IT auditors turn to Cobit for Sarb-Ox guidance

15.05.2006

ISACA offers free downloads of the Cobit framework and a related set of guidelines that are specific to Sarbanes-Oxley. Both were developed by the IT Governance Institute, which works in tandem with ISACA and is also based in Rolling Meadows.

A Version 4 update of Cobit was released in December, and a proposed second edition of the more focused IT Control Objectives for Sarbanes-Oxley document has been made publicly available for review and comment. The draft reflects recent controls-related guidance from the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board. The comment period ends June 30.

Complements ITIL

The controls management focus of Cobit differs from the data center orientation of the IT Infrastructure Library. But the two frameworks are complementary, and the latest version of Cobit includes improved integration with ITIL, said Robert Stroud, an IT service management evangelist at CA Inc. and a contributor to Cobit.

ITIL is focused on IT processes, such as how a help desk handles trouble tickets submitted by end users. Cobit takes issues to a higher level inside a company by focusing on meeting business needs, Stroud said. He noted that IT staffers who want to discuss, for instance, how much storage capacity is available aren't necessarily giving business managers the information they really need. "The business just cares about the ultimate service," Stroud said.