
Use of COBIT as Corporate Governance Audit Methodology - Essay Example


Abstract

This study focuses on a comparative analysis between two firms that use COBIT as the basic IT framework; the various uses and applications of COBIT and other IT systems for security management, IT management and performance management are also discussed. The focus, however, is on the use of COBIT in enhancing auditing processes in organizations, and in this context the Sarbanes-Oxley Act, the corporate scandals, and the need for transparent accounting are discussed. The use of COBIT as a core in enhancing corporate accountability is also examined to suggest how companies could adopt COBIT to successfully improve auditing methods.

Keywords: Computer Security and Audit, Information Security and Control, Computer Security & Risk Management, COBIT and IT systems, Sarbanes-Oxley Act, Project management, Risk assessment, Security Management, Performance management, Corporate Accountability, Audit.

Chapter 1: Introduction

As an outcome of the analysis of the famous Enron and Andersen scandals in late 2001, the US Government introduced the Sarbanes-Oxley Act 2002, which enforced a number of enhancements in the methodology of corporate governance and also ensured better accountability of auditors in the control of corporate fraud. The Act promoted greater accountability and transparency of corporate functions and accounting, as it has enhanced assessment and financial evaluation in large corporate houses. Section 404 of the Sarbanes-Oxley Act pertains to internal control assessment and the accountability of the management of the organization, whereby the company is required to submit an internal control evaluation report pertaining to the procedures of financial reporting. This would mean companies will have to be controlled by internal auditors whose practices and evaluation of company financials will have to be made accountable to external auditors, financial analysts, the media and the public at large.
Accountability of large corporations has become especially important after the major corporate scandals that exposed the flaws in accounting and even highlighted unethical practices that devalued accounting as a profession. The importance of the legal structure, the efficacy of IT systems in businesses, and governance and controls are some of the more important aspects of business and auditing systems. In the modern context most organizations possess IT-enabled business and financial control systems, and hence internal controls are largely related to IT governance. IT governance is gradually forming deep roots in the corporate governance of businesses globally, and hence best practices of IT management like ITIL and COBIT are gaining popularity very rapidly across the world. In fact, many organizations are now looking to implement integrated frameworks comprising practices recommended by ITIL, COBIT and ISO 27001. Management of internal systems is thus possible only when the IT systems are also upgraded and updated in accordance with the needs of the business. The research project is targeted to evaluate the feasibility, strengths and weaknesses of the COBIT framework when deployed as an internal auditing system for IT governance as a part of the overall corporate governance system of an organization. [Findlaw.com. 2002].

Need for Research

The research objectives and directions of this project are based on the analysis of COBIT as a framework for information systems used by organizations and businesses. COBIT as a methodological framework to manage IT systems across organizations is a very popular choice, and COBIT is used extensively across organizations for various reasons, from upgrading IT systems to performance improvement and to making accounting, auditing and related information systems more accessible.
Butler (2004) suggests that all problems concerning spreadsheet risks should be immediately reported so that firm management can pay attention to the risks. The Information Systems Audit & Control Foundation and the IT Governance Institute have published and recommended COBIT, and this system, according to the author, highlights mainstream IT control issues and how they relate to corporate governance. Butler's paper illustrates how spreadsheet risk and control issues can be mapped onto the COBIT framework and thus brought to managers' attention in a familiar format. Risk and security management frameworks could enhance the control system of organizations, and COBIT, defined as the Control Objectives for Information and related Technology, is one of the most accepted forms of technology guidance framework that helps organizations to reach their IT targets and business objectives. In this research, the advantages of using COBIT are delineated along with a literature review of changes in IT systems and the introduction or uses of COBIT in various organizational settings. Two case studies are considered: the use of COBIT at Allstate and the use of COBIT by Coopers and Lybrand. A comparative analysis is drawn between these two case studies considering the facts and processes and the use of COBIT from the upgrade of management and IT systems.

Objectives

The research objectives and directions include:

1. Analysis and evaluation of COBIT as a guidance framework for management and IT systems in organizations
2. Examination of the usability of COBIT in business organizations
3. Application of COBIT and other IT systems in various organizational disciplines to solve IT related problems and issues
4. Studying the use of COBIT in knowledge management, risk management, security management and performance management of organizations
5. Comparison of case studies and white paper analyses of organizations using COBIT as their basic guidance framework for IT systems implementation
6. Comparison of the use and application of COBIT in various IT scenarios and business situations, including the study of the range of contexts in which COBIT or other IT systems could be applied
7. Use of COBIT by organizations, why the IT framework is used and what other options are available for companies
8. The advantages and disadvantages of COBIT, ITIL and other IT systems in the management of organizational settings and frameworks
9. The role of COBIT and advanced IT systems in general in auditing and accounting
10. Links between the use of COBIT and its role in sustaining the Sarbanes-Oxley Act and in increasing auditing transparency and corporate accountability

The research problem deals with identification of the various scenarios and business contexts in which COBIT is applicable and drawing a comparative analysis of the applications of COBIT by considering the use of COBIT in organizations. In this case, the research methodology used is comparison of case studies of organizations that have used COBIT for their business and IT systems. The hypothesis would be related to drawing out a comparative analysis and tabulating features of two case studies, suggesting that there will be major similarities in the use and applications of COBIT depending on the facts or background of such organizations. The limitations of such research would be the ethical considerations, as it will not be possible to go beyond the technical uses of COBIT as a framework for IT systems and discuss the ethics of using IT and accounting systems in business organizations. Moreover, only two case studies are used, which cannot be generalized. In this project, the advanced IT systems for management of a corporation are considered and an analysis and evaluation is drawn between COBIT and other IT systems. The usability of COBIT is considered, and the features, unique attributes and requirements of other IT systems are also discussed.
Following this, an exposition into the nature of the audit process, the issues in accounting and auditing and the different advanced IT systems could be considered and analysed. The thesis here is that IT management is significantly holistic and involves the participation of not just IT managers and analysts but also the other management and administration staff who could efficiently handle all IT related requirements during the auditing and financial management or other management process. The IT requirements are especially significant for the complete working of the internal auditing system, as internal auditing would depend on upgraded technological systems, including hardware and software support, that would help in maintaining a detailed financial accounting procedure. This essay could help in identification of COBIT and other IT systems and the advantages and disadvantages of using them. The emphasis is on the use of COBIT and other such IT systems that could enhance the auditing process of any financial organization, and using COBIT and such systems could have several advantages related to advancement of the IT system in general within a corporate organization. The use of such systems, the features or attributes of COBIT and similar IT systems and the changes that could be implemented by such systems within the framework of IT requirements of auditing firms are considered. The objectives and vision of a company are first considered along with the infrastructural facilities available and the advanced IT systems available at the company offices. These are then compared to provide an analysis as to what kind of company goals could possibly be met with the type of IT facility provided and what further IT system or infrastructural changes would be necessary to meet all company objectives or to further improve company auditing and financial reporting.
COBIT and related IT systems are especially important in auditing and financial reporting and help to enhance the accounting procedures of a company, making them accessible, transparent and detailed, requirements that have become extremely important in public accounting, especially after the accounting scandals of major corporations (ISACA, 2007). IT systems could provide accountability and transparency, and that is why they are very important to accounting and other major firms. The introduction and use of such advanced IT systems and frameworks like COBIT also helps companies from a legal point of view: with the increased accountability provided by these IT systems, companies are able to maintain a strong legal stance as far as accounting practices and ethical requirements in practice are concerned. The target companies chosen are two major companies that have adopted COBIT practices and the related auditing systems and have achieved reasonable maturity of IT governance and the corresponding mapping with the corporate governance of the organization.

