COBIT and COSO are two acronyms that are often mentioned together and that have a good deal in common. COSO stands for the Committee of Sponsoring Organizations (of the Treadway Commission), a body that publishes frameworks for internal control and enterprise risk management. COBIT stands for Control Objectives for Information and Related Technologies, an IT governance and management framework published by ISACA. Both are used by companies to organize and monitor the controls behind financial reporting, but COSO is an organization and a set of frameworks, whereas COBIT is a framework maintained by an organization (ISACA).

There are, however, several differences between the two, and this article explains them in detail.

Understanding COSO

COSO was established in 1985 by five professional associations. Their original aim was to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission). The five sponsoring associations are:

  • The Institute of Internal Auditors (IIA)
  • The American Accounting Association (AAA)
  • The Institute of Management Accountants (IMA)
  • The American Institute of Certified Public Accountants (AICPA)
  • Financial Executives International (FEI)

The body's main goal is to provide thought leadership and guidance in three areas: enterprise risk management (ERM), internal control, and fraud deterrence. Its best-known publications are the Internal Control – Integrated Framework and the Enterprise Risk Management framework.

Understanding ISACA

ISACA was established in 1967 (and incorporated in 1969). The initials originally stood for Information Systems Audit and Control Association, although the organization now goes by the name ISACA alone. It is a professional body for IT audit, governance, risk and security practitioners. Its main roles are to develop IT governance and audit guidance (including COBIT) and to run globally recognized IT certifications such as CISA and CISM.

The Framework of COSO

In 2017, COSO updated its ERM framework, publishing "Enterprise Risk Management – Integrating with Strategy and Performance". (Its separate Internal Control – Integrated Framework, the one most often used for financial reporting controls, was last updated in 2013.) The updated ERM framework treats risk management as something that is embedded in strategy-setting and performance rather than a stand-alone compliance exercise, and it applies to risks affecting any objective, including internal and external reporting. The framework is built on five components, each of which carries a set of underlying principles.

They include:

  1. Governance and Culture
    Sets the organization's tone and establishes board oversight of ERM, the desired culture, and accountability for risk.
  2. Strategy and Objective-Setting
    Integrates ERM into strategic planning: the organization defines its risk appetite, evaluates alternative strategies against it, and sets business objectives that align with strategy.
  3. Performance
    Covers the day-to-day risk work: identifying risks to the objectives, assessing their severity, prioritizing them, selecting responses, and developing a portfolio view of risk.
  4. Review and Revision
    Reviews how the ERM components are functioning in light of substantial changes and actual performance, and revises them where needed (this is where internal audit and ongoing monitoring of controls fit).
  5. Information, Communication, and Reporting
    Requires a continual process of obtaining and sharing risk information, from internal and external sources, and reporting on risk, culture and performance to internal and external stakeholders.

The Framework of COBIT

COBIT 5 is likewise built on five principles. Their role differs from that of COSO's components: COSO's components describe what an ERM system contains, whereas COBIT's principles describe how governance and management of enterprise IT should be organized. (COBIT 2019, the current version, restates these as six principles for a governance system, but the five below are the ones most commonly cited.)

The five principles include:

  1. Meeting Stakeholder Needs
    Enterprises exist to create value for their stakeholders, which means balancing the realization of benefits against the optimization of risk and of resources. Those who bear the risk and those who receive the benefits should both be represented when deciding what resources are needed.
  2. Covering the Enterprise End-to-End
    Governance of IT is treated as part of enterprise governance as a whole. Information and the related technology are treated as assets like any other, so the principle covers every function and process in the business rather than only the IT department.
  3. Applying a Single, Integrated Framework
    COBIT aligns at a high level with other relevant standards and frameworks (for example ITIL and ISO/IEC 27001) and is meant to serve as the single overarching framework onto which they are mapped.
  4. Enabling a Holistic Approach
    Governance and management rely on a set of interacting enablers: principles, policies and frameworks; processes; organizational structures; culture, ethics and behaviour; information; services, infrastructure and applications; and people, skills and competencies.
  5. Separating Governance from Management
    Governance (evaluating stakeholder needs, setting direction and monitoring performance, typically the board's job) is kept distinct from management (planning, building, running and monitoring activities in line with that direction, typically the executive's job).

Comparison of COSO with COBIT

Although the two appear to have much in common, they serve different purposes. COSO offers guidance that companies can use to define risk appetite and tolerances and to design internal controls, including controls intended to deter theft and fraud. COBIT, on the other hand, gives organizations a structured set of best-practice IT governance and management objectives, with control practices and metrics for each.

A company that builds its financial reporting risk and control architecture on COSO can use COBIT to populate the IT portion of its control landscape. In other words, COSO frames the building, and COBIT fills in the rooms that depend on information technology.

Why your company needs COSO and COBIT?

COSO and COBIT together are designed to produce a control landscape and a risk and governance infrastructure that lets security and IT controls be traced to business and regulatory requirements.

COSO addresses the controls associated with management's fiduciary duty over financial reporting; its Internal Control – Integrated Framework is the framework most companies use to meet Sarbanes-Oxley (SOX) Section 404 requirements. Its limitation is that it is written at the level of the business as a whole and says little about how IT-specific controls should be assessed and operated. COBIT fills that gap by prescribing specific processes and practices. For instance, the process PO8 Manage Quality (a COBIT 4.1 process identifier; the equivalent process in COBIT 5 is APO11 Manage Quality) can be mapped to the risk assessment element of COSO.

Once a company has aligned its controls with COBIT, it can align the same controls with COSO and other applicable frameworks through gap analysis: each control is mapped to the requirement it satisfies in every framework, and the requirements left unmapped are the gaps. Gap analysis tooling lets an organization maintain one set of controls and one body of evidence across several standards instead of running a separate compliance effort for each.

Ken Lynch

Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity Labs to pursue just that. Learn more at
