Auditing with COSO, COBIT, and ISO Control Frameworks

Internal auditors rely on internal control frameworks when documenting and testing a control environment. With so many frameworks available, management can choose which frameworks to use and even select different frameworks in specific situations. This article reviews the three most popular control frameworks used by internal auditors — COBIT, COSO, and ISO frameworks — and includes a six-step plan for auditing with any control framework.

What Is a Control Framework?

An internal control framework is a structured guide that organizes and categorizes expected controls or control topics. Some frameworks are designed for general purposes, like the COSO internal control framework, while others are more specific, such as the COBIT IT control framework. When an organization uses a control framework effectively (typically in audit risk assessments and risk management), management designs its internal control processes with the framework as a baseline. Doing so helps the organization design control procedures that create and preserve value while minimizing risk.

What Is the COSO Internal Control Framework?

The COSO framework is the most commonly used internal control framework. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) publishes the internal control framework that corporations most frequently use to run an efficient and effective financial statement control environment. The COSO framework contains five components that break down into 17 principles. The principles are further detailed into 87 points of focus, which give managers detailed guidance when designing or mapping internal controls and support audit risk assessments and risk management.

What Is the COBIT Framework?

Within the IT audit community, COBIT is the most popular example of an IT control framework. ISACA (Information Systems Audit and Control Association) owns the COBIT (Control Objectives for Information and Related Technology) framework and designed it for IT governance and management. Some professionals refer to COBIT as a guideline aggregation framework: as an integrated internal control framework, it cross-references many of the other popular IT frameworks, making it an IT security framework that addresses the IT side of business risk.

What Are ISO Frameworks?

The International Organization for Standards publishes standards on a wide variety of topics. The ISO control frameworks most commonly used by internal auditors are ISO 9001 for quality auditing and ISO 27001, another example of an IT control framework.

How to Audit with an Internal Control Framework?

When approaching a control audit, there are six common steps to follow. These six steps guide the team through the process regardless of the framework.

Step 1: Confirm the framework.

Auditing with a control framework starts with confirming the framework that management chose to best support the business objectives. Take note that the framework is selected and implemented by management, not by internal audit. If no framework exists, audit may still choose to audit against a common internal control framework like the COSO internal control framework or the COBIT IT control framework. The outcome of this practice would be recommendations for evaluating the internal control environment and implementing controls accordingly.

Step 2: Align internal controls.

The next step is control mapping. In this step, auditors align the organization’s internal controls to the expected controls in the framework. In the best-case scenario, management has already performed the control alignment, but the exercise is often not completed before the audit.

Step 3: Perform a gap analysis.

The outcome of the control alignment is a listing of the organization's internal controls compared against the expected controls. For the design test, auditors identify missing controls and poorly designed controls as gaps in the internal control environment.

Step 4: Document control design gaps and gather action plans.

Audit discusses the gaps with management, who then put corrective action plans in place to close the exposure. A timing issue will generally occur at this point: the audit team moves into testing while management is still designing the new controls.

Step 5: Test control effectiveness and gather action plans.

The next step is the control effectiveness testing, which is the area where auditors are most comfortable and experienced.

Step 6: Monitor mitigation activity.

After testing is complete, the final step is to monitor progress on management's corrective action plans. Depending on the use case for the framework, the corrective action plans may be time-sensitive.

Technology Enables Control Frameworks

For any internal control framework you may be required to audit against, the process previously outlined guides you through evaluating internal controls. Using compliance software like AuditBoard’s integrated compliance management solution, organizations can streamline framework gap assessments and easily create a standard controls framework to avoid redundant testing.