BoD and BoC may be familiar with the COSO framework, which is used as a methodology for evaluating an organization's controls. There is always a question for them: how do they control their Information & Technology Division? This slide deck may help them understand the relationship between SOX, COSO, COBIT and ITIL, where every framework can be mapped to the main control objectives.
IT Control Objectives Framework, A Relationship Between COSO Cobit and ITIL
1. IT CONTROL OBJECTIVES FRAMEWORK
COMPLIANCE WITH COSO AND
SARBANES-OXLEY ACT
Alfid Ardyanto
PT Hino Finance Indonesia
2. SARBANES-OXLEY ACT - SOX
• SOX is designed to ensure public companies have controls in place over financial reporting; controls
that support the assertions that are made in public disclosures of financial statements.
Comparison of SOX Section 302 and SOX Section 404:

Who
  Section 302: Corporate management, executive and financial officer
  Section 404: Corporate management, executive and financial officer

What
  Section 302:
    1. Evaluate effectiveness of disclosure controls (with focus on changes since the most recent evaluation)
    2. Evaluate changes in internal control over financial reporting
    3. Disclose all known control deficiencies and weaknesses
    4. Disclose acts of fraud
  Section 404:
    1. Evaluate design and operating effectiveness of internal controls over financial reporting
    2. Disclose all known controls, significant deficiencies
    3. Disclose acts of fraud

How Often
  Section 302: Quarterly assessment by management
  Section 404: Annual assessment by management and independent auditors
3. COSO - COMMITTEE OF THE SPONSORING ORGANIZATIONS
OF THE TREADWAY COMMISSION
• Comprehensive framework for evaluating an
organization’s controls; process-oriented and
controls-based.
• Focuses on fiduciary controls; lends itself well to
evaluating business processes for SOX.
• 3 objective categories.
• Operations, Financial Reporting, and Compliance.
• 5 control components.
• Control Environment, Risk Assessment, Control
Activities, Information & Communication,
Monitoring.
• More information available online (www.coso.org).
4. CONTROL OBJECTIVES FOR
INFORMATION AND RELATED TECHNOLOGY - COBIT
IT framework established by IT Governance
Institute (ITGI) and Information System Audit
and Control Association (ISACA).
Comprehensive framework with 4 domains:
Plan and Organize, Acquire and Implement,
Deliver and Support, and Monitor and
Evaluate.
ITGI/ISACA recently issued the second edition
of “IT Control Objectives for Sarbanes-Oxley”.
Maps 12 (of 34) high-level objectives from
COBIT to the PCAOB’s 4 categories for General
Computer Controls: Program Changes,
Program Development, Computer Operations,
and Access to Programs and Data.
More information available at ITGI (www.itgi.org)
or ISACA (www.isaca.org).
5. IT INFRASTRUCTURE LIBRARY - ITIL
• While COSO and COBIT are widely
utilized, there are other frameworks
available that can also be leveraged in
support of SOX.
• IT Infrastructure Library (ITIL) –
www.itil.co.uk
• ITIL is owned and maintained by the UK
Office of Government Commerce (OGC).
• International Organization for
Standardization (ISO) 17799 –
www.iso.org
• Can be used to augment COBIT
security objectives.
6. RELATIONSHIPS
BETWEEN COSO, COBIT AND ITIL
[Diagram: COSO components mapped to SOX Sections 302 and 404, which in turn map to the COBIT domains]
COSO Components
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
SOX Requirements
• Section 302
• Section 404
COBIT Objectives
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate