Browse Definitions :

COSO cube

The COSO cube is a diagram that shows the relationship among all parts of an internal control system. Aside from showing how these parts are connected, it also identifies a number of principles an organization should follow to meet their internal control objectives.

The COSO cube is a part of a control framework generally called the COSO framework. It was created by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. COSO is made up of representatives from five different organizations: the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Management Accountants and the Institute of Internal Auditors. Together, they develop guidance documents to aid organizations with risk assessment, internal controls and fraud prevention.

The COSO framework was originally conceived in 1992, and later updated in 2013 and 2017. The 2013 updated framework contains the COSO cube. The framework was developed to help organizations reach objectives related to operations, reporting and compliance. The purpose of internal control is to ensure these objectives are achieved. This process is normally implemented by an organization's board of directors, management and other personnel. For years, the 2013 framework was considered a gold standard for applying and testing internal controls.

The COSO cube

While the 1992 framework was proficient at evaluating existing controls, it wasn't comprehensive. The 2013 version addressed this with the addition of the COSO cube, which focused on the design and implementation of a risk management framework. The COSO cube replaced the previous framework principle image that was shaped like a pyramid.

The cube is made up of a number of columns and rows that visualize internal control systems. Columns of the cube make up the three objective categories. The rows in the cube are the five components. On the third dimension is organizational structure.

The three objective categories found in the columns consist of operations, reporting and compliance. In the image, this is normally the top side of the cube.

The five components found in rows on the front face of the cube include -- from top to bottom -- the control environment, risk assessment, control activities, information and communication as well as monitoring activities. The control environment is a set of standards, processes and structures that form internal control. Risk assessment forms the basis for which risk is managed -- in both internal and external environments. Control activities are the preventative and detective policies, procedures and standards that aid management in mitigating risks. Information and communication relate to information gained that can support internal control components. Monitoring activities include consistent evaluations verifying that each of the five components of internal control are present and are working correctly.

The organizational structure is the hierarchy of an organization. On the right side of the cube -- from left to right -- an organization's entity level, division, operating unit and function are displayed. Each may be affected by business unit activities, function controls and business-level controls.

The 17 principles

The COSO framework also outlines 17 principles an organization should adopt in order to reach its internal control objectives. Framework principles fall within each component of the COSO cube: five principles for the control environment, four for risk assessment, three for control activities, three for information and communication, and the last two for monitoring activities.

Control environments principles include:

  • commit to integrity and ethical values;
  • exercise oversight responsibility;
  • establish structure and reporting lines;
  • demonstrate a commitment to competence; and
  • enforce accountability.

Risk assessment principles include:

  • specify suitable objectives;
  • identify and analyze risk;
  • assess fraud risk; and
  • identify and analyze significant changes.

Control activity principles include:

  • select and develop control activities that mitigate risk;
  • select and develop control activities involving technology; and
  • deploy control activities through specific policies and procedures.

Information and communication principles include:

  • use relevant information;
  • communicate internally; and
  • communicate externally.

Monitoring activity principles include:

  • conduct ongoing or separate evaluations; and
  • evaluate and communicate deficiencies.

The updated COSO framework

The COSO framework was updated in 2017, with a name change to "Enterprise Risk Management -- Integrating with Strategy and Performance." The update focuses on ERM and more heavily considers risk in processes and performance management. Along with the update, the graphic changed from a cube to a helix structure. Organizations that abide by the previous COSO framework aren't required to change to the new one. The COSO cube can continue to be useful to organizations since it still provides a framework for improving risk management and internal control. An understanding of the COSO cube provides a fair amount of background knowledge for the 2017 version of the framework as well.

The helix-shaped graphic for the COSO ERM framework represents how risk management principles are integrated throughout an organization's lifecycle.

The helix is based on five components, each supported by multiple principles. Ideally, by following COSO's updated graphic, organizations will be able to implement and enforce its principles, leading to improved performance in ERM initiatives.

The five components shown in the helix include:

  • Governance and culture -- which establish the oversight for ERM.
  • Strategy and objective-setting -- which form a strategic-planning process.
  • Performance -- which identifies risks that affect strategic-planning processes. This should also include a way to highlight and respond to apparent issues.
  • Review and revision -- which focus on reviewing organization performance to determine how ERM components are functioning and if any changes should be made.
  • Information, communication and reporting -- which focus on gathering and sharing information as necessary, typically from internal and external sources.

Twenty principles support the five components, which should lead organizations to understand and manage risks and business objectives.

This was last updated in July 2020

Continue Reading About COSO cube

  • cloud-native network function (CNF)

    A cloud-native network function (CNF) is a service that performs network duties in software, as opposed to purpose-built hardware.

  • microsegmentation

    Microsegmentation is a security technique that splits a network into definable zones and uses policies to dictate how data and ...

  • Wi-Fi 6E

    Wi-Fi 6E is one variant of the 802.11ax standard.

  • MICR (magnetic ink character recognition)

    MICR (magnetic ink character recognition) is a technology invented in the 1950s that's used to verify the legitimacy or ...

  • What is cybersecurity?

    Cybersecurity is the protection of internet-connected systems such as hardware, software and data from cyberthreats.

  • Android System WebView

    Android System WebView is a system component for the Android operating system (OS) that allows Android apps to display web ...

  • privacy compliance

    Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or ...

  • contingent workforce

    A contingent workforce is a labor pool whose members are hired by an organization on an on-demand basis.

  • product development (new product development -- NPD)

    Product development, also called new product management, is a series of steps that includes the conceptualization, design, ...

  • talent acquisition

    Talent acquisition is the strategic process employers use to analyze their long-term talent needs in the context of business ...

  • employee retention

    Employee retention is the organizational goal of keeping productive and talented workers and reducing turnover by fostering a ...

  • hybrid work model

    A hybrid work model is a workforce structure that includes employees who work remotely and those who work on site, in a company's...

  • Salesforce Trailhead

    Salesforce Trailhead is a series of online tutorials that coach beginner and intermediate developers who need to learn how to ...

  • Salesforce

    Salesforce, Inc. is a cloud computing and social enterprise software-as-a-service (SaaS) provider based in San Francisco.

  • data clean room

    A data clean room is a technology service that helps content platforms keep first person user data private when interacting with ...