Knowledge Center / COSO
COSO · Global

COSO Internal Control Framework

The leading framework for internal control and enterprise risk management.

Introduction to the COSO Internal Control Framework

The COSO Internal Control - Integrated Framework, published by the Committee of Sponsoring Organisations of the Treadway Commission, is the most widely adopted model in the world for designing, implementing, operating and evaluating a system of internal control. First issued in 1992 and comprehensively updated in 2013, the framework provides a principles-based structure that helps organisations of any size, sector or geography to achieve objectives across operations, reporting and compliance while managing risk to acceptable levels.

For CyberSigma clients, COSO matters for two distinct but connected reasons. First, it is the de facto benchmark that external auditors and regulators expect management to use when asserting that internal control over financial reporting (ICFR) is effective - most notably under the U.S. Sarbanes-Oxley Act (SOX) Sections 302 and 404, but increasingly referenced by boards, audit committees and regulators worldwide. Second, and less obviously, COSO is a foundational control philosophy that underpins many cybersecurity and information-security governance efforts: SOC 2 (whose Trust Services Criteria are explicitly mapped to the seventeen COSO principles), COBIT, and enterprise risk programmes all draw directly on the COSO components. Understanding COSO therefore gives an organisation a common vocabulary for control across finance, IT, security and operations.

This guide is written for audit committees, chief financial officers, chief information security officers, internal audit leaders, control owners and process managers who need an auditor-grade understanding of how COSO is structured and how to assess an internal control system against it. It walks through the five components, the seventeen principles and the associated points of focus, then provides a master assessment checklist, a phased implementation approach, a maturity model, an evidence request list and mappings to adjacent frameworks. Throughout, we distinguish the design of controls (are the right controls in place?) from their operating effectiveness (do they work consistently over the period under review?).

Copyright and licensing note
The COSO Internal Control - Integrated Framework, the 2013 Framework and Illustrative Tools, the ERM - Integrating with Strategy and Performance framework and all related COSO publications are the copyrighted intellectual property of the Committee of Sponsoring Organisations of the Treadway Commission and are distributed by the American Institute of Certified Public Accountants (AICPA). The framework text, the seventeen principles and the points of focus may not be reproduced verbatim without a licence. This CyberSigma guide is an original interpretation and practical assessment aid; it paraphrases and summarises concepts for educational purposes and does not reproduce COSO's copyrighted wording. Organisations should purchase the official framework and any executive summaries from COSO or the AICPA for authoritative reference.

What is COSO

COSO is a private-sector, not-for-profit initiative jointly sponsored by five major professional associations in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA) and the Institute of Internal Auditors (IIA). It was formed in 1985 to support the National Commission on Fraudulent Financial Reporting (the Treadway Commission) and has since become the leading authority on internal control, enterprise risk management and fraud deterrence.

The COSO Internal Control - Integrated Framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in three categories: operations (effectiveness and efficiency of operations, including performance and safeguarding of assets), reporting (reliability, timeliness and transparency of internal and external financial and non-financial reporting) and compliance (adherence to applicable laws and regulations). Several ideas embedded in this definition are important. Internal control is a process, not a one-off event; it is effected by people at every level, not just policy documents; it can provide only reasonable, not absolute, assurance; and it is geared to the achievement of objectives, meaning control is a means to an end, not an end in itself.

The 2013 update introduced the most significant change to the framework's usability: the codification of seventeen principles distributed across the five long-standing components. Each principle represents a fundamental concept associated with its component, and COSO's position is that all seventeen principles are relevant to every entity. For an internal control system to be deemed effective, each of the five components and each of the seventeen relevant principles must be present and functioning, and the five components must operate together in an integrated manner. "Present" means the components and principles exist in the design and implementation; "functioning" means they continue to operate as designed. A major control deficiency in a component or principle - meaning it is not present or not functioning - precludes management from concluding that the entity has met the requirements for effective internal control.

It is important to distinguish the Internal Control framework from COSO's companion Enterprise Risk Management (ERM) framework, most recently updated in 2017 as "Enterprise Risk Management - Integrating with Strategy and Performance." The ERM framework is broader, addressing how risk is considered in strategy-setting and performance across the whole enterprise, and is organised into five components and twenty principles. This guide focuses primarily on the Internal Control framework, which is the version referenced for SOX and SOC 2, while noting ERM where it adds value.

