Compare and contrast the COBIT and the COSO Enterprise Risk Management Frameworks.
COBIT is a framework for IT control that allows benchmarking of the IT environment within an organization and meaningful comparison with other organizations. The COBIT framework is comprehensive and hence provides assurance that IT security and controls do indeed exist. Most importantly, the COBIT framework allows auditors to substantiate their opinions with regard to a company's internal controls.
COBIT enables a holistic approach and effectively separates governance from management.
COSO's Enterprise Risk Management Framework is a new and improved version of the Integrated Control Framework. It is the process that the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals. The basic principles behind ERM are:
1. Companies are formed to create value for their owners.
2. Management must decide how much uncertainty it will accept as it creates value.
4. The ERM framework can manage uncertainty as well as create and preserve value.
ERM adds three elements to COSO's IC framework:
1. Setting objectives
2. Identifying events that may affect the company
3. Developing a response to assessed risk.