The chapter breakdown is as follows:

1. Introduction
2. Literature review
3. Research Questions and Objectives
4. Research Methodology
5. Data Collection
6. Data analysis
7. Conclusions & Generalizations

The Literature Review has been carried out with the help of the Isaca.org portal, ingentaconnect and Google Scholar search and the various research and case studies published in educational databases. The output of the Literature Review shall be appropriate research question(s) and the design of data collection templates with white paper reports to be used in the project. Post data collection, the data is presented in raw format as well as in analytical format to arrive at conclusions and generalizations.

Chapter 2: Literature Review

Since its original inception in 1992, COBIT has developed into the de facto control framework for IT governance.
Now accepted globally, COBIT and its supporting products provide wide-ranging guidance and support to many enterprises and government departments around the world. Because IT and the guidance required to manage it effectively do not stand still, COBIT users, especially those who have committed their organisations to adopting the COBIT framework, expect continuous support and improvement. In 2002, 10 years after the COBIT project began and through the production of three versions, a strategy was developed to ensure the sustainability of COBIT's further development. One of the key objectives of this strategy was to provide for a continuously maintained and updated framework reflecting the needs of fast-changing IT issues, user feedback and continuous improvement. [new face of COBIT] In 2003, COBIT Online® was launched as the up-to-date COBIT repository, providing a resource that can be updated immediately and continuously, and is easily accessible to all COBIT users. From time to time, when more fundamental updates are made to reflect significant changes, new printed and downloadable PDF versions of COBIT will also be produced. In the five years since COBIT® 3rd Edition© was launched in 2000, ITGI has conducted wide-ranging research into IT governance as well as analysis of extensive COBIT user feedback. These formed the basis for the COBIT 4.0 update project, commenced in 2004 and due for release in November 2005.

IT management is no longer a small management system operated by a group of professionals who are primarily technical administrators and experts. With more and more organizations migrating to IT-enabled business process management systems, the components and building blocks of IT infrastructure and applications have gradually achieved the criticality of being the most valuable assets of the organization, yet the least understood from the governance perspective.
In this context, organizations having high dependence on IT-enabled business processes need to practice an effective IT risk management system to comply with regulatory requirements and manage the business dependence on IT effectively. Hence, it is mandatory in the modern business era that IT management and governance becomes the responsibility of the executive management and the board of directors of an organization. The advantages of having strong and well managed IT governance in organizations are the following:

(a) Effective Business Asset Management & control system
(b) Strong fundamentals for Enterprise Governance and Risk Management
(c) Optimization of the usage of the available IT resources
(d) Better management of threats to business
(e) Capitalising on the opportunities offered by the markets and customers
(f) Improved competitive advantages
(g) Better compliance with applicable regulations
(h) Business performance management – performance of people, processes & technologies can be assessed more objectively
(i) Improved customer satisfaction
(j) Faster growth of business
(k) Knowledge management
(l) Management by objectives – a KPI (key performance indicators) based approach

Many more would be discussed as we proceed to evolve more correlations between the business and IT. The COBIT (Control Objectives for Information and related Technology) Framework provides the control objectives and controls in a logically organized structure that comprises good practices designed by a large panel of experts. The primary contributions of this framework are to link IT objectives with business requirements, design a process model for IT activities, identify and make optimum use of the major IT resources, and define IT management control objectives.

Figure 1: The COBIT Cube (Source: COBIT 4.1 Executive Summary, ISACA.org, 2007)

IT Processes: DS2 exercises control over the IT process of Manage third-party services.
DS2 satisfies the business requirement for IT of providing satisfactory third-party services while being transparent about benefits, costs and risks, and is achieved by establishing relationships and bilateral responsibilities with qualified third-party service providers and monitoring the service delivery to verify and ensure adherence to agreements.

IT Resources: The IT resources applicable to DS2 are applications, information, infrastructure, and people. The required Information Criteria for DS2 are effectiveness (P), efficiency (P), confidentiality (S), integrity (S), availability (S), compliance (S), and reliability (S), where P refers to a primary criterion and S refers to a secondary criterion.

COBIT's management guidelines provide tools to create dashboards, scorecards and benchmarking to help address these questions. The main components of the guidelines are as follows:

Process inputs and outputs: Process inputs identify the deliverables needed by a process and the processes from which those deliverables will come. Similarly, process outputs identify the deliverables expected from a process and the processes to which they are delivered. [isaca.com COBIT demo]

Process activities and RACI charts: Process activities and RACI charts show a range of generic roles that are Responsible, Accountable, Consulted, and Informed for key activities.

Business, IT, process, and activity goals: predefined measures that indicate if an IT process met its business requirements in terms of the relevant information criteria. KGIs are lag indicators and they indicate if we achieved our objectives.

Metrics – Key goal and performance indicators: Key Performance Indicators (KPIs) are predefined measures that determine how well the IT process enables the goal to be achieved. They indicate whether or not a goal is likely to be achieved, and are good indicators of capabilities, practices, and skills. KPIs are lead indicators used to measure our progress towards our goal.
Maturity models: Maturity models (MMs) are a method of measuring proficiency so that an organization can make a systematic attempt to improve. This approach is derived from the Maturity Model defined by the Software Engineering Institute for the maturity of software development capabilities. By using MMs, management can map the current status of the organization on various parameters, the targets to be achieved, and how the organization plans to achieve these targets, or the strategy. In this process, the organization can compare itself with other companies in the industry in the national and international environment. In addition to the above benefits, MMs also serve as a tool to share the development road map within the organization.

The COBIT Framework ties the requirements of businesses pertaining to information and governance to the IT objectives of the organization. IT goals respond to business goals by virtue of IT processes that manage the IT resources (COBIT Cube in Figure 1).

O’Leary (2007) discussed the importance of validation and assessment of IT systems and frameworks. The paper also develops a framework for accounting and auditing systems and highlights the research issues involved. O’Leary mainly discusses expert systems, or systems that pertain to existing accounting and auditing frameworks, and suggests that validation and assessment are both critical to the design, implementation and decision making of expert systems. In most studies, the focus is on objectivity and validation is required to enhance such objectivity as it would support what a support tend to inherently mark as correct or incorrect. The system’s level of expertise is only recognized through validation of information, as validation also provides information on the underlying theoretical structure that determines the functioning of the system.
Validation also enhances the reliability of a system as it relates to decision making, which suggests that any expert system used within the framework of corporate strategy should involve an interplay between decision making, reliability, validation and assessment of the data or information used. O’Leary developed the validation framework in expert systems for corporate governance using research methods that highlighted the different aspects of these systems when compared with other such computer programs and systems. So this particular framework could be used by developers of expert and other IT systems as the basis to perform validation and assessment of information, as a framework to incorporate research questions and issues, and to highlight the aspects of accessibility, reliability and assessment in computer and IT systems within an organization or major corporation.

