Using COBIT Framework for Section 404 Compliance
COBIT is a framework that provides broad guidance for evaluating IT controls. As such, COBIT takes into account much more than just the IT controls surrounding financial reporting. Many organizations ask whether COBIT can be used for Section 404 SOX compliance. The answer is yes: COBIT can be used for IT controls. However, the IT control objectives specified in COBIT need to be tailored to suit the requirements of the organization.
Even if a company were to make the effort to document its controls based on COBIT, it would still have to filter for the control objectives applicable to Sarbanes-Oxley compliance. Only control objectives relevant to the financial reporting process need to be addressed as part of 404. A lot also depends upon the IT environment in the organization and the applications underlying it. Testing of operating effectiveness is only required for applications and IT processes that directly relate to financial reporting. Some important points to keep in mind before using COBIT for Section 404 are:
1. Focus on the IT application and data owner processes that support the application.
2. COBIT should be tailored based on the specific needs of the organization.
3. The approach should stress only those applications linked to the financial reporting (FR) process.