D
Found a couple of things that tie this together better than I did:
Excerpts from the SEC Final Rule
‘We believe that each company should be afforded the flexibility to design its system of internal control over financial reporting to fit its particular circumstances.’
In this same final rule, the SEC says:
‘The methods of conducting evaluations of internal control over financial reporting will, and should, vary from company to company. Therefore, the final rules do not specify the method or procedures to be performed in an evaluation.’
They go on to discuss the COSO framework:
‘…we have modified the final requirements to specify that management must base its evaluation of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.
The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management’s annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors.’
http://www.sox-online.com/coso_cobit_sec_on_frameworks.html
In most companies of any size, data moves between multiple business groups and IT systems on its way from initial transactions to the reports that the CEO and CFO must attest to.
Attesting to the accuracy of the data requires confidence in accounting procedures and controls. These are addressed within the COSO framework.
The SOX 404 attestation also requires confidence in the IT systems that house, move, and transform data. This requires confidence in the processes and controls for those IT systems and databases. The COBiT framework was designed to address IT concerns.
Finally, an excerpt from IT Control Objectives for Sarbanes-Oxley; this is the document that maps COBiT objectives to COSO:
‘The PCAOB standard includes specific requirements for auditors to understand the flow of transactions, including how transactions are initiated, authorized, recorded, processed and reported. Such transactions’ flows commonly involve the use of application systems for automating processes and supporting high volume and complex transaction processing. The reliability of these application systems is in turn reliant upon various IT support systems, including networks, databases, operating systems and more. Collectively, they define the IT systems that are involved in the financial reporting process and, as a result, should be considered in the design and evaluation of internal control.
The PCAOB suggests that these IT controls have a pervasive effect on the achievement of many control objectives. They also provide guidance on the controls that should be considered in evaluating an organization’s internal control, including program development, program changes, computer operations, and access to programs and data. While general in nature, these PCAOB principles provide direction on where SEC registrants likely should focus their efforts to determine whether specific IT controls over transactions are properly designed and operating effectively.
This document discusses the IT control objectives that might be considered for assessing internal controls, as required by the Act. The appendices of this document provide control examples that link PCAOB principles, including their relationship to internal control over financial reporting. To support implementation and assessment activities, illustrative control activities and tests of controls are provided in the appendices.’