Press Release

ISACA Issues Updated IT Control Objectives for Sarbanes-Oxley

Rolling Meadows, IL, USA (04 December 2014)—To help executives and information technology (IT) professionals focus on performing an IT assessment for financial reporting controls in line with Sarbanes-Oxley and similar legislation, global IT association ISACA has released IT Control Objectives for Sarbanes-Oxley, 3rd Edition.

“Significant changes and enhancements were made in the regulatory environment and with professional guidance in recent years,” said Ken Vander Wal, CISA, CPA, past international president of ISACA. “Coupled with lessons learned that come from a decade of experience in the application of internal controls in a technology landscape, a refreshed approach to Sarbanes-Oxley compliance was needed. This latest guide will help professionals align with these changes in the industry.”

IT Control Objectives for Sarbanes-Oxley was first published in 2004 and has been updated with input and direction from global experts from many organizations, including several accounting and professional firms. Companies worldwide have used it as a tool for design, implementation and assessment of IT controls in support of Sarbanes-Oxley compliance and other global financial reporting requirements.

The third edition responds to significant changes and updates in the industry. For example, ISACA released COBIT 5, an update to its business and IT framework, in 2012, while many organizations subject to the Sarbanes-Oxley Act have built their control frameworks on COBIT 4.1. This guide provides a road map from COBIT 4.1 to COBIT 5, both for organizations designing IT general controls frameworks to achieve and sustain SOX compliance and for the internal and external auditors and consultants who assess the effectiveness of that control environment. Other changes that prompted the update include:

  • The Public Company Accounting Oversight Board (PCAOB) issued Auditing Standard No. 5 (AS 5), “An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements” in 2007 as a replacement for the prior AS 2. This new standard contained major amendments to the requirements for the audit, including a more risk-based approach.
  • The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control-Integrated Framework in 2013. The COSO framework is the one used by most organizations to meet their responsibilities under the Sarbanes-Oxley Act to maintain a system of internal control over financial reporting. ISACA has closely aligned the COBIT 5 framework to COSO.
  • Auditors of the organizations that must comply with the Sarbanes-Oxley Act typically rely extensively on independent attestation reports on third-party service organizations. The Auditing Standards Board (ASB) promulgated Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Reporting on Controls at a Service Organization. SSAE 16 replaces Statement on Auditing Standards No. 70 (SAS 70), Service Organizations, which has been an important element of compliance with Sarbanes-Oxley.

IT Control Objectives for Sarbanes-Oxley, 3rd Edition is available as a free download for ISACA members and is available for purchase by nonmembers. To order a copy of the publication, visit

Note: At the time of publication, this book was complimentary to ISACA members for an introductory time period. There is now a charge for this item. ISACA members receive six COBIT publications free of charge (a US $210 value), and significant discounts on all other COBIT publications.


With more than 115,000 constituents in 180 countries, ISACA helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus, a comprehensive set of resources for cybersecurity professionals, and COBIT, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC) credentials. The association has more than 200 chapters worldwide.

Media Contacts:

Kristen Kessinger, +1.847.660.5512

Joanne Duffer, +1.847.660.5564