Understanding the COSO Internal Control-Integrated Framework

The most widely used framework for internal control assessments is from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Many public companies also rely on the framework to assess the effectiveness of internal control over external financial reporting (ICEFR) under Sarbanes-Oxley (SOX) section 404.

Three factors within COSO’s Internal Control-Integrated Framework make it easier to design and evaluate the effectiveness of internal control:

  • Inclusion of internal control principles. Seventeen principles explain concepts associated with the five internal control components. Each of the five components of internal control and relevant principles must be present and functioning.
  • Consideration of business changes. The framework includes guidance for assessing risk and updating related controls that consider how business may have changed, particularly through outsourcing of business processes and reliance on information technology.
  • Beyond financial reporting. Objectives are expanded beyond financial reporting, to include internal and non-financial external reporting.

Framework principles

There are seventeen COSO principles by component:

Control environment:

  • Demonstrates commitment to integrity and ethical values
  • Exercises oversight responsibility
  • Establishes structure, authority, and responsibility
  • Demonstrates commitment to competence
  • Enforces accountability

Risk assessment:

  • Specifies suitable objectives
  • Identifies and analyzes risk
  • Assesses fraud risk
  • Identifies and analyzes significant change

Control activities:

  • Selects and develops control activities
  • Selects and develops general controls over technology
  • Deploys through policies and procedures

Information and communication:

  • Uses relevant information
  • Communicates internally
  • Communicates externally

Monitoring:

  • Conducts ongoing and/or separate evaluations
  • Evaluates and communicates deficiencies

Fundamental concepts remain similar to the 1992 original, but the updated framework released in 2013 also includes points of focus describing the characteristics that underlie each principle. These points are not required for assessing the effectiveness of internal control. However, management can use the points to design, implement, and evaluate internal controls. The points also help assess if relevant principles are present and functioning. The framework also explicitly considers potential sources of fraud when assessing risks to the achievement of an organization’s objectives. These sources include management override, safeguarding of assets, incentives, pressures, and opportunities for inappropriate acts, as well as attitudes and rationalizations that may justify these acts.


COSO has encouraged users to transition their application and related documentation to the updated framework as soon as is feasible, as the updated framework will supersede the original after December 15, 2014. During the transition period, COSO also suggests that any organizations reporting externally should clearly disclose whether the original or updated framework was utilized. As a result, when companies provide their annual assessment of ICEFR in accordance with SOX, the user should indicate which framework they used to perform the assessment.

Recommended approach for adopting the framework:

  • Review and understand changes to the framework
  • Assess training and education needs
  • Assess coverage of principles against existing processes; consider points of focus
  • Identify gaps from assessment
  • Discuss initiative and mapping results with leadership
  • Get support for compliance efforts
  • Educate stakeholders
  • Determine steps to remediate identified gaps
  • Develop timeline to achieve compliance
  • Establish monitoring and oversight of implementation
  • Develop method and procedures to identify need for future changes

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.