Who must comply with COSO

COSO is a voluntary framework - no law mandates COSO by name. However, it is effectively required in many contexts because regulators and auditors expect management to use a suitable, recognised control framework, and COSO is the overwhelmingly dominant choice. The table below summarises the populations that in practice must, or strongly should, adopt COSO.

PopulationDriver / obligationHow COSO applies
U.S. SEC public companies (issuers)Sarbanes-Oxley Act Sections 302 and 404; SEC rulesManagement must assess and report on the effectiveness of internal control over financial reporting using a suitable framework; COSO 2013 is the near-universal choice.
External auditors of issuersPCAOB Auditing Standard AS 2201The independent auditor's ICFR opinion is evaluated against the same COSO-based control framework management uses.
Companies pursuing SOC 2 reportsAICPA Trust Services Criteria (TSC)The TSC common criteria are explicitly organised around and mapped to the seventeen COSO principles; a SOC 2 examination implicitly assesses COSO principles.
Foreign private issuers and cross-listed firmsSEC registration; home-country equivalentsMust demonstrate an internal control framework; COSO commonly adopted alongside or instead of local frameworks.
Indian listed companiesCompanies Act 2013 Section 134(5)(e) and 143(3)(i); SEBI LODRDirectors must assert adequate internal financial controls (IFC); auditors report on IFC operating effectiveness - COSO is the common reference model.
Government and public-sector entities (U.S.)OMB Circular A-123; GAO Green BookThe GAO Green Book adapts COSO's five components and seventeen principles for federal internal control.
Financial institutions and regulated entitiesPrudential and conduct regulationSupervisors expect sound internal control; COSO frequently used as the design and evaluation basis.
Private companies and subsidiariesContractual, lender or M&A due-diligence requirementsAdopt COSO voluntarily to strengthen governance, prepare for future listing, or satisfy investors and acquirers.
  • Boards and audit committees carry ultimate oversight responsibility and must understand whether management's COSO-based system is effective.
  • Management (from the CEO and CFO down to process owners) designs, implements and operates the controls and makes the effectiveness assertion.
  • Internal audit provides independent evaluation of the system but does not own the controls.
  • Every employee has some role in internal control - controls are effected by "people at every level."

Structure of COSO

The COSO Internal Control - Integrated Framework is visualised as a three-dimensional cube. The three objective categories (operations, reporting, compliance) form the columns across the top; the entity's organisational structure (entity level, division, operating unit, function) forms the third dimension; and the five components form the horizontal rows. The seventeen principles are nested within the five components. The table below sets out the five components and their constituent principles - this is the backbone against which any COSO assessment is performed.

ComponentPrinciple no.Principle (paraphrased)
Control Environment1Demonstrates commitment to integrity and ethical values.
Control Environment2Board exercises oversight responsibility, independent of management.
Control Environment3Management establishes structures, reporting lines, authorities and responsibilities.
Control Environment4Demonstrates commitment to attract, develop and retain competent people.
Control Environment5Holds individuals accountable for internal control responsibilities.
Risk Assessment6Specifies objectives with sufficient clarity to enable risk identification.
Risk Assessment7Identifies and analyses risks to the achievement of objectives.
Risk Assessment8Assesses the potential for fraud in assessing risks.
Risk Assessment9Identifies and assesses significant changes that could affect internal control.
Control Activities10Selects and develops control activities that mitigate risks.
Control Activities11Selects and develops general controls over technology.
Control Activities12Deploys control activities through policies and procedures.
Information and Communication13Obtains, generates and uses relevant, quality information.
Information and Communication14Communicates internal control information internally.
Information and Communication15Communicates internal control matters with external parties.
Monitoring Activities16Selects, develops and performs ongoing and separate evaluations.
Monitoring Activities17Evaluates and communicates internal control deficiencies in a timely manner.
The three requirements for effectiveness
An internal control system is effective under COSO only when: (1) each of the five components is present and functioning; (2) each of the seventeen relevant principles is present and functioning; and (3) the five components operate together in an integrated manner. Points of focus - COSO provides around eighty-seven - are illustrative characteristics that help design, implement and evaluate the principles, but they are not mandatory in themselves; management may determine that some are not suitable or relevant.

