COSO internal control framework: What it is & how to use it (2024)

January 18, 2023

Internal controls are an essential part of risk assessment and management. But it isn’t always easy to incorporate internal controls into business processes. The COSO Internal Control Framework gives organizations a strategic path forward.

This framework helps businesses embed internal controls and internal controls management software in their day-to-day activities. When used effectively, it assures shareholders and the board that the organization meets ethical and security standards.

Organizations that do adopt the COSO Internal Control Framework can also be more efficient, more secure, and, ultimately, more resilient as the risk landscape evolves.

What Is the COSO Internal Control Framework?

The COSO Framework helps organizations connect their internal controls to their business processes. It reaches back to 1992, when the Committee of Sponsoring Organizations (COSO) met to create a more significant relationship between the risk and business landscapes. Several private sector organizations also contributed to the framework, including:

  • American Accounting Association
  • American Institute of Certified Public Accountants
  • The Institute of Management Accountants
  • Financial Executives International
  • The Institute of Internal Auditors

In 2013, they updated the COSO Framework to include a diagram of the relationship between all elements of internal controls. They edited it again in 2017 with the enterprise risk management framework, demonstrating how to prioritize risk and establish a connection between risk and business performance.

COSO’s Definition of Internal Control

According to the COSO definition, internal control is a process designed to provide reasonable assurance with regard to achieving operations, reporting and compliance objectives. Boards of directors, management and other relevant personnel should oversee this process on an ongoing basis.

5 Components of the COSO Internal Control Framework

The five components of the COSO Framework establish the key areas where organizations need to work towards compliance.

The five components are:

1. Control Environment

In the control environment, organizations should verify that their business processes meet industry risk standards by testing all controls. This ensures that all activities are done responsibly, reducing an organization’s legal liability. Organizations should also work to meet all regulatory compliance requirements.

2. Risk Assessment and Management

Risks are inevitable. That doesn’t mean organizations should ignore them. Businesses can minimize the possible harm by assessing the risks that currently face their organization and putting a plan in place to manage and mitigate those risks. This process should be ongoing or even automated so that organizations can identify new risks as they emerge.

3. Control Activities

Control activities are integral to risk management, ensuring that all business activities tie back to internal controls. Those controls should both support business performance and reduce the organization’s risk exposure.

4. Information and Communications

An organization’s communications also need to follow strict requirements. Various legal, ethical and industry standards apply to internal and external communications. Privacy policies and other application controls are examples of how organizations can apply controls to communication processes.

5. Monitoring

Risks evolve, as do organizations’ systems, software and processes. Monitoring ensures that these changes don’t expose the organization to new risk. An internal auditor is usually responsible for this, but external auditors often monitor organizations in relation to regulatory compliance. Both auditors ultimately report to the board of directors.

How Do Organizations Use the COSO Framework?

The COSO Framework establishes how the organization will complete all business processes. This embeds risk management into all parts of the organization, facilitating legal and regulatory compliance. Once all controls are in place, the framework also prioritizes monitoring, which helps organizations verify that all internal controls are followed and that they can stay ahead of emerging risks.

Benefits and Limitations of the COSO Framework

While the COSO Framework does create a strategic path forward for risk management, it also has its limitations that organizations should be aware of.

These are three key benefits organizations can expect by following the COSO Internal Control Framework:

  1. Standardizes Business Processes: When organizations implement the COSO Framework, they also standardize how their teams do business. This improves the organization’s efficiency and centralizes data while also reducing risk.
  2. Stay Ahead of Risks: 42% of businesses with revenue between $1 billion and $10 billion experienced cybercrime in the last year — the COSO Framework positions organizations to stay ahead of these risks using best practices.
  3. Reduce Costs: When all teams follow the same set of internal controls, business becomes more efficient. Many organizations that follow the COSO Framework act more strategically, which allows them to reduce costs over time.

As effective as the COSO Framework can be, it can also be restrictive in the following ways:

  • Challenging to Implement: The COSO Framework is broad by design. While this allows many different types of organizations to follow the framework, it lacks specific guidance on implementing and maintaining the framework over a longer period. Organizations may struggle to adopt the framework, especially if they don’t already have an effective risk management strategy.
  • Rigid Structure: The COSO Framework has a particular structure. Many organizations could fall into multiple categories within the framework, making it difficult for businesses to identify the best path forward for their teams.

Use an Audit Checklist to Master Your Internal Controls

The COSO Internal Control Framework provides valuable insight into how risk management should look. But it doesn’t prescribe what an organization should do day-to-day to maintain that framework. The internal audit committee needs to operate on an always-on basis, but it can be challenging to prioritize risks, track remediations and develop reports on risk and revenue opportunities.

Diligent’s Internal Audit Checklist helps teams take a step beyond the COSO Internal Control Framework and develop a more robust audit infrastructure. It breaks internal audit into four key steps, each with a checklist to guide internal audit teams on their way to a more secure program. Download the checklist to learn more.

Author: Zonia Mosciski DO