Fundamentals of the COSO Framework: Building Blocks for Integrated Internal Controls

The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, is a private sector initiative led by the American Institute of Certified Public Accountants (AICPA), Institute of Management Accountants (IMA), American Accounting Association (AAA), Institute of Internal Auditors (IIA), and Financial Executives International (FEI). COSO was formed to investigate the fraud scandals of the 1970s and 1980s, and released an internal controls framework in 1992.

This COSO Internal Control – Integrated Framework (ICIF), also somewhat confusingly known simply as COSO or the COSO framework, provided guidance for how organizations can implement controls to prevent, detect, and manage fraud risk related to external financial reporting. This article will break down the five pillars and seventeen principles of the COSO framework, as well as how to implement and use it as a foundation for modern internal controls and fraud deterrence.

Overview of the COSO Framework

Although the original aim of COSO (the organization) was to investigate and address fraud in the 1970s and 1980s, the COSO framework (the framework) gained increased importance due to the fraud cases of the 1990s and 2000s (Enron, WorldCom, Sunbeam, Tyco) and the subsequent passing of the Sarbanes-Oxley Act (SOX). SOX requires public companies to implement and maintain effective internal controls across the organization related to financial statements. Companies subject to SOX regulations adopted COSO as one of the primary frameworks to satisfy these requirements. The COSO Internal Control – Integrated Framework (ICIF) was revised and reissued in 2013 with updated guidance, and periodic updates are issued by the Committee. COSO also provides guidance for establishing an Enterprise Risk Management (ERM) program, which often works hand in hand with a company’s control environment.

In March of 2023, COSO released a study and guidance regarding internal controls over sustainability reporting (ICSR) that leverages the COSO internal controls framework. As scrutiny increases around corporate sustainability, more regulations have come into play requiring reliable, trusted reporting around environmental, social, and governance (ESG) matters. COSO and other professional organizations are adapting, and this new guidance around ICSR gives companies a vetted avenue for reporting around sustainability. Though sustainability matters are considered “non-financial”, COSO has supported stakeholder demand to adapt COSO’s ICIF for ESG reporting.

The COSO “cube” visual summarizes the pillars and components of the COSO framework. On the front face of the cube are the five foundations (pillars) of internal controls. On the top face of the cube are the control objective categories, that is, the organization’s operational, compliance, and reporting objectives in relation to internal controls. On the side face of the cube are the levels at which controls need to be implemented, from the entity level down to the functional level.

What Are the Five Pillars of the COSO Framework?

The five pillars of the COSO framework, illustrated on the front face of the cube, support internal controls objectives around operations, reporting, and compliance by providing some guidance on how to implement effective controls. These pillars are further broken down into 17 principles.

Control Environment

The Control Environment of an organization refers to the overall culture of internal controls and is established from the top down. As demonstrated by Enron and other, more recent fraud cases, poor “tone at the top” can lead to fraudulent activity with devastating consequences. Establishing a Control Environment in accordance with the COSO framework involves demonstrating the following principles:

  • 1. The company commits to integrity and ethical values.
  • 2. The Board of Directors maintains independence from management and oversees internal controls programs.
  • 3. Management defines organizational structure, authority, reporting lines, and responsibilities to execute on the company’s operational, reporting, compliance, and business objectives.
  • 4. The company prioritizes the recruitment, development, and retention of capable, competent individuals aligned to internal controls objectives.
  • 5. The company establishes accountability for control responsibilities.

Achieving these principles can be done through documentation of policies, mission and vision statements, strategic planning documents, meeting notes, and periodic evaluation of the company’s internal controls program, either through an internal audit or external compliance audit.

Risk Assessment

The next pillar of the COSO framework stipulates the need for periodic or ongoing risk assessments based on the organization’s internal controls system. These risk assessments can be performed by internal personnel, such as an internal audit team, or third parties, such as a consulting or CPA firm. COSO specifies four core principles for risk assessment and risk treatment, listed below:

  • 6. The company establishes objectives with enough specificity to enable the identification and assessment of risks to the objectives.
  • 7. The company identifies risks to objectives and scrutinizes identified risks to develop an action plan for risk treatment.
  • 8. When evaluating risks, fraud is explicitly considered as part of the assessment.
  • 9. The organization anticipates and assesses any changes that may affect internal controls.

Risks should be logged in a risk register or risk inventory that describes each risk, the likelihood that the risk will be realized (Likelihood/Probability), the impact if the risk is realized (Impact), the plan for mitigating the risk, the timeline for mitigating the risk, and the person(s) responsible for that risk. Risk assessments should occur at least annually, and the risk register should be updated as risks are discovered or mitigated. The results of these risk assessments and the contents of the risk register should be incorporated into the organization’s decision-making process and aligned with the organization’s risk tolerance.