Master assessment checklist

This is the core of the guide. Below, each of the five components is broken out with its principles, and for every principle we provide a table of what to verify (the auditor's test objectives, informed by COSO's points of focus) and the typical evidence a control owner should be able to produce. Work through every row: skipping a principle risks an undetected major deficiency. For each principle, assess both design adequacy (would the control, if operating, prevent or detect the relevant risk?) and operating effectiveness (did it operate consistently throughout the period?).

Component 1 - Control Environment (Principles 1 to 5)

The control environment is the set of standards, processes and structures that provide the foundation for carrying out internal control across the organisation. It sets the tone at the top and influences the control consciousness of all personnel.

What to verifyTypical evidence
P1: A code of conduct defines integrity and ethical standards and is communicated to all levels including the board and outsourced providers.Code of conduct/ethics policy, annual acknowledgement records, vendor code of conduct clauses.
P1: Processes exist to evaluate adherence to standards of conduct and to address deviations in a timely manner.Whistle-blower/ethics hotline records, investigation logs, disciplinary action records.
P2: The board (or audit committee) is independent of management and possesses relevant expertise.Board charter, director independence assessments, board skills matrix, biographies.
P2: The board provides oversight of the design and operation of internal control.Audit committee minutes, oversight agendas, reports received from management and internal audit.
P3: Management establishes reporting lines, authorities and responsibilities appropriate to objectives.Organisation charts, delegation-of-authority matrix, role descriptions, approval limits.
P4: The organisation defines competence requirements and recruits, develops and retains capable people.Job descriptions with competency requirements, training plans, succession plans, performance appraisals.
P5: Performance measures, incentives and rewards are aligned with internal control responsibilities and accountability.Performance objectives linking control duties, KPI dashboards, remuneration policy, accountability records.

Component 2 - Risk Assessment (Principles 6 to 9)

Risk assessment is the dynamic and iterative process for identifying and analysing risks to the achievement of objectives, forming a basis for determining how risks should be managed. It presupposes that objectives have been clearly set.

What to verifyTypical evidence
P6: Objectives across operations, reporting and compliance are specified with sufficient clarity, including reporting materiality and applicable accounting standards.Documented objectives, materiality memoranda, accounting policies, compliance obligation register.
P6: External financial reporting objectives reflect the applicable reporting framework and account balances/assertions.Financial statement assertions matrix, significant account and disclosure listing, risk-of-material-misstatement analysis.
P7: Risks are identified at entity and activity levels, and analysed considering likelihood and impact.Risk register, risk-scoring methodology, risk heat maps, process-level risk-and-control matrices.
P7: Management determines how to respond to risks (accept, avoid, reduce, share).Risk treatment plans, control response documentation, residual-risk assessments.
P8: The potential for fraud (fraudulent reporting, asset misappropriation, corruption, management override) is explicitly assessed.Fraud risk assessment, fraud scenario analysis, segregation-of-duties reviews, override monitoring.
P9: Significant changes (business model, leadership, systems, regulatory, external environment) are identified and their impact on internal control assessed.Change management logs, impact assessments, post-implementation reviews, environmental scan reports.

Component 3 - Control Activities (Principles 10 to 12)

Control activities are the actions established through policies and procedures that help ensure management's directives to mitigate risks are carried out. They occur throughout the organisation, at all levels and in all functions, and include a range of preventive and detective activities such as authorisations, verifications, reconciliations, reviews of operating performance, and segregation of duties.

What to verifyTypical evidence
P10: Control activities are selected and developed to mitigate risks to acceptable levels, considering entity-specific factors and a mix of control types.Risk-and-control matrices, control design documentation, mapping of controls to risks and assertions.
P10: Segregation of duties is applied; where not feasible, compensating controls exist.SoD conflict matrix, access role definitions, compensating control descriptions and sign-offs.
P11: IT general controls (ITGCs) over infrastructure, security management, and system acquisition/development/maintenance are established.Change management records, logical access reviews, backup/recovery evidence, SDLC documentation.
P11: Technology-dependent business controls and relevant application controls are identified and linked to ITGCs.Application control listings, interface reconciliations, configuration change logs, IPE (information produced by the entity) validation.
P12: Control activities are deployed through policies that establish expectations and procedures that put policies into action.Documented policies and procedures, process narratives, standard operating procedures, control ownership assignments.
P12: Controls are performed by competent personnel in a timely manner, with corrective action taken on matters identified.Control performance evidence (sign-offs, reconciliations, exception reports), remediation tracking, periodic reassessment of controls.

