A control framework is a structure that organizes and categorizes an organization's internal controls, the practices and procedures established to create business value and minimize risk.
The framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a commonly used framework for internal controls. The COSO framework is designed to provide a model that corporations can use to run an efficient and well-controlled financial environment.
COSO's main components:
- Internal control environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
According to COSO, these components constitute a viable framework for describing and analyzing an organization's internal control system in a way that conforms to financial compliance regulations. COSO was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting.
IT controls are the subset of internal controls that relate to information technology (IT). IT control frameworks include COBIT (Control Objectives for Information and Related Technology), ISO/IEC 17799 (Code of Practice for Information Security Management) and ITIL (Information Technology Infrastructure Library).
See also: PCI-DSS, enterprise risk management (ERM), compliance, governance, risk and compliance (GRC), GRC software