
What is COSO?

In 1985, five private sector organizations formed a joint initiative to combat fraudulent financial reporting. That initiative is the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is dedicated to helping organizations improve performance by developing thought leadership that enhances internal controls for organizational governance, business ethics, enterprise risk management, fraud, and financial reporting. It has established an internal control model against which organizations may assess their own internal controls. The COSO internal control framework defines internal control as a process, effected by an entity’s Board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.

What Are The Five Components Of The COSO Control Framework?

The five components of COSO, summarized below, are often referred to by the acronym CRIME. They can be thought of as COSO-recommended “high-level control capabilities.” All five components need to be present and functioning effectively to have a sound internal control system.

1. Control Environment is the set of standards, processes, and structures that ensure internal control is carried out across the organization. It is the foundation of all other internal control components. The control environment consists of the integrity and ethical values of the organization, the parameters that enable the Board to carry out its governance oversight responsibilities, the organizational structure and assignment of authority and responsibility, the process of attracting, developing, and retaining competent individuals, and the rigor around performance measures and rewards to drive accountability for performance.

2. Risk Assessment forms the basis for determining how risks will be managed. It involves a dynamic process of assessing risks against the achievement of objectives. It also requires that management consider the suitability of objectives and the impact of possible changes in the external environment and within its own business model that may render internal controls ineffective.

3. Information and Communication enable the organization to carry out its internal control responsibilities. Communication is the continual, iterative process of obtaining, providing, and sharing information from internal and external sources across the company. It enables senior management to clearly communicate that control responsibilities must be taken seriously.

4. Monitoring Activities such as ongoing or separate evaluations, or some combination of the two, are used to demonstrate whether each of the five components is present and functioning. Ongoing evaluations are built into business processes and provide timely information. Separate evaluations are done periodically and vary in scope and frequency depending on management considerations.

5. Existing Control Activities are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks are carried out. They are performed at all company levels, at various stages within the business processes, and over the technology environment. They encompass a range of manual and automated activities:

  • Authorizations and approvals for certain transactions, such as approving an expense reimbursement before payment or a purchase requisition before procurement.
  • Verification, such as a supervisor reviewing reports to check the validity and accuracy of transactions executed by their staff, periodic asset counts, and confirming receivables and payables with the relevant parties.
  • Account reconciliation, such as comparing the total cash balance with the combined individual cash accounts on hand and in banks.
  • Business performance reviews, such as comparing actual revenue and/or expenses against budgets, or monitoring unit or department performance against objectives.
  • Access control, which restricts computer, system, and file access to authorized users (individual accounts and passwords are the most basic mechanism) and holds a named person accountable for custody of cash, supplies, or equipment.
  • Segregation of duties, which is typically built into the design of control activities so that no single person can both initiate and approve, or execute and record, the same transaction. Where segregation is not possible, compensating control activities need to be put in place.
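The access-control and segregation-of-duties items above are the ones most often automated, so here is an added worked example of how such a check is evaluated. This is illustrative code written for this page, not COSO material and not any vendor's product; the roles, business functions, users, conflict rules, and compensating control are all constructed sample data. It shows the two points that matter in practice: conflicts must be evaluated per user across all of their combined roles (two individually clean roles can conflict in combination), and a conflict that cannot be removed must be tied to a documented compensating control or it stays open.

```python
"""Segregation-of-duties (SoD) check over application role assignments.

Added example written for this page; it is not COSO material or any
vendor's code. Roles, functions, users and rules are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Business functions each application role grants (constructed).
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice", "release_payment"},
    "TREASURY": {"release_payment", "reconcile_bank"},
    "READ_ONLY": {"view_reports"},
}

# Function pairs no single person should hold, and the fraud each pair enables (constructed).
SOD_RULES: Dict[FrozenSet[str], str] = {
    frozenset({"create_vendor", "release_payment"}): "fictitious vendor can be paid",
    frozenset({"enter_invoice", "approve_invoice"}): "invoice can be self-approved",
    frozenset({"release_payment", "reconcile_bank"}): "payment can be hidden in the reconciliation",
}


@dataclass(frozen=True)
class Conflict:
    user: str
    functions: FrozenSet[str]
    risk: str
    compensating_control: Optional[str]  # None means the conflict is unmitigated


def effective_functions(roles: Set[str]) -> Set[str]:
    """Union of functions across a user's roles; an unknown role is an error, not a skip."""
    unknown = roles - ROLE_FUNCTIONS.keys()
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    return set().union(*(ROLE_FUNCTIONS[r] for r in roles))


def find_conflicts(
    assignments: Dict[str, Set[str]],
    mitigations: Optional[Dict[Tuple[str, FrozenSet[str]], str]] = None,
) -> List[Conflict]:
    """Evaluate every SoD rule against each user's combined access.

    The check is per user across all roles: each role may be clean on its
    own while the combination violates a rule.
    """
    mitigations = mitigations or {}
    found: List[Conflict] = []
    for user in sorted(assignments):
        funcs = effective_functions(assignments[user])
        for pair, risk in SOD_RULES.items():
            if pair <= funcs:
                found.append(Conflict(user, pair, risk, mitigations.get((user, pair))))
    return found


def unmitigated(conflicts: List[Conflict]) -> List[Conflict]:
    """Conflicts with no documented compensating control; these need remediation."""
    return [c for c in conflicts if c.compensating_control is None]


def conflicting_roles() -> Set[str]:
    """Design-time check: roles that violate a rule by themselves, so every
    holder is in conflict regardless of what else they are assigned."""
    return {r for r, funcs in ROLE_FUNCTIONS.items() if any(p <= funcs for p in SOD_RULES)}


# Constructed sample assignments and documented compensating controls.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"AP_CLERK", "AP_MANAGER"},  # clean roles, conflicting combination
    "bob": {"TREASURY"},                  # conflict inside a single role
    "carol": {"AP_CLERK"},
    "dave": {"READ_ONLY"},
}
SAMPLE_MITIGATIONS: Dict[Tuple[str, FrozenSet[str]], str] = {
    ("bob", frozenset({"release_payment", "reconcile_bank"})):
        "controller independently reviews all bank reconciliations monthly",
}

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_MITIGATIONS):
        status = f"mitigated: {c.compensating_control}" if c.compensating_control else "UNMITIGATED"
        print(f"{c.user}: {sorted(c.functions)} -> {c.risk} [{status}]")
    print(f"roles needing redesign: {sorted(conflicting_roles())}")
```

On the sample data, alice holds two roles that are each acceptable alone but together let her enter and approve an invoice and create and pay a vendor, so she shows two unmitigated conflicts; bob's single TREASURY role is itself in conflict, which the design-time check flags for redesign, and his open conflict is carried with the documented compensating review rather than silently accepted.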


What Are COSO’s 17 Principles Of Effective Internal Controls?

In 2013, COSO updated its Internal Control-Integrated Framework to clearly describe 17 principles of effective internal controls. These guiding principles describe detailed control capabilities to help management design, implement, assess, and remediate their internal controls. Organizations should evaluate their current internal controls against these 17 principles to identify opportunities to improve the effectiveness of their existing control environment capability.

COSO Control framework

Benefits From Implementing The COSO Internal Control Framework

Leveraging the COSO framework to benchmark your current control environment against the 5 components and 17 principles can create valuable benefits for companies of all sizes.

Improved Governance

Poor governance and weak oversight of business performance have led to countless business failures and lost shareholder value. A fundamental goal of COSO is to strengthen the corporate governance function that oversees an organization's security, risk, and compliance programs and ensures adherence to policies, goals, and laws.

Improved Risk Assessments

People often attribute incidents to employee negligence or mistakes. In practice, many incidents trace back to insufficient management controls rather than to the individual who made the error. A proactive, well-structured risk assessment identifies those control gaps before they lead to an incident.

Improved Fraud Detection & Prevention

The COSO framework can help organizations improve their fraud risk management effectiveness. The framework also enables organizations to have controls that first prevent the fraud from occurring, detect fraud as soon as it happens, and respond effectively to fraud incidents when they occur.

Improved Internal Controls

The COSO framework offers companies more effective internal controls to mitigate risks and have the necessary data to support sound decision-making.

Enhanced Application Security

Companies face an onslaught of fraudulent activity, security threats, and other application risks. COSO is not a technical security standard, but its control activities (authorizations, access restriction, segregation of duties, and monitoring) map directly onto application-level controls. Assessing the application control environment against the framework gives organizations a structured way to find and close the gaps that fraud and cyber threats exploit.

Significant Cost Savings

If organizations implement the COSO framework correctly, it will streamline processes, establish more effective internal controls, and better manage risk and compliance costs.

More Positive Attention from Investors

Investors are scrutinizing the performance of public companies more than ever before. If your company adopts the COSO framework, you’ll have a more effective set of risk management controls in place, making your organization more attractive to potential investors and better prepared for an IPO.

Implementing The COSO Framework With Pathlock

Pathlock helps you protect access to all of your applications, business transactions, and data. In addition, we can help you achieve and maintain your audit requirements for evidence of effective internal controls and enable automation to improve control effectiveness and realize significant cost savings.

Contact us today to request a demonstration or to learn more about Pathlock’s control capabilities.
