IT auditors turn to Cobit for Sarb-Ox guidance

15.05.2006
Increasingly, to keep themselves and their companies out of trouble, IT auditors are going by the book -- the Cobit book on IT governance.

Cobit, formally known as the Control Objectives for Information and Related Technology, is a framework for governing IT and evaluating internal system controls. The guidelines have been around since the early 1990s, but the need to comply with the Sarbanes-Oxley Act is fostering new interest in them, according to attendees at a conference held in Orlando last week for IT auditors.

Sarbanes-Oxley "is an amorphous document -- it says 'Have controls,' but it doesn't tell you what controls or how to have them," said Scott Thomas, an IT security manager at a large food services company that he asked not to be named. Thomas said Cobit has given his company "a nice, solid process" to follow on Sarbanes-Oxley compliance, as well as a means for showing external auditors the security controls it has in place.

In plain English

The framework also gives IT and business managers a common language on system controls, according to Thomas. Without Cobit, communication between the business and IT sides at his company often was "apples to oranges," he said at the conference, which was sponsored by the Information Systems Audit and Control Association (ISACA), based in Rolling Meadows, Ill.

Cobit explains in a "nontechnical way" how to build controls around a business process, said Steven Suther, director of information security management at American Express Technologies, the IT arm of American Express Co. in New York. The framework allows "my business folks to actually understand IT processes for the first time ever," Suther said at the conference.