The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) framework for internal business controls helps organizations ensure that their financial statements are accurate, their assets and stakeholders are protected from fraud, and their operations are running efficiently and effectively. Its guidance encompasses the entire organization, from auditing to IT.
COSO also helps organizations comply with laws and regulations enacted over the years, including the Sarbanes-Oxley Act (SOX), a federal law enacted in 2002 to protect public companies and their stakeholders from accounting errors and fraud, and the Foreign Corrupt Practices Act (FCPA). For compliance with SOX and FCPA, COSO is the definitive tool.
Although COSO is the United States’ most widely used framework for internal controls, compliance can be challenging and expensive. But it’s not as costly or difficult as recovering from fraud, theft, reputational loss, or legal penalties. (COSO compliance is voluntary, but SOX and FCPA compliance are not.)
To simplify your COSO journey, we’ve compiled an exhaustive trove of information for your use. Read this guide, or skip to the sections most relevant to your enterprise. Along the way, you’ll find links to take you more deeply into any topic. Click away and become an expert in all things COSO.
What Is the COSO Framework?
Fraud deterrence was the main impetus behind forming the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and its 1992 framework for internal control: Internal Control—Integrated Framework.
Known as the COSO framework, this document provided the first standard definition of “internal control” and a system that organizations could use to assess the effectiveness of their internal controls.
COSO defines “internal control” as “…a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
Unpacking this definition reveals five concepts regarding internal controls.
- Establishing them is a process, not a destination.
- They help organizations to achieve objectives—operational, reporting, and compliance.
- People put them into effect.
- They can provide “reasonable assurance,” but not absolute assurance, to senior management and the board regarding:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations.
- They can be adapted to the “entity” structure, applied entity-wide, or to one or more subsidiaries, divisions, operating units, or business processes.
The COSO Framework: A Short History
The Committee of Sponsoring Organizations, or COSO, was initially organized in 1985 to sponsor the National Commission on Fraudulent Reporting (NCFR). Its member organizations were the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA).
As its name implies, the NCFR was formed to study why and how fraudulent financial reporting at organizations occurs and to recommend ways to reduce it. The NCFR’s 1987 report focused on internal financial controls, highlighting this crucial topic for perhaps the first time. It also pointed out that there was no standard definition of “internal control” and began a project to create one. The COSO internal control framework, published in 1992, was the result.
Twenty years would pass before an update to the COSO framework. Increased business complexity, globalization, and the ascendant role of IT in business operations were among the factors inspiring the update, released in May 2013.
COSO’s Main Elements
COSO’s five key components of internal control (described in more detail in the next section) are:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
Each component includes principles—17 principles in all—with supporting “points of focus” to help design, implement, conduct, monitor, and assess internal control processes.
COSO has also published other documents to improve internal control management:
- Internal Control over External Financial Reporting (ICEFR): Compendium of Approaches and Examples—to help users apply the framework to external financial reporting objectives
- Illustrative Tools—to help users assess the effectiveness of a system of internal control based on requirements listed in the updated framework
The organization in 2004 issued a second framework: Enterprise Risk Management—Integrated Framework, updated in 2017.
What Are the Five Components of the COSO Framework?
COSO defines five risk management components, which are what an organization needs to achieve its objectives, each with corresponding principles:
1. Control environment
- Commitment to integrity and ethical values
- Independent Board of Directors’ oversight
- Structures, reporting lines, authorities, and responsibilities
- Attract, develop, and retain competent people
- People held accountable for internal control responsibilities
2. Risk assessment
- Clear objectives specified
- Risks identified to achievement of objectives
- Potential for fraud considered
- Significant changes identified and assessed
3. Control activities
- Clear objectives specified
- Risks identified to achievement of objectives
- Potential for fraud considered
- Significant changes identified and assessed
4. Information and communication
- Quality information obtained, generated and used
- Internal control information internally communicated
- Internal information externally communicated
5. Monitoring activities
- Ongoing or separate evaluations are conducted
- Internal control deficiencies evaluated and communicated
The five components comprise one face of the “COSO cube,” a three-dimensional framework defining internal control from varying perspectives.
