COSO Framework. History. Components and Principles

Aug 8, 2022 by Eduyush Team

COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. It is a framework that organizations can use to manage enterprise risk.

The COSO framework is a widely recognized reporting standard for internal auditing and business processes. It was developed by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO, in 1992.

The Framework guides how to conduct an effective internal audit and improve organizational governance. In 2013, COSO released an updated framework that reflected changes in business practices and regulatory requirements.

Organizations that adhere to the COSO framework can enhance their enterprise risk management and control processes and demonstrate compliance with regulations.

History of COSO

In 1985, COSO was created to sponsor the National Commission on Fraudulent Financial Reporting. Its charge was to study and report on the factors leading to fraudulent financial reports.

It was motivated by yet another intense period in which financial reporting fraud and alleged audit failures were prominent in the news. Since this initial undertaking, COSO has expanded its mission to improving the quality of external financial reporting. A significant part of this mission is developing guidance on systems of internal control. COSO published the Internal Control-Integrated Framework in 1992, which provided businesses and other entities with tools for evaluating the effectiveness of their internal control systems.

The COSO framework identifies five components of internal control:

  1. Control environment
  2. Risk assessment
  3. Control procedures
  4. Information and communication
  5. Monitoring

Today these remain unchanged from the 1992 Framework, a testament to the fundamental soundness of the COSO Framework. However, the level of detailed guidance has increased over the years, driven by the more recent widespread implementation of the Framework in the business environment and a desire to apply COSO principles consistently.

The Current COSO Framework

The revised COSO Framework (2013) replaces the 1992 and 2006 guidance and documents. Those prior publications will be considered superseded after December 15, 2014. Some critical elements of the new guidance include:

  • Retention of the five essential components: control environment, risk assessment, control activities, information and communication, and monitoring.
  • Identification of 17 principles that are deemed essential to the five components.
  • Clear expectations that the elements of internal control work together in an integrated way.

The COSO Framework identifies five main components of internal control, and one of the keys to working with it is understanding how these components relate to and influence one another.

COSO envisions these individual components as being tightly integrated in a nonlinear fashion.

What are the five components of the COSO framework?

The COSO Framework is composed of five interrelated components, which are, briefly:

  1. Control environment. Providing discipline and structure, the control environment is the foundation for all other internal control components. Senior management must set an appropriate tone at the top that positively influences personnel's attitudes towards authority, their work performance and, more generally, their ethical behaviour (i.e., how they treat people).
  2. Risk assessment. The entity must identify risks in order to manage them. It should set objectives and integrate them throughout its activities so that it operates as a cohesive unit, with an awareness of financial reporting vulnerabilities at every step.
  3. Control activities. Control policies and procedures must be established to ensure that transactions are processed as they occur day to day, such as sales or expense reporting; they should also apply to regular period-end accounting activities such as accruals and consolidations. These help the organization keep its accounts receivable ledgers complete and accurate, because all related activities are recorded accordingly. A transaction may occur at any time during an accounting period, even one that arises from a customer making purchase orders known via email.
  4. Information and communication. Any organization needs information and communication systems that enable the people within the enterprise to share necessary data. Today these can be implemented through automated (computer) methods or manual procedures, depending on what is most efficient for each particular business's needs, but they always include internal governance channels as well as external contacts such as shareholders and investors.
  5. Monitoring. The COSO Framework requires management to regularly monitor the company's internal control process. If issues arise, they should be communicated appropriately within the organization so that it can react dynamically when conditions change, without needing special procedures or independent audit findings.

What are the 17 principles of the COSO framework?

Control Environment

  1. Demonstrates commitment to integrity and ethical values
  2. Exercises oversight responsibility
  3. Establishes structure, authority, and responsibility
  4. Demonstrates commitment to competence
  5. Enforces accountability

Risk Assessment

  1. Specifies clear objectives
  2. Identifies and analyzes risk
  3. Assesses fraud risk
  4. Identifies and explores significant changes

Control Activities

  1. Selects and develops control activities to mitigate risks
  2. Determines and develops information technology general controls
  3. Deploys controls through policies and procedures

Information and Communication

  1. Uses relevant information
  2. Communicates internally
  3. Communicates externally

Monitoring

  1. Conducts ongoing and separate evaluations
  2. Evaluates and communicates deficiencies


The COSO framework is a widely recognized standard for internal auditing and control processes. Released in 2013, the updated Framework reflects changes in business practices and regulatory requirements.

Adhering to the COSO framework can enhance an organization's risk management and compliance posture.

If you're looking to learn more about how to apply the COSO framework, the AICPA has a variety of courses available. Speak to our teams at +919643308079 to learn more.
