Critics say the Treadway Commission's controls framework is outdated, onerous, and overly complicated. But is there an alternative?
Helen Shaw, CFO Magazine
March 15, 2006
While conceptually I understand the point, in practice, particularly for smaller companies, COBIT is very much an "overkill" approach with poor cost-benefit economics. Our company burned up an inordinate amount of resources, at the "request" of our auditing firm, mapping COBIT controls. For companies like ours that do not customize financial application software and have limited application interfaces impacting financial systems, COBIT generates about 50% "N/A" responses. Given the obvious lack of a cost-benefit advantage in our company environment, for this year's audit we negotiated COBIT mapping out of our SOX 404 controls documentation. Interestingly enough, our auditors continue to use it, probably because they have an internal firm guideline to do so. The difference is that this year the use of COBIT is an audit documentation choice that the audit firm has made, not a mandate to management, and the cost is on their dime. The audit firm has to find a way to get their audit documentation done within an agreed fee range. Unlike COSO, the SEC has never recognized COBIT as an accepted guideline for internal controls. Bottom line is COBIT may be beneficial for larger companies with complicated IT environments impacting financial reporting systems, but for most "smaller" companies it is likely to be very costly with very limited benefit, outside of providing auditors with a lot of documentation.
Posted by W Rice | October 03, 2006 12:06 pm
The applicability and effectiveness of COSO to financial audits is hard to overstate. COSO is a well-defined, well-understood framework. This is not a light-reading article that you pick up on a weekend. This is a serious business well worth its sizeable publication. So the comments on its size or age are not well placed. In short, COSO has proven to date to be best suited for financial audits and internal controls matters. AS2 is a cut-and-paste job on the COSO framework, with a bit of risk-based auditing emulated from GAGAS' "Yellow Book"; the PCAOB would be the first to admit to it. COBIT, on the other hand, is more suited to dynamic and more granular IT attest services. Thus, mapping COSO to COBIT (in both directions) is not only a good idea, it's an effective audit procedure: IT audits and reviews can rely on COBIT, while financial audits can rely on COSO.
Posted by Yigal Rechtman | March 24, 2006 09:50 am

© CFO Publishing Corporation 2009. All rights reserved.