COBIT Version 4.1
COBIT released the fourth version of its control framework in December 2005. Version 4.1 of COBIT was released as an update in 2007. The framework approaches IT controls by looking at all of the information needed to support business requirements and the associated IT resources and processes. COBIT is intended for management, users, and auditors (mostly IT auditors).
Sarbanes-Oxley Section 404 is strictly focused on internal controls over financial reporting. All users of COBIT must first determine the relevance of a significant IT process or IT-dependent process by assessing its primary contributions to internal controls over financial reporting, rather than to the broad spectrum of IT control processes encompassed by COBIT. One way to ensure that IT is properly anchored to a significant account, business process, or major class of transaction is to critically question the role of IT in risk mitigation and in enhancing the integrity of financial reporting and financial-statement assertions. IT auditors have a new opportunity to add value by evaluating the design and operating effectiveness of automated application controls end-to-end in addressing fraud, yet this scope is not explicit in COBIT.
It is important that auditors select relevant IT Control Objectives from COBIT when defining their Sarbanes-Oxley scope. IT’s unique contribution centers on its ability to enhance the integrity, security, and availability of financial information within those identified business processes, as well as to safeguard assets – most notably information assets.