PrepAway - Latest Free Exam Questions & Answers

For what purpose was the COSO framework developed?


A. To address fraudulent financial activities and reporting

B. To help organizations install, implement, and maintain CobiT controls

C. To serve as a guideline for IT security auditors to use when verifying compliance

D. To address regulatory requirements related to protecting private health information

Explanation:

A is correct. COSO is an acronym for the Committee of Sponsoring Organizations of the Treadway Commission, which was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an organization that studies deceptive financial reports and the factors that lead to them. The COSO framework was therefore developed essentially to deal with fraudulent financial activities and reporting. In practice, COSO helps ensure that public companies that report their financial information to the Securities and Exchange Commission (SEC) are telling the truth and not "cooking the books."

B is incorrect because COSO preceded CobiT; COSO therefore could not have been developed to help organizations install, implement, and maintain CobiT controls. CobiT was derived from the COSO framework and offers a way to meet many of the COSO objectives from an IT perspective. COSO is a model for corporate governance at a strategic level, while CobiT is a model for IT governance at an operational level.

C is incorrect because COSO was not developed as a guideline for IT security auditors. However, CobiT, which was derived from the COSO framework and defines goals for the controls that should be used to properly manage IT and ensure IT maps to business needs, is often used by auditors. CobiT lays out executive summaries, management guidelines, frameworks, control objectives, an implementation toolset, and audit guidelines. A majority of regulatory compliance efforts and audits are built on the CobiT framework.

D is incorrect because COSO was not developed to address regulatory requirements related to private health information. NIST SP 800-66, by contrast, is a risk assessment methodology designed to be implemented in the healthcare field or other regulated industries.