Medori and Steeple (2000) discussed auditing and performance systems management, especially with reference to manufacturing organizations. They suggested that any world class corporation should be differentiated by its performance management system, and that such measurement systems should incorporate financial and non-financial measures that could be of interest to businessmen and CEOs, accountants and analysts. The manufacturing industry has especially been the focus of corporations and researchers with regard to the use of financial and non-financial measures of performance, as performance could be related to motivation and work output or targets achieved as well as profits and revenue drawn. Certain accounting and performance measurement frameworks were developed nearly two decades back to understand how these corporate houses could implement changes related to performance and employee motivation. Such frameworks are also developed to fulfill design requirements, and the advantages and disadvantages of such frameworks are also discussed.
However the performance management systems and models largely followed across companies have policies and strategies to obtain feedback from various levels of management and performance of employees in business. Performance management is thus not just about training and implementation of strategies to measure output and increase motivation among employees but also about obtaining the right kind of measures which could be further used by various levels of management to understand expectations and abilities of employees and the general growth of the firm. Bititchi et al (1997) discussed the performance management process as a closed loop control system that not only determines policy and strategy but also manages performance related feedback. The performance measurement system is the central part of the performance management system but is an information system that helps in the input and measurements of data that could be effective in the functioning of performance management within an organization. The elements that could be important for the content and structure of performance measurement systems would be integrity and deployment (Bititchi et al, 1997). To maintain the correct and ethical standards of performance, the viable systems model or VSM has been used for dealing with the integrity and facilitation of performance management systems and according to the paper the model could be used as a framework for the design and auditing of performance management systems. Performance management could thus not only be assessment with a software performance measurement tool but added support by a systems model could help in enhancing performance measurement even more. Performance management involves performance measurement tools and tools for the facilitation of correct and ethical evaluation of performance. 
Information systems are also important in the context of security management of an organization and Treek (2003) has provided a framework for security management in organizations. In case of online communication, the use of internet and subsequent security on the internet has emerged as one of the key factors related to the security issue. The business use of the internet has shown that security is not just important in business but also in deterring company information leaks for the benefit of competitors. Management of e-business security could have several approaches related to technology and management issues as also organizational and legislative aspects as security would have legal implications and would require technological upgrades and advanced organizational management and planning as well. Treek argues that management of security would require an integrated approach and the various approaches would be considering issues related to technology, law, and management. Any kind of security threat faced by a company or firm would have to be dealt with from an integrated viewpoint and all dimensions of the problems and all relevant technological, legal or management issues will have to be considered together rather than separately. The paper by Treek suggests that security systems in e-businesses should be based on integration of existing models and approaches to functioning of the systems and this integration should be done so that a balanced level of functioning considering all aspects of security is attained. The conceptual model could be used for practical purposes and in the real security enhancement of business organizations. As Kwo-Shing et al (2003) suggest, with electronic commerce and online businesses, organizations are under the threat of increased security challenges, however new security and management tools could be very important for businesses and can not only protect businesses from external threats but also enhance the functions of businesses. 
However, there may be a dire need for a theoretical framework and proper approach to information security and security policies and control. Kwo-Shing et al propose an integrated systems theory or, as they put it, a comprehensive theory of information security management (ISM), considering integration of security policy theory, risk management theory, control and auditing theory, management system theory and contingency theory. The new integrated systems theory and theory of information security management could help in the evaluation of information related to security management and the management of outcomes and strategies related to security procedures within an organization. Any information security management theory or strategy could predict management outcomes, and an integrated security management theory could comprehensively use all aspects of management and technology to provide a strategy that would be more multidimensional and broad in its agenda and reach, thus being applicable to various levels and aspects of business.

Rezaee and Reinstein (1998) discussed the impact of information technology on auditing and dealt with security issues and data processing techniques, accounting systems and electronic and technological interchange. They suggested that businesses could use electronic data processing (EDP) techniques so that auditors and accountants could use all critical information efficiently. With the emerging technologies of the internet and electronic data interchange, as well as other modern technological tools, auditing has become largely dependent on the newer technological tools and the internet, so EDP techniques rather than the traditional auditing methods are now more valid and applicable for data processing. With the use of advanced technology in auditing, transactions and events have become even simpler and results are better, critical, detailed and more accurate.
Auditing transactions are now highly specialized and reported in a way that enhances accountability, and the newer technologies have made this possible. The new technology and its uses may have even enhanced security and performance, as described earlier, along with the enhancement of the assessment method itself. Informed decisions could be taken when people have sufficient understanding of the likely sources of evidence and the methods of evaluation. Auditors are required to use evidential information for their auditing processes, and all auditing transactions should be backed and supported by evidence. This could make the audit procedure simpler and more efficient, and for online clients the need to have a transparent, detailed and technological auditing procedure is especially important. Auditors and accountants have to evaluate the security issues and the technological issues and at the same time maintain evidential support for auditing when they complete the audit procedure for their clients. Evidence, as seen, is especially necessary for online clients, as is the evaluation of security control and procedure, and this could enhance the auditing process to an extent that could allow both auditors and clients to engage in informed decision making with the support of detailed auditing transactions.

Debreceny et al (2003) discussed the development of audit systems to support monitoring within an e-commerce environment. They stressed the development of continuous audit processes as in real-time electronic commerce systems that are technologically controlled, although the development of continuous audit techniques is suggested to be critical (Debreceny et al, 2003). Auditors tend to monitor accounting information systems in real time, and the Embedded Audit Module (EAM) helps in the development of monitoring systems.
Auditing and monitoring tend to be related, as EAM alerts are especially important for fraud alerts, and these alerts use stored database procedures to trigger monitoring of internal control environments. The embedded audit module would be beneficial for monitoring and control of any e-commerce environment, and the alerting system that the module supports is especially complementary to the firm’s internal control system, as the alerts and the system in general tend to strengthen monitoring and help in the reporting of irregularities within any control environment, even in an organization. Debreceny et al provide insights into the development of such audit modules and the use of alert systems, the construction of EAMs and the limitations in the development of the module within the controlled e-commerce environment. There are, however, many issues in the use and application of such modules, and these have been highlighted for further study and research by Debreceny et al, as their paper provides a whole new approach to monitoring and control and the development of audit systems and procedures within an e-commerce environment.

Hone and Eloff (2002) discussed the attributes of information security policy and the security controls that are used. They explain what constitutes a policy considering the implementation of security. There is also a problem related to fitting in with the organization’s culture. The information security policy helps in meeting security standards, although it may not be comprehensive in guidance.

The utilization of the COBIT framework has been studied by Ridley et al (2004) as they argue that “the control objectives for information and related technology (COBIT) is a "trusted" open standard that is being used increasingly by a diverse range of organizations throughout the world” (Ridley et al, 2004).
COBIT has been considered the most appropriate control framework to help an organization align its IT framework and business goals, emphasizing the business needs that would satisfy control objectives. The use of IT and the business goals of an organization should synchronize so that there is efficient and effective IT governance. IT governance is, according to the authors, “the structure of relationships and processes to develop, direct and control IS/IT resources in order to achieve the enterprise's goals” (Ridley et al, 2004). The deployment and use of information through the application of technology would be a critical success factor in the achievement of corporate success, and one research paper has revealed that large organizations tend to spend 50% of the capital investment on IT. The contribution of IT governance could vary in its effectiveness, and control frameworks are designed to promote effective IT governance so that control could be beneficial for the overall effectiveness of IT. The recent reports on organizations such as Enron have led to an increased necessity for corporate accountability, and in order to improve accountability, the Sarbanes-Oxley Act of 2002 and other such legislative measures have improved governance requirements, and now there are new measures in place for the promotion of effective IT governance. The corporate governance model, with an increased emphasis on IT governance, could focus on governance beyond the financial aspects.

