
What are the COSO frameworks?

The COSO frameworks are documents that provide guidance on establishing internal controls and enterprise risk management (ERM) programs in organizations. Collectively, the frameworks are designed to help improve organizational performance in areas that include business operations, corporate reporting, regulatory compliance and risk management. They're intended to be used as planning and implementation guides, primarily by boards of directors, senior executives, risk leaders and audit teams.

The frameworks were developed by the Committee of Sponsoring Organizations of the Treadway Commission, which is commonly known as COSO. Founded in 1985, COSO is a private sector body that's jointly sponsored by five professional associations: the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Internal Auditors, and the Institute of Management Accountants.

COSO currently offers two frameworks: one focused on internal controls and the other on ERM. The COSO internal control framework is a model for creating and implementing controls in business processes to help an organization achieve its operational, reporting and compliance objectives. Similarly, the COSO enterprise risk management framework offers a high-level blueprint for developing ERM strategies and processes.

Despite some risk-related overlaps, the two frameworks are meant to be distinct and complementary. The internal control framework incorporates risk assessment as a core component but with a limited focus on operational risks and ones that stem from reporting or compliance issues. In contrast, the ERM framework focuses more broadly on integrating risk management into strategic planning and business decision-making. Its goals are to create a culture of risk awareness in an organization and ensure that risk management becomes a core tenet of internal processes at every level.

In addition to the internal control and ERM frameworks, COSO offers a guide on creating fraud risk management programs that was published in 2016 and updated in 2023. It's working to develop a third framework focused on corporate governance in collaboration with the National Association of Corporate Directors. A draft of the corporate governance framework was released for public comment in May 2025 and then withdrawn two months later. COSO said it would "evaluate the extensive feedback … and engage further with stakeholders" before releasing a revised draft at an unspecified future date.

Figure: cube diagram detailing the COSO internal control framework's five components and the 17 principles associated with them.

Overview of the COSO internal control framework

The internal control framework, introduced by COSO in 1992 and updated in 2013, is detailed in a publication titled "Internal Control -- Integrated Framework." As mentioned previously, the framework guides organizations in designing, implementing and evaluating internal control systems. It includes five core components and a set of 17 principles associated with them. In the document, COSO uses a cube diagram to visualize the relationship between the five components, the three categories of objectives addressed by the framework and an entity's organizational structure.

At a higher level, the framework aims to enable organizations to develop controls that can adapt to changing business environments, mitigate risks to acceptable levels and support effective decision-making and governance processes. In addition to the framework itself, COSO has published supporting documents on applying it in specific business areas. For example, a publication with guidance on using the framework to help govern the use of robotic process automation technology was released in 2024, and one on implementing internal controls for sustainability reporting was issued in 2023.

The 5 components of the COSO internal control framework

The following are the internal control framework's five components, which are supposed to be implemented in an integrated way:

  1. Control environment. The control environment is a set of organizational standards, processes and structures that serve as the foundation for an internal control system. It details expected business practices and standards of conduct. This helps ensure that the business is run in a responsible way and adheres to reporting and regulatory compliance requirements. Individual elements of the control environment include the organization's commitment to business integrity and ethical values; oversight of the internal control system by the board of directors; designated internal control authority and responsibilities; and performance metrics, incentives and rewards to drive accountability for effective controls in the organization.
  2. Risk assessment. Risk is an inherent part of doing business: Every organization faces various internal and external business risks that can result in adverse consequences. To avoid business problems, organizations commonly adopt risk management plans to help them identify and respond to relevant risks. Risk assessment is a key aspect of deciding how to manage and control risks. In this component of the framework, an organization's management specifies business objectives and establishes processes for identifying and analyzing potential risks that could affect the ability to achieve those objectives. Internal or external business changes that could reduce the effectiveness of internal controls also must be assessed.
  3. Control activities. Control activities are also tied to risk management efforts. They're actions to help mitigate risks that an organization spells out in its internal control policies and procedures. Control activities can be put in place at all levels of the organization, both in business processes and IT environments. They can also be a combination of manual and automated actions for things such as authorizations, approvals, verifications and reviews of business performance.
  4. Information and communication. Relevant internal and external information is delivered to senior management to support oversight of the internal control system and ensure that it's functioning effectively. Similarly, processes are established for both internal and external communications. Inside an organization, a communication plan must be designed to provide clear messages about internal control responsibilities and expectations. External communication measures should ensure that information about internal controls is shared with outside parties in adherence to legal and regulatory requirements.
  5. Monitoring activities. Monitoring is also an important part of the COSO internal control framework. Monitoring activities can include a combination of ongoing evaluations built into business processes and periodic ones scheduled at regular intervals. As part of the monitoring process, an internal control system is measured against regulatory requirements, recognized industry standards and internal policies. At a minimum, internal auditors examine whether employees are adhering to established internal controls. In public companies, however, it's common for an outside auditor to evaluate the organization's regulatory compliance. In either case, the audit results are typically reported to management and the board of directors.

How is this framework used?

The COSO internal control framework is widely used by publicly traded companies because it can help them more easily meet their financial performance forecasts and their reporting and compliance obligations. However, the framework has also been adopted by private companies, government agencies and nonprofit organizations that see it as a tool to improve internal accountability and reduce the risk of improper or fraudulent actions by employees.