Component 4 - Information and Communication (Principles 13 to 15)

Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of objectives. Communication is the continual, iterative process of providing, sharing and obtaining necessary information, both internally and with external parties.

What to verifyTypical evidence
P13: Relevant, quality information is identified, captured, processed and used to support internal control functioning.Data governance policy, information requirements mapping, data quality controls, IPE completeness/accuracy checks.
P13: Information systems produce information that is timely, current, accurate, complete, accessible, protected and retained.System documentation, data lineage, retention schedules, controls over reports and spreadsheets.
P14: Internal communication of objectives and control responsibilities occurs, including a separate line of communication (e.g. whistle-blower channel).Internal policy portals, control responsibility communications, whistle-blower channel and usage logs.
P14: Communication flows up, down and across the entity, and between the board and management.Management reporting packs, board reporting, town-hall and cascade communications.
P15: Relevant internal control information is communicated to external parties (regulators, customers, shareholders, auditors, service providers).External reporting, regulatory filings, customer/vendor communications, external whistle-blower access.
P15: External parties' communications (complaints, hotline tips, regulator feedback) are received and acted upon.Customer complaint logs, external hotline records, regulator correspondence, response tracking.

Component 5 - Monitoring Activities (Principles 16 to 17)

Monitoring activities are the ongoing evaluations, separate evaluations, or some combination of the two, used to ascertain whether each of the five components of internal control is present and functioning, and to communicate deficiencies for correction.

What to verifyTypical evidence
P16: A mix of ongoing and separate evaluations is selected, developed and performed, with scope and frequency reflecting risk.Monitoring plan, internal audit plan, continuous-monitoring/analytics reports, management self-assessments.
P16: Evaluators have sufficient knowledge and objectivity, and evaluations use a suitable baseline.Internal audit charter, evaluator competency records, baselining documentation, quality assurance reviews.
P17: Internal control deficiencies are evaluated and communicated to parties responsible for corrective action and to senior management and the board as appropriate.Deficiency logs, severity assessments (deficiency / significant deficiency / material weakness), reporting to audit committee.
P17: Corrective actions are monitored through to completion on a timely basis.Remediation trackers, follow-up audit reports, status dashboards, closure evidence.
Integration is itself a test objective
Beyond the seventeen principles, COSO requires that the five components operate together in an integrated manner. In practice this means testing that risk assessments actually drive the design of control activities, that information flows support monitoring, and that monitoring feeds back into the control environment. A well-run entity can have strong individual principles yet still fail integration if the components operate in silos.

Scoping the COSO assessment

Scoping determines which objectives, entities, processes, accounts and IT systems are in scope for a COSO-based evaluation. For an ICFR/SOX assessment, scoping is typically driven by a top-down, risk-based approach: start with financial reporting objectives, identify material accounts and disclosures, trace to significant business processes and the relevant assertions, and then identify the controls (entity-level, process-level, and IT general controls) that address the risks of material misstatement.

  • Define objectives in scope - operations, reporting (external financial, external non-financial, internal), and compliance. For SOX the focus is external financial reporting.
  • Determine materiality and set a scoping threshold to identify significant accounts, disclosures and relevant assertions (existence, completeness, accuracy, valuation, rights/obligations, presentation).
  • Identify in-scope locations/business units using quantitative coverage and qualitative risk factors; multi-location scoping should reflect risk concentration.
  • Map significant processes (e.g. order-to-cash, procure-to-pay, payroll, treasury, financial close) to the accounts and assertions they affect.
  • Identify relevant IT systems and the IT general control domains supporting automated and IT-dependent controls.
  • Include entity-level controls (control environment, risk assessment, monitoring) that operate across the whole organisation.
  • Consider outsourced service providers and reliance on SOC 1/SOC 2 reports, including complementary user entity controls.
  • Document and obtain sign-off on the scope, rationale and any exclusions.

Implementation approach

A COSO implementation or uplift programme is best delivered in phases. The phases below assume an organisation moving towards a defensible ICFR/internal control assertion; adapt the emphasis for a pure governance or SOC 2 readiness effort.

