The COSO Framework Overview
| Component | What It Addresses | Principles |
|---|---|---|
| Control Environment | The tone, culture, and foundation for all other controls | 1–5 |
| Risk Assessment | Identifying and analysing risks to achieving objectives | 6–9 |
| Control Activities | Policies and procedures that mitigate risks | 10–12 |
| Information & Communication | Relevant information identified, captured, and communicated | 13–15 |
| Monitoring Activities | Ongoing assessments of control effectiveness | 16–17 |
Component 1 — Control Environment (Principles 1–5)
The Control Environment is the foundation of all internal control. It encompasses the integrity, ethical values, and competence of the organization's people, as well as management's philosophy, operating style, and organizational structure.
- Principle 1 — Commitment to Integrity and Ethical Values: The board and management demonstrate a commitment to integrity and ethical values through their conduct, communications, and consequences for violations
- Principle 2 — Board Independence and Oversight: The board is independent of management and exercises effective oversight of the internal control system
- Principle 3 — Organizational Structure and Reporting Lines: Management establishes structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives
- Principle 4 — Commitment to Competence: The organization demonstrates a commitment to attracting, developing, and retaining competent individuals in alignment with its objectives
- Principle 5 — Accountability for Internal Control: The organization holds individuals accountable for their internal control responsibilities
Component 2 — Risk Assessment (Principles 6–9)
- Principle 6 — Specify Objectives: Clear objectives must be specified at entity, division, and function levels to enable identification of risks to those objectives
- Principle 7 — Identify and Analyse Risk: Risks to achievement of objectives across the organization are identified and analysed for likelihood and impact
- Principle 8 — Assess Fraud Risk: The organization specifically considers the potential for fraud in assessing risks — an explicit COSO requirement that many organizations inadequately address
- Principle 9 — Identify and Analyse Significant Change: Changes in the external environment, business model, or leadership that could significantly impact internal control are identified and assessed
Component 3 — Control Activities (Principles 10–12)
- Principle 10 — Select and Develop Control Activities: Control activities that mitigate risks to acceptable levels are selected and developed, considering how the controls address the risk, and at what cost
- Principle 11 — Select and Develop Technology Controls: General controls over technology — access management, change management, IT operations — are selected and implemented
- Principle 12 — Deploy Through Policies and Procedures: Control activities are established through policies that set expectations and procedures that carry them out in practice
Component 4 — Information & Communication (Principles 13–15)
- Principle 13 — Use Relevant Information: Quality information is obtained, generated, and used to support the functioning of internal controls
- Principle 14 — Communicate Internally: Internal communication — including objectives and responsibilities for internal control — occurs throughout the organization
- Principle 15 — Communicate Externally: Communication with external parties regarding matters affecting the functioning of internal controls is effective
Component 5 — Monitoring (Principles 16–17)
- Principle 16 — Conduct Ongoing or Separate Evaluations: Ongoing monitoring activities, separate evaluations (internal audit), or a combination of both are used to ascertain whether each of the five components is present and functioning
- Principle 17 — Evaluate and Communicate Deficiencies: Internal control deficiencies are identified and communicated in a timely manner to those responsible for corrective action — including senior management and the board where appropriate
Key Takeaway
The COSO 2013 framework is not a compliance exercise — it is the architecture of organizational integrity. Organizations that genuinely implement all five components and 17 principles build control systems that prevent operational failures, deter fraud, and provide the board with the assurance it needs to fulfill its governance responsibilities. Those that implement it as a paper exercise build control systems that look good until something goes wrong.