What is the COSO Framework?

Published October 21, 2019 • 2 min read

The COSO (Committee of Sponsoring Organizations) Framework is a framework for designing, implementing and evaluating internal control in organizations, and it underpins their enterprise risk management. It was published as the Internal Control – Integrated Framework (ICIF) and is widely used in the United States. Executive Vice President and General Counsel James C. Treadway, Jr. led the commission that created this framework in conjunction with five private-sector organizations:

  • American Institute of Certified Public Accountants (AICPA)
  • National Association of Accountants (now the Institute of Management Accountants (IMA))
  • American Accounting Association (AAA)
  • The Institute of Internal Auditors (IIA)
  • Financial Executives International (FEI)

Together, these organizations are called the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The goal was to create a framework providing guidance on internal control, so that organizations can establish controls throughout their environment.

What are the Five Principles of COSO Internal Control?

The five principles of COSO Internal Control are Risk Assessment, Control Activities, Information and Communication, Control Environment and Monitoring Activities.

  • Risk Assessment
    • Every organization faces risks: internal or external factors that may keep it from reaching its objectives. Appropriate risk assessment provides reasonable assurance that the organization takes on only those risks that fall within its tolerance.
  • Control Activities
    • Control activities are the actions taken to mitigate risk at all levels of the organization. The COSO Framework helps ensure that the activities undertaken by all members of the organization are those that help the company achieve its goals without taking unnecessary risks.
  • Information and Communication
    • Every organization communicates daily, both internally and externally. The controls described by COSO help ensure that internal and external communications follow best practices and work towards accomplishing the organization’s goals. They also ensure that only appropriate information is shared; internal communication naturally follows a different set of rules than external communication.
  • Control Environment
    • Establishing controls across the environment ensures that standard practices are used throughout the organization. The control environment consists of a set of standards, processes and practices. These standards are overseen and enforced by management in a top-down approach, so that the practices are applied throughout the organization. The guidelines for them are provided by the COSO Framework.
  • Monitoring Activities
    • Ongoing monitoring of all internal control systems, for example through internal audits, is required to ensure the controls are working properly for the organization. Information is gathered and evaluated regularly by regulators and select management, and reports are given to management and the board of directors for ongoing evaluation. External financial reporting is also a critical process here, helping with fraud deterrence.


For more information, see the following links:

COSO Framework – https://reciprocitylabs.com/frameworks/coso-framework-coso-compliance/
Internal Controls – https://reciprocitylabs.com/what-are-internal-controls-and-why-are-they-so-important/
