COSO stands for the Committee of Sponsoring Organizations. It refers to the system that allows businesses to assess their internal controls in regard to their organisation’s processes. The framework was introduced in 1992 and due to the changing business environment, it was updated in 2013 to increase its relevance. It includes five components of internal controls, objectives and principles to help a company make its vision a reality. It was created along with five other private organisations:

  • Institute of Management Accountants (IMA) (formerly the National Association of Accountants)
  • American Accounting Association (AAA)
  • The Institute of Internal Auditors (IIA)
  • American Institute of Certified Public Accountants (AICPA)
  • Financial Executives International (FEI)

The COSO framework is usually depicted as a cube that focuses on three of its sides.


The COSO framework has 3 main objectives. To remember those the acronym C.O.R. might be useful.

  • Compliance
  • Operations
  • Reporting


Compliance is crucial as it focuses on whether the business is abiding by the laws and regulations. These objectives ensure that all relevant rules will be followed during the operation of the business and that managers are aware of all regulatory bodies that affect the company.


This COSO goal refers to the performance of the business and targets the effectiveness and efficiency of an entity. This objective can be set for the management to determine whether the operational goals that they have to achieve are realistic.


It involves the requirements of reporting financial, non-financial, internal and external information. Businesses need to be aware of what they need to report and ensure that they produce quality documents that are reliable.

The objectives are on the top side of the cube and they need to be achieved through the components of the framework. To determine the effectiveness of the framework the company can look at the areas that are covered which include the function, business unit, division and entity level.

COSO framework components

The front side of the cube focuses on the five components of the framework. Sometimes the acronym C.R.I.M.E. is used to make the components easier to remember. These are:

  • Control environment
  • Risk assessment
  • Information and communication
  • Monitoring
  • (Existing) Control activities

Control environment

This component refers to the standards and processes within the business that enable the internal controls to be implemented. They ensure that the organisation is running in an ethical and responsible way. The board of directors and management of the company are very important in this component as they set expectations and ensure the enforcement of those standards. The control environment is crucial in setting the tone the enterprise operates in. Ideally, this would mean an environment where people are held accountable and there is a commitment to ethical values.

An example of how the control environment can affect the business could be if the management stopped following the current controls, such as not performing bank reconciliations regularly. This can increase the risk of fraud and unauthorised withdrawals which can cause problems with cash flow and business growth.

Risk assessment

Business risks are threats that could lower profit, efficiency, productivity and overall the achievement of financial goals. Every organisation faces some type of risk, such as compliance, operational and security risks. They could be either from the internal or external environment and they vary in impact and likelihood. A risk assessment helps to identify those risks and develop strategies to manage them. By controlling, reducing or eliminating risks an enterprise can achieve its goals effectively and minimise its losses.

As the business environment changes, so do the threats that affect a company. For example, a manufacturing company might perform a risk assessment regarding a crucial piece of equipment malfunctioning ro predict the impact it will have on its projects and organisation.

Information and communication

The COSO framework ensures that communications, whether internal or external, meet ethical and legal requirements. By maintaining the industry-standard practices, the business will be able to set and achieve its objectives in a responsible manner. The main focus is on quality information that assists in carrying out internal controls. Failing to obtain and use quality information can have a negative impact on the effectiveness of communications. There needs to be clear and direct communication between team members, supervisors, management and the board of directors. Emails and meetings between staff fall under information and communication.


It is not enough to just establish internal controls, there needs to be monitoring to oversee the elements of the COSO framework. Monitoring is essential to ensure that internal controls are enforced. It gives reassurance that the components are carried out effectively and that staff are complying with the requirements set by the organisation. Separate evaluations might be needed. An example of monitoring are internal audits. These are usually carried out by auditors and results are reported to the board of directors. The information gathered from monitoring can show any issues that might exist within the organisation in relation to the internal controls.

(Existing) Control activities

Control activities are related to the risk assessment component as they are in place to mitigate risks across different departments of the business and help it achieve its goals. They are created based on the policies and procedures and they need to be reviewed frequently to reflect the changing objectives and risks. They can be developed as a way to detect or prevent threats and they need to address all levels of the company. An organisation may implement regular preventative maintenance as a control activity to ensure its machinery does not malfunction.

