COSO Framework

By Brien Posey

What is the COSO Framework?

The COSO Framework is a system used to establish internal controls to be integrated into business processes. Collectively, these controls provide reasonable assurance that the organization is operating ethically, transparently and in accordance with established industry standards.

COSO is an acronym for the Committee of Sponsoring Organizations. The committee created the framework in 1992, led by James Treadway Jr., Executive Vice President and General Counsel, along with several private sector organizations, including the following:

American Accounting Association
Financial Executives International
The Institute of Internal Auditors
American Institute of Certified Public Accountants
The Institute of Management Accountants (formerly the National Association of Cost Accountants)

The COSO framework was updated in 2013 to include the COSO cube, a 3-D diagram that demonstrates how all elements of an internal control system are related. In 2017, the committee introduced its COSO Enterprise Risk Management (ERM) Framework. The COSO ERM Framework aims to help organizations understand and prioritize risks and create a strong link between risk, strategy and business performance.

What are the five components of the COSO Framework?

Here are the five components of the COSO framework:

Control environment. The control environment seeks to make sure that all business processes are based on the use of industry-standard practices. This can help ensure that the business is run in a responsible way. It may also reduce an organization's legal exposure if the organization is able to prove that its business processes are all based on industry-standard practices. Additionally, the control environment can help with making sure that an organization is adhering to regulatory compliance requirements.

Risk assessment and management. Risk assessment and management -- which is sometimes referred to as enterprise risk management -- is based on the idea that risk is an inherent part of doing business. However, those same risks can sometimes cause a business to suffer adverse consequences. As such, organizations commonly adopt risk management plans that help them identify risks and either reduce or eliminate the risks deemed to pose a threat to the organization's well-being.

Control activities. Control activities are also tied to the concept of risk management. They are essentially internal controls that are put in place to make sure that business processes are performed in a way that helps an organization meet its business objectives without introducing unnecessary risks into the process.

Information and communications. Communications rules are put in place to make sure that both internal and external communications adhere to legal requirements, ethical values and standard industry practices. For example, private sector organizations commonly adopt privacy policies establishing how customer data can be used.

Monitoring. At a minimum, monitoring is performed by an internal auditor who makes sure that employees are adhering to established internal controls. However, in the case of public companies, it is relatively common for an outside auditor to evaluate the organization's regulatory compliance. In either case, the audit results are usually reported to the board of directors.

How is the COSO Framework used?

The COSO Framework is heavily used by publicly traded companies and accounting and financial firms. The framework seeks to put internal controls in place that formalize the way in which key business processes are performed. This helps organizations adhere to legal and ethical requirements, while also focusing on risk assessment and management. In addition to integrating such controls into key business processes, the framework places a heavy emphasis on monitoring and reporting, especially as it relates to using internal auditors to monitor adherence to established controls.


What are the benefits and limitations of the COSO Framework?

One of the primary benefits of implementing the COSO Framework is that it helps business processes to be performed in a uniform manner according to a set of internal controls. Depending on how these controls are designed, they can improve efficiency while also reducing risks.

Another benefit is that an organization that fully employs the COSO Framework is often in a better position to detect fraudulent activity, whether that activity is perpetrated by cybercriminals, customers or trusted employees. Because the framework focuses on risk mitigation and adherence to established best practices, vulnerabilities can be significantly reduced.

Finally, some organizations find that when they implement carefully crafted internal controls, it helps them make existing business processes more efficient. This can help reduce costs and make the organization more profitable.


Despite the benefits associated with implementing the COSO Framework, it is not without its limitations. The most significant of these limitations is that the framework can be difficult to implement for two main reasons. First, the framework is relatively broad in scope, which means that it can be applied to a wide variety of organizations and processes. But this broad scope also means that the framework lacks a significant amount of prescriptive guidance.

The second limitation that can make the framework difficult to apply is its organizational structure. The COSO Framework is broken into a series of rigid categories. Organizations often find that there are certain processes that could conceivably fall into multiple categories, or that do not align well with any of the categories. As such, organizations will often have to make some tough decisions when implementing the framework.

This was last updated in October 2021