- Operations controls
- Reporting controls
- Compliance controls
These are described in greater detail in this post.
The third face represents an organization’s structure: units, divisions, or processes, each of which may or may not be affected by a particular internal control:
- Business unit activities
- Division and function controls
- Business entity-level controls
Benefits of using the COSO framework
The COSO framework offers several key benefits for organizations implementing it:
- Provides a common language for internal control concepts across the organization, facilitating communication and coordination.
- It helps design, implement, and evaluate internal controls more effectively. Principles and focus points guide the process.
- Clarifying organizational structure, reporting lines, authorities, and responsibilities supports accountability.
- Identifies and analyzes risks to achieving objectives, enabling risk management.
- Considers fraud potential when assessing risks, aiding prevention.
COSO Framework Limitations
While useful, the COSO framework has some limitations:
- Principles-based guidance, not prescriptive requirements. Implementation takes effort and judgment.
- Subjectivity in assessing effectiveness can lead to consistent application.
- Focus on financial reporting objectives may result in overlooking operational and compliance risks.
- More technical guidance on control methods for specific activities like IT security is needed.
- Ongoing monitoring and updating for changes adds to the administrative workload.
What Are the 3 Types of Internal Controls for COSO?
When it was published in 1992, the COSO internal control framework established for the first time a standard, common definition of effective “internal control.” This definition refers to three types of risk management “objectives,” which is what a business hopes to achieve:
Operations Objectives
It concerns the effectiveness and efficiency of entity operations, including operational and financial performance goals and safeguarding assets against loss.
Reporting Objectives
They are concerning internal and external reporting, financial and non-financial. These controls may encompass reliability, timeliness, transparency, or other concepts set forth by regulators or the organization’s policies.
Compliance Objectives
It concerns conformance to relevant laws and regulations.
These objectives form one face of the three-sided COSO “cube,” a three-dimensional model illustrating internal control from various perspectives. The other two dimensions depict “components,” what the entity needs to achieve its objectives, and the organizational structure.
Ten years after the publication of the original COSO framework, in 2002, Congress enacted the Sarbanes-Oxley Act (SOX), which requires that U.S. publicly listed companies report on the effectiveness of their ICFR using a suitable framework. Many companies use COSO’s Integrated Control—Integrated Framework to guide SOX compliance. They may utilize the document’s appendix, The Illustrative Tools for Assessing Effectiveness of a System of Internal Control, for templates and scenarios to use when applying the COSO framework.
What are the COSO Coverage Areas?
One of the three sides of the “COSO cube,” a three-dimensional illustration of how the COSO internal control framework may be applied, lists the areas of an entity to which COSO might be used to achieve operational financial and compliance objectives:
ENTITY LEVEL
DIVISION
OPERATING UNIT
FUNCTION
These four coverage area criteria correlate to the top-down structure of a typical organization. They establish that the COSO framework can be used to gauge the effectiveness of controls for an enterprise as a whole or at the division, operating unit, or function level—and that control activities should take place at all these levels.
The higher the level, the more abstract their relation to financial reporting activities. Entity-level controls often have an indirect relationship to financial statements and can be harder to quantify than more direct process-level controls. Entity-level controls also vary according to an organization’s complexity and risk profile and must be evaluated qualitatively instead of qualitatively.
Relationship of ERM and Internal Controls
Adequate internal controls are essential to Enterprise Risk Management (ERM). ERM helps an organization manage risk at every level, from strategy-setting through review and revision, and uses internal controls to achieve four types of risk-management objectives:
- Strategic
- Operations
- Financial reporting
- Compliance
Recognizing the importance of ERM and internal control to successful enterprise governance and management, COSO has published an ERM framework as well as an internal control framework:
- COSO Internal Control—Integrated Framework (updated 2013)
- COSO Enterprise Risk Management—Integrating with Strategy and Performance (updated 2017)
COSO also guides using both frameworks in its 2014 paper, Improving Organizational Performance and Governance: How the COSO Frameworks Can Help.
The COSO ERM framework defines enterprise risk management as:
A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
According to COSO, the COSO ERM framework is a strategic guide to meeting business objectives, while the COSO internal control framework is a tactical guide.
