COSO Framework: What it is and How to Use it

COSO Framework: What it is and How to Use it

Use this simple guide to the COSO framework to develop a strong, effective internal control system.

Weak internal controls are responsible for almost half of all fraud, according to the Association of Certified Fraud Examiners (ACFE).

So how do you ensure your system isn't making your organization an easy target for fraud? Use a model designed by experts to design and implement your internal controls. One of the most commonly-used frameworks was written by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

This simple guide to the COSO framework outlines how you can use it to develop a strong, effective internal control system.

Download our free cheat sheet for helpful tips on workplace fraud prevention.

What is COSO?

COSO is a committee composed of representatives from five organizations:

  • American Accounting Association
  • American Institute of Certified Public Accountants
  • Financial Executives International
  • Institute of Management Accountants
  • Institute of Internal Auditors

Together, the COSO board develops guidance documents that help organizations with risk assessment, internal controls and fraud prevention. Their vision is to "be a recognized thought leader in the global marketplace on the development of guidance in the areas of risk and control which enable good organizational governance and reduction of fraud."

RELATED: Corporate Fraud Prevention: The Ultimate Guide

What is the COSO Framework?

The original COSO framework was developed in 1992, with the most recent version published in 2013. To understand the framework, you must understand what it covers. According to COSO, internal control:

  • Focuses on achieving objectives in operations, reporting and/or compliance
  • Is an ongoing process
  • Depends on people's actions, not merely written policies and procedures
  • Provides assurance senior management of security to a reasonable degree
  • Can be adapted to the needs of the whole organization as well as each department, unit or process

Internal Control Goals

The COSO framework divides internal control objectives into three categories: operations, reporting and compliance.

Operations objectives, such as performance goals and securing the organization's assets against fraud, focus on the effectiveness and efficiency of your business operations.

Reporting objectives, including both internal and external financial reporting as well as non-financial reporting, relate to transparency, timeliness and reliability of the organization's reporting habits.

Compliance objectives are internal control goals based around adhering to laws and regulations that the organization must comply with.

Internal Control Components

The COSO framework further teaches that there are five components to an internal control system. First, control environment is the "set of standards, processes, and structures that provide the basis for carrying out internal controls across the organization." This component includes your:

  • Ethical values
  • Organizational structure
  • Commitment to employing competent employees
  • Human resources policies

Next, risk assessment involves your organization's analysis of the risks posed by internal and external changes, the ability to establish objectives and determine their suitability for your business and the process for weighing risks versus risk tolerances.

Control activities are the tasks and activities (laid out by organizational policies and procedures) that help you achieve your internal control objectives. These include actions such as "authorizations and approvals, verifications, reconciliations, and business performance reviews."

The information and communication component recognizes these two things as essential to any internal control system. COSO stresses the importance of relevant and high-quality information to control functions. Internal messages emphasizing the importance of control responsibilities, in addition to clear communication of expectations with external parties, is key to a strong system.

Finally, monitoring your internal controls is just as important as establishing them. Use ongoing evaluations built into your business processes as well as regular separate evaluations, which will vary based on your level of risk, system effectiveness and regulation requirements.

coso cube

Internal Control—Integrated Framework (Framework), © [2013] Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

The "COSO Cube"

The image of the cube shows the relationship between all the parts of an effective internal control system.

The columns are the three objective categories (operations, reporting and compliance). The rows consist of the five components. Your organizational structure fits into the third dimension of the cube.

The framework also lists 17 principles you should apply to meet your organization's internal control objectives, divided by component.

Developing Your Organization's Internal Control System

The COSO framework explains that "an effective system of internal control reduces, to an acceptable level, the risk of not achieving" objectives. When developing your system, make sure that:

  • All five components are present and working properly
  • The five components work together as an integrated system
  • It allows the organization to predict external circumstances that could impair the achievement of your objectives and prepare for them appropriately
  • It follows reporting regulations, rules and standards
  • It complies with applicable laws, regulations, etc.

COSO recognizes that, while its framework should help you design a fraud-deterring system of internal controls, it's not without limitations. For example, even the strongest system can't prevent human error, bad judgement and external events that are beyond your control.

Find out how case management software can help you conduct more effective fraud investigations with our free eBook.

Using the COSO Framework

After reading the COSO framework, senior management and other decision-makers in your organization should use it to assess your current internal control system.  Does your system meet all of the effectiveness standards? If not, make plans on how to improve it according to COSO's model.

Lower-level managers and employees should also familiarize themselves with the COSO framework. Offer suggestions based on the document to senior management. Put together a committee of employees at all levels to brainstorm ideas for a stronger internal control system.

In addition, every employee should take their role in preventing fraud seriously. Conduct your work in a way that supports the COSO framework. For example, follow anti-fraud policies without exception and always file timely, accurate reports.

COSO Framework Limitations

The COSO framework is a great place to start when designing or modifying a system of internal controls. However, it is not without limitations.

For instance, the framework is intentionally broad in order to apply to a wide array of industries and processes. This feature can be problematic, though, for "more complex businesses (e.g., those with varied operations and complex data systems)", according to experts from East Carolina University.

They also mention that "proper execution of the COSO framework is dependent on the ability to establish a strong, formal control environment; however, the framework provides minimal implementation guidance." Small businesses and startups may feel overwhelmed and unsupported, leading them to use a model with a more detailed framework instead.

In addition, the COSO framework is not designed well to deal with objectives that fall under multiple categories. Not every task fits neatly into either operations, reporting or compliance. Risk management expert Matthew Leitch wonders, "what about financial reporting that must be reliable to be compliant? Where do you draw the line between data processing for doing business and data processing for financial reporting?"

If you're looking to create a system of internal controls or improve upon your current one, the COSO framework is one worthy option. Read through the executive summary to see if it's a good fit for your organization.


Internal Control—Integrated Framework (Framework), © [2013] Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.