BUSACT702 · Accounting Information Systems
Systems Development & Risk Frameworks: COSO & COBIT
This chapter of University of Auckland BUSACT 702 steps up to how systems are built and governed: the systems development life cycle (SDLC), the COSO internal-control framework and COBIT for IT governance. COSO and COBIT are standard, public frameworks and are taught here at the standard level — the exact depth and any prescribed detail for your quarter are set on Canvas, so confirm the coverage there rather than assuming a particular level of detail.
What this chapter covers
- 01The systems development life cycle (SDLC): the phased approach to building or acquiring an information system (broadly: planning/analysis -> design -> build -> implement -> operate and maintain)
- 02Why the SDLC matters for accountants: controls and documentation must be designed in, not bolted on after
- 03COSO as an internal-control framework: a structured way to think about the components of internal control across an organisation
- 04The standard COSO components (control environment, risk assessment, control activities, information & communication, monitoring activities) — confirm the exact treatment on Canvas
- 05COBIT as an IT-governance framework: aligning IT with business objectives, with governance separated from management
- 06How the frameworks relate: COSO frames internal control broadly; COBIT focuses on governing and managing enterprise IT
- 07Caveat: the available course materials name these as examinable topics but do not fix a depth — treat detail as standard-level and confirm coverage on Canvas
Placing a control in the COSO framework
- +1(a) A code of conduct and tone-from-the-top set the organisation's integrity and ethical values and its control culture — the Control Environment component (the foundation the others rest on).
- +1(b) A formal process to identify and assess risks to reporting objectives is the Risk Assessment component — deciding what could go wrong and how significant it is.
- +1(c) Ongoing monthly review of exception reports is a Monitoring Activity — evaluating whether controls are present and functioning over time. (A specific control such as an authorisation would instead be a Control Activity.)
Key terms
- Systems development life cycle (SDLC)
- The phased approach to developing or acquiring an information system — broadly planning/analysis, design, build, implementation, and operation/maintenance — during which controls and documentation should be designed in.
- COSO framework
- A widely used framework for designing and evaluating internal control across an organisation, structured into standard components. In this course, learn it at the standard level and confirm the assessed depth on Canvas.
- Control environment
- The COSO foundation component — the organisation's integrity, ethical values, governance and tone from the top that underpin all other controls.
- Risk assessment
- The COSO component covering the identification and analysis of risks to the entity's objectives, informing which controls are needed.
- Monitoring activities
- The COSO component covering ongoing and separate evaluations that check whether controls are present and functioning over time.
- COBIT
- A framework for the governance and management of enterprise IT, aligning IT activities with business objectives and distinguishing governance from management.
Systems Development & Risk Frameworks: COSO & COBIT FAQ
What is the SDLC and why do accountants study it?
It is the phased life cycle for building or acquiring a system. Accountants care because controls and documentation must be designed in during development, not retrofitted — a system built without them is expensive to control later.
What is the difference between COSO and COBIT?
COSO is a framework for internal control across the whole organisation; COBIT is a framework for governing and managing IT specifically, aligning it with business goals. They complement rather than compete.
How much COSO/COBIT detail do I need for BUSACT702?
Learn them at the standard level — the COSO components and what COBIT is for. The course materials name these as examinable topics but the exact depth for your quarter is set on Canvas, so confirm the required detail there rather than over- or under-preparing.
Can Sia explain the COSO components to me?
Yes — Sia can walk through the standard COSO components and COBIT's purpose and quiz you on placing a control in the right component. Treat it as a study aid and confirm the assessed framework detail against your course outline on Canvas.
Exam move
Because the available materials name COSO and COBIT without fixing a depth, learn the standard structure — the COSO components and COBIT's IT-governance purpose — and the SDLC phases, then confirm the exact coverage on Canvas so you match your quarter's treatment. Practise placing example controls into the right COSO component, and be able to say in one line how COSO (organisation-wide internal control) differs from COBIT (IT governance). Don't fabricate detail beyond the standard framework; where you're unsure, note 'confirm on Canvas'.
Working through Systems Development & Risk Frameworks: COSO & COBIT in BUSACT 702? Sia is AskSia’s AI Accounting tutor — ask any BUSACT 702 Systems Development & Risk Frameworks: COSO & COBIT question and get a clear, step-by-step explanation grounded in how BUSACT 702 is taught and assessed. Read this chapter free, then take your hardest questions to Sia.