Tyler (1999) discusses the implementation of COBIT in New South Wales Healthcare systems and studied 17 area health services facilities, public hospitals and health organizations spread across Australia; NSWH, one of the largest agencies of the government, employs around 100,000 people at a point of time. The use of COBIT in the health system of New South Wales is geared towards improving quality of service and providing impartial access to quality care and facilities.
In another study, van Solms (2005) investigated the complementary use of the COBIT and ISO 17799 reference frameworks used in companies for enhanced information security governance. The study highlights the level of synchronization between these frameworks and how they can be used in a complementary and coexistent manner.
REGULATORY REQUIREMENTS ON CORPORATE GOVERNANCE
“With the amount of effort still needed to address Sarbanes-Oxley, Basel II, and the European 8th Directive---to name but a few---compliance with regulations is expected to maintain its position as the top driver for information security going forward” (Ernst & Young (2005)).
These regulatory requirements constitute a large portion of the need for structure within organizations, and the implications for IT are substantial. In coordination with various financial and regulatory requirements, a new era of high-level corporate and IT thinking has emerged. A key driver for IT governance has, over the last couple of years, been these external demands, and the most significant one so far has been the Sarbanes-Oxley Act, described below. There are a few other important regulations, like Basel II, the European 8th Directive and MiFID, but they will not be discussed in this study and their implications for IT will not be taken into account (Schleifer A. & Vishny (1997)).
THE SARBANES-OXLEY ACT OF 2002
The Sarbanes-Oxley Act of 2002, SOX, has changed the world of reporting accountabilities as we know it. A number of corporate and accounting scandals, most notably Enron, Tyco International and WorldCom, reinvigorated the debate on regulating corporate governance. The loss of trust in large corporations' accounting and reporting practices became apparent. To restore the trust that investors and shareholders had lost, the Sarbanes-Oxley Act was created. The act was passed as United States federal law on July 30, 2002, initiated by its naming sponsors, Senator Paul Sarbanes and Representative Michael G. Oxley.
All companies, including subsidiaries, American or not, listed on American stock exchanges like NYSE, the New York Stock Exchange, or NASDAQ are required to comply with the Sarbanes-Oxley Act. “The two sections that should concern IT executives the most are 302 and 404(a) because they deal with the internal controls that a company has in place to ensure the accuracy of their data. This relates directly to the software systems that a company uses to control, transmit and calculate the data that is used in their financial reports.” Section 302 is characterized mainly by the CEO’s and CFO’s responsibility for internal control regarding the annual financial reporting (Dietrich, Robert (2004)). Section 404 demands that each annual report contain an internal control report which shall (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. Even though the act is focused on accounting and financial reporting, the importance of appropriate IT systems as an integral part of the reporting procedure is evident (PUBLIC LAW 107–204). The systems ensure the validity of information and provide fundamental structure to the reporting standards and assessments of financial data. Section 409 of the act expresses the real-time accounting demands and is central to the IT systems involved.
“REAL TIME ISSUER DISCLOSURES.—Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English, which may include trend and qualitative information and graphic presentations, as the Commission determines, by rule, is necessary or useful for the protection of investors and in the public interest.”
The relationship between IT systems and section 409 is described by Rob Smith, Co-Chair of Industry Solutions – SOX Committee, and Michael Kuhbock, Co-Chairman and Founder of the Integration Consortium. “The only way for issuers to be aware of real time information and trends on operations or the physical activities of their organization is for the issuers systems to report on anomalies and trends in real time and on an exception basis. As well, the integration of any new system into an organization will have to pass SOX compliancy before it is either selected or ‘plugged in’. Failure of control process, due to a systems failure will strictly fall under the 409 clause regarding “material change”.” (PUBLIC LAW 107–204) This could very well be one of the most grueling challenges in the compliance work and one of the reasons corporations struggle to find easily adopted, implemented and administered frameworks to facilitate the process of compliance. A framework is required by the act; however, the choice of framework is free. One such framework is provided by COBIT and another by COSO (Smith R., Kuhbock M.).
Chapter 3: COBIT Feature Analysis
Companies growing and merging with other businesses demand great changes to their infrastructure. The equities market space is constantly evolving and the implications for the IT systems and processes within the organizations are substantial.
Companies today depend to a great extent on the information stored and managed through IT, and many would not be able to operate without a functional IT structure. The increasing regulatory demands also put pressure on accounting, documenting and reporting through IT. The systems are required not only to support the operations of the companies, but also to report and store financial and organizational data to meet external demands. It is no longer enough to rely on talented individuals to manage IT projects; the projects regularly need to be structured as sustainable processes, where documentation and measurement are standardized. Many companies acknowledge this need and put more effort into standardizing the IT structure, policies and procedures and focus on aligning them with the business objectives. This practice is called IT governance and will be further explained and discussed throughout this report. To facilitate the governing of IT there are several frameworks available on the market. One of the most frequently used, and the one chosen in this work, is COBIT, the Control Objectives for Information and Related Technology (IT Governance Institute (2005), Control Objectives for Sarbanes-Oxley), which gives guidance from “best practices” derived from major global IT-related standards, practices and frameworks on processes and their constituents to aid in the work of governing IT. Thus the focus is on corporate governance, on the development of internal IT systems and on the integration of the COBIT framework within the auditing system. This in turn would highlight the changes in auditing and evaluation systems within large corporations following the major auditing scandals; these changes are not just legal but also deal with systems, infrastructure, management and technology. There are various stages in the development of audit, and with the development of certification and processes of application, auditing processes can also be used for IT outsourcing.
Leem and Lee (2004) discussed the use of ASP (Application Service Provider), a service that provides access to data located externally. The reliability and efficiency of the ASP service would be determined by certification and audit processes, and this is especially important for information systems. Certification and auditing are important aspects of ASP and of all similar service providers that use IT systems for basic functioning. Leem and Lee used a survey of 35 Korean companies and their concerns about the advantages of ASP services. The verification processes of ASP services and the reliability of the services and applications were discussed. The traditional information systems and audit processes are redefined with the new ASP frameworks, and in a similar manner the use of COBIT could be explained as essential for the modernization of IT systems and auditing processes. This could help in improving the efficiency of auditing processes in general. The thesis will deal extensively with COBIT and other management practices such as ITIL, and with the necessity to upgrade IT systems and frameworks. The COBIT framework could be used for the internal auditing system and also for general corporate governance of global businesses. The Control Objectives for Information and related Technology, or COBIT, is an IT governance framework and a set of best practices for information technology (IT) management. It is not just an IT governance framework but also a supporting toolset that helps in associating technical issues and business risks with the control requirements of a business organization. The COBIT framework was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996 (Isaca, 2007).
Figure 2: The COBIT Framework (Source: COBIT 4.1 Executive Summary, ISACA.org, 2007)
Figure 2 shows the COBIT framework elements being mapped onto the IT governance focus areas.
The overall design of the framework is as presented below:
(a) There are four broad groups comprising 34 processes each. These processes make use of IT resources available within the organization.
(b) All the 34 processes possess high-level control objectives.
(c) A total of 318 control objectives and corresponding audit guidelines are presented in the framework.
(d) For each of the 34 processes, management guidelines, maturity models, critical success factors, key goal indicators and key performance indicators are presented.
The entire framework is designed to present controls that are applicable to three audiences: management, for balancing risk and control investment; users, for getting assurance of the security and controls of IT services; and auditors, for advising management on the overall system of internal controls. [ISACA.org. 2007; Butler, Raymond J. 2004]
The research is done to achieve the following objectives:
(a) To assess and verify the effectiveness of the COBIT framework as an internal auditing system for verifying the effectiveness of the establishment, maintenance, measurement and improvement of the internal control governance framework of organizations that largely depend upon IT to run their businesses.
(b) To analyze the advantages and disadvantages of the COBIT auditing framework in meeting the business requirements of information management, control and security.
(c) To assess the problems faced by organizations in managing the COBIT auditing framework as a Business As Usual (BAU) system.
The COBIT cube discussed above shows the comprehensive uses and applications of COBIT for enhancing the internal auditing process and business processes in general.
However, the various contexts in which COBIT has been applied or could be applied can be understood through a wider range of studies, and the literature review has been conducted to provide a wide view of security and information management, the use of computing systems and networks, and particularly the use of COBIT in various organizations and contexts. Later on, two case studies are discussed to show how the applications of COBIT could be compared qualitatively using different business contexts and situations. COBIT provides a common IT framework for managers, evaluators, assessors, auditors and IT specialists, who work with a set of rules and processes and follow best practices that help to maximize benefits through the use of information technology, so that there can be the right kind of corporate and IT governance framework in their company. COBIT helps organizations to meet their business risks and challenges successfully. Business processes tend to have a critical dependence on IT systems, and the COBIT framework provides this support to businesses so that they can easily handle risks and security management issues (Isaca, 2007/2009). According to the Information Systems Audit and Control Association (ISACA), the advantages of using COBIT are as follows:
1. COBIT is an IT governance framework and supporting toolset allowing managers to bridge the gap between control requirements, technical issues and business risks.
2. COBIT enables policy development and good practice for IT control throughout business and policy-making organizations.
3. COBIT emphasizes regulatory compliance and has strict rules and regulations, processes and indicators, and helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.
4. COBIT 4.1, the latest version, is used to enhance work already done using earlier COBIT versions and does not invalidate previous work or make it irrelevant in any way, suggesting that advanced versions of COBIT could be used in integrated and upgraded IT control frameworks without much difficulty; there should be no problem using older COBIT frameworks along with the newer version, and they should be easy to use and access and should also be compatible. (from ISACA, 2009)
The use of COBIT in corporate auditing and management practices could be considered complementary to the use of all other advanced IT systems, as is the common practice with IT frameworks in corporate governance and management. COBIT suggests an advancement in IT management and represents a system that could make the accounting and auditing process not just technologically superior but also transparent and manageable. The role of IT and COBIT frameworks in corporate frameworks will thus have to be studied in accordance with the requirements of corporations, the advances in IT, and the new IT systems available, along with the upgrades and the management policies and frameworks. The objectives and directions of a company will thus have to follow the basic rules of management, which in turn depend on IT systems and requirements. In this project, the advanced IT systems for the management of a corporation are considered, and an analysis and evaluation is drawn between COBIT and other IT systems. The usability of COBIT is considered, and the features, unique attributes and requirements of other IT systems are also discussed. Following this, an exposition of the nature of the audit process, the issues in accounting and auditing and the different advanced IT systems could be considered and analysed.
The thesis here is that IT management is significantly holistic and involves the participation of not just IT managers and analysts but also the other management and administration staff who could efficiently handle all IT-related requirements during the auditing and financial management or other management processes. The IT requirements are especially significant for the complete working of the internal auditing system, as internal auditing would depend on upgraded technological systems, including hardware and software support, that would help in maintaining a detailed financial accounting procedure. This essay could help in the identification of COBIT and other IT systems and the advantages and disadvantages of using them. The emphasis is on the use of COBIT and other such IT systems that could enhance the auditing process of any financial organization; using COBIT and such systems could have several advantages related to the advancement of the IT system in general within a corporate organization. The use of such systems, the features or attributes of COBIT and similar IT systems, and the changes that could be implemented by such systems within the framework of the IT requirements of auditing firms are considered. The objectives and vision of a company are first considered, along with the infrastructural facilities available and the advanced IT systems available at the company offices. These are then compared to provide an analysis of what kind of company goals could possibly be met with the type of IT facility provided, and what further IT system or infrastructural changes would be necessary to meet all company objectives or to further improve company auditing and financial reporting.
COBIT and related IT systems are especially important in auditing and financial reporting and help to enhance the accounting procedures of a company, making them accessible, transparent and detailed, requirements that have become extremely important in public accounting, especially after the accounting scandals of major corporations (Isaca, 2007). IT systems could provide accountability and transparency, and that is why they are very important to accounting and other major firms. The introduction and use of advanced IT systems and frameworks like COBIT also helps companies from a legal point of view: with the increased accountability provided by these IT systems, companies are able to maintain a strong legal stance as far as accounting practices and ethical requirements in practice are concerned.
Chapter 4: Methodology
The methodology of the study includes assessment and evaluation of the auditing systems used by different firms and the accounting and information systems used. The IT systems could be guided by COBIT, a framework that provides an assessment of all internal IT requirements of a company, especially the IT features that are associated with auditing and accounting activities. The methodology of this project includes using major journal databases to assess the importance of the COBIT framework, and internet searches using search engines such as Google Scholar have been used to locate the right kind and amount of sources for the project. Thus the first stage of the project methodology would be to search for relevant articles and journal research papers with the search terms ‘COBIT’ and ‘IT management’ to locate adequate resources for the project and for the literature review. The literature review was conducted with the chosen articles on the applications and uses of COBIT in a corporate or any business environment.
The literature review conducted provided a comprehensive outline of the nature of COBIT, the applications of COBIT and the use of advanced IT management systems within any business organization.
Review of Literature
The literature review has also covered IT management, security management, knowledge management using COBIT and other systems, and the general advantages of COBIT within a management framework. The real features of COBIT could be associated with its use and applications, as in the case of providing guidance to information systems in a company; the COBIT framework provides guidance about the appropriate framework that could be used to support and enhance the functioning of IT systems within a business environment. The literature review would be bolstered by a hypothesis emphasizing that using the COBIT framework in IT systems greatly enhances the management and operations of an organization. The hypothesis is that the use of COBIT as an IT framework is largely beneficial for organizational management and could be especially advantageous in operations related to auditing and accounting and in measures related to security, IT and performance management within an organization. The next stage, following the literature review in which an analysis is drawn of the IT systems in management and issues such as performance and security are discussed, would be the methods of data collection and the analysis of data with the results obtained. Here data collection would be largely from research papers, white papers, annual reports, and research reports and analyses on the use of COBIT by companies and how the use of the COBIT framework has been beneficial for the company’s general IT management and performance.
Research Methodology
The methodology is based on analysis of research data using the comparative analytic method, and a qualitative analysis is done in this case, as the white papers and findings of two companies that used COBIT for their businesses are discussed.
A comparative analysis is drawn between the white paper releases and reports of these companies, which are in turn provided in the results in tabular form. The qualitative analysis is thus drawn with tabular results which compare the findings of the two companies from the white papers, and these are a shortened version of company activities. Allstate and Coopers and Lybrand are the two companies discussed here, and the white papers of these companies reveal that their IT systems have been significantly enhanced after the use of the COBIT framework; both companies have in a way benefited from COBIT, although these benefits have been mentioned in different contexts. The differences in the facts or background of the companies and in their use of COBIT frameworks are analyzed and compared, along with the processes for which COBIT was used, the results and benefits, and how COBIT was implemented in the IT and management systems. The methodology for this paper is thus based on qualitative rather than quantitative data. Whereas quantitative data analysis deals with means, standard deviations, correlations and other measures, qualitative data analysis is more about content analysis, in which the content of research papers, reports and white papers is analysed and their features or facts are compared. Thus the methodology adopted is qualitative comparative analysis, and primary data are obtained from company reports and findings on how the COBIT framework has been beneficial within the organization, especially with reference to working on IT systems with external clients. All dimensions of company data are considered, and the current white papers used in this study have been obtained from the internet after a Google Scholar search; the data source is Techrepublic, a site which stores and provides access to company white papers, research reports and other data sources.
These two white papers have not been used extensively in the literature review, as the information they provide is used in the data and analysis sections.
Conclusion
The methodology revealed the importance of comparative qualitative analysis in such studies. Following the methodology, data in tabular form could be examined in the results section, drawing out a comparative analysis between the processes and facts of the two organizations as given in the white papers. In the analysis section, the focus would thus be on the similarities and differences between the two organizations, mainly in terms of their use and application of COBIT, as they seem to have used COBIT for common needs yet tend to use the framework to fulfil different objectives. The next part of the study involves obtaining and delineating data from two case studies, one of Allstate and the other of Coopers and Lybrand; the data are mainly based on how they used COBIT to enhance their operations and management. The Allstate case study also uses graphical representation.
Chapter 5: Data
Comparative COBIT Case Study Analysis between Coopers and Lybrand and Allstate – White Paper Analysis
CASE STUDY - I
COBIT and IT Governance Case Study: Allstate
FACTS
Allstate has assets in excess of US $134 billion, revenues of more than US $32 billion and nearly 40,000 employees. Allstate serves more than 16 million households and is the largest publicly held property and casualty insurance company in the United States. Before 2000, Allstate Internal Audit did not have a formal IT control framework in place. In 2000 Allstate internal audit implemented a formal IT control framework and adopted Control Objectives for Information and related Technology (COBIT), and Allstate internal audit uses COBIT to scope and plan all audits. Allstate’s infrastructure group has been trying to build appropriate COBIT controls into select infrastructure processes.
