What is the COSO Framework?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), a voluntary private-sector initiative, was established in 1985 to improve business performance and governance through effective internal control, enterprise risk management (ERM) and fraud deterrence. In 1992, COSO developed the Internal Control-Integrated Framework, a model for evaluating internal controls. The COSO framework has been adopted as the universally accepted model for internal control and is widely regarded as the definitive standard against which organizations determine the effectiveness of their systems of internal control. This framework was revised and reissued in 2013.
COSO’s definition of internal control is, “a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance of the achievement of objectives relating to operations, reporting and compliance.”
COSO’s three categories of objectives are defined as follows:
- Operations objectives, focus on the effectiveness and efficiency of your business operations, which includes performance goals and protecting assets against fraud
- Reporting objectives, relates to timeliness, transparency and reliability of the organization’s reporting habits, pertaining to internal and external financial reporting, as well as non-financial reporting
- Compliance objectives are internal control objectives that ensure compliance with laws and regulations that the entity must adhere to
In addition, the COSO framework includes 17 principles along with 87 related points of focus. In an effective internal control system, there are five integrated components which work to support the achievement of a company’s mission, strategies and related organizational objectives:
- Control Environment
- Demonstrates commitment to integrity and ethical values
- Exercises oversight responsibility
- Establishes structure, authority and responsibility
- Demonstrates commitment to competence
- Enforces accountability
- Risk Assessment
- Specifies suitable objectives
- Identifies and analyzes risk
- Assesses fraud risk
- Identifies and analyzes significant change
- Control Activities
- Selects and develops control activities
- Selects and develops general controls over technology
- Deploys through policies and procedures
- Information and Communication
- Uses relevant information
- Communicates internally
- Communicates externally
- Conducts ongoing and/or separate evaluations
- Evaluates and communicates deficiencies
The “COSO Cube” illustrates the relationship between all aspects of an efficient internal control system. The columns consist of the three objective categories (operations, reporting and compliance). The rows represent the five components. The third dimension of the cube forms your organizational structure.
The COSO framework is applicable to the board of directors, senior management, other management and personnel, internal auditors, independent auditors, other professional organizations and educators.
What are the requirements for COSO?
In order to completely implement the COSO framework, an organization must have an effective system of internal control. An effective system of internal control requires that:
- Each of the five components of internal control and relevant principles is present and functioning seamlessly
- The five components are smoothly integrated and operating in unison
To fully apply COSO’s Internal Control-Integrated Framework, an organization must implement the 17 principles, using the points of focus as a guide and customizing as necessary. Although the framework is broad and meant to be adjusted per organization, one way or another, all 17 principles should be implemented.
The Sarbanes-Oxley Act (SOX) is associated with COSO, due to the fact that SOX 404 compliance requires management at public companies to select an internal control framework and then assess and report on the design and operating effectiveness of their internal controls annually. Many publicly traded companies have chosen the COSO framework to do this. Additionally, when achieving SOC 1 or SOC 2 compliance, companies can use the COSO framework to meet their requirements.
COSO compliance is voluntary for organizations that don’t need to comply with a related regulation, such as SOX.
Why should you be COSO compliant?
Cyber attacks against all sectors are growing in number every year, increasing the pressure on senior executives and board members to adopt effective solutions and comply with constantly changing, complex regulations.
Implementing the COSO framework is intended to guide organizations in designing and implementing internal control. According to COSO, its model equips companies with the necessary tools to efficiently and effectively develop and maintain systems of internal control that can enhance the probability of achieving the company’s objectives and adapt to changes in the business and operating environments. If an entity is proven to have an effective system of internal control, it assures that they:
- Maintain efficient and effective operations
- Understand the extent to which operations are managed efficiently and effectively
- Prepare reports to conform with applicable regulations, rules and standards or with the organization’s specified reporting objectives
- Comply with applicable regulations, rules, laws and external standards
For organizations that must comply with SOX, implementing a “suitable framework” to comply with internal controls of financial reporting is a must. Virtually every public company has adopted the COSO framework to achieve compliance. Choosing not to follow the framework, risks a letter from the U.S. Securities and Exchange Commission (SEC), as well as not optimizing your internal control efficiency and effectiveness, putting your business at greater risk.
How to achieve compliance?
The security landscape has grown dramatically in recent years, particularly following the massive digital transformation and wide-scale adoption of remote work, intensified by COVID-19.
Whether you’re looking to comply with the COSO framework out of obligation or simply to secure your business, you almost always need to implement all 17 controls (there are rare exceptions). However, implementation requires extensive knowledge of the principles and which of the related points of focus are relevant to your company, along with understanding how to customize them further to your unique needs. There’s no one size fits all and it can be difficult to determine the correct path for your organization.
Centraleyes makes it possible to dramatically reduce the chances of a successful attack, and lower the costs associated with one by enabling cyber risk teams to methodically manage the organization’s internal and external risks. For organizations, this is critical as they must be able to reassure their customer base, regulators, employees and shareholders that their sensitive data is secure at all times.
The Centraleyes integrated risk management platform empowers you to implement the COSO framework in accordance with your unique needs, streamlining the implementation process and simplifying everything an organization needs to manage their COSO requirements in one platform.
With smart questionnaires mapped to the COSO principles and points of focus, a quantified scoring system, and benchmarking tools to track and compare progress over time, Centraleyes effortlessly guides you through the entire implementation process.
Internal Control Guidance and Thought Papers
The 2013 COSO Framework & SOX Compliance
COSO Internal Control – Integrated Framework: Executive Summary, Framework and Appendices, and Illustrative Tools for Assessing Effectiveness of a System of Internal Control (3 volume set)