Overall, the framework is designed to create a system of internal controls that gives senior management and the board of directors reasonable assurance about an organization's ability to achieve its objectives in the three covered categories. For example, effective internal controls in business processes can help an organization meet its operational objectives without introducing unnecessary business risks.

Overview of the COSO ERM framework

First published in 2004, the COSO ERM framework was significantly revised in 2017, as outlined in an updated document titled "Enterprise Risk Management -- Integrating with Strategy and Performance." The first version of the framework included eight interrelated components, but the revision reduced that to five. The updated framework also calls for organizations to consider risk management when setting business strategies and driving organizational performance instead of dealing with it separately or as an afterthought. By adhering to the ERM framework, organizations should be in a better position to identify, evaluate and manage potential risks that could affect business operations.

The ERM framework's components contain 20 principles that describe risk-related practices, which organizations can apply in different ways. A "Compendium of Examples" supplement published in 2018 provides fictional case studies of framework implementations by entities in different industries and regions to illustrate how its principles might be applied. As with the internal control framework, COSO has also released documents on applying the ERM framework in particular business areas. The most recent from 2024 involves managing risks associated with alternative data from nontraditional sources. Other documents address AI, cloud computing, cyber-risk and compliance risk management.

The 5 components of the COSO ERM framework

These are the enterprise risk management framework's components:

  1. Governance and culture. This sets the tone for how an organization views and deals with risks. Management and board-level oversight responsibilities for risk management are established, along with operating structures for implementing the ERM program. The organization should also define ethical values and desired employee behavior related to ERM and promote an understanding of relevant business risks and the importance of managing them effectively. Hiring or developing capable risk managers is another facet of this component.
  2. Strategy and objective-setting. Before an organization can begin to manage risks at the enterprise level, it needs to define its business strategy and objectives and then align the ERM initiative with them. As part of the strategic planning process, a risk appetite is defined to influence day-to-day risk decisions. But risk management policies must be carefully weighed against business goals to ensure that the organization doesn't become so risk-averse that it's unable to accomplish its objectives.
  3. Performance. This component involves how ERM processes are performed in an organization, from risk identification to reporting the results of risk management efforts to key stakeholders. After risks are identified, they need to be assessed and prioritized based on their severity and the organization's risk appetite statement. Risk and business leaders then decide how to respond to different risks. In some cases, they might want to avoid risks altogether. In others, they could take steps to reduce risks or just accept them. The framework recommends adopting a portfolio view of risks to help coordinate the management process and risk reporting tasks.
  4. Review and revision. Risk management procedures don't always work as expected or remain valid forever. In this component, an organization reviews its business performance and its ERM program's effectiveness. Based on the results, it then decides whether the program needs to be revised and what changes to make to improve risk management capabilities. The potential effect of significant changes on business strategy and objectives should be assessed upfront to ensure that ERM initiatives remain aligned with organizational goals.
  5. Information, communication and reporting. Ideally, an organization should never make risk management decisions in a vacuum. This component aims to ensure that risk decision-makers get the information they need to make informed decisions. The required information can come from both internal IT systems and external sources. Communication channels also must be established to distribute the information and support ERM practices across the organization. Broader reporting on risks and the ERM program's performance should be included, too.

How is this framework used?

Like the internal control framework, the ERM one has been adopted by various types of organizations. But it's most widely used by publicly traded companies looking to improve the odds of a favorable business outcome when taking risks. The framework's components and associated principles are designed to provide a reasonable expectation that an organization understands the risks related to its business strategy and objectives and is working to manage them effectively.

A key aspect of using the ERM framework is applying it to consider alternative business strategies and their risks before deciding which ones to pursue. As the framework document notes, each strategy option has its own risk profile with potential business implications. Creating an ERM program based on the framework can help senior management and the board choose the strategies that best align with an organization's risk appetite and its business mission, strategic vision and core values.

What are the benefits and limitations of the COSO frameworks?

The following are some of the business benefits of using the COSO frameworks:

  • Uniform business processes. Implementing one or both of the frameworks helps ensure that individual business processes are performed uniformly based on a standardized set of controls. Among other types, these might be regulatory controls as part of the internal control framework or controls related to risk reduction specified under the ERM framework. Well-designed controls can help improve operational performance, while also reducing business risks.
  • Improved fraud detection. Another benefit of using the frameworks is that an organization is often in a better position to detect fraudulent activity, whether it's perpetrated by cybercriminals, employees, customers or business partners. Because the frameworks focus on risk mitigation and adherence to established best practices, vulnerability to fraud or other malicious actions can be significantly reduced.
  • Increased business efficiency. Carefully crafted internal controls and risk management procedures also help make business operations more efficient, which can reduce costs and make an organization more profitable.
  • Better business performance. Ultimately, both frameworks aim to ensure that organizations can achieve their business objectives and that the benefits of internal control and ERM programs outweigh the investments in them.

Despite their benefits, the COSO frameworks do have some limitations. Most significantly, they can be difficult to implement for two main reasons.

First, both frameworks have a relatively broad scope. This enables them to be relevant to a wide variety of organizations, but it also means that they lack detailed prescriptive guidance for users.

The way the frameworks are organized can also complicate implementations. Certain processes could conceivably fall into two or more of their components. Sometimes, the opposite is true, and internal processes don't align well with any of the components. As a result, organizations might have to make some tough decisions when implementing the frameworks.