After the Sarbanes-Oxley Act, Allstate began using COBIT to evaluate IT governance and control, to obtain benchmarks for assessing automated controls embedded in key business processes and to assess the control activities performed by the company’s application support team. COBIT helps ensure alignment between business strategies and technology investments. For Allstate, COBIT helps it achieve an effective balance of appropriate and consistent controls to improve the efficiency and effectiveness of the business. COBIT also provides a common control language that enabled related control and process communications. The new director of internal audit reviewed the department and business environment, and subsequently worked with senior management to adopt Control Objectives for Information and related Technology (COBIT) as the IT governance model under which the team would operate. It was demonstrated that COBIT provided a structured means to ensure consistent and appropriate IT controls throughout the company.
PROCESS
The process of introducing and adopting COBIT consisted of:
COBIT-based risk assessment approach
Interviews with strategic IT and business managers to obtain enterprise views about the key business objectives and potential risk areas
Development, marking and ranking, according to risk, of the critical application and infrastructure inventory
Evaluation of the risk ratings by business unit and the systems impact for each COBIT category
Identification of audits related to specific risk areas and development of the annual audit plan
Design of audit programs and templates based on COBIT objectives
Allstate has since used COBIT to scope, assess and document control activities associated with the company’s internal infrastructure areas.
Goals for implementing COBIT focus on:
Increasing awareness of the importance of IT controls
Bringing attention to corporate IT governance
Fostering management accountability
Improving client/auditor communication
Providing a risk assessment framework
The Allstate model for the IT control framework is given here:
[Figure: Allstate IT Control Framework (from Allstate Case Study White Paper)]
The team members performed an IT risk assessment of COBIT to identify the objectives that relate to Sarbanes-Oxley (figure 2) and mapped the risk-assessed subset of COBIT objectives to the company’s level 1, 2 and 3 processes. They further drilled down the level 3 COBIT objectives to each infrastructure area. Next they used the risk-ranked business processes to scope their level 2 work (key applications) and elements of their level 3 work (key operating systems). For the control documentation gathering process, the team developed summary-level control objectives (based on COBIT and customized by Allstate) that grouped like-kind COBIT objectives. This led to identifying which of the underlying COBIT objectives were important for each summary-level Allstate objective. Allstate plans on continuing to use COBIT as its IT framework and to drive its audit planning process and subsequent audit work. In addition, because it proved to be such a beneficial tool, COBIT will remain an integral part of the company’s ongoing Sarbanes-Oxley sustainment efforts.
Data Source: White Paper, from Techrepublic, accessed 2009 http://whitepapers.techrepublic.com.com/abstract.aspx?kw=COBIT&docid=113185
CASE STUDY – II
COBIT Case Study: Coopers & Lybrand (from White paper)
FACTS:
Coopers & Lybrand in the Netherlands has 100 EDP auditors in computer assurance services, many of whom already have in-depth knowledge of COBIT and are putting it to use for clients. Coopers and Lybrand have successfully implemented COBIT for several Coopers & Lybrand clients and are strong supporters of the framework.
The staff uses COBIT to develop improvement programs for client IT departments. The detailed control objectives of COBIT are used for better assessment of client systems management processes. For many clients the following phased approach is used:
Focus. Identifying business drivers for IT and assessing the level of business risks involved with the deployment of IT.
Evaluate. Assessing threats and vulnerabilities, identifying lacking or inadequate control measures and determining root causes.
Addressing control deficiencies. Agreeing upon action plans and applying internal control improvements.
Monitor. Ensuring continuous improvement through the implementation of adequate monitoring of the internal control measures put in place.
A unique benefit of COBIT is that Information Technology Infrastructure Library (ITIL) is one of the global standards on which COBIT is based. Developed in the UK, ITIL is popular in many countries. COBIT provides an excellent framework to perform these audits.
PROCESS
The process of using COBIT in various business situations is described below:
Airline company. This included measurements of effectiveness and efficiency of the IT department of an airline company. Coopers and Lybrand measured user satisfaction and, after analyzing the findings, performed a detailed review of IT processes based on COBIT guidance. As a result, procedures in the IT department were significantly improved with the use of COBIT as the guidance.
Network services supplier. A network provider implemented systems management based on ITIL. Coopers and Lybrand performed a third-party review and reported the results to clients of the provider. Their staff used the COBIT framework to perform the audit.
Not-for-Profit. Based on COBIT's principles and ITIL, the company conducted an improvement program for the IT department of a charity/NGO.
Chamber of Commerce. Several mergers and significant business changes had affected the organization's IT environment.
The COBIT framework was also used to implement an appropriate improvement program for mergers and business changes.
Bank. A Dutch bank needed documentation of baseline controls for several platforms. Baseline controls were described for RS/6000, Windows NT servers and several network components. For the systems management part of the baseline controls Coopers and Lybrand used and consulted the detailed control objectives from COBIT.
Data Source: White paper from Techrepublic, accessed 2009 http://whitepapers.techrepublic.com.com/abstract.aspx?kw=COBIT&docid=93580
Chapter 6: Results and Analysis
The white papers suggest the applicability of COBIT frameworks in several situations and in nearly all business contexts from management of IT systems to improvements of organizational environment. The results could be drawn in the form of a comparative analysis and the main features of the two case studies could be discussed. A comparative analysis between the two cases could be given as follows:
Data Source: White Papers, Techrepublic
Case Study – I (Allstate)
FACTS:
Allstate has assets in excess of US $134 billion, revenues of more than US $32 billion and nearly 40,000 employees.
Allstate serves more than 16 million households and is the largest publicly held property and casualty insurance company in the United States.
Before 2000, Allstate Internal Audit did not have a formal IT control framework in place.
In 2000 Allstate internal audit implemented a formal IT control framework and adopted Control Objectives for Information and related Technology (COBIT) and Allstate internal audit uses COBIT to scope and plan all audits.
Allstate’s infrastructure group has been trying to build-in appropriate COBIT controls into select infrastructure processes.
After the Sarbanes-Oxley Act, Allstate began using COBIT to evaluate IT governance and control, to obtain benchmarks for assessing automated controls embedded in key business processes and assess the control activities performed by the company’s application support team.
COBIT helps ensure alignment between business strategies and technology investments.
For Allstate, COBIT helps it achieve an effective balance of appropriate and consistent controls to improve the efficiency and effectiveness of the business.
COBIT also provides a common control language that enabled related control and process communications.
PROCESS:
The process of introducing and adopting COBIT consisted of:
COBIT-based risk assessment approach
Interviews with strategic IT and business managers to obtain enterprise views about the key business objectives and potential risk areas
Evaluation of the risk ratings by business unit and the systems impact for each COBIT category.
Development, marking and ranking, according to risk, critical application and infrastructure inventory.
Identification of audits related to specific risk areas and development of the annual audit plan.
Design of audit programs and templates based on COBIT objectives
COBIT used to scope, assess document control activities associated with the company’s internal infrastructure areas.
Goals for implementing COBIT focus on:
Increasing awareness of the importance of IT controls
Bringing attention to corporate IT governance
Fostering management accountability
Improving client/auditor communication
Providing a risk assessment framework
Case Study – II (Coopers and Lybrand)
FACTS:
Coopers & Lybrand in the Netherlands has 100 EDP auditors in computer assurance services, many who already have in depth knowledge of COBIT
Coopers and Lybrand have successfully implemented COBIT for several Coopers & Lybrand clients and are strong supporters of the framework.
The staff uses COBIT to develop improvement programs for client IT departments.
The detailed control objectives of COBIT are used for better assessment of client systems management processes.
For many clients the following phased approach is used:
Focus. Identifying business drivers for IT and assessing the level of business risks involved with the deployment of IT.
Evaluate. Assessing threats and vulnerabilities, identifying lacking or inadequate control measures and determining root causes.
Addressing control deficiencies. Agreeing upon action plans and apply internal control improvements.
Monitor. Ensuring continuous improvement through the implementation of adequate monitoring of the internal control measures put in place.
PROCESS:
The process of using COBIT in various business situations is described below:
This included measurements of effectiveness and efficiency of the IT department of an airline company. Coopers and Lybrand measured user satisfaction and, after analyzing the findings, performed a detailed review of IT processes based on COBIT guidance. As a result, procedures in the IT department were significantly improved with the use of COBIT as the guidance.
A network provider implemented systems management based on ITIL. Coopers and Lybrand performed a third party systems review and reported the results to clients of the provider. Their staff used the COBIT framework to perform the audit.
Based on COBIT's principles and ITIL the company conducted an improvement program for the IT department of a charity/NGO.
Several mergers and significant business changes had affected the organization's IT environment. The COBIT framework was also used to implement an appropriate improvement program for mergers and business changes.
A Dutch bank needed documentation of baseline controls for several platforms. Baseline controls were described for RS/6000, Windows NT servers and several network components. For the systems management part of the baseline controls Coopers and Lybrand used and consulted the detailed control objectives from COBIT.
As seen from the first case study, Allstate is one of the major insurance companies in the US, with assets of over $134 billion and around 40,000 employees. Coopers and Lybrand, in contrast, is a smaller company but has around 100 EDP auditors who have good knowledge of COBIT. Although Coopers and Lybrand is a smaller organization, its expertise on COBIT is highly organized and the experts can use COBIT and other systems better than people at other organizations including Allstate. Before 2000, there were no major IT control frameworks available for Allstate and the internal audit system did not have any formal IT control structures. Since its addition, Allstate has been using the COBIT framework for IT systems management processes.

