
What Is the COSO Framework? Deconstructing the Jargon (+ How to Implement the Framework in 5 Steps)


The Association of Certified Fraud Examiners (ACFE) reports that weak internal controls are responsible for almost half of fraudulent activity.

With this in mind, how do you ensure your business isn’t an easy target for fraud?

The Committee of Sponsoring Organizations (COSO) designed a framework in 1992 to help businesses build a strong and effective internal control system for fraud protection. Since its inception, the framework has expanded to cover risk management and governance along with fraud deterrence.

In this FAT FINGER article, you’ll learn what the COSO framework is (including the COSO cube and pyramid), along with the five principles of this framework. You’ll then learn how you can implement the COSO framework in five easy steps. 

  • What is the COSO framework?
  • What are the 5 principles of the COSO internal control framework?
  • The benefits of the COSO framework
  • How to implement the COSO framework in 5 steps 

Let’s jump straight in!

What is the COSO framework?

The COSO framework is a system that ensures organizations operate ethically, transparently, and in alignment with industry standards. The framework provides a solid system of internal controls to effectively guide businesses to understand business risk, especially regarding fraud deterrence.

COSO is an acronym that stands for the Committee of Sponsoring Organizations. The framework was created in 1992, and then later updated in 2003 (to include the COSO cube which we’ll touch on later in this article). The creation of the framework was led by Executive Vice President and General Counsel James Treadway, along with several other private organizations including:

  1. American Accounting Association 
  2. Financial Executives International 
  3. The Institute of Internal Auditors 
  4. American Institute of Certified Public Accountants

The Committee of Sponsoring Organizations of the Treadway Commission was initially established to sponsor research into the causes of fraudulent financial reporting. Today, the mission of the COSO framework has expanded to…

“…help organizations improve performance by developing thought leadership that enhances internal control, risk management, governance, and fraud deterrence.”

COSO, Welcome to COSO

The COSO guidelines are non-mandatory, yet the framework provided is effective for the assessment and improvement of risk management and internal control systems. Corporate scandals – caused by deficient risk management and internal controls – have created an environment where the appropriate guidance is welcomed.

The COSO pyramid 

In 1992, the COSO framework was represented by a pyramid. This pyramid laid out the five tenets of COSO control components. These five principles are:

  1. Control environment 
  2. Risk assessment 
  3. Control activities 
  4. Information and communication 
  5. Monitoring activities 

We’ll discuss these principles in more detail later.

What’s good about this pyramidal design is that it shows the completion of one level naturally leads to the completion of the next. Each level works together to support the overall risk management mission, strategy, and related business objectives. 

The COSO cube 


The COSO framework was later updated to replace the pyramidal design with a cube. This rework came about because the original framework was considered too simplistic and lacking in direction, which meant companies found it difficult to implement effective control systems.

New guidelines were established in 2013 and were referred to as the 2013 COSO Framework. This framework gave companies new tools to help them design and implement a risk management model, changing the COSO pyramid to the cube. 

The COSO cube incorporates 77 points of focus. These are split across 17 new characteristics, which are organized under the five original principles detailed in the COSO pyramid. This redesign has given a more granular model.

What are the five principles of the COSO Internal Control framework?


To help you further understand the COSO framework, let’s look at the model’s five guiding principles.

Principle #1: Risk assessment 

Risk is inevitable in a business. Risk can be external or internal and can prevent a company from reaching its objectives. Risk assessments ensure businesses are acknowledging relevant risk items. Assessments also provide reasonable assurance that a business is managing risk to an acceptable level.

Principle #2: Control activities 

Control activities come in response to the risk items identified. These are steps taken to mitigate risk across an organization. The COSO framework ensures that the control activities applied are effective for the company, and help a business achieve its goals, eliminating unnecessary risk.

If you read our recent article ERM: How to Protect Your Business with Enterprise Risk Management, you’ll know that there are five response strategies for treating organizational risk. 

Risk can be avoided, reduced, transferred, accepted, or shared with another party (usually an insurance company); alternatively, different actions are introduced to move away from the risky processes currently in place.

Principle #3: Information and communications 

The information and communication principle prevents inappropriate sharing of information. COSO controls within this principle help organizations develop communications that follow best practices and contribute to the overarching company objectives. Different control measures are used depending on the communication type.

Controls provided by the COSO framework ensure productive communication. This means using consistent language and following best practices when sharing the appropriate levels of information with the right stakeholders. 

Communications occur across formal management business reviews, employee meetings, and informal chats and emails.

Principle #4: Control environment 

The entire organization must adhere to standard practices. This means controls are implemented in every business unit. Management needs to enforce the rules and procedures adopted from the COSO framework. 

A top-down approach is used to drive the COSO framework throughout an organization. Standards, processes, and procedures are overseen and enforced by upper management. 

Principle #5: Monitoring activities 

Once the COSO framework is implemented, it needs to be regularly monitored to verify that the controls are functioning as they should. Internal audits gather information and metrics that are later evaluated by regulators and management. 

