IT Auditors Turn to Cobit for Sarb-Ox Guidance

Companies use the IT governance guidelines to improve compliance

ORLANDO -- Increasingly, to keep themselves and their companies out of trouble, IT auditors are going by the book -- the Cobit book on IT governance.

Cobit, formally known as the Control Objectives for Information and Related Technology, is a framework for governing IT and evaluating internal system controls. The guidelines have been around since the early 1990s, but the need to comply with the Sarbanes-Oxley Act is fostering new interest in them, according to attendees at a conference held here last week for IT auditors.

Sarbanes-Oxley "is an amorphous document -- it says 'Have controls,' but it doesn't tell you what controls or how to have them," said Scott Thomas, an IT security manager at a large food services company that he asked not to be named. Thomas said Cobit has given his company "a nice, solid process" to follow on Sarbanes-Oxley compliance, as well as a means for showing external auditors the security controls it has in place.

In Plain English

The framework also gives IT and business managers a common language on system controls, according to Thomas. Without Cobit, communication between the business and IT sides at his company often was "apples to oranges," he said at the conference, which was sponsored by the Information Systems Audit and Control Association (ISACA), based in Rolling Meadows, Ill.

Cobit explains in a "nontechnical way" how to build controls around a business process, said Steven Suther, director of information security management at American Express Technologies, the IT arm of American Express Co. in New York. The framework allows "my business folks to actually understand IT processes for the first time ever," Suther said at the conference.

ISACA offers free downloads of the Cobit framework and a related set of guidelines that are specific to Sarbanes-Oxley. Both were developed by the IT Governance Institute, which works in tandem with ISACA and is also based in Rolling Meadows.

A Version 4 update of Cobit was released in December, and a proposed second edition of the more focused IT Control Objectives for Sarbanes-Oxley document has been made publicly available for review and comment. The draft reflects recent controls-related guidance from the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board. The comment period ends June 30.

Complements ITIL

The controls management focus of Cobit differs from the data center orientation of the IT Infrastructure Library. But the two frameworks are complementary, and the latest version of Cobit includes improved integration with ITIL, said Robert Stroud, an IT service management evangelist at CA Inc. and a contributor to Cobit.

ITIL is focused on IT processes, such as how a help desk handles trouble tickets submitted by end users. Cobit takes issues to a higher level inside a company by focusing on meeting business needs, Stroud said. He noted that IT staffers who want to discuss, for instance, how much storage capacity is available aren't necessarily giving business managers the information they really need. "The business just cares about the ultimate service," Stroud said.

Meanwhile, the city of Phoenix is in the planning stages of a Cobit implementation, according to Lance Turcato, the deputy city auditor. Turcato, who previously was involved in a Cobit implementation within the private sector, said the framework can foster a better partnership among IT, business users and corporate auditors.

Take Control
Here's a look at some of the recommendations found in the Cobit guidelines:

- Ensure that response-and-recovery activities are in line with prioritized business needs and that costs are kept at an acceptable level.
- Record information regarding all exceptions to internal controls and ensure that the underlying cause is analyzed and that corrective action is taken.
- Do formal training to ensure that all workers are aware of their compliance obligations. Responsibilities should be clearly explained.

Source: IT Governance Institute, Rolling Meadows, Ill.

Copyright © 2006 IDG Communications, Inc.