How to implement the COSO framework

COSO framework

 It is crucial to understand every aspect of the framework before trying to implement it. The more familiar the management is with the COSO framework, the more effective the implementation process will be. The steps include:

  • Planning
  • Assessment
  • Remediation
  • Testing and reporting
  • Optimisation of internal controls


Like most actions, a plan will be required to implement the COSO framework in the organisation. The five components need to be considered before starting this step. A team that will be responsible for the implementation can be created. It can also be given to a committee, usually the compliance or audit committee. The team can then decide the resources that will be needed for the framework to cover all areas of the organisation, the timeframe and the responsibilities the staff within the team will have. There needs to be constant communication between the group and the management or the board of directors to ensure a smooth implementation.


At this stage, the control needs to be assessed and the committee needs to determine if there is a formal enterprise risk management process. Documentation will be needed of the ERM process, along with other risk management strategies. The committee might come to the conclusion that there is not enough documentation of business activities. If that is the case, a consultant might be required to organise this process and analyse whether the guidelines in place support the COSO framework or if they need to be changed. Once the processes and controls have been documented the committee might conduct interviews with certain employees to decide how to implement controls for different processes.


If the assessment step has identified gaps between the state of the organisation and the COSO framework components changes will need to be made to cover these gaps. A remediation plan can be created to address each of the weaknesses in the documents and outline the timeframe in which those weaknesses will need to be resolved. Every change needs to be overseen by the relevant staff. Once the remediation plan is implemented, it is important that it can be understood by both internal and external stakeholders.

Testing and reporting

Testing can help in determining which controls need prioritisation. Qualitative and quantitative data are relevant in this step to assist in rating internal controls. A test should identify which risk it is focusing on and the management strategies that have been taken to mitigate it. Through interviewing, observing and analysing, management can get a better idea of the effectiveness of each control. In some instances, quantitative data is more useful while others might require qualitative research. The committee needs to evaluate the approach they will take case by case to make the right decision on how to test and report their findings.

Optimisation of internal controls

Based on the findings of the previous steps, new internal controls can be created or current ones altered. The decisions for these developments should be made in accordance with the business’s objectives and ethical responsibilities. The COSO framework will help the business connect its goals to its control and assist in the effective operation of the organisation. Just like most steps, monitoring will be necessary to ensure the optimisation of the internal controls and ensure they are still addressing the threats they were developed for. Monitoring usually involves the collection of data and reports that highlight the performance of the measures. 


The COSO framework offers many benefits if implemented correctly. One of them is the improvement of internal controls. The internal controls allow the organisation to manage its risks and make better decisions. The business is more likely to identify potential threats and be proactive when responding to risks that it is facing. It encourages reliable reporting which can result in better decision making.

It can also reduce business costs as organisations understand risks better and are able to collect meaningful data from their operations. By focusing on operating ethically and legally the business will prevent costs associated with lawsuits and damage to its reputation. This will also attract more investors as the business is reducing its exposure to legal issues and community backlash. It will also be better protected against fraudulent activities.

COSO framework is very broad and can be changed to address various business needs that might arise. It can also be applied to many industries and different business models. It allows businesses of any size to improve their governance and as a result their security and compliance.


The COSO framework relies on human judgement, which can be flawed. Human errors could negatively impact the success of the framework or its implementation as decision making heavily affects the success of COSO in the business. COSO relies on accurate reporting and a control environment that encourages its implementation. But humans are the ones responsible for creating that environment and producing reports that meet the framework’s standards. The reports can only be as good as the employees who create them.

As it has been made to apply to many industries, it can be hard to adapt it to every business and can result in a complex process for the management. The framework also fails to recognise that risk methods can be put in place without the risk being identified or assessed extensively beforehand. It can prove to be ineffective when handling unpredictable events as it is constructed around the likelihood of a risk occurring. It does not take into account the uncertainty that surrounds business objectives.


The COSO framework can be very beneficial for a company if the implementation focuses on its five core components. Each step needed for its implementation is crucial and contributes to the success of the business. Management should not try to force the COSO framework onto the business as it might not be the correct system for every organisation. In order to increase effectiveness, there must first be an assessment of whether the business in question meets the requirements for the framework. An evaluation of the advantages and disadvantages should also occur to support decision making.