oxley and Basel II.
• Regulations around privacy, such as the EU Data Protection Act.
• Regulations around fraud, such as anti-money-laundering legislation.
IT departments generally have two different roles in compliance:
1) Making sure that technology is available that enables people to adhere to compliance, and
2) Making that technology easy to use.
IT needs to deal with compliance because compliance affects all businesses; hence the
pervasive involvement of IT departments. Figure 1, below, illustrates the broad framework of the
regulations in place.
Figure 1: Control Frameworks of SOX
Source: CIO guide to SOX Reymann Group Inc., Jan 2005
Sarbanes-Oxley (SOX) Overview:
Thousands of companies face the task of ensuring their accounting operations are in
compliance with the Sarbanes-Oxley Act. Auditing departments typically have a comprehensive
external audit (by a SOX compliance specialist) performed to identify areas of risk. Next,
specialized software is installed that provides the "electronic paper trails" necessary to ensure
SOX compliance. The most important Sarbanes-Oxley sections for compliance are listed below.
Certification and specific public actions are now required of companies to remain in SOX
compliance.
SOX Section 302 - Corporate Responsibility for Financial Reports
a) CEO and CFO must review all financial reports.
b) Financial report does not contain any misrepresentations.
c) Information in the financial report is "fairly presented".
d) CEO and CFO are responsible for the internal accounting controls.
e) CEO and CFO must report any deficiencies in internal accounting controls, or any
fraud involving the management of the audit committee.
f) CEO and CFO must indicate any material changes in internal accounting controls.
SOX Section 404: Management Assessment of Internal Controls
All annual financial reports must include an Internal Control Report stating that
management is responsible for "adequate" internal control structure, and an assessment by
management of the effectiveness of the control structure. Any shortcomings in these controls
must also be reported. In addition, registered external auditors must attest to the accuracy of the
management’s assertion that internal accounting controls are in place, operational and effective.
SOX Section 409 - Real Time Issuer Disclosures
Companies are required to disclose, on an almost real-time basis, information concerning
material changes in their financial condition or operations.
SOX Section 902 - Attempts & Conspiracies to Commit Fraud Offenses
It is a crime for any person to corruptly alter, destroy, mutilate, or conceal any document
with the intent to impair the object’s integrity or availability for use in an official proceeding.
[http://www.aicpa.org/info/sarbanes_oxley_summary.htm]
CoBIT: Control Objectives for Information and related Technologies
CoBIT was developed in 1996 by the Information Systems Audit and Control
Association (ISACA) and is now issued and maintained by the IT Governance Institute (ITGI) as
a framework for providing control mechanisms over the information technology domain.
Now in its third version, CoBIT has been extended to serve as an IT governance framework by
providing maturity models, critical success factors, key goal indicators, and key performance
indicators for the management of IT. At the heart of CoBIT are 34 high-level control objectives.
These control objectives are grouped into four main domains:
• planning and organization,
• acquisition and implementation,
• delivery and support, and
• monitoring.
More recently, CoBIT added a set of action-oriented management guidelines to provide
management direction for monitoring achievement of organizational goals, for monitoring
performance within each IT process, and for benchmarking organizational achievement.
Overall, CoBIT represents a comprehensive framework for implementing IT governance
with a very strong auditing and controls perspective, which has increasing resonance in the era of
SOX and other compliance-related regulations and legislation.
[IT governance institute and CoBIT, http://www.itgi.org]
COSO: Committee of Sponsoring Organizations (of the Treadway Commission)
The underlying premise of Enterprise Risk Management (ERM) is that every entity,
whether for-profit, not-for-profit, or a governmental body, exists to provide value for its
stakeholders. All entities face uncertainty, and the challenge for management is to determine
how much uncertainty the entity is prepared to accept, as it strives to grow stakeholder value.
Uncertainty presents both risk and opportunity, with the potential to erode or enhance value.
Enterprise risk management provides a framework for management to effectively deal with
uncertainty and the associated risk and opportunity, and thereby enhance its capacity to build
value. As entities cannot operate in a risk-free environment, enterprise risk management enables
management to operate more effectively in environments filled with risk.
Benefits of Enterprise Risk Management
Align risk appetite and strategy – Management considers the entity's risk appetite in evaluating
strategic alternatives, setting objectives aligned with strategy and developing mechanisms
to manage the related risks.
Link growth, risk and return – ERM provides an enhanced ability to identify and assess risks,
and establish levels of risk relative to growth and return objectives.
Enhance risk response decisions – ERM provides the rigor to identify and select among
alternative risk responses – risk avoidance, reduction, sharing and acceptance. ERM
provides methodologies and techniques for making these decisions.
Minimize operational surprises and losses – Entities have enhanced capability to identify
potential events, assess risk and establish responses, thereby reducing the occurrence of
surprises and related costs or losses.
Identify and manage cross-enterprise risks – Every entity faces many risks affecting different
parts of the organization. Management needs to not only manage individual risks, but
also understand interrelated impacts.
Provide integrated responses to multiple risks – Business processes carry many inherent risks,
and ERM enables integrated solutions for managing the risks.
Seize opportunities – Management considers potential events, rather than just risks, and by
considering a full range of events, management gains an understanding of how certain
events represent opportunities.
Rationalize capital – More robust information on an entity’s total risk allows management to
more effectively assess overall capital needs and improve capital allocation.
[ER Management Framework, http://www.erm.coso.org]
Enterprise risk management is not an end in itself, but rather an important means. It
cannot and does not operate in isolation in an entity, but rather is an enabler of the management
process. Enterprise risk management is interrelated with corporate governance by providing
information to the board of directors on the most significant risks and how they are being
managed. And, it interrelates with performance management by providing risk-adjusted
measures, and with internal control, which is an integral part of enterprise risk management.
Enterprise risk management helps an entity achieve its performance and profitability
targets, and prevent loss of resources. It helps ensure effective reporting. And, it helps ensure
that the entity complies with laws and regulations, avoiding damage to its reputation and other
consequences. In short, it helps an entity get to where it wants to go and avoid pitfalls and
surprises along the way.
We shall now see how Trustworthy Computing fits into the IT governance model.
2. Trustworthy Computing (TWC)
The four pillars of TWC, namely Security, Privacy, Reliability and Business Integrity, as
illustrated below (Table A), form the framework of TWC. These goals form the basis of trust in
any business. All of them raise issues related to engineering, business practices and public
perceptions, although not all to the same degree. These are goals from a user's point of view.
Table A: The four pillars of Trustworthy Computing
Goals – The basis for a customer's decision to trust a system
Security – The customer can expect that systems are resilient to attack, and that the
confidentiality, integrity, and availability of the system and its data are protected.
Privacy – The customer is able to control data about themselves, and those using such data
adhere to fair information principles.
Reliability – The customer can depend on the product to fulfill its functions when required
to do so.
Business Integrity – The vendor of a product behaves in a responsive and responsible manner.
Source: UIUC TWC class Lecture slide-01
The means to achieve the TWC goals of Security, Privacy, Reliability and Business Integrity
are shown in Table B. A white paper on Microsoft's own TWC environment encompasses the
following "Means" to meet the goals. These are perspectives from an IT point of view.
Table B: Means to achieve the Goals
Means – The business and engineering considerations that enable a system supplier to deliver
on the Goals
Secure by Design, Secure by Default, Secure in Deployment – Steps have been taken to protect the
confidentiality, integrity, and availability of data and systems at every phase of the software
development process, from design, to delivery, to maintenance.
Fair Information Principles – End-user data is never collected and shared with people or
organizations without the consent of the individual. Privacy is respected when information is
collected, stored, and used consistent with Fair Information Practices.
Availability – The system is present and ready for use as required.
Manageability – The system is easy to install and manage, relative to its size and complexity.
(Scalability, efficiency and cost-effectiveness are considered to be part of manageability.)
Accuracy – The system performs its functions correctly. Results of calculations are free from
error, and data is protected from loss or corruption.
Usability – The software is easy to use and suitable to the user's needs.
Responsiveness – The company accepts responsibility for problems, and takes action to correct
them. Help is provided to customers in planning for, installing and operating the product.
Transparency – The company is open in its dealings with customers. Its motives are clear, it
keeps its word, and customers know where they stand in a transaction or interaction with the
company.
Source: Trustworthy Computing White paper, Craig Mundie – Oct 2002
The execution of the "Means" is based on Intent, Implementation and Evidence. This must be
reflected in managerial practices as well, to give a holistic view of the concepts. This is the
organizational point of view, as shown in Table C.
Table C: Execution of Means
Intents
• Company policies, directives, benchmarks, and guidelines
• Contracts and undertakings with customers, including Service Level Agreements (SLAs)
Implementation
• Corporate, industry and regulatory standards
• Government legislation, policies, and regulations
• Risk analysis
• Development practices, including architecture, coding, documentation, and testing
• Training and education
• Terms of business
• Marketing and sales practices
• Operations practices, including deployment, maintenance, sales & support, and risk management
Evidence
• Enforcement of intents and dispute resolution
• Self-assessment
• Accreditation by third parties
• External audit
Source: Trustworthy Computing White paper, Craig Mundie – Oct 2002
We shall now look at some case studies from a learning perspective, and at how corporations
have successfully implemented these concepts in their business models. A successful integration
makes for a socially responsible form of business.
3. Case Studies & White Papers
Microsoft case study for TWC:
This case discusses the Trustworthy Computing Security Development Lifecycle (SDL),
a process that Microsoft has adopted for the development of software that needs to withstand
malicious attack. The process encompasses the addition of a series of security-focused activities
and deliverables to each of the phases of Microsoft's software development process. These
activities and deliverables include
• the development of threat models during software design,
• the use of static analysis code-scanning tools during implementation,
• the conduct of code reviews and security testing during a focused "security push", and
• before release, a final security review by a team independent of the development group.
Figure 2 represents the traditional or base model and Figure 3 represents the SDL model,
which is currently becoming the de facto standard in the software industry.
Figure 2: Standard process
Figure 3: Newer process with built-in SDL
Results: When compared to software that has not been subject to the SDL, software that has
undergone the SDL has experienced a significantly reduced rate of external discovery of security
vulnerabilities. The paper cited here describes the SDL and the experience with its
implementation across Microsoft software [Trustworthy computing security Development white paper,
Steve Lipner – Mar 2005].
Key concepts and managerial issues
• Security must be considered from the initiation phase of a software development project.
• Management should ALSO decide the release of the software from a security viewpoint.
Key techniques, components and models
• Secure by Design and Secure by Default provide the most security benefit.
• Threat modeling must continue even after the release of the software.
• Security metrics are difficult to measure directly; hence proxy metrics such as threat
modeling, code review and independent final release testing are used to measure software security.
ING’s CoBIT case study (Case study on ING financial corporation):
Case Summary: ING Group is a global financial services institution of Dutch origin offering
banking, insurance and asset management to 60 million private, corporate and institutional
clients worldwide. ING is a multi product, multi distribution company, approaching the customer
through their channel of choice. The company comprises a broad spectrum of prominent
businesses that increasingly serve their clients under the ING brand.
The ING case study indicates co-variance between ING’s business performance and the
robustness of the IT governance structure supported by innovative IT portfolio analysis
(investment management approach of enterprise IT). A strong execution capability is the hidden
force behind these activities.
Apart from the CoBIT requirements, the implementation of CoBIT regulations gave the
management a clearer view of their weakness and what solutions could be adopted to mitigate
their risks and weaknesses. The key questions that can be addressed by CoBIT are:
• Is there a framework to guide business and technology management leaders to
change IT’s role within the organization and to close the gap between IT and the
business? Is IT going to support and drive this initiative?
• What are the responsibilities at the board and management levels?
• Is this a governance issue?
Figure 4 describes the IT management and governance structure in ING while Figure 5 depicts
the generic IT implementation roadmap as given by the committee. Key elements of Figure 5,
are identification of needs, envisioning the solution, planning for the same and its execution.
Identify needs:
Phase 1 of the roadmap identifies the needs. The CoBIT Management Guidelines offer
key goal indicators (KGIs) and critical success factors to help define IT goals. The CoBIT
Control Objectives and Control Practices provide guidance on critical control requirements. The
information criteria described in the Framework help define the business value and risk
mitigation. The IT resources help define the resources required to manage the risks and value.
Figure 4: IT management and Governance structure in ING
Source: Enterprise Value: Governance of IT investments – ING case study
Figure 5: ING’s IT governance implementation roadmap
Source: IT governance implementation guide
Envision the solution:
Phase 2 of the roadmap envisions the solution based on the current standing. The
current maturity of the IT processes (as-is) must be assessed and the appropriate target maturity
levels (to-be) set. Based on the maturity attributes in the CoBIT Control Objectives and
Control Practices, the analysis of the gaps between the as-is and to-be positions is translated
into improvement opportunities. This phase uses the critical success factors and the maturity
models from the CoBIT Management Guidelines.
Plan the solution:
The third phase of the roadmap suggests improvements and translates them into
justifiable projects. After approval, these projects should be integrated into an overall
improvement strategy with a detailed plan to roll out the solution. The CoBIT Control Objectives
and Control Practices can be used to prioritize improvement opportunities, and the Key
Performance Indicators and Key Goal Indicators of the CoBIT Management Guidelines are available
for defining process metrics for the IT and business goals.
Implement the solution:
The sustainability of the delivery is guaranteed by the feedback provided by the
post-mortem briefing and by monitoring the improvements on the corporate and IT balanced
scorecards. In this phase the KGIs and KPIs from the CoBIT Management Guidelines can be
used to establish an IT balanced scorecard and to document a post-implementation review.
Putting It Into Practice:
In looking at a complete IT project portfolio, care is taken to ensure that project
dependencies and links are taken into account. For example, infrastructure changes (which may
be defined as separate projects) may be needed to provide a platform for a new customer
relationship management (CRM) system. ING evaluates the portfolio in terms of a series of
programs, each containing a number of linked projects, rather than as a collection of totally
independent, stand-alone projects. Value proposition using the overall benefits accruing from the
ING approach include:
• Increased financial and risk transparency resulting in improved decision making on an
investment portfolio.
• Reduction of false positives (over-optimistic business cases) and false negatives
(over-pessimistic business cases) resulting in more accurate project selection, safer
investments and reduction of opportunity cost.
• Early identification of obsolete or non-performing projects resulting in significant cost
savings and avoidance of future budget overruns.
• More disciplined (operational) risk approach resulting in risk optimization and a
reduction of the need for costly provisions (economic capital).
• Identification of quality (investment grade) projects from a risk and return perspective
resulting in more focused and increased investment in promising business opportunities
(upside risk). [Enterprise Value: Governance of IT investments – ING case study]
ING believes in the adage “you cannot manage what you cannot measure.” To that regard,
to help the management in its quest for business accountability, the IT teams came out with an
IT dashboard. The IT dashboard process, which is carried out at the same time as ING’s annual
medium-term business planning exercise, provides the information necessary to:
• Enable ING to develop and benchmark appropriate metrics on IT dollars, performance
and value
• Help identify trends and enable best practices to be shared and also help managerial
actions to be taken
• Enable benchmarking of metrics among different business units
• Assist senior business and IT management to exercise their governance responsibilities
over IT investments
IT Metrics:
The metrics that are collected and analyzed include the obvious yardsticks. Below are a
few such instances.
• IT costs by category and by activity
• IT staff numbers and activity based cost analysis
• Outsourcing ratios
• IT costs as a percentage of total operating costs
• IT related operational risk incidents (number and value)
• IT security incidents (number and value)
Before providing an approval, ING looks at the financial transparency and risk/return metrics.
This information, together with the metrics collected, including its own solutions delivery
performance, results in a risk/return rating of ING’s IT investment portfolio and its ability to
actively manage the portfolio on the basis of the capability maturity model (CMM).
How ING's IT dashboard was helpful for its IT governance:
The metrics collected through the dashboard process are merely a means to an end. The
results obtained from the analysis helped to answer such questions as:
• Why is IT expenditure forecasting out of sync with the majority of competitors? Further
work is needed to ascertain whether this is a positive or negative trait.
• What is the reason for the unclear financial transparency of many IT investments? This
will affect ING during consultations to scope out the clarity of the projects.
• Why are there anomalies in the IT investment portfolio in terms of risk versus return?
As a result, ING started re-examining its existing IT investment portfolio.
• Why the uncertainty in project delivery time? The need for CMM was understood, and
the board has taken action to require all business units to attain a defined higher level
within a specified and challenging time frame.
[Enterprise Value: Governance of IT investments – ING case study]
ING Conclusion:
1) Shareholder’s ROI is partly related to how much is spent on IT. Equally important is how the
money is spent. In the short term, best shareholder return is generated by transactional (cost
saving) projects because they emphasize standardization and efficiency, which result in lower
cost per transaction.
2) Strategic IT investments must also be pursued to create future revenue growth and to improve
sustainable financial performance for all stakeholders.
3) Having demonstrated success in developing IT dashboard analysis, ING is considering the
potential benefits to any organization of providing similar IT value and performance analysis as
a commercial service.
Key techniques, components and models
ING’s IT management and governance structure shows that IT is melded well within the
business strategy of ING. Figure 4 shows how ING strives to ensure that the business leaders of
the firm are informed and committed and the organization structure is established to do that.
Key concepts and managerial issues
‘Portfolio management helps overcome the disconnect in communications between the
business and IT communities. It is an excellent way to deal with the perennial questions
about IT value and IT alignment with the business’. —Bill Rosser, Gartner
The link between the leadership council and the policy board is important; to a great
extent, the leadership council has the prime responsibility for the implementation and
execution of the IT strategy approved and led by the policy board, thus joint ownership is
essential.
4. Emerging trends, applications and issues
Single Compliance Platform
Present-day compliance efforts are not well orchestrated. What this means is that companies
are trying to make multiple compliance regimes work together through workarounds. This is similar
to ERP applications some time back (4-5 years ago), when everyone was buying applications and
trying to stitch them together. But the more systems you use, the more fragmented your approach,
the less accurate it is, and the more problems you create. Companies are wasting time and effort
on these kinds of compliance efforts. Instead they are looking for a single system integrated into
their architecture which runs as part of their IT infrastructure, and hopefully these controls will be
embedded into their business controls. This means we need to be looking into a service-oriented
architecture. [http://www.itcinstitute.com/display.aspx?id=1174]
Right now, compliance functions are being handled by about three different applications.
The consolidation of these applications could solve about 80 percent of present-day
compliance issues, in terms of ease of use, security and control measures. This would help in a
big way when financial institutions are acquiring and merging with their competitors.
[http://www.itcinstitute.com/display.aspx?id=1174]
SOX future compliance:
The need for tighter access control is now a reality in the third year of SOX
compliance. Auditors are looking into the availability of process controls (business
controls) such as order-to-cash, procurement, closing and the like. As of today, few software
controls can automate such needs.
Process controls are used for key business processes, such as provisioning, giving people
access, and then de-provisioning them. This acts as a security deterrent. The right software
can accomplish this by having many different levels of built-in controls. Two common scenarios
that demand a control be put in place are a process that does not allow the same person to both
create and pay a fictitious vendor, and the prevention of duplicate invoicing.
Another instance where these features can help is in setting the threshold inventory level
to determine whether inventory is being pilfered. One of the common ways inventory can be
pilfered arises when companies scrutinize purchase requests only above a certain amount. If an
employee purchases below the threshold level, that purchase is not monitored closely, and without
these controls an employee can place multiple purchases below the threshold limit and get away
with it, in terms of lost inventory. IT controls can prevent such problems.
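The three process controls just described (segregation of duties between creating a vendor and paying it, duplicate invoicing, and purchases split to stay under an approval threshold) can be checked mechanically over a purchasing ledger. The Python below is an added example, not code from this report or from any product it mentions; the record fields, the 5000 approval threshold and the 7-day window are assumptions, and the ledger entries are constructed sample data.

```python
"""Added example: detection logic for three SOX-style process controls
run over a constructed purchasing ledger (assumed fields and thresholds)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

APPROVAL_THRESHOLD = 5000.0   # assumed: purchases at or above this need extra approval
SPLIT_WINDOW_DAYS = 7         # assumed: window over which sub-threshold buys are summed


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    created_by: str            # user who set up the vendor master record


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    invoice_no: str
    amount: float
    paid_on: date
    approved_by: str           # user who released the payment
    requested_by: str          # employee who raised the purchase


def sod_violations(vendors, payments):
    """Segregation of duties: the user who created a vendor must not also
    approve payments to it (the 'create and pay a fictitious vendor' case)."""
    creator = {v.vendor_id: v.created_by for v in vendors}
    return [p.payment_id for p in payments
            if creator.get(p.vendor_id) == p.approved_by]


def duplicate_invoices(payments):
    """Duplicate invoicing: groups of payments that share a vendor and an
    invoice number, after normalising case and whitespace in the number."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p.vendor_id, p.invoice_no.strip().upper())].append(p.payment_id)
    return [ids for ids in seen.values() if len(ids) > 1]


def split_purchases(payments, threshold=APPROVAL_THRESHOLD,
                    window_days=SPLIT_WINDOW_DAYS):
    """Threshold splitting: several purchases by one requester to one vendor,
    each below the threshold, whose total inside a sliding window reaches it.
    Returns (requester, vendor_id, [payment ids]) per flagged pair."""
    by_pair = defaultdict(list)
    for p in payments:
        if p.amount < threshold:          # only sub-threshold buys can be splits
            by_pair[(p.requested_by, p.vendor_id)].append(p)
    findings = []
    for (who, vendor), ps in by_pair.items():
        ps.sort(key=lambda p: p.paid_on)
        start = 0
        for end in range(len(ps)):
            # shrink the window from the left until it spans at most window_days
            while ps[end].paid_on - ps[start].paid_on > timedelta(days=window_days):
                start += 1
            window = ps[start:end + 1]
            if len(window) > 1 and sum(p.amount for p in window) >= threshold:
                findings.append((who, vendor, [p.payment_id for p in window]))
                break                      # one finding per requester/vendor pair
    return findings


# Constructed sample ledger (not real data).
VENDORS = [Vendor("V100", created_by="alice"), Vendor("V200", created_by="bob")]
PAYMENTS = [
    # alice created V100 and also approved this payment: SoD violation
    Payment("P1", "V100", "INV-1", 1200.0, date(2016, 3, 1), "alice", "carol"),
    # same vendor and invoice number paid twice (second copy differs only in case/space)
    Payment("P2", "V200", "INV-7", 800.0, date(2016, 3, 2), "dave", "carol"),
    Payment("P3", "V200", "inv-7 ", 800.0, date(2016, 3, 9), "dave", "erin"),
    # frank keeps each buy under 5000 but two land within 7 days: split purchase
    Payment("P4", "V200", "INV-8", 4900.0, date(2016, 3, 3), "dave", "frank"),
    Payment("P5", "V200", "INV-9", 4900.0, date(2016, 3, 5), "dave", "frank"),
    Payment("P6", "V200", "INV-10", 4900.0, date(2016, 3, 20), "dave", "frank"),
]


def run_controls(vendors=VENDORS, payments=PAYMENTS):
    """Run all three controls and return their findings keyed by control name."""
    return {
        "sod": sod_violations(vendors, payments),
        "duplicates": duplicate_invoices(payments),
        "splits": split_purchases(payments),
    }


if __name__ == "__main__":
    for name, hits in run_controls().items():
        print(f"{name}: {hits}")
```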
CoBIT 4.0:
CoBIT, like the other control frameworks, will evolve as IT control objectives change and
are refined. The newest additions in 4.0 are the maturity models, key goal indicators, key
performance indicators and critical success factors. These enable management to assess the IT
environment against CoBIT's 34 high-level control objectives. The IT governance management
guideline also touches
upon the governance of IT in line with the business goals of adding value while balancing risk
and return. The following chart shows the components and their relationships under CoBIT 4.0.
Figure 6: Components and relationships under CoBIT 4.0
5. Conclusion and findings
I started out this project, naively, to get an idea of how to coherently knit together the
different regulations mandated by the government to prevent fraudulent practices and to have
secure transactions at all levels of business. This goal was not accomplished. Instead I got
caught up in the regulations such as SOX, CoBIT and COSO. I do understand that these regulatory
bodies address different issues, but the thought of unifying them under a common scheme was
tempting. I am glad to see that some industry stalwarts have the same unifying theme and are
slowly putting it to work under the banner of "Single Compliance Platform".
The case studies I picked (however varied) gave me an insight into why the goal of a
single platform under one system is important. It would simplify the maintenance of the system
and reduce the learning curve for adhering to practices. The key lesson I saw was that
regulations are a double-edged sword: they can hurt you and/or make your processes transparent.
It can be a rewarding experience in the hands of a consultant, or a nightmare. But overall I do
agree with the concept and implementation of Trustworthy Computing as a very necessary goal for
all corporations. If only the world were a bit more honest a place to live in ……..
6. Annotated references
1. Trustworthy Computing White paper, Craig Mundie – Oct 2002
2. Trustworthy computing security Development white paper, Steve Lipner – Mar 2005
3. Single compliance platform: http://www.itcinstitute.com/display.aspx?id=1174
4. IT governance framework, Craig Symons, Mar 29, 2005
5. ER Management Framework, http://www.erm.coso.org
6. CIO guide to SOX, Reymann Group Inc., Jan 2005
7. http://www.aicpa.org/info/sarbanes_oxley_summary.htm
8. Enterprise Value: Governance of IT investments – ING case study
9. IT governance institute and CoBIT, http://www.itgi.org