COSO Framework
The COSO Framework is a structured, five-component model for designing and evaluating internal controls within an organization. Developed by the Committee of Sponsoring Organizations of the Treadway Commission in the early 1990s and updated in 2013, COSO has become the global standard for how companies think about control design, particularly for Sarbanes-Oxley compliance and broader enterprise risk management. It provides a common language for control assessment: control environment, risk assessment, control activities, information and communication, and monitoring.
For the public body that regulates auditors, see PCAOB.
Origins: The Treadway Commission
The story of COSO begins with the financial scandals of the 1980s. In response, the National Commission on Fraudulent Financial Reporting (known as the Treadway Commission) was formed in 1985 to investigate the causes of financial statement fraud and recommend safeguards. The commission issued its report in 1987, concluding that weak internal controls and inadequate management oversight were endemic.
To operationalize the Treadway recommendations, five sponsoring organizations—the American Institute of CPAs, the American Accounting Association, Financial Executives International, the Institute of Internal Auditors, and the National Association of Accountants—jointly formed COSO in 1992 to develop a common control framework. The result, Internal Control—Integrated Framework, became the gold standard.
When Sarbanes-Oxley mandated that companies assess and disclose internal control effectiveness in 2002, regulators pointed to COSO as the framework to use. The PCAOB endorsed it. The SEC endorses it. Today, any large company building a control system uses COSO’s language.
The five components
COSO organizes controls into five overlapping, interdependent categories:
1. Control Environment
This is the foundation—the tone at the top and the cultural infrastructure. Does the CEO and CFO prioritise integrity and compliance, or do they tacitly accept rule-bending to hit targets? Are employees trained on ethical expectations? Does the organization have a code of conduct? Are consequences enforced?
The control environment also encompasses governance structures: does the audit committee meet regularly and challenge management? Are internal audit resources adequate? Control environment is not a procedural control—it is the bedrock on which all other controls rest. A company with weak control environment—one where management overrides controls and tone from the top is permissive—cannot fix that with better spreadsheet reconciliations or automated approvals.
2. Risk Assessment
Management identifies the risks that could distort financial reporting and evaluates their likelihood and potential impact. A company with volatile foreign exchange exposure faces currency risk in revenue and payables. A company with complex revenue contracts (e.g., a software firm with long-term service agreements, multiple pricing components, and variable deliverables) faces revenue recognition risk.
Risk assessment is forward-looking. It asks: what could go wrong? What transactions, estimates, or ledger balances are most prone to error or manipulation? Once risks are identified, the company designs controls to address them. If inventory valuation is a key risk, the company might establish a control that requires cost of goods sold to be compared to physical inventory counts quarterly. If payroll is a risk (e.g., because of complex bonus structures), controls might include segregated approvals for bonus accruals and IT controls that prevent unauthorized employee additions.
3. Control Activities
These are the actual mechanisms: approvals, authorizations, reconciliations, segregation of duties, and system validations. They exist at multiple levels.
Entity-level controls apply across the organization. Examples include a policy that all journal entries above $50,000 require dual approval, or a rule that no individual can both authorize a purchase and receive the goods.
Process-level controls are specific to a business cycle. In the sales-to-collection cycle, controls might include: the approval of credit limits, the matching of purchase orders to invoices to receiving reports before payment (three-way match), and the timely followup on overdue accounts.
System controls (IT controls) ensure that data is accurate and secure. An example is a control that prevents a user from both creating and approving a transaction in an ERP system.
Control activities are where most compliance resources are spent: designing workflows, documenting approvals, automating validations, training personnel. Yet the PCAOB and internal auditors emphasize that control activities alone cannot succeed without a strong control environment and proper monitoring.
4. Information and Communication
For controls to work, information must flow correctly. Transactions must be captured in the accounting system accurately and on time. Accounts must reconcile to source systems. A receivable payment must be matched to the correct invoice.
Communication is equally critical. Finance leadership must communicate to the accounting team what controls are expected. The audit committee must communicate governance expectations to management. Internal audit must communicate findings to leadership. If people do not understand the control, they will not execute it.
