March 27, 2026 27 min read

Fundamentals of the COSO framework: Building blocks for integrated internal controls

Arden Leland

Key Takeaway: The COSO Internal Control–Integrated Framework (ICIF, 2013) defines five components and 17 principles that anchor most SOX 404 programs. COSO has since extended this structure to sustainability reporting (ICSR, 2023) and generative AI (February 2026 roadmap). Practitioners should treat ICIF as the umbrella and layer newer guidance onto existing control libraries.

The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, is a private sector initiative led by the American Institute of Certified Public Accountants (AICPA), Institute of Management Accountants (IMA), American Accounting Association (AAA), Institute of Internal Auditors (IIA), and Financial Executives International (FEI). COSO formed to investigate the fraud scandals of the 1970s and 1980s, releasing an internal controls framework in 1992.

This COSO Internal Control–Integrated Framework (ICIF) — also referred to simply as COSO or the COSO framework — provided guidance for how organizations implement controls to prevent, detect, and manage fraud risk related to external financial reporting. This article breaks down the five components and 17 principles of the COSO framework and explains how to use it as a foundation for modern internal controls and fraud deterrence.

Overview of the COSO framework

In simple terms, the COSO framework is a structured set of guidelines that helps organizations design, implement, and evaluate internal controls to manage risk, prevent fraud, and produce reliable reporting. Its core purpose is to connect internal controls directly to business processes, bridging risk management and operational execution through a common language for management, auditors, and the board.

Optro gives an overview of the COSO framework, discusses its five components, and explains how to implement it as a foundation for modern internal controls and fraud deterrence.

Although the original aim of COSO (the organization) was to investigate and address fraud in the 1970s and 1980s, the COSO framework gained increased importance due to the fraud cases of the 1990s and 2000s (Enron, WorldCom, Sunbeam, Tyco) and the subsequent passing of the Sarbanes-Oxley Act (SOX). SOX requires public companies to implement and maintain effective internal controls related to financial statements. Companies subject to SOX adopted COSO as one of the primary frameworks to satisfy these requirements. The ICIF was revised and reissued in 2013 with updated guidance, and periodic updates are issued by the Committee.

Two COSO frameworks, not one. It's worth distinguishing the two complementary frameworks COSO publishes: the ICIF covered here, and the COSO Enterprise Risk Management (ERM) Framework, updated in 2017, which has five components and 20 principles and takes a broader, strategy-aligned view of risk across the enterprise. Most SOX programs are built on ICIF; ERM is layered on top for board-level risk governance.

In March 2023, COSO released a study and guidance regarding internal controls over sustainability reporting (ICSR). As scrutiny around corporate sustainability increases, more regulations require reliable, trusted reporting around environmental, social, and governance (ESG) matters. COSO and other professional organizations are adapting, and this guidance gives companies a vetted avenue for reporting around sustainability. Although sustainability matters are considered "non-financial," COSO has supported stakeholder demand to adapt ICIF for ESG reporting — a shift now reinforced by EU CSRD (mandatory for 2025 reporting) and IFRS S2 (effective January 1, 2024).

The COSO "cube" visual below summarizes the components and pillars of the framework. The front face of the cube shows the five components of internal control. The top face shows the control objective categories: operations, reporting, and compliance objectives. The side face shows the levels at which controls are implemented, from the entity level down to the functional level.

[Image: the COSO cube]

The three objectives (the COSO cube)

The COSO framework is often visualized as a "cube" to illustrate the relationship between all its parts. The "top face" of this cube represents the three categories of objectives that an internal control system should support:

  1. Operations objectives: These pertain to the effectiveness and efficiency of the organization's operations, including operational and financial performance goals and safeguarding assets against loss.
  2. Reporting objectives: These relate to the reliability of internal and external financial and non-financial reporting, including transparency, timeliness, and adherence to standards set by regulators, standard-setting bodies, or the organization's own policies.
  3. Compliance objectives: These are focused on adherence to all applicable laws and regulations the organization is subject to.

What are the five components of the COSO framework?

The five components of the COSO framework, illustrated on the front face of the cube, support internal controls objectives around operations, reporting, and compliance by providing guidance on how to implement effective controls. These components are further broken down into 17 principles.

Control environment

The control environment refers to the overall culture of internal controls and is established from the top down. As demonstrated by Enron and other fraud cases, poor "tone at the top" can lead to fraudulent activity with devastating consequences. Establishing a control environment in accordance with the COSO framework involves demonstrating the following principles:

  1. The company commits to integrity and ethical values. This entails unequivocal communication of ethical standards and the expectation that all employees adhere to them. It involves a code of conduct, ethics training, and a whistleblower policy to enable reporting of unethical behavior without fear of retaliation.
  2. The board of directors maintains independence from management and oversees internal controls programs. An independent board, particularly an audit committee, is crucial for providing oversight and ensuring management accountability. Regular meetings and comprehensive reports on the effectiveness of internal controls are essential. COSO's March 2026 board oversight principles provide 12 current guidelines for this responsibility.
  3. Management defines organizational structure, authority, reporting lines, and responsibilities to execute on operational, reporting, compliance, and business objectives. A clearly defined organizational structure ensures clarity in roles and responsibilities, which is vital for the efficient operation of internal controls.
  4. The company prioritizes the recruitment, development, and retention of competent individuals aligned to internal controls objectives. This principle underscores the importance of hiring individuals with the requisite skills and qualifications. Ongoing training and professional development keep employees current with practices in internal controls and compliance.
  5. The company establishes accountability for control responsibilities. Accountability is enforced by setting explicit expectations and performance metrics related to internal controls. Regular performance reviews, along with a system of rewards and consequences, ensure that employees understand the significance of adhering to internal controls.

Achieving these principles can be done through documentation of policies, mission and vision statements, strategic planning documents, meeting notes, and periodic evaluation of the company's internal controls program — either through an internal audit or external compliance audit.

Risk assessment

The next component of the COSO framework stipulates the need for periodic or ongoing risk assessments based on the organization's internal controls system. These risk assessments can be performed by internal personnel, such as an internal audit team, or third parties, such as a consulting or CPA firm. COSO specifies four core principles for risk assessment and risk treatment:

  1. The company establishes objectives with enough specificity to enable the identification and assessment of risks to those objectives. These objectives should encompass strategic, operational, reporting, and compliance goals. Clear objectives serve as a reference point for identifying potential risks and determining their impact.
  2. The company identifies and analyzes risks that could potentially affect achieving its objectives and develops an action plan for risk treatment. Techniques such as SWOT analysis (Strengths, Weaknesses, Opportunities, Threats), PESTLE analysis (Political, Economic, Social, Technological, Legal, Environmental), and brainstorming sessions can be employed to uncover risks.
  3. The organization considers the potential for fraud when assessing risks to its objectives. COSO is unusual among internal control frameworks in requiring fraud risk to be evaluated explicitly, and the PCAOB has flagged inadequate fraud risk assessment as a persistent ICFR deficiency in recent inspection reports.
  4. The organization anticipates and assesses changes that may affect internal controls.

Risks should be logged in a risk register or risk inventory that describes the risk, the likelihood it will be realized, the impact if realized, the plan for mitigation, the timeline, and the person(s) responsible. Risk assessments should occur at least annually, and the risk register should be updated as risks are discovered or mitigated. These risk assessments should be incorporated into the organization's decision-making process and align with its risk tolerance.

Control activities

Once an organization has defined its objectives, established an ethical control environment, and performed or initiated a risk assessment, the COSO framework goes another level deeper. Control activities are the processes, activities, actions, and communications performed to mitigate risks and maintain strong internal controls. Three COSO principles fall into this component:

  1. Control activities address and mitigate risks to the company's objectives.
  2. The company establishes control activities over technology in line with the company's objectives.
  3. Policies and procedures define the control activities that should be taking place as part of the internal controls program.

There are three types of control activities:

  • Preventive controls are designed to stop errors or irregularities before they occur. Examples include authorization procedures, segregation of duties, and physical controls over assets.
  • Detective controls are designed to identify errors or irregularities that have already occurred. Examples include reconciliations, audits, and performance reviews.
  • Corrective controls are designed to correct errors or irregularities after they have been detected. Examples include remedial action plans and follow-up procedures.

Common internal control procedures aligned with COSO include separation of duties, access controls, physical audits, standardized documentation, trial balances, periodic reconciliations, and approval authority. Each can be implemented as preventive, detective, or corrective.

Modern organizations increasingly use continuous controls monitoring (CCM), robotic process automation (RPA), and analytics-driven full-population testing to reduce the manual SOX burden — KPMG's 2025 SOX survey reported average compliance costs of $2.3 million and testing hours up 32% to 15,580, making automation a defensive necessity rather than an upgrade. PwC's 2025 Global Compliance Survey found 64% of executives are prioritizing compliance technology investment for better risk visibility and 53% for faster response.

A specific example of a preventive control activity: code changes must be (1) reviewed by an appropriate individual, (2) reviewed by someone other than the developer, and (3) approved in the ticketing system. Another preventive control might be the termination of an employee account within 24 hours of their last day.
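The two preventive controls just described, checked over constructed change and offboarding records. This is an added example, not code from the article or from Optro; the authorized-reviewer list, the record fields, and the sample data are assumptions.

```python
"""Added example (not from the article or Optro): checking the two preventive controls
described above over constructed change and offboarding records."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed list of people authorized to review code changes (not on the page).
AUTHORIZED_REVIEWERS = {"alice", "bob"}


@dataclass(frozen=True)
class ChangeRecord:
    ticket: str
    developer: str
    reviewer: Optional[str]     # who performed the peer review, if anyone
    approved_in_ticket: bool    # approval recorded in the ticketing system


@dataclass(frozen=True)
class Offboarding:
    account: str
    last_day_end: datetime      # end of the employee's last working day
    disabled_at: Optional[datetime]


def change_exceptions(records: List[ChangeRecord]) -> List[Tuple[str, str]]:
    """One (ticket, reason) per failed attribute of the code-change control."""
    out = []
    for r in records:
        if r.reviewer is None or r.reviewer not in AUTHORIZED_REVIEWERS:
            out.append((r.ticket, "not reviewed by an appropriate individual"))
        elif r.reviewer == r.developer:
            out.append((r.ticket, "reviewer is the developer"))
        if not r.approved_in_ticket:
            out.append((r.ticket, "no approval in the ticketing system"))
    return out


def termination_exceptions(records: List[Offboarding],
                           window: timedelta = timedelta(hours=24)) -> List[str]:
    """Accounts not disabled within `window` of the employee's last day."""
    return [o.account for o in records
            if o.disabled_at is None or o.disabled_at - o.last_day_end > window]


# Constructed sample data: one clean record and four different failure modes.
CHANGES = [
    ChangeRecord("CHG-101", "carol", "alice", True),   # compliant
    ChangeRecord("CHG-102", "alice", "alice", True),   # self-reviewed
    ChangeRecord("CHG-103", "carol", None, True),      # never reviewed
    ChangeRecord("CHG-104", "carol", "bob", False),    # reviewed, not approved
    ChangeRecord("CHG-105", "dave", "erin", True),     # reviewer lacks authority
]
LAST_DAY = datetime(2026, 3, 27, 17, 0)
OFFBOARDINGS = [
    Offboarding("carol", LAST_DAY, LAST_DAY + timedelta(hours=3)),   # within 24h
    Offboarding("dave", LAST_DAY, LAST_DAY + timedelta(hours=30)),   # too late
    Offboarding("erin", LAST_DAY, None),                             # never disabled
]

if __name__ == "__main__":
    for ticket, reason in change_exceptions(CHANGES):
        print(f"{ticket}: {reason}")
    print("late terminations:", termination_exceptions(OFFBOARDINGS))
```

Each exception line is an item for the control owner to remediate; an empty list for the period is the evidence that the control operated as designed.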

Information and communication

Another core aspect of a successful compliance and internal controls program is appropriate, consistent, and timely information distribution and communication to relevant stakeholders. The COSO framework requires companies to communicate and share information based on these principles:

  1. The company uses quality data and information to support control objectives. Useful data must be relevant, timely, accurate, and accessible. High-quality data allows management and employees to make informed decisions and effectively manage risks. It encompasses both financial and non-financial data, ensuring coverage of all areas critical to the organization's objectives.
  2. The company communicates relevant information, including objectives, assignments, accountability, and responsibilities for internal control activities, upward, downward, and laterally.
  3. The company communicates with external entities regarding internal controls when necessary, including investors, regulators, customers, and suppliers.

Many B2B organizations include contractual clauses requiring disclosure of data breaches, incidents, cyberattacks, and other internal controls matters to external entities. HIPAA directives require the reporting of data breaches to affected parties. A well-orchestrated communication plan reduces the friction of building out a COSO program.

Monitoring activities

The fifth and final component of the COSO framework involves monitoring, measuring, and reporting on the company's internal controls system. It includes the following principles:

  1. Regular or ongoing evaluations determine if the internal controls program is operating effectively. This includes supervisory reviews, transaction reviews, and performance metrics. Evaluations should combine internal and external assessments. The internal audit function may be used to evaluate internal controls, and external auditors may conduct reviews as part of their annual financial statement audit.
  2. Any internal control deficiencies are reported timely to the accountable parties, including the board of directors and upper management when necessary. Deficiencies are then evaluated for severity (deficiency, significant deficiency, or material weakness).

What are the steps to implement and use the COSO framework?

To build and integrate an effective COSO program, organizations can follow these four general steps.

1. Planning

To get the most out of the COSO framework, organizations need to do some legwork upfront. Teams should understand why they are using the framework, how it fits into their overall strategic roadmap, and the 17 principles themselves. Since COSO applies to the whole organization, it is essential to develop a thorough plan for setting up and maintaining an internal controls system based on COSO. COSO has also issued specific guidance for smaller public companies, highlighting 20 key principles to make the framework more accessible to organizations with limited resources. Investing in compliance management software to coordinate COSO control activities facilitates both planning and execution.

2. Evaluation and documentation

Following planning, it is important to understand the maturity of the organization's internal controls program and what documentation supports objectives and components. The responsible team should collect available documentation, taking into account whether there are common processes, formal Enterprise Risk Management (ERM), and appropriate control activities in place. If documentation is insufficient to support the organization's objectives and the requirements of COSO, these should be tracked for remediation as gaps.

3. Remediation

As internal control assessments reveal gaps, the parties responsible for those control activities or areas undertake remediation or risk mitigation activities. If a gap is found, the responsible team plans the remediation steps, timeline, and responsibilities, then executes that plan.

4. Testing and reporting

Once a company has completed the preceding steps and has comfort with COSO alignment, testing and reporting occur. Design effectiveness testing evaluates whether a control, if operating as described, would prevent or detect a material misstatement — typically through walkthroughs and one-instance inspection. Operating effectiveness testing then evaluates whether the control operated consistently throughout the period, using sample sizes calibrated to control frequency (e.g., 25 samples for daily controls, 2–5 for quarterly controls per AICPA guidance). A test of an incident management control might involve inspecting the log of incidents for a given period and determining if proper documentation was completed for a select subset.

Management should receive regular reporting on the internal controls program and the results of testing.

What are the pros and cons of the COSO framework?

The COSO framework is a foundation of modern internal controls and fraud deterrence. It has been used to guide other compliance frameworks. The COSO cube emphasizes the need for integration of operational and control activities. Plenty of resources are available to organizations building a COSO program. And applying COSO as an organization subject to SOX is one of the most defensible ways to meet internal control requirements.

However, the framework's greatest strength is also its main limitation: its broadness. Designed to apply across industries and company sizes, COSO does not prescribe specific methods for implementing control activities — it provides overarching principles for how internal controls should be structured. At the same time, COSO's other limitation is its stringency. Smaller organizations may find COSO requirements demanding because of the coordination effort and the scope of work needed to establish an effective system of internal controls. Optro simplifies the path to a strong internal controls program by unifying risks, controls, policies, frameworks, issues, and stakeholder communications to meet the compliance needs of modern businesses.

FAQs about the COSO framework

What is the COSO framework in simple terms?

The COSO framework is a structured set of guidelines that helps organizations design, implement, and evaluate internal controls to manage risk, prevent fraud, and produce reliable reporting. It connects internal controls directly to business processes through five components and 17 principles, providing a common language for management, auditors, and the board. It is the most widely adopted framework for satisfying SOX 404 internal control requirements.

What is the difference between COSO ICIF and the COSO ERM framework?

COSO publishes two complementary but distinct frameworks. The Internal Control–Integrated Framework (ICIF, updated 2013) has five components and 17 principles focused on internal controls over reporting, operations, and compliance. The Enterprise Risk Management Framework (ERM, updated 2017) has five components and 20 principles and takes a broader, strategy-aligned view of risk. ICIF answers "are our controls effective?"; ERM answers "are we managing risk to strategy and performance?" Most SOX programs are built on ICIF, with ERM layered on top for board-level governance.

What are the most common internal control procedures aligned with COSO?

The seven commonly cited internal control procedures that align with COSO's control activities component are separation of duties, access controls, physical audits, standardized documentation, trial balances, periodic reconciliations, and approval authority. These map to COSO Principle 10 (control activities mitigate risks) and Principle 12 (policies and procedures define control activities). Each can be implemented as preventive, detective, or corrective, and increasingly automated through continuous controls monitoring (CCM).

How does COSO explicitly address fraud risk?

COSO Principle 8 explicitly requires organizations to consider fraud risk when assessing risks to objectives — a distinguishing feature versus frameworks like COBIT or ISO 27001. Practitioners should document fraud risk factors across three categories (fraudulent reporting, misappropriation of assets, corruption), evaluate incentives/pressures, opportunities, and rationalizations, and link identified fraud risks to specific anti-fraud controls. PCAOB inspections have flagged inadequate fraud risk assessments as a persistent ICFR deficiency.

How can organizations automate COSO control testing to reduce SOX compliance costs?

With KPMG's 2025 SOX survey reporting average compliance costs of $2.3 million and testing hours up 32% to 15,580, automation is no longer optional. Practitioners should deploy continuous controls monitoring (CCM) for IT general controls, RPA for reconciliations and access reviews, and analytics-driven full-population testing in place of attribute sampling. PwC's 2025 Global Compliance Survey found 64% of executives are prioritizing technology for better risk visibility and 53% for faster response.

How does COSO apply to internal controls over sustainability reporting (ICSR)?

COSO's 2023 ICSR supplemental guidance maps each of the 17 ICIF principles directly to sustainability data, requiring the same control rigor for ESG metrics as for financial reporting. That means defining ESG control owners, performing fraud risk assessments over sustainability data, and testing design and operating effectiveness of ESG controls. Practitioners should align ICSR controls with EU CSRD (mandatory for 2025 reporting) and IFRS S2 (effective January 1, 2024) to satisfy assurance requirements with a single control set.

How should organizations apply COSO controls to generative AI?

COSO's February 2026 Achieving Effective Internal Control Over Generative AI roadmap adapts the 17 ICIF principles to GenAI by organizing use cases into eight capability groups and introducing "AI reliance" — measurable indicators like confidence scores and accuracy dashboards that determine whether a GenAI output can be trusted as a control. Practitioners should inventory GenAI use cases, map each to the eight capabilities, and establish reliance metrics before relying on GenAI in any reporting or control workflow. Pairing this with ISO/IEC 42001:2023 creates a certifiable governance posture.

About the authors

Arden Leland, CPA, is a Manager of Solutions Advisory Services at Optro. Prior to joining Optro, she spent 7 years at PricewaterhouseCoopers managing external audits for both private and public companies, with a specific focus on working with companies in their early years of SOX compliance. Connect with Arden on LinkedIn.
