Following the rampant spread of corporate scandals in the 70s and 80s, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed an integrated internal control framework in 1992, famously known as the COSO framework, for detecting, preventing, and managing fraud risks. Since then, the fundamentals of the COSO framework have been integral to the day-to-day operations of most organizations, particularly those in the accounting, finance, and public-trading spheres.
The COSO framework is founded on five key components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. These components are elaborated by 17 principles, which outline precisely what organizations need to do to comply with COSO’s standards for protecting themselves from operational disruptions, fraud, and other potential risks.
The COSO framework provides a standardized structure that organizations can use to manage potential risks effectively, address existing compliance issues, and institute solid internal controls. Ultimately, this leads to accurate, reliable, and timely financial reporting, which safeguards organizations against fraudulent activities.
Implementing the COSO framework can be challenging, especially for less established organizations, due to resource constraints. However, no one can question its exceptional benefits. From standardized business operations and operational efficiency to business resilience and risk mitigation, organizations have much to gain from the COSO framework, and this article will explore the basics.
But first, let’s look at some background information about the framework. In case you are in a hurry, below is an overview of the five components, 17 principles, and key takeaways:

COSO Framework Components and Principles
| Component | Component Description | Principles |
| --- | --- | --- |
| Control Environment | Sets the base tone for the organization’s internal controls | 1: Integrity and ethical values; 2: Board independence and oversight responsibility; 3: Defined organization structure; 4: Competent workforce; 5: Accountability enforcement |
| Risk Assessment | Identifies industry-specific risks and analyzes them | 6: Objective setting; 7: Risk identification; 8: Risk evaluation; 9: Change anticipation and assessment |
| Control Activities | Sets policies, procedures, and regulations that provide responses and preventive action | 10: Risk mitigation controls; 11: General controls; 12: Policies and procedures |
| Information & Communication | Encourages all-direction flow of information | 13: Control objectives support; 14: Internal communication; 15: External communication |
| Monitoring Activities | Promotes continual monitoring and correcting of inconsistencies and internal control issues | 16: Continuous and regular evaluation; 17: Deficiency reporting |
Key Takeaways:
- The COSO framework is a structured system by the Committee of Sponsoring Organizations (COSO) that establishes controls that can be integrated into business operations.
- The COSO framework is founded on five pillars or components and 17 principles shared in the table above.
- This framework is widely used by organizations seeking enhanced internal controls, especially those in the accounting, financial, public trading, and service sectors.
- Key advantages of the COSO framework include standardized business operations, operational efficiency, business resilience, risk mitigation, stakeholder confidence, broad application, wide acceptance, stable performance, and increased opportunities.
- Notable challenges of the COSO framework include implementation hiccups, resource constraints, structure rigidness, and administrative workload.
- Key stages of implementing the COSO framework include planning, evaluation, documentation, remediation, testing, reporting, and optimization.
Background Information
Although the original goal of COSO (the organization) was to establish a framework that addressed the widespread fraud cases of the 70s and 80s, the framework gathered more momentum in the early 2000s when the Enron and WorldCom scandals, two of the world’s most prominent corporate scandals, broke out.
Subsequently, the Sarbanes-Oxley Act, popularly known as SOX, was passed. SOX requires public entities to adopt and sustain adequate internal controls on financial matters. Interestingly, companies subscribing to SOX regulations were among the first to implement the COSO framework as one of their primary frameworks for satisfying SOX requirements.
Later, in 2013, the COSO Internal Control-Integrated Framework (ICIF) was revised, resulting in newer guidelines for addressing fraud risks. Part of the update provided guidelines for instituting an Enterprise Risk Management (ERM) program.
The other update included the COSO Cube, a 3D diagram demonstrating how the various internal control elements relate. Below is a visual representation of the five pillars or components of the COSO framework (on the front face), the control objectives (on the top face), and the implementation levels (on the side face), as depicted by the COSO Cube.

