KnowledgeLeader Blog

What Are the Five Components of the COSO Framework?

Posted by Sharise Cruz on Fri, Oct 28, 2016 @ 10:00 AM

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control.

The COSO model defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations” 

In an “effective” internal control system, the following five components work to support the achievement of an entity’s mission, strategies and related business objectives.

1. Control Environment

  • Integrity and Ethical Values
  • Commitment to Competence
  • Board of Directors and Audit Committee
  • Management’s Philosophy and Operating Style
  • Organizational Structure
  • Assignment of Authority and Responsibility
  • Human Resource Policies and Procedures

2. Risk Assessment

  • Company-wide Objectives
  • Process-level Objectives
  • Risk Identification and Analysis
  • Managing Change

3. Control Activities

  • Policies and Procedures
  • Security (Application and Network)
  • Application Change Management
  • Business Continuity/Backups
  • Outsourcing

4. Information and Communication

  • Quality of Information
  • Effectiveness of Communication

5. Monitoring

  • Ongoing Monitoring
  • Separate Evaluations
  • Reporting Deficiencies

These components work to establish the foundation for sound internal control within the company through directed leadership, shared values and a culture that emphasizes accountability for control. The various risks facing the company are identified and assessed routinely at all levels and within all functions in the organization. Control activities and other mechanisms are proactively designed to address and mitigate the significant risks. Information critical to identifying risks and meeting business objectives is communicated through established channels up, down and across the company. The entire system of internal control is monitored continuously, and problems are addressed in a timely manner.


About KnowledgeLeader

KnowledgeLeader is the premier resource for internal audit and risk management professionals, provided by Protiviti.

Offering over 1,400 customizable tools and 1,300 articles by industry experts, we offer the most comprehensive service on the market.