Phase 1 - Mobilise and govern

  • Activities: secure board/audit committee and executive sponsorship; establish a steering committee and programme management office; agree objectives, scope and reporting framework; confirm COSO 2013 as the evaluation basis; define roles across finance, IT, risk and internal audit.
  • Deliverables: programme charter, RACI, governance structure, high-level plan and budget, communication plan.

Phase 2 - Assess current state and scope

  • Activities: perform top-down risk-based scoping; document objectives, material accounts, assertions and significant processes; map existing controls to the seventeen principles; conduct a gap assessment against components, principles and points of focus.
  • Deliverables: scoping memorandum, risk-and-control matrices, principle-by-principle gap assessment, prioritised remediation backlog.

Phase 3 - Design and remediate

  • Activities: design new or enhanced controls to close gaps; strengthen entity-level controls and ITGCs; formalise policies, procedures and process narratives; assign control owners; establish segregation of duties and compensating controls.
  • Deliverables: updated control documentation, remediation plans with owners and dates, revised policies and procedures, control ownership register.

Phase 4 - Test and validate

  • Activities: test design adequacy and operating effectiveness of controls over the assessment period; validate IPE; evaluate deficiencies and classify severity; coordinate with external auditors on reliance and testing.
  • Deliverables: test plans and working papers, deficiency evaluation, aggregated deficiency assessment, evidence repository.

Phase 5 - Report, monitor and sustain

  • Activities: report conclusions to management and the audit committee; support the effectiveness assertion; embed ongoing and separate evaluations (continuous monitoring); establish an annual refresh cycle covering changes and new risks.
  • Deliverables: management assertion support pack, audit committee report, continuous monitoring framework, sustainability/annual-refresh plan.

Maturity and capability model

COSO itself does not prescribe a maturity model - effectiveness is assessed as present-and-functioning against each principle. However, a capability maturity model is a valuable management tool for prioritising uplift and demonstrating progress over time. The five-level model below is a practical CyberSigma scale applicable to the control system as a whole or to individual components and principles.

LevelNameCharacteristicsIndicative evidence
1Initial / ad hocControls are undocumented, inconsistent and reactive; reliance on key individuals; no formal risk assessment.Little or no documentation; controls known only to performers; frequent surprises.
2Repeatable / informalSome controls documented for critical areas; performed with limited consistency; risk assessment sporadic.Partial procedures; inconsistent evidence retention; localised control ownership.
3DefinedControls, policies and procedures are documented and standardised across the entity; principles are mapped; ownership is assigned.Complete risk-and-control matrices; approved policies; principle mapping; consistent evidence.
4Managed / measuredControl performance is monitored with metrics; deficiencies tracked and remediated; testing is periodic and risk-based.KPI dashboards, monitoring reports, deficiency trend analysis, tested control effectiveness.
5OptimisedContinuous monitoring and analytics; controls automated where feasible; proactive improvement; strong integration across components.Continuous-controls-monitoring outputs, automation, benchmarking, forward-looking risk management.

Assessment and audit approach

The following ordered steps describe how CyberSigma conducts a COSO-based internal control assessment, whether for an ICFR/SOX programme, a SOC 2 readiness engagement or a broader governance review.

  1. Confirm objectives, reporting framework and the COSO 2013 basis with the audit committee and management sponsor.
  2. Perform top-down, risk-based scoping to identify in-scope objectives, entities, accounts, assertions, processes and IT systems.
  3. Understand and document the design of entity-level controls, process-level controls and IT general controls, mapping each to the relevant COSO principle and risk.
  4. Assess design adequacy - would the control, if operating as designed, mitigate the risk to an acceptable level?
  5. Develop a risk-based test plan specifying sample sizes, timing, nature of testing (inquiry, observation, inspection, re-performance) and IPE validation.
  6. Test operating effectiveness across the assessment period, gathering and cross-referencing evidence to working papers.
  7. Identify and evaluate deficiencies, determining severity as a control deficiency, a significant deficiency, or a material weakness, and aggregating related deficiencies.
  8. Evaluate whether each of the five components and seventeen principles is present and functioning, and whether the components operate together in an integrated manner.
  9. Report findings, root causes and recommendations; agree remediation plans with owners and target dates.
  10. Support management's effectiveness assertion and coordinate with the external auditor; establish ongoing monitoring and an annual refresh.

