What Are the 5 Components of the COSO Framework?

Published 01/29/2019
Workflow Automation for Compliance

In 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) formed to sponsor the National Commission on Fraudulent Financial Reporting. COSO's original goal, to study the causal factors behind fraudulent financial reporting, broadened over time as technology became embedded in financial and operational processes and as internal control and risk management matured as disciplines. In 2017, COSO updated its enterprise risk management framework, positioning risk management as part of an organization's DNA rather than a discrete, disconnected function within the company.

How the COSO Framework Enables Organizations of All Sizes

Rather than taking a "one size fits all" approach to enterprise risk management (ERM), the COSO Framework allows for variability from one organization to the next. A PwC podcast describes how COSO deliberately avoids checklists and prescriptive guidance. For organizations looking to scale, COSO therefore provides an ERM approach that is not written as a set of "best practices" but as a way to weave risk management through every organizational function.

What are the 5 Components of the COSO ERM Framework?

The 2017 COSO ERM framework groups its principles into five interrelated components that together support the achievement of an entity's mission, strategy, and related business objectives. Note that these are the components of the ERM framework; they are distinct from the five components of COSO's 2013 Internal Control - Integrated Framework (control environment, risk assessment, control activities, information and communication, and monitoring activities), which is the framework most often used for SOX and financial reporting controls. The five ERM components are:

  • governance and culture
  • strategy and objective setting
  • performance
  • review and revision
  • information, communication, and reporting

How to Manage Governance and Culture

COSO defines governance as the board's oversight of ERM and management's responsibility for carrying it out, while culture covers ethical values, the behaviors expected to ensure integrity, and a shared understanding of risk across the organization.

  • The Board of Directors is the starting point for risk oversight and is ultimately accountable for approving and periodically reviewing the organization's risk appetite and tolerance levels.
  • Organizations need to review the risks inherent in their daily operations and the ways those can change.
  • Companies need to define core values that align with their risk tolerance.
  • Operating style and management’s conduct must align to core values.
  • Management needs to align human resource development and retention to the core values.

How To Set Strategy and Objectives

This component ties risk assessment to strategy: it starts with business objectives, then sets plans and risk responses based on the organization's risk appetite.

  • Understanding the business context, including the expectations of internal and external stakeholders, is the first step.
  • Organizations must create a risk appetite statement that becomes integrated across the organization’s business decisions.
  • Companies need to recognize that risk assumptions change and create plans to respond to those.
  • Management should set cross-functional objectives aligned with the risk appetite.

How to Evaluate Performance

Once risks have been identified and their potential impact assessed, organizations need to prioritize them, choose responses, and report on the results.

  • The risk identification process requires an ongoing review that looks at emerging and not-yet-known risks.
  • Scenario analysis that embeds quantitative and qualitative analysis enables stronger risk mitigation.
  • Organizations need to prioritize their risk responses based on criteria such as adaptability, complexity, velocity, persistence, recovery, and other variables.
  • Management should weigh business context, cost-benefit analysis, risk severity, and risk appetite when selecting a risk response. COSO's ERM framework names five response categories: accept, avoid, pursue, reduce, and share (the last two are often called mitigate and transfer).
  • Management and the Board of Directors need to review risk interdependencies arising out of integrated business solutions.

How to Review and Revise Strategies

As part of continuous monitoring, organizations should review performance and revise appropriately.

  • All business processes need to be monitored for changes that open performance gaps or invalidate critical assumptions.
  • Workforce members whose roles include risk management responsibilities must ensure that their business processes stay aligned with the risk appetite.
  • Organizations need to review and update the ERM program regularly, not only after an incident or audit finding.

Information, Communication, and Reporting

ERM depends on communicating internally and externally to obtain and share the information that shapes risk appetite and strategy.

  • Information systems can enable better interdepartmental communications.
  • Risk data should be shared with internal and external stakeholders.
  • The Board of Directors needs to review a variety of reports that encompass risk, culture, and performance.

How to Leverage COSO’s Integrated Framework

COSO centers on a company's own objectives. Rather than following a prescriptive checklist, organizations using the COSO Internal Control - Integrated Framework can tailor a system of internal control to their unique needs.

COSO released a Compendium of Examples, authored by PwC, in June 2018. Rather than offering case studies that read as "best practices," the Compendium presents nine illustrative implementations that show how different organizations have applied the framework's principles in their own way.

The COSO Integrated Framework starts from a company's particular position within its industry. At a more granular level, each organization must also take into account its own operating environment.

Thus, a company must align its system of internal control with its own definitions of risk and value.

How to Create an Internal Control Framework

The COSO ERM framework focuses on embedding risk in every organizational decision. Rather than treating risk mitigation as a single department segregated from business activities, it makes risk appetite a driver throughout the company.

Risk professionals need to articulate the benefits of ERM and obtain support from their Board of Directors. Securing board support requires a common language for describing risk. The planning process then covers not only the strategy but also the assignment of roles and responsibilities to workforce members.

Risk professionals need to identify and adopt tools that let them create an agreed-upon risk classification system. After establishing risk benchmarks, they can assess the risks inherent in business operations. Once the company's risk appetite is set, they can review existing internal control activities to determine whether those controls bring each risk within appetite.

To embed risk management throughout organizational activities, risk managers need to evaluate the effectiveness of the control environment and recommend improvements.

Resiliency requires the organization not only to monitor and review risk performance but also to strengthen internal control over areas with identified weaknesses.

How ZenGRC Enables COSO Compliance

A continuous monitoring program that supports continuous compliance and continuous auditing produces a robust enterprise risk management program and gives auditors reasonable assurance over the control environment.

ZenGRC's system of record makes continuous auditing and reporting easier. By streamlining the workflow, organizations can reduce email back-and-forth while keeping track of outstanding tasks. Its unified control management feature also lets organizations map controls across multiple frameworks, standards, and regulations to determine where compliance gaps exist. This mapping enables a consistency that leads to stronger audit outcomes.

ZenGRC's workflow shows task managers the date on which a vendor provided a response and its current status. These details mean that compliance managers no longer need to spend time chasing responses from the organization's many vendors.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.