With increased emphasis on corporate sustainability, COSO, among other organizations, has ramped up efforts to emphasize the importance of reliable and accurate reporting around ESG (Ethical, Social, and Governance) issues. COSO has also been at the forefront of providing guidelines around ICSR (Internal Control Over Sustainability Reporting) matters to offer organizations a vetted channel for reporting sustainability matters.
What’s the COSO Framework?
The COSO Framework is a system created by the Committee of Sponsoring Organizations (COSO) in 1992 to establish internal controls that organizations can integrate into their business processes. These controls ensure that the organization runs transparently, ethically, and according to existing industry standards.
The framework was engineered by a committee led by James Treadway Jr., COSO’s executive vice president, in collaboration with the following parties:
- American Accounting Association
- Institute of Internal Auditors
- Financial Executives International
- Institute of Management Accountants
- American Institute of Certified Public Accountants
Fundamentals of the COSO Framework: Foundational Components and Governing Principles
Generally, the COSO framework is built upon five pillars or components, which are further founded on 17 principles. Discussed below are the five components and their applicable principles:
1. Control Environment
The Control Environment refers to an organization’s internal control culture, which runs top-down. This pillar sets the tone for the organization’s internal controls and is based on principles 1-5.
Principle #1: Integrity and ethical values
COSO dictates that organizations demonstrate their commitment to observing integrity and ethical values. That means communicating all ethical standards and moral values top-down and ensuring adherence by all concerned parties.
The principle involves:
- Implementing a Code of Conduct
- Documenting a Whistleblower Policy to protect whistleblowers against retaliation
- Offering regular and timely ethics and integrity training
Principle #2: Board independence and oversight responsibility
COSO also expects organizations to show their commitment to supporting an independent board of directors. The board should fulfill its mandate without interference from the organization’s top management or ownership.
The board should enjoy independence, particularly in these scenarios:
- Providing oversight
- Holding the management accountable
- Ensuring comprehensive financial reporting
Principle #3: Defined organization structure
COSO requires organizations to have a defined structure for executing their operations, observing compliance, reporting effectively, and attaining objectives. Authority figures, reporting lines, and responsibilities should all be clear, since a defined structure is integral to the effectiveness of a company’s internal controls.
Principle #4: Competent workforce
This fourth principle advocates for effective recruitment, talent development, and retention of capable individuals. It affirms the importance of hiring people with the requisite skills, training, and professionalism.
To ensure there’s always a competent workforce, organizations should:
- Establish recruitment practices and policies
- Evaluate candidate competencies regularly
- Institute frameworks for succession planning

Principle #5: Accountability enforcement
This COSO principle requires companies to hold individuals accountable for their internal control duties. It involves:
- Setting clear expectations and observing performance metrics that relate to the company’s internal controls
- Performance reviews and follow-ups to ensure employees understand the essence of staying compliant with the internal controls
- Establishing incentives, rewards, and discipline guidelines depending on employee performance or lack of it
2. Risk Assessment
After creating a control environment, the next pillar asserts the need for regular and continuous risk assessment of the internal controls. The risk assessment exercise can be carried out by an internal audit team, a third-party consultant, or a CPA firm.
Below are the four principles that govern risk assessment (principles 6-9):
Principle #6: Objective setting
Organizations should establish clear and specific objectives for identifying and assessing risks. Clear objectives are a reference point for identifying potential crises and their impact. These objectives cover all key organization areas and include the following goals:
- Compliance goals: Compliance objectives reflect external regulations and consider the organization’s risk tolerance.
- Operation goals: Operation objectives reflect management’s wishes, consider the company’s risk tolerance, and form the basis for committing the organization’s resources.
- Financial reporting goals: Financial reporting focuses on compliance with industry accounting standards, precision, and materiality.
- Internal reporting goals: Internal reporting objectives reflect the management’s wish list and organization activities and focus on high-level precision reporting.
Principle #7: Risk identification
This principle insists on identifying risks that could affect the organization’s efforts to attain its internal control objectives. It maintains the need to scrutinize the risks and develop an effective action plan, which may involve techniques like:
- SWOT (strengths, weaknesses, opportunities, and threats) analysis
- PESTLE (political, economic, social, technological, legal, and environmental) analysis
Principle #8: Risk evaluation
The ‘risk evaluation’ principle maintains the importance of considering how potential fraud threats could stop the organization from attaining its set objectives. It encourages organizations to measure the pressures, incentives, and opportunities for fraud during the risk assessment.
Principle #9: Change anticipation and assessment
According to COSO, organizations should anticipate changes that could impact their internal control system and assess these changes to determine their impact. This includes evaluating potential changes in the business model, its leadership, and the external environment.

3. Control Activities
Upon initiating the risk assessment, organizations should focus on their control activities, which include processes and actions that mitigate risks and solidify internal controls. Principles 10-12 come into effect here.
Principle #10: Risk mitigation controls
This principle dictates that the organization establishes controls to help mitigate potential risks to acceptable levels and attain its objectives. The principle focuses on integrating risk assessment into the organization’s internal control system and addressing duty segregation issues.
Principle #11: General controls
This 11th principle requires the organization to establish general controls over technological solutions to attain its objectives. It specifically focuses on:
- Determining the dependency between technology utilization in business operations and general technological controls
- Determining relevant technological acquisitions and development control activities
Principle #12: Policies and procedures
In this principle, the organization deploys internal controls through policies that outline what’s expected and procedures that enforce those policies. The principle also establishes the responsibilities for executing the guidelines and policies, taking action, using competent personnel, and being accountable.
4. Information and Communication
Another founding pillar of the COSO framework is the timely and consistent sharing of internal control information with relevant stakeholders. This COSO component is governed by principles 13-15.
Principle #13: Control objectives support
This 13th principle reiterates the need to capture relevant data sources and process them into meaningful information. It insists on maintaining quality while processing data to support internal control objectives.
Principle #14: Internal communication
Internally, communication about the organization’s internal controls should be clear. Internal stakeholders, who include top management, the board, and the workforce, should understand their responsibilities and obligations regarding the organization’s internal control objectives. The principle insists on the need for dedicated communication lines for the internal stakeholders.
Principle #15: External communication
Good communication shouldn’t just be internal. It should also be external, involving outside stakeholders like regulators, suppliers, and customers. This principle requires organizations to share relevant information with relevant external stakeholders. Sometimes, this may mean providing separate channels for communicating with external parties.
5. Monitoring Activities
The last COSO framework component maintains the need to effectively measure, monitor, and report the organization’s internal controls. It specifically focuses on these two principles:
Principle #16: Continuous and regular evaluation
The 16th principle requires organizations to regularly and continually evaluate their internal control activities. That includes:
- Establishing the baseline understanding
- Using knowledgeable personnel
- Adjusting the evaluation frequency, scope, and objectivity
Principle #17: Deficiency reporting
The last principle demands that organizations identify and report deficiencies in their internal controls and communicate them promptly with responsible parties, which may include board directors and senior management.