At Allstate, staff use COBIT for the better functioning of the organization and for internal auditing, whereas at Coopers and Lybrand the COBIT framework is used for IT systems and management of client businesses. Allstate has been using COBIT as its framework since 2000, whereas Coopers and Lybrand already has many COBIT experts on its staff, so the use of COBIT seems to be more efficient and useful for Coopers and Lybrand, which mainly uses COBIT to determine IT functionality problems of its clients.

Allstate uses COBIT controls for enhancement of infrastructure processes and also uses the COBIT framework for evaluation of IT governance and control objectives. It also uses COBIT for assessing automated controls that are found in key business processes and in the company’s applications. COBIT ensures that there is a positive link between investments in technology as maintained by the company and the business processes, strategies and objectives. Allstate also uses COBIT to maintain a balance of appropriate controls and to improve efficiency and effectiveness of business processes.

Coopers and Lybrand, on the other hand, uses COBIT as a guidance framework to enhance the IT control systems of their clients’ businesses. COBIT helps in developing and improving client IT programs. Allstate uses COBIT for better process control and communication, and Coopers and Lybrand primarily uses COBIT as guidance to improve client IT systems. Coopers and Lybrand has used COBIT to focus, monitor and evaluate threats and risks of organizational IT systems. It also helps to measure internal controls and objectives and identifies business drivers, assessing potential risks to the IT systems. Action plans and internal control monitoring are some of the aspects of COBIT used by Coopers and Lybrand.

The processes for which COBIT is used by the two companies tend to vary, with Allstate using COBIT for risk assessment programs, for evaluation of risk ratings and for designing of audit programs. Some of its goals seem to be improving client communication, fostering awareness of IT control, increasing management and auditing accountability and providing a risk assessment framework. For Allstate the application of the COBIT framework improves communication and enhances internal infrastructure as related to accounting and auditing.

Coopers and Lybrand, on the other hand, used COBIT to measure the effectiveness and efficiency of the IT system in an airline company by measuring user satisfaction. COBIT has also been used in a case for a network supplier, and auditing and accounting processes were completed with COBIT. Coopers and Lybrand also used the COBIT principles to perform an improvement programme for the IT department of a not for profit organization. COBIT also provides appropriate improvement programs for mergers and business acquisitions, and some of the clients have been aided by the COBIT framework as its principles are significantly related to better business processes, especially those that have to deal with mergers and acquisitions.

Coopers and Lybrand also used detailed systems management processes of COBIT to implement baseline controls on several network components. COBIT thus seems to have a wide range of uses, from network controls to efficiency and improvement programs, mergers and acquisitions, accounting and auditing, improving communication and risk assessment. The Sarbanes Oxley Act of 2002 has largely emphasized the importance of accountability in auditing processes, and this is especially enhanced by the use of COBIT, ITIL and other auditing systems.

As seen from the discussion, COBIT and other IT systems could be used in various contexts and business situations, from airline IT control systems to not for profit sectors in which IT improvement programs are necessary. COBIT is also used in business organizations and by IT consulting firms that use COBIT as guidance to improve client programs and IT systems. COBIT is also used for improvement in communication and risk assessment, as well as in business processes, mergers, acquisitions, auditing and accounting using advanced IT technology. COBIT principles are also used for setting up network systems and for meeting baseline control objectives. A detailed chart on the uses and applications of COBIT could be drawn:

Figure 5: Chart showing applications of COBIT

This research has been based on a comparative qualitative analysis of two case studies, with both organizations using COBIT; this is the common feature that helped to draw a comparison between the two. The COBIT, ITIL and other IT systems discussed in this study helped analyze the uses of COBIT and how these could be applied in various business situations and contexts. In most cases, the advantages have been that COBIT provides a risk assessment framework and also helps in improvement of communication and IT systems within an organization.

Since the Sarbanes Oxley Act and the legal requirements for maintaining transparency in auditing processes, COBIT has been considered an IT framework that could provide advanced levels of security and performance management and also enhance accounting and auditing processes by making them more detailed, accessible and transparent. After the Enron scandal and other major corporate scandals resulting from poor accounting systems in organizations, the public and legislative bodies have called upon organizations to enhance their business processes by providing a system of transparent accounting and financial reporting, and this is how the COBIT framework has become an increasingly important part of IT systems for major organizations and corporate houses.

COBIT is now central and primary to the operations and IT management of an organization due to its comprehensive range of applicability and is recognized as a very effective IT tool by all major firms. The uses and benefits of COBIT are many, and it is also very adaptable and applicable to almost all business contexts. The fact that the latest versions of COBIT could be fully integrated with earlier versions makes it even more advantageous for businesses, as upgrades are very common in business environments.