Although they differ in the key components they list, these are complementary and intended to be applied in tandem.
The internal control framework lists five critical components of internal control:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
The ERM framework lists five core business activities essential to sound risk management:
- Governance and culture, including the formulating of mission and vision statements, board oversight, and executive management functions
- Strategy and objective setting, in which executives and, possibly, the board, define organizational risk appetite and create a high-level plan for achieving corporate goals
- Performance, in which risks are identified, assessed, and prioritized, and responses to risk implemented
- Review and revision, which involves assessing performance and striving for continual improvement
- Information, communication, and reporting, including the use of information technology
Components in the internal control framework correspond to those listed in the ERM framework. ERM and internal control go hand-in-hand; internal control is essential to ERM. One supports the other: having solid internal controls enables managers to focus on operations and business objectives, knowing that the organization has a robust risk management program and complies with applicable laws, regulations, and standards.
How to Implement the COSO Framework
Implementing the COSO internal control framework requires assessing its five components (control environment, risk assessment, control activities, information and communication, and monitoring activities) and 17 principles against the organization’s current internal control system and adjusting accordingly.
Failing to enforce the COSO framework principles can violate the federal Sarbanes-Oxley Act’s (SOX) requirements. Auditors evaluating an organization’s ICFR will judge against this standard: When even one of the 17 principles doesn’t function properly, a “major deficiency” is deemed to exist—a “material weakness” under SOX Section 404.
The 17 internal control principles can serve as a handy checklist for enterprises to use to evaluate and strengthen their internal control system—but first, there is the groundwork to be laid. Applying COSO’s internal control or enterprise risk management (ERM) framework requires a systematic, step-by-step approach. To help, we’re providing this roadmap that includes implementation challenges and leading practices.
Implementing the COSO Framework in Five Phases
PHASE 1: PLAN AND SCOPE
Appoint an implementation team. Here’s how it works: The board delegates implementation authority to a committee such as an audit and compliance committee. Managers assign oversight to a management function in the organization, such as internal control or ERM. The team may include accounting managers, staff, and people with a thorough knowledge of how work gets done in the organization.
Develop an implementation plan that includes timing, resources needed, and roles and responsibilities of implementation team members. Determine the scope of the framework’s implementation: Which activities will it measure, and over what period?
At this point, the implementation team will also evaluate the five components of the COSO internal control framework to understand how the enterprise’s internal control system is designed and how well it functions.
In this phase, the implementation team should also meet with the external auditors who will be assessing the organization’s COSO compliance. They must learn their roles, avoid redundancies, and communicate the plan to the board and managers.
PHASE 2: ASSESS AND DOCUMENT
In this phase, the implementation team assesses the organization’s control structure. Are its systems centralized or decentralized? How are entity-level controls structured? Is there a formal ERM process with documented risk management activities? If so, the documents should help analyze where the organization meets COSO framework guidelines and where it falls short. If there is no coordinated approach to ERM, COSO implementation may require more time and effort.
Other activities during this phase include:
- Assess fraud risk. The COSO internal control framework emphasizes the importance of considering the potential for fraud when evaluating the risks to achieving objectives.
- Document existing processes and controls. Once managers have identified which processes are relevant to the framework’s control activities, the implementation team can study and record each. Doing so allows them to identify which internal controls apply to each process and where gaps exist. This step may involve interviews with key personnel.
- Perform gap assessments. This entails comparing the COSO internal control framework’s components and principles to practices in the organization. COSO’s publication Illustrative Tools for Assessing Effectiveness of a System of Internal Control can be helpful.
PHASE 3: REMEDIATE
Now that gap assessments are drawn up, it’s time to remediate those gaps.
- Make a remediation plan. Prioritize the control deficiencies that pose the most severe vulnerabilities and move down the list to the least serious. Include milestones and a schedule for completion.
- Implement your remediation plan.
