Increasingly, to keep themselves and their companies out of trouble, members of the Information Systems Audit and Control Association (ISACA) are turning to an IT governance tool, the Control Objectives for Information and Related Technology, or Cobit.

Although Cobit has been around since the early 1990s, the Sarbanes-Oxley Act is pushing new interest in the tool, said users who have implemented it. Cobit is also getting updated: A new version of a Sarb-Ox-specific tool that uses Cobit, the IT Control Objectives for Sarbanes-Oxley, is being finalized by the IT Governance Institute (ITGI). Public comment is now being accepted on the updated tool, which includes recent U.S. Security and Exchange Commission guidance.

A major update of Cobit, Version 4, was released in December by the ITGI. Cobit and the Sarb-Ox framework are both available as free downloads from the www.isaca.org Web site.

Cobit creates a common framework for business and IT management and in a “nontechnical way” explains about building controls around a business process, said Steven Suther, director of information security management for American Express Technologies, the IT arm of American Express Co. Cobit allows “my business folks to actually understand IT processes for the first time ever,” he said.

The management focus of Cobit differs from the Information Technology Infrastructure Library (ITIL) that is gaining data center adoption. But both are complementary, and the latest version of Cobit has improved integration with ITIL, said Robert Stroud, an IT service management evangelist at CA Inc., and contributor to Cobit.