According to ISACA, successful business organizations should understand the benefits of information technology (IT) and use this knowledge to drive their organization’s performance and their shareholders’ value (isaca.org, 2009). Business processes are critically dependent on IT, will have to comply with regulatory compliance demands and should also be able to manage business and security risks. To meet business challenges, COBIT provides a complete IT solution framework and toolkit that can be used effectively for the performance management, IT management, security and risk management of the organization.

The uses and applications of COBIT are varied, as already discussed, and the advantages are distinct, as COBIT tends to improve general management as well as management of a wide range of organizational areas such as security and IT. Considering this, COBIT could be used by organizations as one of the most effective tools of management that can enhance businesses and business processes to provide a comprehensive framework for functionalities within a firm. It is easy to access, apply and integrate COBIT into the existing framework of management of organizations. COBIT’s usability is generally accepted and known, and companies are eager to use COBIT to enhance their systems and IT frameworks as well as their methods, regulations and practices of management, all of which could be guided by the COBIT framework. This thesis has only highlighted the wide range of applicability of COBIT and its uses across business situations and contexts, and for a range of IT related, performance related or security management issues in large organizations.

Chapter 7: Conclusions

Corporate Governance is controlled by the legal & statutory machinery of the governments of the developed countries such that corporate fraud can be controlled. Sarbanes Oxley is one such act that requires a self assessed & certified internal control framework to be submitted by the executive management & board of directors of organizations. Given the modern era of IT enabled businesses, IT governance forms an integral part of Corporate Governance. COBIT is globally the most popular IT governance framework and has been adopted by a number of organizations to implement end to end internal control systems. This research proposal is presented hereby to assess how effective COBIT has been in meeting these expectations in the role of an Internal Auditing Framework. Two organizations that have adopted COBIT as the guidance framework for their own IT systems or client IT systems are chosen for the case study in this research.

The results from the comparative analysis have indicated that the COBIT framework has been used by both the organizations successfully for various purposes to enhance business efficiency as well as for performance and security management, risk assessment and IT improvement programs. The firms have also been using COBIT for improvement of communication processes and to enhance internal auditing processes and business infrastructure. As claimed by Brown and Nasuti (2005), the Sarbanes Oxley Act of 2002 could directly affect the governance of IT organizations. In their words, “sections of the Sarbanes—Oxley Act of 2002 (SOX) directly affect the governance of the IT organization, including potential SOX certification by the CIO, Section 404 internal control assessments, “rapid and current” disclosures to the public of material changes, and authentic and immutable record retention” (Brown and Nasuti, 2005, p.312).

The IT systems and security governance are studied and a relationship between implementation of Sarbanes Oxley and the COBIT applications is established. The range of features that COBIT has seems to be substantial, and the COBIT framework is used across many business situations and contexts as well. Thus COBIT seems to have varying applicability in various contexts and situations, which makes it one of the most effective IT systems frameworks used by companies. The use of COBIT in corporate governance has been delineated in some detail throughout this entire thesis, although further research would be necessary to understand the overall effectiveness of COBIT frameworks, and the applications of COBIT in wider contexts will have to be studied.

References

1. Bititci Umit S., Carrie Allan S., McDevitt Liam (1997) Integrated performance measurement systems: a development guide. International Journal of Operations & Production Management. Volume: 17 Issue: 5. Page: 522 – 534
2. Brown William, Nasuti Frank (2005) What ERP systems can tell us about Sarbanes-Oxley. Information Management & Computer Security. Volume: 13 Issue: 4. Page: 311 – 327
3. Brown William, Nasuti Frank (2005) Sarbanes-Oxley and Enterprise Security: IT Governance and What it Takes to Get the Job Done. EDPACS, Volume 33, Issue 2, pages 1 – 20
4. Butler, Raymond J. (2004) Applying the COBIT Control Framework to Spreadsheet Developments. H M Customs & Excise Computer Audit Service National Office.
5. Choon Seong Leem and Hong Joo Lee (2004) Development of certification and audit processes of application service provider for IT outsourcing. Technovation. Volume 24, Issue 1, January, Pages 63 – 71
6. COBIT 4.1 Excerpts – Executive Summary Framework. IT Governance Institute. ISACA.org. 2007.
7. Debreceny Roger, Gray Glen L., Tham Wai-Lum, Kay-Yiong Goh and Tang Puay-Ling (2003) The Development of Embedded Audit Modules to Support Continuous Monitoring in the Electronic Commerce Environment. International Journal of Auditing. Volume 7 Issue 2, Pages 169 – 185
8. Hamilton Scott and Chervany Norman L. (1981) Evaluating Information System Effectiveness - Part II: Comparing Evaluator Viewpoints. MIS Quarterly, Vol. 5, No. 4, pp. 79 – 86
9. Höne Karin and Eloff J. H. P. (2002) Information security policy — what do international information security standards say? Computers & Security. Volume 21, Issue 5, 1 October 2002, Pages 402 – 409
10. Kwo-Shing Hong, Yen-Ping Chi, Louis R. Chao, Jih-Hsing Tang (2003) An integrated system theory of information security management. Information Management & Computer Security. Volume: 11 Issue: 5. Page: 243 – 248
11. Medori David, Steeple Derek (2000) A framework for auditing and enhancing performance measurement systems. International Journal of Operations & Production Management. Volume: 20 Issue: 5. Page: 520 – 533
12. O'Leary Daniel E. (2007) Validation of Expert Systems - with Applications to Auditing and Accounting Expert Systems. Decision Sciences. Volume 18 Issue 3, Pages 468 – 486
13. Rezaee Zabihollah, Reinstein Alan (1998) The impact of emerging information technology on auditing. Managerial Auditing Journal. Volume: 13. Issue: 8. Page: 465 – 471
14. Ridley, G., Young, J., Carroll, P. (2004) COBIT and its utilization: a framework from the literature. System Sciences, Proceedings of the 37th Annual Hawaii International Conference.
15. Ross Tyler (1999) Implementing Cobit in New South Wales Health. EDPACS, Volume 27, Issue 1, July, pages 1 – 6
16. Sarbanes Oxley Act of 2002. H.R.3763. Findlaw.com. 2002.
17. Techrepublic. White paper from Techrepublic, accessed 2009. http://whitepapers.techrepublic.com.com/abstract.aspx?kw=COBIT&docid=93580
18. Techrepublic. White paper from Techrepublic, accessed 2009. http://whitepapers.techrepublic.com.com/abstract.aspx?kw=COBIT&docid=113185
19. Trček Denis (2003) An integral framework for information systems security management. Computers & Security. Volume 22, Issue 4, May 2003, Pages 337 – 360
20. von Solms Basie (2005) Information Security governance: COBIT or ISO 17799 or both? Academy for Information Technology, University of Johannesburg, Johannesburg, South Africa
21. http://www.ee.kth.se/php/modules/publications/reports/2007/XR-EE-ICS_2007_014.pdf, JOEL ETZLER
22. IT governance institute (2005), Control objectives for Sarbanes-Oxley
23. New face of COBIT http://www.isaca.org/PrinterTemplate.cfm?Section=Home&CONTENTID=27814&TEMPLATE=/ContentManagement/ContentDisplay.cfm
24. Dietrich, Robert (2004). Sarbanes-Oxley and the Need to Audit Your IT Processes, MKS
25. “Sarbanes and Oxley act of 2002” Section 404. PUBLIC LAW 107–204
26. Smith R., Kuhbock M. Sarbanes Oxley 404/409-Integration Organizations and SOX. www.integrationconsortium.org
27. Shleifer A. & Vishny (1997), A survey on corporate Governance. The Journal of Finance, 52(2)
28. Ernst & Young (2005), Global Information Security Survey