Who Uses the COSO Framework?
The COSO framework is mainly used by organizations seeking enhanced internal controls, and that includes the following:
- Publicly traded companies
- Accounting firms
- Financial institutions
- Service-based companies
The COSO framework is pivotal in enabling these organizations to comply with ethical and legal standards and risk management protocols. By integrating the COSO framework, these organizations can monitor their strict adherence to the already-established controls. The framework emphasizes effective monitoring and efficient reporting.
Also, internal control auditors widely use the COSO framework as a benchmark for designing internal controls for the organizations they serve. The framework guides the auditors in assessing the reliability of existing financial reporting metrics and standards.
Advantages of the COSO Framework
Organizations, particularly the most established ones, have a lot to gain from the COSO framework, and here are the key benefits:
- Standardized business operations: The COSO framework helps organizations run their operations more uniformly and according to specific internal controls.
- Operational efficiency: By standardizing business operations, the COSO framework improves an organization’s efficiency, ensuring effective use of available resources and cutting unnecessary costs.
- Business resilience: The framework enables businesses to anticipate complex changes and react effectively without significantly affecting business operations.
- Risk mitigation: Organizations become better positioned to detect and address fraudulent activities, whether perpetrated by trusted employees, cybercriminals, or customers. By focusing on risk mitigation and compliance, vulnerabilities are vastly reduced.
- Stakeholder confidence: The COSO framework enables organizations to demonstrate their commitment to good governance practices, which improve stakeholder confidence in the business.
- Broad application: COSO guidelines and standards apply to various industries, from publicly traded companies to service-based businesses.
- Wide acceptance: Many companies and sectors have warmly accepted implementing the COSO framework in their business operations.
- Stable performance: Upon anticipating and avoiding risks, the COSO framework limits an organization’s vulnerabilities, minimizes disruptions, and maximizes profitability.
- Increased opportunities: Not only do COSO principles help the organization identify risks and other challenges, but they also recognize viable opportunities to leverage.
Challenges of the COSO Framework
Like most governance frameworks, the COSO framework has its fair share of challenges, which include:
- Implementation hiccups: The COSO framework can be quite broad, with many principles to consider, making it challenging to implement. Specific guidelines must be observed over the long term to maintain the framework, which is never easy.
- Resource constraints: Small organizations find adopting and maintaining the COSO framework challenging because of limited resources.
- Structure rigidness: The COSO framework has a specific structure that organizations must embrace. Some organizations, however, find it difficult to follow this rigid structure when implementing the framework because their businesses fall into diverse categories.
- Administrative workload: The COSO framework is principle-based and not prescriptive. That means observing it takes good judgment and effort, which calls for proper guidance from those in administrative positions, especially senior management.

Key Stages for Implementing the COSO Framework
Below are seven key steps for implementing the COSO framework:
Stage 1: Planning
The ‘planning’ phase involves setting up effective internal controls based on the COSO framework. Organizations have to do a bit of legwork to understand what the framework entails and what’s expected of them, and an implementation team has to be set up.
Stage 2: Evaluation
The ‘evaluation’ phase requires the implementation team to assess the organization’s existing internal control structure, evaluate its fraud-related risks, and identify potential gaps. The implementation team, through its leader, may need to conduct interviews to have a clear picture of the organization’s operations.
Stage 3: Documentation
The ‘documentation’ stage involves collecting relevant information that supports the organization’s internal control activities.
Stage 4: Remediation
The ‘remediation’ phase redresses the gaps identified in the evaluation and documentation phases. The remediation plan focuses on the organization’s vulnerabilities.
Stage 5: Testing
The ‘testing’ phase involves designing effective internal control testing procedures, considering the descriptions of the internal controls and managed risks.
Stage 6: Reporting
In this phase, the testing results, covering how the internal controls work, the monitoring carried out, and the performance analysis, are reported to top management.
Stage 7: Optimization
This last phase involves altering or developing the existing internal controls to match the organization’s needs. This ensures that the controls match the organization’s objectives and risk mitigation goals.
Embrace the Fundamentals of the COSO Framework Today!
The COSO framework protects modern businesses and organizations from fraud and other risks. Thus, its observance is critical inside and outside the boardroom. That’s part of why we created our monthly corporate governance training, where we share the nitty-gritty of modern corporate governance, including adherence to the COSO standards and many other guidelines that dictate business operations. You are invited to sign up for this transformative course, which will bring you up to speed with what’s happening in the corporate world.