Evidence request list

The following categorised evidence request supports a COSO assessment. Provide current, dated and version-controlled documents, and be prepared to demonstrate operation across the full period, not just at a point in time.

  • Governance and control environment: board and audit committee charters and minutes, code of conduct and acknowledgements, organisation charts, delegation-of-authority matrix, HR competency and training records, whistle-blower policy and logs.
  • Risk assessment: enterprise and process-level risk registers, risk-scoring methodology, fraud risk assessment, change management records, materiality memoranda, financial statement assertion analysis.
  • Control activities: risk-and-control matrices, process narratives and flowcharts, policies and standard operating procedures, segregation-of-duties matrices, control performance evidence (approvals, reconciliations, exception reports).
  • IT general controls: change management tickets and approvals, logical access provisioning and periodic access reviews, privileged access records, backup and recovery evidence, SDLC and configuration documentation.
  • Information and communication: data governance and retention policies, IPE completeness and accuracy support, management and board reporting packs, internal and external communication records.
  • Monitoring: internal audit plan and reports, management self-assessment results, continuous-monitoring outputs, deficiency logs, remediation trackers and closure evidence.
  • Third parties: SOC 1/SOC 2 reports for outsourced providers, vendor contracts and control clauses, complementary user entity control documentation.

Roles and responsibilities

COSO is explicit that internal control is a shared responsibility. The table below clarifies the principal roles in a COSO-based control system.

RolePrimary responsibilities under COSO
Board of directors / audit committeeProvide independent oversight of the design and operation of internal control; challenge management; oversee fraud risk and the effectiveness assertion (Principle 2).
Chief Executive OfficerSet the tone at the top; take ultimate ownership of the internal control system; ensure a positive control environment.
Chief Financial OfficerOwn internal control over financial reporting; certify disclosures and controls under SOX 302/404 or equivalent; sponsor the ICFR programme.
Chief Information Security / Information OfficerOwn IT general controls and technology-dependent controls; ensure security, access and change management support reliable reporting (Principle 11).
Process and control ownersDesign, perform and evidence control activities in their area; identify risks and report deficiencies (Principles 10-12).
Risk management functionFacilitate risk assessment, fraud risk analysis and change assessment; maintain the risk register (Principles 6-9).
Internal auditProvide independent, objective evaluation of the control system; perform separate evaluations; report deficiencies (Principles 16-17). Does not own controls.
External auditorIndependently opine on the fairness of the financial statements and, where required, on the effectiveness of ICFR against the COSO-based framework.
All employeesPerform assigned control responsibilities and escalate issues; internal control is effected by people at every level.

KPIs to track

  • Percentage of the seventeen principles assessed as present and functioning.
  • Number of control deficiencies by severity (deficiency, significant deficiency, material weakness) and trend over time.
  • Percentage of key controls tested and passed on first attempt (control pass rate).
  • Average time to remediate deficiencies and percentage of remediations closed by target date.
  • Percentage of controls with documented, approved procedures and assigned owners.
  • Segregation-of-duties conflicts identified versus resolved or compensated.
  • IT general control exceptions (access, change, operations) per period.
  • Percentage of automated versus manual key controls (automation coverage).
  • Whistle-blower/ethics reports received, investigated and resolved within target time.
  • Coverage of the internal audit / monitoring plan actually completed in the period.
  • Timeliness and completeness of information produced by the entity (IPE) used in controls.

Readiness checklist

  • COSO 2013 Internal Control - Integrated Framework confirmed as the evaluation basis and approved by the audit committee.
  • Financial reporting and other in-scope objectives documented with materiality and relevant assertions.
  • Top-down, risk-based scoping completed and signed off, including locations, processes and IT systems.
  • Enterprise and process-level risk registers current, including an explicit fraud risk assessment.
  • Each of the seventeen principles mapped to controls, with owners assigned and gaps identified.
  • Entity-level controls, process-level controls and IT general controls documented in risk-and-control matrices.
  • Segregation of duties assessed and conflicts remediated or compensated.
  • Policies, procedures and process narratives approved, version-controlled and communicated.
  • Design adequacy and operating effectiveness testing plan agreed, including IPE validation.
  • Deficiency evaluation and severity classification methodology defined.
  • Monitoring plan (ongoing and separate evaluations) in place and resourced.
  • Third-party (SOC 1/SOC 2) reliance assessed and complementary user entity controls implemented.
  • Reporting to management and the audit committee, and support for the effectiveness assertion, prepared.
  • Annual refresh and continuous-monitoring approach established to sustain effectiveness.

