Intended audience: Anyone needing to measure Internal Control
Solution Store: Click here to access the templates


COSO is a joint initiative to combat corporate fraud. It is dedicated to guiding executive management and governance entities on relevant aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is formed by five private sector organizations:

  • Institute of Management Accountants (IMA)
  • American Accounting Association (AAA)
  • American Institute of Certified Public Accountants (AICPA)
  • Institute of Internal Auditors (IIA)
  • Financial Executives International (FEI)

In 1992, COSO released its Internal Control - Integrated Framework, which has been established as a common internal control model against which companies and organizations may assess their control systems.

The COSO framework defines several key concepts: 

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It's not merely policy, manuals, and forms, but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

The COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations.
  • Safeguarding of Assets (MHA)

The COSO internal control framework consists of five interrelated components derived from the way management runs a business. According to COSO, these components provide an effective framework for describing and analyzing the internal control system implemented in an organization as required by financial regulations. The five components are:

  1. Control environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
  2. Risk assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives and thus risk assessment is the identification and analysis of relevant risks to the achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
  3. Control activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address the risks that may hinder the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
  4. Information and communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. For example, formalized procedures exist for people to report suspected fraud. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders about related policy positions.
  5. Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

Internal control involves human action, which introduces the possibility of errors in processing or judgement. Internal control can also be overridden by collusion among employees (see separation of duties) or coercion by top management.

CFO magazine reported that companies are struggling to apply the complex model provided by COSO. "One of the biggest problems: limiting internal audits to one of the three key objectives of the framework. In the COSO model, those objectives are applied to five key components (control environment, risk assessment, control activities, information and communication, and monitoring). Given the number of possible matrices, it's not surprising that the number of audits can get out of hand." CFO magazine continued by stating that many organizations are creating their own risk-and-control matrix by taking the COSO model and altering it to focus on the components that relate directly to Section 404 of the Sarbanes-Oxley Act.

Key Benefits

Here are the key benefits of the RequirementONE COSO Solution.

Improved Internal Controls

Through being neutral, broadly applicable, vetted by industry, and engaging to stakeholders, the Framework can reduce time and expense by providing an effectiveness measure of the existing internal control program and reduce risk by identifying areas for improvement.


The Framework creates a common language for the discussion of internal control issues that can facilitate internal and external collaboration.

Definitive standard

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls, which has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control.

Mapping Controls and Policies

Individual controls and policies may apply to numerous frameworks. These can be maintained as an interlinked set of procedures to avoid duplication of effort.

A Single Point of Truth

Each compliance element is stored as a record and can be updated, commented, controlled and audited individually. Data is accessible to all stakeholders with no version control issues.

Dependency Linking

All links and interfaces can be defined and maintained, showing dependencies between various policies.


Track the progress of compliance projects. In-line analytics highlight gaps in compliance, traceability of changes and status of compliance efforts.


Internal and External audit teams benefit from a specialized interface with full visibility to review and evaluate procedures.

Typical Use Cases

Here is a typical, but not exhaustive, list of roles and associated use cases that would interact with this solution.

Role and use cases:

  • End users
      • Consume the latest policies
  • Compliance team
      • Use the framework as a guide to implement the relevant controls and policies
  • Internal/external auditor
      • Audit one or more areas
      • Roadmap to achieve or improve internal controls


These apps and templates are used for the solution.

App Template


Getting started


Template: Implementing COSO
Get started:

Description: A plan designed to get you started with COSO Internal Control - Integrated Framework.
Download the Implementing COSO plan from the Solution Store, and assign each task to a member of the team. Follow each step of the plan according to the plan instructions.



Template: COSO Internal Control Principles
Get started:

Description: A specification containing the COSO principles. Use the principles in this specification to ensure that your organization's Policies, Controls and Procedures are fit for purpose.

Download the COSO Internal Control Principles Specification from the Solution Store.

Before you start, edit the Status custom field to reflect the terminology used by your organization.

For each COSO principle, verify that it is accommodated by your organization's Policies, Controls and Procedures. For each one reviewed, set the Status to an appropriate value.

Link relevant Policy, Control and Procedure records to the principle record. Use filters and reporting to identify gaps.


Additional notes

COSO is linked to other frameworks, standards and regulations such as COBIT 5 and SOX. Relevant links have been included as notes.

Questions or Comments?

Respond to this post if you want to comment on the template or ask the author a question.
