COSO Framework for Internal Controls


COSO Framework for Internal Controls: this article provides a practical explanation of the COSO Framework for Internal Controls. Besides explaining what it is, this article also highlights the changes to the COSO Framework, the COSO Framework principles and a short summary. After reading, you’ll have a basic understanding of this management tool. Enjoy reading!

What is COSO Framework for Internal Controls?

The COSO Framework, also called the COSO model or COSO square, defines the internal control of an organisation – carried out by management – as a process. The process that identifies events that could potentially affect the entity is referred to as Enterprise Risk Management (ERM).

ERM includes the methods and processes that organisations use to manage risk and seize opportunities, ensuring that the company’s objectives are met.


Changes to COSO Framework

The COSO ERM Framework was originally developed in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO developed this framework to help companies identify, assess and improve the control of internal processes.

The importance of internal (risk) management is significant, since the presence or absence of such a management system can determine the quality of the output in the statements of results.

A functioning and accurate internal control process provides the users of the financial statements with a reasonable degree of certainty that the statements of results are correct and can be used in a well-considered decision making process.

In September 1992, COSO released a report entitled “Internal Control – Integrated Framework”, which it revised in 2004. The report gives a common definition of internal control and provides a framework that organisations can use to manage and improve their internal control systems.

Since then, the framework has been used as a standard reference model by many organisations to achieve effective internal control.

COSO Framework principles

COSO’s ERM is based on the principle that every organisation is primarily active in creating added value for its stakeholders. The greater the risk of a decision taken, the higher the return.

In a rapidly changing environment, uncertainty often arises, and this offers both risk and opportunity. ERM enables management to identify, assess and manage these risks.

The COSO internal control framework is generally presented as a cube, because three dimensions of control have been merged into one framework that represents the direct relationship between the three dimensions described below (A, B and C):

Figure 1 – the COSO framework for Internal Controls

A – Control activities (control environment)

1. Internal environment

The management draws up a philosophy with regard to risks and thus indicates the risk appetite of the organisation.

The internal environment provides the basis for the idea of how risks are viewed and how they are anticipated. It is crucial that senior management demonstrates the importance of ERM at all levels of the organisation.

2. Setting objectives

Objectives must be set before management can identify potential events affecting performance and results. ERM ensures that management has a process or tool to set SMART Goals and that the chosen goals are in line with the mission statement of the organisation and consistent with the risk appetite.

3. Identification of events

It is of great importance that the identification of events that may affect the objectives is carried out for both the internal and external environment. This includes events that represent risks and events that may create opportunities. Events that affect both should be handled with extra care.

4. Risk assessment

The risks identified must be analysed before it can be determined how they will be handled. Risks are linked to the objectives they can affect and are assessed on both an inherent and a residual basis.

The assessor should take the weight of each risk, i.e. its impact, into account. Risk assessment is an ongoing process, which means that risk analysis must be performed on a continual basis.

5. Risk control measures

After the risks have been identified and assessed in this part of the COSO Framework, the risk analyst identifies and evaluates possible responses to the risks including avoiding, accepting, reducing or sharing risks. Management selects a series of actions to align risk with the risk tolerance and risk appetite of the organisation.

6. Control measures

Once the risks and the responses to them have been identified, procedures are drawn up or existing policy is adjusted to ensure that the selected risk management measures are carried out carefully and effectively.

7. Information & communication

Relevant information relating to the risks run, the measures taken and the organisational units affected is recorded and communicated to employees at all levels of the organisation. This may take the form of a timetable that enables staff to carry out their responsibilities while respecting the risks.

8. Monitoring

The entire ERM process is monitored and modified if necessary. In a highly dynamic environment, adequate and dynamic action and response is required to limit damage or exploit opportunities.

B – Activities

COSO emphasises that risk management is not strictly a serial process, in which a component only affects the next component, but a multidirectional process in which almost every component may influence another. The process should therefore be applied at all levels of an organisation:

  • The whole of the organisation
  • Organisational divisions
  • Business units
  • Subsidiaries

C – Organisational objectives

Within the framework of COSO, ERM aims to achieve the objectives of an organisation, as set out in the four categories below. Managing the risks within these four categories will create added value for the stakeholders within the organisation because it reflects the risk appetite of the organisation.

1. Strategic

These objectives are set at a high level and are aligned with a company’s mission statement and vision.

2. Operations

These objectives relate to the actions that a company performs to achieve the set goals and are tested for effectiveness and efficiency.

3. Reporting

These objectives reflect the need for reliable reporting within an entity.

4. Compliance

The objectives under compliance refer to the need of an organisation to comply with relevant laws and regulations.

Executive Summary COSO Framework

Organisations operate in an environment where factors such as globalisation, technology, restructuring, changing markets, competition and regulation may create uncertainty. These uncertainties offer both risks and opportunities. COSO’s ERM offers organisations:

  • The ability to manage risks within their risk appetite philosophy
  • Maximum value for stakeholders
  • Certainty and knowledge about risks
  • The ability to prevent business failures and scandals
  • A framework to meet the requirements of laws and regulation
  • Reporting objectives (external financial reporting)


It’s Your Turn

What do you think? Are you familiar with this explanation of the COSO Framework? To what extent do you think active risk identification and management is important for business results? Which of your business processes can contribute to a reliable risk policy?

Share your experience and knowledge in the comments box below.


How to cite this article:
Janse, B. (2018). COSO Framework for Internal Controls. Retrieved [insert date] from Toolshero:

Original publication date: 01/05/2018 | Last update: 11/17/2023

Article by:

Ben Janse

Ben Janse is a young professional working at ToolsHero as Content Manager. He is also an International Business student at Rotterdam Business School where he focusses on analyzing and developing management models. Thanks to his theoretical and practical knowledge, he knows how to distinguish main- and side issues and to make the essence of each article clearly visible.


2 responses to “COSO Framework for Internal Controls”

  1. Georges says:

    Thank you for this interesting article! The evolution of COSO is now COSO 3, more integrated in the company.
