Evergreen Offers Tips for Internal Audit Frameworks
- By Jon William Toigo, Enterprise Systems
- November 7, 2005
In its latest IT management tip, Evergreen Systems, an IT technology and process
consulting firm, advises IT departments to take the lead in mapping business
audit standards to IT operations.
Although many organizations have adopted internal control standards set forth
by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
for business operations, they have yet to effectively map these higher level
controls to what IT actually does. Evergreen believes IT managers should take
the lead by mapping and communicating the links that exist between COSO and
commonly accepted IT frameworks such as IT Infrastructure Library (ITIL) and/or
Control Objectives for Information and Related Technologies (COBIT®).
COSO provides a business-focused common definition of internal controls, standards
and criteria against which companies and organizations can assess their control
systems. Aligning COBIT and ITIL through a COSO framework leads to a more organized
auditing process, particularly from an IT perspective. Mapping COSO to IT frameworks
such as ITIL and COBIT enables this by providing a clear picture to the organization
and auditors about how IT operations align to business control objectives.
"Our clients are concerned that auditors coming in with the COSO standards
as a guide won't know where to look or what to focus on when it comes to IT,"
says Joe Koester, VP of consulting services. "By mapping COSO to more IT-specific
frameworks and then sharing this information with auditors, we can ensure they
focus on the areas that relate directly to COSO and to what the business really