Control Activities

Once an organization has defined its objectives, established an ethical control environment, and performed or initiated a risk assessment, the COSO framework dives another level deeper. Control activities are the processes, activities, actions, and communications performed to mitigate risks and maintain strong internal controls. Three COSO principles fall into this pillar:

  • 10. Control activities address and mitigate risks to the company’s objectives.
  • 11. The company establishes control activities over technology in line with the company’s objectives.
  • 12. Policies and procedures define the control activities that should be taking place at the company as part of the internal controls program.

An example of a control activity might be that code changes need to be 1) reviewed by an appropriate person, 2) who is not the code developer, and 3) approved by that person in the ticketing system. Another control activity might be the termination of an employee account within 24 hours of their last day.

Information and Communication

This may seem obvious, but another crucial aspect of a successful compliance and internal controls program is appropriate, consistent, and timely distribution of information and communications to relevant stakeholders. That’s a mouthful; breaking it down further, the COSO framework requires companies to communicate and share information based on these principles:

  • 13. The company uses quality data and information to support control objectives.
  • 14. The company communicates relevant information, objectives, assignments, accountability, and responsibilities for internal control activities.
  • 15. When necessary, the company communicates with external entities regarding internal controls.

More and more companies, especially B2B organizations, include clauses in their contracts that require the disclosure of data breaches, incidents, cyber attacks, and other internal controls matters to external entities. HIPAA directives require the reporting of data breaches to affected parties. A well-orchestrated communication plan can take much of the pain out of building out a COSO program.

Monitoring Activities

The fifth and final pillar of the COSO framework involves monitoring, measuring, and reporting on the company’s internal controls system and includes the following principles:

  • 16. Regular or ongoing evaluations occur to determine if the internal controls program is operating effectively.
  • 17. Any internal control deficiencies are reported in a timely manner to the accountable parties, including the Board of Directors and upper management when necessary.

What Are the Steps to Implement and Use the COSO Framework?

To build and integrate an effective COSO program, an organization can follow these general steps. For more in-depth details on how to improve organizational performance and governance with COSO guidance, refer to this document from COSO.

Planning

In order to get the most out of the COSO framework, organizations need to do some legwork upfront. Organizations should understand why they are leveraging this framework, and how it fits into their overall strategic roadmap, while also having a clear understanding of the 17 principles of the framework itself. Since COSO applies to the whole organization, it is crucial to develop a meticulous and thorough plan for setting up and maintaining an internal controls system based on COSO. Investing in compliance management software to coordinate COSO control activities facilitates both planning and execution.

Evaluation and Documentation

Following planning, it is important to understand the maturity of the organization’s internal controls program and what documentation exists to support objectives and pillars. In this phase, the responsible team should collect the available documentation around the organization’s internal controls, and take into account whether there are common processes, formal Enterprise Risk Management (ERM), and/or appropriate control activities in place. If the documentation available is insufficient to support the organization’s objectives and the requirements of COSO, these should be tracked for remediation as gaps.

Remediation

As internal control assessments reveal gaps in an organization’s internal controls program, the parties responsible for those control activities or areas undertake remediation or risk mitigation activities. If an internal control gap is found, the responsible team(s) plan the remediation or risk mitigation steps, timeline, and responsibilities, then execute that plan.

Testing and Reporting

Once a company has completed the preceding steps and is comfortable that it is compliant with the COSO framework, testing and reporting occur. Testing involves evaluating the design and operating effectiveness of internal controls, as well as each control’s impact on the related risks. A test of an Incident Management control might involve inspecting the log of incidents for a certain period and determining whether the proper documentation was completed for a selected subset of those incidents.

Management should receive regular reporting around the internal controls program and the results of testing.

What Are the Pros and Cons of the COSO Framework?

The COSO framework is a foundation of modern internal controls and fraud deterrence. This framework has been used to guide and help develop other existing compliance frameworks. The visualization of the COSO cube emphasizes the need for the integration of operational and control activities. There are plenty of resources available to organizations seeking to build a COSO program. And, perhaps most importantly, applying the COSO framework as an organization subject to SOX is a great way to meet internal control requirements.

However, the COSO framework’s greatest strength is also its main limitation: its broadness. Designed to apply to a wide range of industries and companies, the COSO framework does not provide specific methods for implementing effective control activities, but rather provides overarching principles for how internal controls should be structured. Alongside this broadness, COSO’s other limitation is its stringency. Smaller organizations may find themselves challenged when implementing COSO requirements because of the coordination required and, plainly, the extent of work that must be completed to establish a successful, effective, COSO-based system of internal controls. AuditBoard simplifies the path to a strong internal controls program by unifying risks, controls, policies, frameworks, issues, and stakeholder communications to meet the ever-increasing compliance needs of modern businesses.

Arden

Arden Leland, CPA, is a Manager of Solutions Advisory Services at AuditBoard. Prior to joining AuditBoard, she spent 7 years at PricewaterhouseCoopers managing external audits for both private and public companies, with a specific focus on working with companies in their early years of SOX compliance. Connect with Arden on LinkedIn.