Compliance, November 12, 2025

Three foundational internal control frameworks: COSO vs COBIT vs NIST

Trying to manage internal controls these days is an uphill battle. Risks we thought we understood keep changing, especially when we consider technology risks. For those of us who work in the assurance world, we know that designing, implementing, and operating effective internal controls to mitigate complex risks is not just a question of compliance. Our work is a major factor in whether our organization survives. 

Many organizations adopt control or governance frameworks to provide structure, common terminology, and guidance on how to design, implement, assess, and improve controls. Some frameworks, like COSO, focus on internal controls and financial reporting. Others, like COBIT, specialize in IT governance, and some are more specific to cybersecurity risk, such as NIST CSF. Each framework addresses different but related concerns. In practice, leading organizations use all three of these foundational control frameworks together. In this article, we’ll examine these frameworks, compare their goals, and offer guidance on when and how to use them together to help our organizations succeed.

COSO — Internal controls basics

The COSO framework was a joint effort from organizations like the AICPA and the Institute of Internal Auditors to create a standard internal control framework. COSO’s focus is on designing, implementing, and maturing internal controls to support three broad categories of objectives:

  1. Effective and efficient operations
  2. Reliability, timeliness, and transparent reporting
  3. Compliance with applicable laws and regulations

Organizations use COSO as a framework to create a control environment that provides “reasonable assurance” that business objectives are met by developing a purposefully designed system of controls specific to their needs.

Structure: Components and principles, not specific controls

COSO categorizes its internal control framework into five interrelated components, which work in an integrated fashion.

  1. Control environment

    The control environment component includes organizational governance, which we often refer to as the “tone at the top” objectives. Governance consists of the integrity and ethical values of the organization, oversight by the board and audit committee, organizational structure, assignment of authority and responsibility, and human resource practices.
  2. Risk assessment

    The organization must identify and analyze risks to the achievement of its objectives across operations, reporting, and compliance. Risk assessment should consider both internal and external factors, changes over time, and ultimately estimate the likelihood of the risk affecting the organization and its impact if and when it does happen. 
  3. Control activities

    Control activities are the processes established to ensure that risk responses are carried out. Controls could be preventive to stop errors or fraud from occurring, or detective to discover anomalies. The controls can also be manual or automated, depending on the systems driving them. 
  4. Information and communication

    For controls to function, relevant information must be identified, captured, and communicated in a timely way, both internally and externally. Information must flow throughout the organization in whatever medium works best for communication.
  5. Monitoring activities

    The control environment must be monitored, and issues should be reported and remediated. Monitoring ensures the system adapts to change, that deficiencies are identified, and that controls remain effective. The audits performed by internal and external auditors, risk management’s evaluations, and management’s self-assessments all contribute to monitoring.

A common misconception is that COSO dictates the controls an organization should include. COSO is a high-level, principles-based framework, and it generally does not provide detailed implementation guidance. The goal is to design your own controls using COSO as a guide for the areas and types of controls to include. The output is often a “control matrix” aligning risks, control objectives, and control activities with COSO’s objectives.

COBIT — IT governance, control, and management

COBIT was developed by ISACA to provide a comprehensive framework to help organizations govern and manage their information and technology assets in a way that aligns with business objectives, optimizes value, manages risk, and ensures accountability.

COBIT is often viewed as a bridge between business goals and IT operations since it addresses IT governance, resource management, and alignment of IT with enterprise strategy, while integrating with other frameworks.


Structure: Domains, governance, and management objectives

COBIT organizes its content into two broad domains: Governance and Management. In the governance domain, the IT function is positioned to support the organization’s needs, monitor performance, and ensure continuous improvement. The management domain covers the process of planning, building, running, and monitoring the IT function.

Within these domains, COBIT defines governance and management objectives such as:

  • Evaluate, direct, monitor – The focus is on setting direction, overseeing management’s performance, and ensuring accountability.
  • Align, plan, organize – Key activities include defining IT strategy, managing enterprise architecture, managing risk, innovation, and security, and establishing roles and responsibilities. Essentially, this domain ensures that IT is planned and structured for success before execution begins.
  • Build, acquire, implement – The goal is to ensure new systems, processes, or changes are delivered efficiently, securely, and with minimal risk. This domain includes project and program management, change control, solution delivery, and knowledge transfer to operations.
  • Deliver, service, support – The objective includes incident and problem management, service requests, security operations, and continuity management. The goal is to ensure reliable, secure, and efficient IT services that meet business needs and maintain user satisfaction.
  • Monitor, evaluate, assess – The focus includes monitoring internal controls, evaluating compliance with policies and regulations, and assessing performance against objectives. The aim is to promote continuous improvement and maintain assurance that IT governance and management systems remain effective.

Because COBIT is very detailed, organizations often choose a subset of processes to focus on initially — like processes around security, change management, or asset management — and then expand over time.

NIST CSF — Cybersecurity framework

The US government developed the NIST Cybersecurity Framework (CSF) to improve critical infrastructure cybersecurity, but over time, it has been broadly adopted by organizations of all types. Like other NIST frameworks, NIST CSF is a voluntary, flexible framework designed to help organizations identify, assess, manage, and reduce cybersecurity risks. While the framework does not mandate specific technologies or controls, it provides a high-level taxonomy and methodology, working well in combination with other existing standards and control sets.

Structure: Core, organization profiles, and tiers

NIST CSF has three main parts that organizations can use when implementing the framework:

  1. CSF core

    CSF core is a set of five high-level functions, each subdivided into categories and then subcategories. The five functions are:
    • Identify — develop an understanding of the organizational environment, risks, assets, and governance.
    • Protect — develop and implement safeguards and controls to ensure delivery of critical services, like access controls, data security, training, and maintenance.
    • Detect — implement timely discovery of cybersecurity events.
    • Respond — take action regarding detected cybersecurity events.
    • Recover — maintain resilience, restore capabilities, and services after a cybersecurity incident.
    The five functions are general enough to allow an organization to apply them to its unique circumstances, such as geography, industry, sector, and technology.
  2. CSF organizational profile

    CSF organizational profiles represent the alignment of the Core’s functions with the current state of the organization or a target state. In effect, you map which subcategories apply, how well you're achieving them today, and where you want to be in the future.
  3. CSF tiers

    CSF tiers describe the degree to which an organization's cybersecurity risk management practices exhibit certain characteristics, like the level of the cyber program’s proactiveness, formality, or agility. The tiers represent the degree of integration, initiative, and sophistication in cybersecurity risk management.

By considering the organization’s Profile and Tier, teams can then assess controls implemented against the Core framework to identify gaps and prioritize improvements.

Comparing and combining: COSO vs COBIT vs NIST CSF

The three frameworks previously discussed serve different but complementary purposes. Understanding where they overlap, where they differ, and how they might integrate is important for any organization that is considering adoption.

  • COSO

    COSO is broadest in terms of internal control, corporate governance, and risk across financial, operational, and compliance domains. Its primary orientation is internal control and assurance.
  • COBIT

    COBIT focuses on IT governance and management to ensure IT delivers value and manages risk in line with business goals, including but not limited to cybersecurity risk.
  • NIST CSF

    NIST CSF is concentrated on cybersecurity risk by identifying, protecting, detecting, responding, and recovering from cyber threats.

When comparing COSO vs COBIT, COSO is the highest-level governance framework, and COBIT complements COSO by adding an IT-specific element. For organizations considering COBIT vs NIST CSF, keep in mind that NIST CSF is tightly focused on cybersecurity, while COBIT is more generally used for overall IT governance and management.

COSO provides a foundation for internal control and risk management as the top-level control environment. Then, COBIT can sit inside COSO as the specific governance framework for IT processes by mapping COBIT processes and controls into COSO’s objectives, risk assessment, and control activities. Finally, NIST CSF can focus specifically on cybersecurity risks within the IT domain, with its functions and controls feeding into COBIT and COSO. By layering the frameworks, you gain both the breadth of COSO and the depth of COBIT and NIST CSF in your control and governance program.

Public company example

To demonstrate how COSO vs COBIT or COBIT vs NIST CSF can be applied in an organization, let's consider a public company as an example. Any publicly traded company must adhere to financial reporting regulations like Sarbanes-Oxley (SOX), but it also needs a strong IT control program that defends against cybersecurity threats.

The company would initially adopt the COSO framework to establish an enterprise-wide internal control and risk management system. COSO would assist in defining the tone at the top with the board and audit committee. From there, management will set business objectives, establish internal control over financial reporting, implement operational control activities, and develop monitoring procedures.

Deeper within the company, IT management could utilize the COBIT framework to strengthen governance over IT operations. For example, COBIT processes define IT strategy and would align with COSO’s business objectives. The COBIT processes selected include change management, incident management, access management, and asset management, which will overlap with elements of the COSO framework and with specific SOX controls.

The IT Security team would then further align their internal control activities with NIST CSF to address cybersecurity risks. The security team could work to identify and document their controls and perform a gap analysis to pinpoint areas needing process improvements. Many of the cybersecurity controls would align with COBIT processes, COSO objectives, and specific SOX requirements.  
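As an added illustration of the layering described above and of the public company scenario (this is example code written for this article, not the author's, ISACA's, COSO's or NIST's own tooling), the following Python builds a single control register in which each control is tagged with the COSO component, COBIT domain and NIST CSF function it evidences, then runs a current-versus-target profile gap analysis. The control IDs, descriptions and maturity scores are constructed sample data; the 0–4 maturity scale and the SOX flag are assumptions made for the example.

```python
"""Layered control register: one control evidences COSO, COBIT and NIST CSF at once.

Added example for this article, not the author's or any framework body's code.
Control IDs, descriptions and maturity scores below are constructed sample
data; the framework tags are the component, domain and function names the
article lists.
"""
from dataclasses import dataclass

COSO_COMPONENTS = ("Control environment", "Risk assessment", "Control activities",
                   "Information and communication", "Monitoring activities")
COBIT_DOMAINS = ("Evaluate, direct, monitor", "Align, plan, organize",
                 "Build, acquire, implement", "Deliver, service, support",
                 "Monitor, evaluate, assess")
CSF_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
FRAMEWORKS = {"coso": COSO_COMPONENTS, "cobit": COBIT_DOMAINS, "csf": CSF_FUNCTIONS}


@dataclass(frozen=True)
class Control:
    control_id: str   # constructed identifier
    description: str
    coso: str         # COSO component the control evidences
    cobit: str        # COBIT domain the control belongs to
    csf: str          # NIST CSF function the control supports
    sox: bool         # also a key control over financial reporting (SOX)
    current: int      # current-profile maturity, 0 (absent) .. 4 (optimized), assumed scale
    target: int       # target-profile maturity on the same scale


def validate(control: Control) -> None:
    """Reject tags that are not real category names and scores off the scale."""
    for framework, names in FRAMEWORKS.items():
        if getattr(control, framework) not in names:
            raise ValueError(f"{control.control_id}: unknown {framework} tag")
    for score in (control.current, control.target):
        if not 0 <= score <= 4:
            raise ValueError(f"{control.control_id}: maturity {score} outside 0..4")


# Constructed sample register for the public-company scenario.
CONTROL_MATRIX = [
    Control("CTL-01", "Board and audit committee review IT risk quarterly",
            "Control environment", "Evaluate, direct, monitor", "Identify", False, 3, 3),
    Control("CTL-02", "Annual IT risk assessment feeds the enterprise risk register",
            "Risk assessment", "Align, plan, organize", "Identify", True, 2, 3),
    Control("CTL-03", "Changes approved and tested before production deployment",
            "Control activities", "Build, acquire, implement", "Protect", True, 3, 4),
    Control("CTL-04", "Quarterly user access review of financial applications",
            "Control activities", "Deliver, service, support", "Protect", True, 1, 3),
    Control("CTL-05", "Security alerts triaged and escalated within agreed times",
            "Information and communication", "Deliver, service, support", "Detect", False, 2, 4),
    Control("CTL-06", "Incident response playbooks exercised annually",
            "Control activities", "Deliver, service, support", "Respond", False, 2, 3),
    Control("CTL-07", "Backups restored and verified on schedule",
            "Control activities", "Deliver, service, support", "Recover", True, 3, 3),
]
for _control in CONTROL_MATRIX:
    validate(_control)


def uncovered(matrix, framework):
    """Categories of one framework that no control in the register evidences."""
    covered = {getattr(c, framework) for c in matrix}
    return [name for name in FRAMEWORKS[framework] if name not in covered]


def gap_analysis(matrix):
    """Controls below their target profile, widest gap first; SOX key controls
    rank ahead of other controls with the same gap."""
    gaps = [(c.control_id, c.target - c.current, c.sox)
            for c in matrix if c.current < c.target]
    gaps.sort(key=lambda g: (-g[1], not g[2], g[0]))
    return [(control_id, gap) for control_id, gap, _ in gaps]


def sox_below_target(matrix):
    """Key financial-reporting controls that also fall short of the target profile."""
    return [c.control_id for c in matrix if c.sox and c.current < c.target]


if __name__ == "__main__":
    for framework in FRAMEWORKS:
        print(f"{framework.upper()} categories with no control: "
              f"{uncovered(CONTROL_MATRIX, framework)}")
    print("Remediation order (control, gap):", gap_analysis(CONTROL_MATRIX))
    print("SOX key controls below target:", sox_below_target(CONTROL_MATRIX))
```

Two things the register shows that the prose does not. First, a single control such as the quarterly access review carries a COSO, a COBIT and a CSF tag at once, so one piece of evidence serves all three frameworks and the SOX program. Second, a per-control gap list can never reveal that a whole framework category has no control at all; in the sample data the COSO "Monitoring activities" component and the COBIT "Monitor, evaluate, assess" domain are empty, which only the coverage check surfaces.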

Conclusion

When we compare COSO vs COBIT or COBIT vs NIST CSF, we reveal that these are complementary frameworks that help organizations manage controls, governance, and cybersecurity risk:

  • COSO is foundational, broad, and oriented around internal controls and enterprise risk
  • COBIT provides structure, processes, metrics, and governance for IT
  • NIST CSF brings a cybersecurity-centered, outcome-based approach to identifying, protecting, detecting, responding, and recovering from threats

Used thoughtfully and in combination, these frameworks allow organizations to balance consistency and flexibility, achieve alignment between business and IT objectives, and continuously mature their risk and internal control environment.