Common gaps

  • Treating COSO as a documentation exercise rather than demonstrating that principles are actually functioning over the whole period.
  • Weak entity-level controls - poorly evidenced tone at the top, board oversight or accountability (Principles 1-5) - that undermine reliance on process controls.
  • Fraud risk assessment (Principle 8) omitted or reduced to a checkbox, with no consideration of management override.
  • Inadequate IT general controls (Principle 11), especially access reviews, privileged access and change management, invalidating reliance on automated controls.
  • Failure to validate information produced by the entity (IPE) - reports and spreadsheets used in controls without completeness and accuracy testing.
  • Segregation-of-duties conflicts unresolved and without documented compensating controls.
  • Objectives not specified with enough clarity (Principle 6), so risk assessment cannot be anchored to assertions.
  • Deficiencies identified but not aggregated or escalated, so a cluster of small issues masks a material weakness (Principle 17).
  • Over-reliance on internal audit as the only monitoring, with no ongoing management-level monitoring embedded in processes.
  • Ignoring integration - components operating in silos so that risk assessment does not drive control activities or monitoring.
  • Change assessment (Principle 9) neglected, so new systems, acquisitions or regulations erode existing controls unnoticed.
  • Outsourced processes covered by outdated or scope-limited SOC reports, with complementary user entity controls not implemented.

COSO mapped to other frameworks

COSO's components and principles map naturally onto the control and governance expectations of many other frameworks, which is why it functions as a lingua franca for control. The table below shows indicative relationships; mappings are directional aids, not exact equivalences.

FrameworkRelationship to COSO
SOX (Sections 302 / 404)Requires management and auditors to assess ICFR against a suitable framework; COSO 2013 is the standard basis for the assertion and audit.
SOC 2 (AICPA Trust Services Criteria)The TSC common criteria (CC1-CC5) are explicitly organised around and mapped to the seventeen COSO principles; additional criteria address security, availability, processing integrity, confidentiality and privacy.
COBIT 2019IT governance framework that operationalises COSO's control and risk concepts for enterprise IT; supports Principle 11 (technology general controls).
COSO ERM (2017)Companion framework extending internal control concepts to enterprise-wide risk and strategy; twenty principles across five components.
ISO 31000Risk management principles and process aligning with COSO risk assessment (Principles 6-9), though ISO is process-oriented and non-certifiable.
ISO/IEC 27001Information security management system; its Annex A controls support COSO control activities and ITGCs relevant to reporting reliability.
NIST Internal Control / GAO Green BookThe GAO Green Book adapts COSO's five components and seventeen principles for U.S. federal government internal control.
India Companies Act 2013 - Internal Financial ControlsDirectors' IFC responsibility and auditor IFC reporting are commonly designed and evaluated using the COSO framework.
Sarbanes-Oxley IT scope / ITGC auditsIT general control audits under SOX align to COSO Principle 11 and Control Activities component.
How CyberSigma helps
CyberSigma provides end-to-end COSO support tailored to your regulatory drivers, whether SOX ICFR, India Companies Act internal financial controls, SOC 2 readiness or board-level governance uplift. Our CERT-In empanelled and QSA-qualified advisors run top-down, risk-based scoping; map your control estate to all five components and seventeen principles; design and remediate entity-level, process-level and IT general controls; test design and operating effectiveness with defensible working papers; and stand up continuous monitoring so effectiveness is sustained year on year. We integrate COSO with your SOC 2, ISO 27001 and COBIT programmes to eliminate duplicate effort, and we prepare the evidence packs and audit-committee reporting that support a confident management assertion. Contact CyberSigma to accelerate a defensible, audit-ready internal control system.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

How does COSO relate to SOX?
COSO’s Internal Control framework is the most commonly used basis for demonstrating effective internal control over financial reporting under SOX.
Official documents

Need help with COSO?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.