PHASE 4: DESIGN, TEST, AND REPORT
- Classify controls as critical or non-critical
- Design procedures for testing each critical control. Each test should consider the risk to be mitigated and the control description—both are equally important to determining a control’s effectiveness. Choose a method of testing for each control. Common methods include:
- Inquiring: Asking control owners to explain how their controls work
- Observing: Observing the control in action
- Examining: Studying all the transactions and documentation associated with a control’s functioning
- Analyzing: Using data analytics tools to gain insights into controls’ design and operations
- Test controls, reporting to management on progress and obstacles.
PHASE 5: OPTIMIZE INTERNAL CONTROLS’ EFFECTIVENESS
How do identified risks and controls mesh with your enterprise’s goals, plans, and strategies? The COSO internal control framework can help you align or realign goals and controls. When developing or redesigning controls, consider the following:
- Control activities such as reconciliation, verification, supervisory, and physical controls
- Whether controls are preventive, detective, i.e., occurring after a process has begun but before it has concluded, or corrective
- Whether controls are automated, partially automated (automation enabled or assisted by people) or manual
Once controls are in place, monitoring is critical to ensuring they remain effective. Continuous monitoring with software is preferable to manual tracking. Should a control fail, study the incident carefully to determine its cause for the most effective remediation.
What Are The Differences Between COBIT and COSO?
Developed by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, comprising five private-sector organizations, the COSO Internal Control—Integrated Framework focuses primarily on an enterprise’s internal control system and financial reporting processes, with fraud prevention in mind.
COBIT, or Control Objectives for Information and Related Technologies, is supported by ISACA, an international professional organization focused on IT governance. The COBIT framework helps with the quality, control, and reliability of an organization’s information systems and facilitates best practices in risk management as associated with IT processes.
Both frameworks list three objectives and five components needed to achieve those objectives in their respective areas (financial controls and IT controls).
The COSO internal control framework’s objectives:
- Operations
- Financial reporting
- Compliance
Its components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
COBIT 5’s main objectives:
- Benefits realization
- Risk optimization
- Resource optimization
Its “five principles”:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating corporate governance from management
In other words, COSO governs internal control, which it defines as “…a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
COBIT 5 enables the governing and management of IT holistically throughout the enterprise. It encompasses the entire end-to-end business and IT functional areas of responsibility and considers the IT-related interests of internal and external stakeholders.
Although their focus differs, the two complementary frameworks can be applied in tandem. Doing so is recommended to maximize risk management and controls throughout the organization.
Both frameworks can effectively achieve compliance with the Sarbanes-Oxley Act (SOX), a federal law intended to prevent accounting errors and fraud in public companies.
For most entities, the COSO framework and SOX compliance go hand-in-hand. Because COSO focuses on financial controls and fraud prevention, it dovetails nicely with SOX, and COSO framework compliance guarantees SOX compliance.
Enacted in 2002, SOX does not spell out compliance requirements for IT; however, many enterprises use COBIT to help ensure that their IT systems and processes comply with the law’s requirements.
The two complement each other in another way: COSO is more theoretical, establishing the guiding principles for organizations to use for building risk tolerance and reducing fraud, while COBIT 5 is more practical, offering concrete suggestions for how to create controls related to IT.
How Do COSO Audits Work?
Because COSO’s Internal Control—Integrated Framework is a framework, not a regulation or requirement, a COSO audit, by definition, doesn’t exist.
However, the COSO framework is beneficial for compliance with SOX, which federal law requires for all publicly traded companies. The U.S. Securities and Exchange Commission watches financial reporting closely and, since SOX’s passage in 2002, demands that those reports be transparent, accurate, and verified by an independent auditor. Noncompliance could cost your organization tens of millions in fines and send your CFO to prison for 20 years.
SOX is highly complex. Each of its 11 sections delivers a different mandate, covering oversight, auditor independence, corporate responsibility, financial statements, annual reports, and more. The regulation is intended to secure public companies, stakeholders, and customers against financial fraud, which is why most organizations audit their SOX compliance using the COSO framework.
COSO was designed to help manage financial risk and improve internal control. The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, was initially named the National Commission on Fraudulent Reporting (NCFR). Its member organizations were the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA).