The reports yielded from ongoing evaluations are given to the board of directors. The board can then use this information with external financial reports to reduce the risk of fraud and increase investor confidence. 

Keeping these five principles in mind, let’s look at the 17 characteristics that work to support the implementation of each: 

  1. Risk assessment:
    1. Company-wide objectives are set, 
    2. Process-level objectives are set, 
    3. Risk is identified and analyzed, 
    4. Change is managed effectively.
  2. Control activities:
    1. Policies and procedures are followed, 
    2. Business security is improved, 
    3. An effective change management strategy is applied, 
    4. Business continuity and backups are planned, 
    5. Outsourcing of business risk is considered. 
  3. Information and communications:
    1. The quality of information is measured, 
    2. The effectiveness of communications is determined.
  4. Control environment: 
    1. Integrity and ethical values are exercised, 
    2. A commitment to competence is made, 
    3. An audit committee is established and used along with the board of directors, 
    4. Organizational structure is created, 
    5. Management philosophy and operating style is facilitated, 
    6. Authority and responsibility are assigned, 
    7. Human resource policies and procedures are utilized.
  5. Monitoring activities: 
    1. Ongoing review and monitoring is applied, 
    2. Separate evaluations are conducted, 
    3. Deficiencies are reported.

The benefits of the COSO framework

One of the primary benefits of using the COSO framework is that it helps businesses perform their processes in a uniform manner, as designated by the set of internal controls. These controls aim to reduce risk and ensure processes abide by industry standards, which reduces the risk of non-compliance.

Another benefit is that an organization that fully employs the COSO framework is in a better position to detect fraudulent activity. Because the COSO framework focuses on risk mitigation and adherence, best practices are established and vulnerabilities are reduced significantly.

Finally, the COSO framework encourages users to document their business processes to create more efficient operations. This helps reduce business costs, ultimately making businesses more profitable. 

How to implement the COSO framework in 5 steps

To implement the COSO framework, use the five steps detailed below. 

Step #1: Planning 

To set your COSO framework plan in motion, you need a team behind you. Designate an implementation team, which would include managers and specialists. You’d also want an audit and compliance committee that’ll ensure your internal control systems are compliant.

Your designated team is charged with developing an implementation plan that details the scope, timeframe, resource allocation, and staff responsibilities for your internal control system. Use the five components of COSO to inform the design and functions of this system before presenting your plan to the board of directors. 

Step #2: Evaluation and documentation 

The more documentation and coordination there is, the easier it will be to analyze compliance against the COSO guidelines. 

The control structure of the organization needs to be evaluated by asking the following questions: 

  1. Is the control system centralized?
  2. Is there a formal and documented enterprise risk management process?

It’s also a good idea to document every operation in your organization, with special regard to your financial processes. This way, you have full transparency over how your business is run, allowing you to compare your processes to the COSO framework standards. With this comparison, you can identify gaps between the organization’s practices and the principles outlined in COSO. 

FAT FINGER is a great tool that can help you here. Keep reading to find out how you can document your business operations using the FAT FINGER platform. 

Step #3: Remediation 

The next phase is to remediate the identified gaps highlighted in the evaluation and documentation phase. This involves creating and implementing a remediation plan and prioritizing the identified vulnerabilities according to the risk they pose. This remediation plan should include targets and timeframes for implementation.

Step #4: Testing and reporting 

The testing and reporting phase involves the designation and testing of procedures for controls that are identified as critical, to ensure these controls are effective. The tests need to account for the description of the control and the type of risk that is to be mitigated. 

Teams will need an understanding of how the controls work. The controls will also need to be monitored, and any data obtained needs to be analyzed.

Step #5: Internal control optimization

Controls can be further developed and altered to better meet the organization’s needs while taking into account the required functions of the controls – reconciliation, supervision, and verification. 

Teams can design controls that are preventative, detective, or corrective, depending on when they occur in a process. Some controls might be automated, some manual, and some a bit of both.

When a control failure is detected, it needs to be carefully studied to ensure a proper remediation strategy is applied. 

FAT FINGER can also assist you in this step as we’ll discuss below. 

Use FAT FINGER to help you implement the COSO framework

FAT FINGER is a no-code process documentation tool that can assist you during step #2 and step #5 of the COSO framework.

  1. Step #2: You can document any business operation using FAT FINGER’s easy drag-and-drop checklist builder. Use FAT FINGER’s features such as Conditional Logic, GPS Location, and Alert Triggers to add the complexity you need into your operations. Documenting your operations gives you the process transparency you need to effectively evaluate your business processes against the COSO framework, and identify gaps between current operations and the practices and principles outlined in COSO.
  2. Step #5: Internal controls and testing are time-consuming and expensive processes. FAT FINGER shifts organizations towards a continuous monitoring system. Using FAT FINGER’s Alert feature means processes can be monitored in real-time as they’re run. Alerts can be set as process control features to optimize business internal control.


If you’re looking to create a system of internal controls, or to improve your current system, then the COSO framework is a worthy option. Use the COSO framework along with FAT FINGER to identify internal control problems and consistently prepare accurate and timely financial statements.