The Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s enterprise risk management framework defines five components of internal control: the elements an organization needs in an effective internal control system to achieve its enterprise risk management objectives. Each component has corresponding principles:

  • Governance and culture
    • Commitment to integrity and ethical values
    • Independent board of directors’ oversight
    • Structures, reporting lines, authorities, and responsibilities
    • Attract, develop, and retain competent people
    • People held accountable for internal control responsibilities
  • Strategy and objective setting
    • Clear objectives specified
    • Risks identified to achievement of objectives
    • Potential for fraud considered
    • Significant changes identified and assessed
  • Performance
    • Clear objectives specified
    • Risks identified to achievement of objectives
    • Potential for fraud considered
    • Significant changes identified and assessed
  • Review and revision
    • Quality information obtained, generated, and used
    • Internal control information internally communicated
    • Internal information externally communicated
  • Monitoring activities
    • Ongoing and/or separate evaluations conducted
    • Internal control deficiencies evaluated and communicated

The five components make up one face of the “COSO cube,” a three-dimensional framework defining the effectiveness of a system of internal control from varying perspectives.

COSO: A Brief History

COSO’s original framework was developed in 1985 to enable the National Commission on Fraudulent Financial Reporting to review the causes of fraudulent financial reporting. The framework was designed to help manage financial risk and improve internal control as well as external financial reporting. The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, was itself originally named the National Commission on Fraudulent Reporting (NCFR).

COSO’s member organizations were the American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), Institute of Management Accountants (IMA), and the Institute of Internal Auditors (IIA).

The Treadway Commission devised the Internal Control-Integrated Framework to help businesses comply with the Sarbanes-Oxley Act (SOX). SOX Section 404, Management Assessment of Internal Controls, is the regulation’s most complex, demanding, and expensive section. COSO helps enterprises strengthen their system of internal control to protect their data, especially financial information, from tampering. It is often used in tandem with frameworks and standards such as the International Organization for Standardization (ISO) 31000, Risk management–Guidelines, and COBIT (Control Objectives for Information and Related Technologies).

Another result of SOX was the formation of the Public Company Accounting Oversight Board (PCAOB), an independent agency that regulates external audit firms and establishes auditing standards for external auditors—including Auditing Standard No. 5, or AS5, used by auditors to gauge compliance with various SOX sections.

Although COSO began as a roadmap for internal auditors to use to verify public companies’ financial statements, it evolved over time to govern the entire organizational structure and aid in decision making regarding enterprise risk.

When it was published in 1992, the COSO internal control framework established for the first time a standard, common definition of effective “internal control.” This definition refers to three types of risk management “objectives,” which are what a business hopes to achieve:

Operations objectives

Concerning the effectiveness and efficiency of entity operations, including operational and financial performance goals and safeguarding assets against loss.

Reporting objectives

Concerning internal and external reporting, financial and non-financial. These controls may encompass reliability, timeliness, transparency, or other concepts set forth by regulators or the organization’s policies.

Compliance objectives

Concerning conformance to relevant laws and regulations.

In 2017, COSO updated the COSO Framework, placing a focus on enterprise risk management as part of an organization’s DNA rather than a discrete, unconnected function within the company.

One-Size-Fits-All Risk Management

Rather than focusing on a “one size fits all” approach to enterprise risk management (ERM), the COSO Framework allows for a compendium of approaches and business models with flexibility and variability built-in.

COSO deliberately shies away from checklists and prescriptive guidance, letting senior management decide how to exercise its oversight responsibilities while complying with applicable laws. COSO therefore gives organizations that want to grow an ERM approach they can grow with, since it is written not as a set of “best practices” but as a way to weave risk management throughout all organizational functions.

COSO’s 5 Core Business Activities for Risk Management

COSO also lists five core business activities essential to good risk management:

Managing Governance and Culture

COSO defines corporate governance as the oversight and management of ERM, while culture focuses on ethical values, the desired behaviors to ensure integrity, and overarching understanding of risk.

