Compare and contrast the COBIT and the COSO Enterprise Risk Management Frameworks. (more details minimum provide 7 differences/similarities).
The COBIT Framework consolidates systems security and control standards into a single framework. This allows management to benchmark security and control practices of IT environments, users to be assured that adequate IT security and control exist, and auditors to substantiate their internal control opinions and to advise on IT security and control matters. The framework addresses control from three vantage points:

1. Business objectives, to ensure information conforms to and maps into business objectives.
2. IT resources, including people, application systems, technology, facilities, and data.
3. IT processes, including planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation.

The COBIT Framework allows businesses to maximize the benefit of information technology by developing proper IT governance and IT management within the business. COBIT helps entities to maintain high-quality information, achieve operational excellence, maintain IT-related risk, optimize the heavy costs associated with IT, and assist in supporting compliance with current IT regulations. COBIT has five main principles:

1. Meeting the stakeholder needs
2. Covering the enterprise end to end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management
COSO’s Internal Control Framework is widely accepted as the authority on internal controls and is incorporated into policies and regulations that control business activities. However, it examines controls without looking at the purposes and risks of business processes and provides little context for evaluating the results. It makes it hard to know which control systems are most important, whether they adequately deal with risk, and whether important controls are missing. In addition, it does not adequately address Information Technology issues. It has five components:
1. Control environment, which is the individual attributes (integrity, ethical values, competence, etc.) of the people in the organization and the environment in which they operate.
2. Control activities, which are control policies and procedures that help ensure that the organization addresses risks and effectively achieves its objectives.
3. Risk assessment, which is the process of identifying, analyzing, and managing organizational risk.
4. Information and communication, which is the system that captures and exchanges the information needed to conduct, manage, and control organizational operations.
5. Monitoring company processes and controls, so modifications and changes can be made as conditions warrant.