What is COSO?
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) is a joint initiative of five professional accounting and finance bodies: the American Accounting Association, AICPA, Financial Executives International, the Institute of Management Accountants, and the Institute of Internal Auditors. It was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting (the Treadway Commission, after its chairman), and has since become the leading authority on internal control, enterprise risk management and fraud deterrence.
What is the COSO Internal Control Framework?
The COSO Internal Control — Integrated Framework, originally published in 1992 and significantly updated in 2013, is the most widely used framework for designing, implementing and evaluating internal controls worldwide. It defines internal control as a process effected by an organisation’s board of directors, management and other personnel to provide reasonable assurance regarding achievement of objectives in operations, reporting and compliance.
The framework is the foundation for SOX Section 404 compliance. The SEC requires management to assess internal control over financial reporting against a suitable, recognised control framework, and COSO is the framework that nearly every US-listed company uses for that assessment.
| Attribute | Detail |
|---|---|
| Standard Body | COSO — Committee of Sponsoring Organisations |
| Current Version | 2013 (Internal Control) · 2017 (ERM Framework) |
| Mandatory or Voluntary | Voluntary — effectively mandatory for SOX Section 404 compliance |
| Geography | Global |
| Official Resource | coso.org |
The Five Components of COSO
The COSO framework organises internal control into five integrated components. For internal control to be considered effective, all five must be present and functioning, and they must operate together in an integrated manner rather than as isolated activities.
| Component | Description |
|---|---|
| Control environment | The foundation — sets the tone at the top. Covers integrity and ethical values, board oversight, organisational structure, commitment to competence and accountability. |
| Risk assessment | Identification and analysis of risks to achieving objectives — including fraud risk. Requires specification of objectives before risks can be identified. |
| Control activities | Policies and procedures that help ensure management directives are carried out. Includes authorisations, reconciliations, verifications, IT general controls and application controls. |
| Information and communication | Relevant information identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. |
| Monitoring activities | Ongoing evaluations and separate evaluations to ascertain whether each component of internal control is present and functioning — deficiencies reported to management and the board. |
The 17 Principles
The 2013 update made the framework's requirements explicit by codifying 17 principles, each tied to one of the five components and supported by points of focus that illustrate the principle without being requirements themselves. For internal control to be effective, all 17 principles must be present and functioning and the five components must operate together.
| # | Component | Principle |
|---|---|---|
| 1 | Control environment | Demonstrates commitment to integrity and ethical values |
| 2 | Control environment | Board exercises oversight responsibility |
| 3 | Control environment | Management establishes structure, authority and responsibility |
| 4 | Control environment | Demonstrates commitment to attract, develop and retain competent individuals |
| 5 | Control environment | Holds individuals accountable for their internal control responsibilities |
| 6 | Risk assessment | Specifies suitable objectives to enable identification and assessment of risks |
| 7 | Risk assessment | Identifies and analyses risks to achieve objectives — basis for determining risk management |
| 8 | Risk assessment | Considers the potential for fraud in assessing risks |
| 9 | Risk assessment | Identifies and assesses changes that could significantly impact the system of internal control |
| 10 | Control activities | Selects and develops control activities that mitigate risks to acceptable levels |
| 11 | Control activities | Selects and develops general controls over technology |
| 12 | Control activities | Deploys control activities through policies and procedures |
| 13 | Information and communication | Uses relevant quality information to support functioning of internal control |
| 14 | Information and communication | Communicates internally the information necessary to support functioning of internal control |
| 15 | Information and communication | Communicates with external parties regarding matters affecting functioning of internal control |
| 16 | Monitoring activities | Selects, develops and performs ongoing and separate evaluations |
| 17 | Monitoring activities | Evaluates and communicates internal control deficiencies in a timely manner |
Securitora Assessment
COSO is the baseline internal control framework for any organisation subject to SOX, and for any organisation that must demonstrate sound governance to auditors and regulators. Its five-component structure is a practical way to design and evaluate internal controls, but it is a framework rather than a control catalogue: it does not prescribe specific technical controls, which is why it is normally paired with COBIT or NIST CSF for control content. For IT and security teams the Control Activities component is the most directly relevant, in particular Principle 11 (general controls over technology). The IT general controls that auditors test during SOX Section 404 audits are typically grouped as access to programs and data, program changes, program development and computer operations, and the Monitoring Activities component is where continuous control monitoring and evidence collection belong.
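As an added illustration of how an IT general control under Principle 11 can be monitored continuously (Principles 16 and 17), the following script is not COSO material or code from the page; it tests a constructed population of production change records against an assumed change-management policy (documented approval, approver and deployer different from the author, approval before deployment, test evidence on file) and returns the exceptions an auditor would expect to see reported. Record fields, rule names and the sample data are all assumptions made for this example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional


# Constructed record format for this example. In practice the population would
# be pulled from the ticketing system and the deployment log and reconciled by
# change_id; reconciliation is itself a control activity.
@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    author: str                      # who wrote the change
    approver: Optional[str]          # who approved it (None = no approval on file)
    approved_at: Optional[datetime]  # when approval was recorded
    deployed_by: str                 # who pushed it to production
    deployed_at: datetime
    test_evidence: bool              # test results attached to the ticket


def evaluate_change(rec: ChangeRecord) -> list[str]:
    """Return the control exceptions for one change (empty list = control operated)."""
    exceptions: list[str] = []
    if rec.approver is None or rec.approved_at is None:
        exceptions.append("no documented approval")
    else:
        # Segregation of duties: the author must not approve their own change.
        if rec.approver == rec.author:
            exceptions.append("approver is the author (segregation of duties)")
        # Approval must precede deployment; retroactive approval is an exception.
        if rec.approved_at > rec.deployed_at:
            exceptions.append("approval recorded after deployment")
    # Segregation of duties: developers should not deploy their own code.
    if rec.deployed_by == rec.author:
        exceptions.append("developer deployed own change (segregation of duties)")
    if not rec.test_evidence:
        exceptions.append("no test evidence attached")
    return exceptions


def evaluate_population(records: list[ChangeRecord]) -> tuple[dict[str, list[str]], float]:
    """Evaluate every change in the period.

    Returns the exceptions keyed by change_id and the exception rate
    (changes with at least one exception / changes in the population).
    """
    results = {r.change_id: evaluate_change(r) for r in records}
    failed = sum(1 for ex in results.values() if ex)
    rate = failed / len(records) if records else 0.0
    return results, rate


def deficiency_report(records: list[ChangeRecord]) -> list[str]:
    """One line per exception, the form in which deficiencies get escalated (Principle 17)."""
    results, rate = evaluate_population(records)
    lines = [f"{cid}: {ex}" for cid, exs in results.items() for ex in exs]
    lines.append(f"exception rate: {rate:.0%} of {len(records)} changes")
    return lines


# Constructed sample population: two clean changes and two with exceptions.
SAMPLE = [
    ChangeRecord("CHG-1001", "alice", "bob", datetime(2024, 3, 1, 9, 0),
                 "carol", datetime(2024, 3, 1, 14, 0), True),
    ChangeRecord("CHG-1002", "dave", None, None,
                 "dave", datetime(2024, 3, 2, 18, 30), False),
    ChangeRecord("CHG-1003", "erin", "erin", datetime(2024, 3, 4, 11, 0),
                 "frank", datetime(2024, 3, 3, 16, 0), True),
    ChangeRecord("CHG-1004", "gina", "bob", datetime(2024, 3, 5, 8, 0),
                 "carol", datetime(2024, 3, 5, 12, 0), True),
]

if __name__ == "__main__":
    for line in deficiency_report(SAMPLE):
        print(line)
```

Run over the whole period's population rather than a sample and the check becomes an ongoing evaluation; run over an auditor-selected sample and the same output is the evidence for a separate evaluation. The rules encode the policy, so any exception is a question for the control owner before it is a finding.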
| Attribute | Detail |
|---|---|
| Recommended for | Publicly traded companies, finance teams, internal audit functions, GRC professionals |
| Difficulty to implement | Medium — well-structured but requires strong understanding of control design and testing |
| Best used with | SOX · COBIT 2019 · NIST CSF 2.0 |
| Official resource | coso.org |