The Treadway Commission devised the Internal Control—Integrated Framework to help businesses comply with SOX Section 404: Management Assessment of Internal Controls, the regulation’s most complex, demanding, and expensive section. Essentially, COSO helps entities strengthen their internal control system to protect their data, especially financial information, from tampering.
Another result of SOX was the formation of the Public Company Accounting Oversight Board (PCAOB), an independent agency that regulates external audit firms and establishes auditing standards for external auditors—including Auditing Standard No. 5, or AS5, used by auditors to gauge compliance with various SOX sections including.
- Section 404, rules for assessing internal controls
- Section 302, establishing management’s responsibility for financial reports
- Section 401, rules for enhanced financial reporting disclosures
- Section 409 requires the immediate disclosure of significant changes in economic conditions and operations
- Section 802, setting penalties for altering documents
- Section 806 rules regarding whistleblowers
Preparing for your COSO audit
Thorough preparation is key for a successful COSO audit. Here are some tips:
- Review framework components and principles and compare them to internal controls.
- Identify gaps where controls fall short of principles. Develop remediation plans.
- Document key processes and controls, detailing how they address COSO.
- Collect evidence that controls are functioning.
- Interview personnel to ensure they understand control responsibilities.
- Perform trial audits, testing controls, and processes to remediate failures.
- Coordinate with the external auditor to avoid redundancies.
- Verify controls over financial reporting are effectively designed and operating.
Using COSO for SOX Compliance
The best way to ensure that your enterprise is audit-ready for SOX is to use COSO to establish a robust internal control framework.
The independent external auditor you will hire to audit your SOX compliance will almost certainly use COSO standards to measure your controls. ZenGRC’s “Preparing for a SOX Audit Using COSO” audit checklist walks you through the questions you must ask to prepare for this audit.
To prepare for the audit, follow these four steps, using COSO’s five components and 17 principles for achieving financial reporting objectives as a guide.
- Prepare a framework
- Control environment
- Commitment to integrity and ethical values
- Independent Board of Directors’ oversight
- Structures, reporting lines, authorities, and responsibilities
- Attract, develop, and retain competent people
- People held accountable for internal control
- Risk assessment
- Clear objectives specified
- Risks identified to achievement of objectives
- Potential for fraud considered
- Significant changes identified and assessed
- Identify your internal controls
- Control activities
- Control activities selected and developed
- Controls developed through policies and procedures
- General IT controls selected and developed
- Information and communication
- Quality information obtained, generated and used
- Internal control information internally communicated
- Internal information externally communicated
- Test your controls
- Monitoring activities
- – Ongoing and separate evaluations conducted
- – Internal control deficiencies evaluated and communicated
- Get help if you need it.
Modern challenges require modern solutions—including software that can automate many of these processes, greatly simplifying the task of SOX compliance using a framework such as COSOs.
How To Automate Your COSO Compliance
Created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the COSO internal control framework may initially seem simple. After all, there are only five components—control environment, risk assessment, control principles, information and communication, and monitoring activities—and 17 principles.
But the framework’s high-level mandates require a long list of action items and processes—not easy to implement manually and downright tricky if you use spreadsheets for your compliance program.
Automation is the answer. Today’s technologies take much guesswork and grunt work out of compliance with regulations, standards, and frameworks. Whether your organization struggles to manage cyber risks and achieve cybersecurity goals, improve performance management, meet business objectives, or comply with mandates, software solutions can simplify these tasks and streamline compliance efforts.
When choosing a solution, look for:
- Fast, effortless deployment
- User-friendly design
- In-a-click internal audits
- Integrated, multi-framework dashboard
- Easy evidence collection
- Automatic framework updates
ZenGRC Has GRC Solutions for COSO Compliance
ZenGRC’s governance, risk, and compliance software-as-a-service, ZenGRC, offers all these features.
Used by the world’s leading companies, ZenGRC is a cloud-based solution with fast, easy deployment, unified control management, and a centralized dashboard for simple, streamlined compliance and risk management, including self-audits, without the hassle and confusion of spreadsheets. With ZenGRC, you can comply with COSO and SOX.
Contact a ZenGRC expert today to request your free demo and embark on the worry-free path to regulatory compliance—the Zen way.