This component also covers the segregation of duties: if one person can both create a vendor and approve payments to that vendor (resulting in fraud), the system has failed to inform the second approver of the risk. A control is only as good as the people operating it and their understanding of why it exists.
5. Monitoring
Monitoring ensures that controls are designed well and are actually operating. There are two forms:
Ongoing monitoring: Day-to-day supervisory review. A manager who reviews the daily transaction log and flags unusual items is monitoring. A system that sends an alert when a particular user approves unusually large transactions is monitoring.
Periodic assessment: A formal review of control design and operation, often done quarterly or annually. This might include testing of controls, root cause analysis of control failures, and updates to control design as business changes.
Internal audit typically performs much of the formal periodic assessment. They test whether controls actually prevented errors; they document control failures and recommend improvements. The results of monitoring feed back into the other components: if monitoring reveals that controls are not operating, management reassesses risk, updates the control activity, and improves communication.
The integrated nature of COSO
The five components are not independent. They are interlocking. A strong control environment enables employees to operate control activities with integrity. Risk assessment ensures that controls address the right risks. Control activities mitigate risk. Information and communication allows control activities to function. Monitoring identifies gaps and drives continuous improvement.
COSO visualizes this as a three-dimensional cube: the five components on one axis, organizational entities (divisions, business units, subsidiaries) on another, and objectives (financial reporting, operations, compliance) on a third. This highlights that COSO is not just about financial statement controls—it applies to operational controls (did the company execute the strategy?) and compliance controls (did the company follow laws and regulations?). However, for Sarbanes-Oxley purposes, most focus is on financial reporting controls: the subset of COSO that keeps balance sheets, income statements, and cash flow statements accurate.
The 2013 update
COSO released an updated framework in 2013, keeping the five components intact but clarifying principles and adding new guidance for enterprise risk management. The 2013 version emphasizes:
- Principle-based approach: Rather than prescriptive checkboxes, organizations should apply COSO principles to their specific context.
- Judgment and experience: Control design requires professional judgment; there is no one-size-fits-all template.
- Scalability: COSO applies to small companies and large ones; the depth of control sophistication scales with organizational complexity and risk.
- Technology: Increasing use of IT in controls; cloud systems, data analytics, and automation change how controls operate.
The 2013 version also explicitly addressed enterprise risk management (ERM): the broader discipline of identifying and managing business risks (not just financial reporting risks). Many companies now use COSO as the framework for both financial controls and broader ERM initiatives.
Practical adoption and pitfalls
In practice, COSO compliance often devolves into documentation and checkboxes. A company creates a control matrix mapping risks to controls, documents the controls, and has auditors test them. This is necessary but insufficient. Over-documentation can obscure weak control environment or sloppy risk assessment. A company might have a binder full of controls that are well-documented but not actually operating—controls that exist on paper but are bypassed in real life.
The PCAOB and top internal auditors emphasize that COSO is a framework for thought, not a checklist. True COSO implementation means:
- Honest risk assessment: Not sugarcoating known risks to avoid control expense.
- Tone from the top: No amount of procedural control will prevent a determined CFO from lying.
- Regular monitoring: Not just annual testing but ongoing supervisory review.
- Continuous improvement: Controls evolve as the business changes; stale controls are control failures.
See also
Closely related
- Internal control over financial reporting — what COSO is used to design and assess
- PCAOB — the auditor that verifies COSO implementation for public companies
- Sarbanes-Oxley Act — the law that mandates COSO-based control assessment
- Audit committee — the board group responsible for control environment
- Risk assessment — the COSO component identifying threats to financial reporting
- Control activities — the COSO mechanisms that mitigate risk
Wider context
- Financial statement — the outputs COSO controls protect
- Balance sheet — subject to COSO control assessment
- Income statement — also subject to control assessment
- Revenue recognition — typically high-risk under COSO frameworks
- Accounts receivable — major control focus
- Fraud — what COSO controls aim to prevent or detect
- 10-K — where COSO control assessment is disclosed