  • The board of directors acts as the starting point for all risk oversight and is ultimately accountable for reviewing risk tolerance levels.
  • Organizations need to review the risks inherent in their daily operations and the ways they can change.
  • Companies need to define core values that align with their risk tolerance.
  • Operating style and senior management’s conduct must align to core values.
  • Management needs to align human resource development and retention to the core values.

Setting Strategy and Objectives

The COSO internal control framework focuses on conducting a risk assessment that starts with business objectives, then implements plans based on risk appetite, as follows:

  • Discussing business connections with managers and the board
  • Creating a risk appetite statement that sets parameters for organizational business decisions
  • Recognizing that risk assumptions change, and planning to respond accordingly
  • Setting objectives that apply to all departments and functions, aligned with the risk appetite

Evaluating Performance

Once you’ve defined your risk impacts, you’ll need to prioritize risks and report your processes.

  • Risk identification requires an ongoing review that considers emerging and not-yet-known risks.
  • Scenario analysis should embed quantitative and qualitative analyses for stronger risk mitigation.
  • Your organization should prioritize its risk responses using criteria such as adaptability, complexity, velocity, persistence, and recovery.
  • Management should rely on the business context, a cost-benefit analysis, risk severity, and risk appetite when deciding whether to accept, transfer, mitigate, or avoid risk.
  • Management and the board of directors need to review the risk interdependencies that using integrated business solutions can produce.

Reviewing and Revising Strategies

As part of continuous monitoring, organizations should review performance and revise appropriately.

  • Monitor all business processes for changes that may lead to performance gaps or invalidate critical assumptions.
  • Workers with risk management responsibilities must ensure that their business processes are always in accordance with the business’s risk appetite.
  • Review and update the ERM program regularly.

Information, Communication, and Reporting

ERM requires communicating internally and externally to obtain and share information that affects risk appetite and strategies.

  • Information systems can help improve interdepartmental communications.
  • Risk data should be shared with employees, managers, and the board.
  • The board of directors must review a variety of reports on risk, culture, and performance.

How to Use COSO’s Integrated Framework

COSO focuses your company objectives. Instead of following a prescriptive checklist, your organization can use the COSO Internal Control-Integrated Framework according to its unique needs to maintain a system of internal control.

PwC released a Compendium of Examples in June 2018. Rather than offering case studies as “best practices,” the Compendium of Examples offers nine illustrative tools that show individualized approaches to creating COSO control activities.

Thus, a company must align its system of internal control to its own definitions of risk and value.

How to Create an Internal Control Framework

The COSO ERM framework focuses on embedding risk into all organizational decisions. Rather than assuming that risk mitigation occurs separately from other business activities, it aims to incorporate risk appetite as a driver throughout the company.

Your first step is to identify the benefits of ERM to your enterprise and your strategy for your ERM program, and present them to your board of directors to gain their support. Make sure you can speak their language when describing your risks, and quantify them to help board members grasp the return on their investment. Planning involves not only setting a strategy but also assigning roles and responsibilities to members of your workforce.

Next, identify and adopt tools that will help you classify and assess your risks. When you’ve established your company’s risk appetite, you can review your internal control activities to determine whether they mitigate your risks sufficiently.

As part of embedding risk management in all your organizational activities, evaluate the effectiveness of your control environment, and suggest improvements.

To run a resilient enterprise, you need to be aware of your vulnerabilities and use internal controls to shore them up for fast response to, and recovery from, threats and incidents.

Let Zen Do the Work

ZenGRC’s System of Record makes auditing and reporting easy, and it streamlines workflows by tracking the progress of your team’s risk management and compliance tasks. (We also integrate with ServiceNow.) Our software-as-a-service also helps you stay apprised of your third-party vendors’ risk management and compliance status.

Zen’s user-friendly dashboards map your controls across multiple frameworks, standards, and regulations to determine where your compliance gaps are and tell you at a glance how to fix them. And our “Single Source of Truth” repository collects and holds all your documentation for an instantly available audit trail, so there is no more hunting for emails.

Suddenly, integrated enterprise risk management is worry-free. For a free consultation and demo, contact us today.