Gartner Research

IT Risk Management and COSO

Published: 24 May 2006

ID: G00203185

Analyst(s): Fred Cohen


With the emergence of laws such as the Sarbanes-Oxley Act (SOX), particularly its Section 404, and the rising cost of information technology (IT) audits for public companies, enterprises are increasingly asking how to do cost-effective and meaningful IT risk management within the framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the framework referenced in the regulatory interpretation of SOX. In this overview, Principal Analyst Fred Cohen reviews the COSO framework and the SOX requirements and discusses how risk management under COSO can be applied to enterprise IT.

Table Of Contents



  • What Is Absolutely Mandatory
  • What Is Material and What Is Reasonable in Context
  • Objective Setting
  • Event Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information and Communication
  • Monitoring
  • Recommendations
    • Do Not Use the Minimum Compliance Approach
    • Use COSO
    • Who Is Responsible for What?
    • Process Implementation

The Details

  • SOX
    • The Reported Costs of Compliance
    • What Does the SEC Say About Compliance?
    • COSO Is the Gold Standard for SOX Compliance
    • The PCAOB
    • Nothing About IT?
    • Reasonable Control over Financial Records and Results
  • Risk Management, IT, and COSO
    • The COSO Risk-Management Purpose
    • The Goal of COSO Risk Management
    • Modeling the Business
    • Turning Business Models into Risk Management
    • What Does the Risk-Management Process Need to Know?
    • What Do Enterprises Need to Know About the Aspects of Business Processes for Risk Analysis?
    • What Does the Risk-Management Process Do with the Information?
    • How Does Control Then Change Operations?
    • Compare This to CobiT, ISO 17799, and Other Approaches
  • Some Clarity on What COSO Demands
    • Technical Solutions Are Not Always the Selected Approach
    • Some CEOs and CFOs Are Getting More Involved
  • Control Activities
  • Information and Communications
  • Monitoring



©2020 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.
