What You Need To Know About COSO Framework

Published on : 24 Nov 2020


The 2013 COSO Framework is a model designed to evaluate the internal controls and processes of an organization. The framework is widely adopted by a large number of organizations globally to ensure the effectiveness of their internal controls.

It provides insight into industry best practice and offers a benchmark for evaluating operational effectiveness and efficiency, as well as the reliability of financial reporting. The COSO framework outlines how you can use it to build strong and effective internal control systems for your organization.

In today’s article, we focus on the 17 principles of the COSO Framework, which detail a set of standards, processes, and structures that provide the basis for organizations to implement effective internal controls across the organization. But before we move on to the principles, let us first understand a bit more about the COSO Framework.

What is the COSO Framework?

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a committee comprising representatives from five organizations, namely the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Management Accountants, and the Institute of Internal Auditors.

With the aim of helping organizations improve their internal controls and prevent fraud, the committee developed the COSO Framework in 1992, with the most recent version published in 2013. The framework acts as a guide that helps organizations implement an effective risk assessment process and internal controls.

Objectives of COSO Framework

The COSO framework was developed to bring efficiency to business operations and compliance. The framework divides internal control objectives into three main categories:

  • Operations – Focuses on the effectiveness and efficiency of your business operations. In practice, this means ensuring controls are in place and designed effectively to deliver services on time. It also means setting realistic goals for the organization’s operational and financial performance and securing assets against risk.
  • Reporting – Focuses on ensuring the transparency, timeliness, and reliability of the organization’s reporting systems and processes, which include both internal and external financial and non-financial reporting.
  • Compliance – Focuses on setting internal controls that align with the industry standards and regulations the organization must comply with and that your clients care about.

Key focus areas of the 2013 COSO Framework

Risk Assessment
  1) Defining risk assessment concepts related to inherent risk and risk tolerance, designing risk management, and implementing risk assessment and control activities.
  2) Identifying potential risks and developing risk mitigation strategies for achieving organizational objectives.

Outsourced Service Providers (OSPs)
  1) Considerations related to OSPs are included in the framework and are outlined in 12 of the 17 principles.
  2) Management is required to determine how OSPs are monitored.

Information Technology
  1) Considerations related to IT are included in the framework and are outlined in 14 of the 17 principles.
  2) Use of data analytics to assist in continuous monitoring within the system of internal control.
  3) Requirements for ensuring data integrity.

17 Principles of the COSO Framework

In 2013, the COSO Committee updated the original version of its internal control framework and integrated the 17 principles into it. The updated framework explicitly describes every principle, making it easier for companies to implement them in their systems. The COSO framework’s 17 principles of effective internal control are:

Control Environment

  • Demonstrates commitment to integrity and ethical values – The organization is expected to demonstrate a commitment to integrity and ethical values by establishing standards of conduct and evaluating adherence to them.
  • Exercises oversight responsibility – The board of directors is expected to demonstrate independence from management and exercise oversight of internal control responsibilities.
  • Establishes structure, authority, and responsibility – Management is expected to establish structures, reporting lines, and appropriate authorities and responsibilities in line with organizational objectives and standards.
  • Demonstrates commitment to competence – The organization is expected to demonstrate a commitment to developing and retaining competent individuals in alignment with objectives.
  • Enforces accountability – The organization is expected to hold individuals accountable for their internal control responsibilities in line with the objectives.

Risk Assessment

  • Specifies suitable objectives – The organization is expected to specify objectives with sufficient clarity to enable the identification and assessment of risks.
  • Identifies and analyzes risk – The organization is expected to identify risks to the achievement of its objectives and determine how those risks should be managed.
  • Assesses fraud risk – The organization is expected to consider the potential for fraud when assessing risks to the achievement of its objectives.
  • Identifies and analyzes significant change – The organization is expected to identify and assess changes that could significantly impact the system of internal control.

Control Activities

  • Selects and develops control activities – The organization is expected to select and develop control activities that mitigate risks to the achievement of objectives to acceptable levels.
  • Selects and develops general controls over technology – The organization is expected to select and develop IT control activities that support the achievement of objectives.
  • Deploys through policies and procedures – The organization is expected to develop and deploy policies and procedures in line with the objectives.

Information & Communication

  • Uses relevant information – The organization is expected to obtain or generate and use relevant information to support the appropriate functioning of internal control.
  • Communicates internally – The organization is expected to communicate internally the information, including objectives and responsibilities for internal control, necessary to support the appropriate functioning of internal control.
  • Communicates externally – The organization is expected to communicate with the third parties it engages regarding matters affecting the functioning of internal control.

Monitoring Activities

  • Conducts ongoing and/or separate evaluations – The organization is expected to perform ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
  • Evaluates and communicates deficiencies – The organization is expected to evaluate internal control deficiencies and communicate them promptly to the third parties responsible, ensuring corrective action is taken as appropriate.

The 17 principles outlined in the COSO Framework help establish a strong foundation for sound internal control within the organization. Implementing the framework helps an organization proactively address and mitigate potential and significant risks. Further, implementing internal control in line with the framework ensures constant monitoring and prompt handling of problems. The principles are broad enough to apply to all types of business activities and complement other industry standards, facilitating compliance with and adherence to industry regulations.

Send us a message or call us at +1-415-513-5261; we will help your organization maximize performance and reduce risk.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting, and certification services, which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, and PDPB, to name a few. The company has for years (since 2004) worked with organizations across the globe to address the regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.