
Are COSO 2013 and COBIT 5 Compatible?

By Steven Babb, CGEIT, CRISC, ITIL

COBIT Focus | July 2014

Many enterprises ask, “With the update of the 2013 COSO Internal Control—Integrated Framework (COSO framework) and the 2012 release of COBIT 5, are they still complementary and compatible?”


ISACA recently published a white paper, Relating the COSO Internal Control—Integrated Framework and COBIT, which examines how the relevant components and content of the COBIT 5 framework and its supporting guidance deliverables relate to the COSO framework. Through the efforts of many (including ISACA), the refreshed COSO framework places a stronger emphasis on the importance of IT, in addition to other enhancements within its principles.


The ISACA white paper highlights areas of alignment and differences in the content of the frameworks and also presents the relationship between the COSO framework guidance and the COBIT 5 framework guidance. First, the paper introduces the COSO and COBIT 5 frameworks and their main components. Next, it examines how the COBIT 5 framework components and content relate to the COSO framework’s fundamental concepts and objectives. Finally, the paper looks at how COBIT 5 framework components and content relate to each of the 17 COSO framework principles. An appendix documents the relationship between the COSO principles and COBIT 5 process guidance.


Ultimately, the paper concludes that the answer is yes—the frameworks are complementary and compatible as guidance to support the assessment and improvement of internal control practices and activities within the governance and management arrangements of an enterprise. However, the use of both frameworks continues to require professional judgment and work by enterprise management and its auditors/advisors to comprehend, adapt and apply the principles and guidance to specific enterprise goals and enterprise capabilities. Relating the COSO Internal Control—Integrated Framework and COBIT provides support for such professional judgment.


Steven Babb, CGEIT, CRISC, ITIL, is the technology risk management, compliance and assurance leader at Vodafone and international vice president of ISACA.
