By: Janet L. Colbert, Ph.D., CPA, CIA
and Paul L. Bowen, Ph.D., CPA
In recent years, increased attention has been devoted to internal control by auditors, managers, accountants, and legislators. Five recently issued documents are the result of continuing efforts to define, assess, report on, and improve internal control. They are: the Information Systems Audit and Control Foundation's COBIT (Control Objectives for Information and related Technology), the Institute of Internal Auditors Research Foundation's Systems Auditability and Control (SAC), the Committee of Sponsoring Organizations of the Treadway Commission's Internal Control - Integrated Framework (COSO), and the American Institute of Certified Public Accountants' Consideration of the Internal Control Structure in a Financial Statement Audit (SAS 55), as amended by Consideration of Internal Control in a Financial Statement Audit: An Amendment to SAS 55 (SAS 78).
COBIT (1996) is a framework providing a tool for business process owners to efficiently and effectively discharge their IS control responsibilities. SAC (1991, revised 1994) offers assistance to internal auditors on the control and audit of information systems and technology. COSO (1992) makes recommendations to management on how to evaluate, report, and improve control systems. SASs 55 (1988b) and 78 (1995) provide guidance to external auditors regarding the impact of internal control on planning and performing an audit of an organization's financial statements.
Because different bodies developed the documents to address the specific needs of their own audiences, some disparities may exist. Nevertheless, each document focuses on internal control and each audience, i.e., internal auditors, management, and external auditors, devotes much time and effort toward establishing or evaluating internal controls. Therefore, comparing the internal control concepts presented in these documents is of interest to members of all three audiences.
A comparison of the five documents reveals that each builds on the contributions of the previous documents. COBIT incorporates both COSO and SAC as source documents. It takes its definition of control from COSO and its definition of IT Control Objectives from SAC. SAC embodies the internal control concepts developed in SAS 55, COSO uses the internal control concepts in both SAS 55 and SAC, and SAS 78 amends SAS 55 to reflect the contributions to internal control concepts made by COSO. In particular, SAS 78 responds to the Winters and Guy (1992) call for a reconciliation of the internal control concepts presented in the COSO report and SAS 55.
This article summarizes the four documents (SASs 55 and 78 are treated as one) and compares the internal control concepts presented in each. The following table notes the major issues presented.
Comparison of Control Concepts

| | COBIT | SAC | COSO | SASs 55/78 |
|---|---|---|---|---|
| Primary Audience | Management, users, information system auditors | Internal auditors | Management | External auditors |
| IC viewed as a | Set of processes including policies, procedures, practices, and organizational structures | Set of processes, subsystems, and people | Process | Process |
| IC Objectives (organizational) | Effective & efficient operations; confidentiality, integrity and availability of information; reliable financial reporting; compliance with laws & regulations | Effective & efficient operations; reliable financial reporting; compliance with laws & regulations | Effective & efficient operations; reliable financial reporting; compliance with laws & regulations | Reliable financial reporting; effective & efficient operations; compliance with laws & regulations |
| Components or Domains | Domains: planning and organization; acquisition and implementation; delivery and support; monitoring | Components: control environment; manual & automated systems; control procedures | Components: control environment; risk management; control activities; information & communication; monitoring | Components: control environment; risk assessment; control activities; information & communication; monitoring |
| Focus | Information technology | Information technology | Overall entity | Financial statement |
| IC Effectiveness Evaluated | For a period of time | For a period of time | At a point in time | For a period of time |
| Responsibility for IC System | Management | Management | Management | Management |
| Size | 187 pages in four documents | 1193 pages in 12 modules | 353 pages in four volumes | 63 pages in two documents |