COSO History, Framework Principles, and The Fault in the Implementation Foundation

Blog post

As fraud levels worldwide continue to reach all-time highs[1], many companies have growing concerns over their financial security. This has led companies of all sizes to adopt best practices and new risk frameworks in order to combat this growing threat. The most common of these best practices is the COSO Framework©, a model for evaluating risk management internal controls that has quickly become the generally accepted premier framework.

While COSO itself has a proven track record as a safe and secure model that companies everywhere strive for, the way many companies implement it lacks the level of standardization needed to abide by the COSO framework accurately and confidently. The degree of change involved in the risk management strategy has not been reflected in how that strategy is carried out.

Below you’ll find a brief history of the COSO framework, a summary of COSO framework principles, and an analysis of the unreliable manual environments companies use to abide by this definitive standard of risk management.

1992 COSO Framework

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a framework known as the “Internal Control – Integrated Framework” to help companies across all industries and sizes measure the effectiveness of their internal control structures.

Better known as the 1992 COSO Framework, it laid out the foundation for ensuring the highest possible quality of the financial statements produced by the companies that instituted it. This foundation provides its users with “reasonable assurance” that the numbers within the financial statements are as accurate as possible and can be used to guide upper-level management in their decision making.

The 1992 COSO framework was the first to introduce “The COSO Pyramid,” which laid out the five COSO control components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities. Starting from the bottom up, where the completion of one level naturally leads to the completion of the next, these components work together to support the company’s risk management mission, strategy, and all related business objectives.

2013 COSO Framework

While it was incredibly effective in evaluating existing controls, the 1992 framework lacked the direction and comprehensiveness to guide companies through the steps and standards necessary to establish their own effective internal control structure.

So, in 2013, COSO instituted new guidelines, now referred to as the 2013 COSO Framework, which issued new tools to help companies with the design and implementation of a risk management framework and updated the previous COSO pyramid, changing it into “The COSO Cube.”

The updated framework and cube revolve around 17 internal control principles that fall within the five original categories of the COSO pyramid. The 17 principles are further broken down into 77 points of focus, the important characteristics associated with each principle, which are intended to provide guidance in designing, implementing, and conducting internal controls and in checking whether the relevant principles are present and functioning.

2017 COSO Framework

For years, the 2013 COSO Framework was the gold standard for applying and testing internal controls in order to evaluate or create the risk management and risk culture that companies wanted. However, in 2017 COSO updated the framework to reflect the evolving landscape and challenges that businesses now handle, highlighting, as they put it, the “Importance of considering risk in both the strategy-setting process and in driving performance.” This is perhaps the most important addition to the COSO philosophy, and many companies were quick to adopt this new best practice.

Unfortunately, depending on how organizations have attempted to comply with the COSO framework, there exists a flaw in the very foundation of this “gold standard” for evaluating risk management internal controls.

The Potential Flaw in Your COSO Foundation

The philosophy and guidance that COSO provides are tried and true, and its core tenets are adaptable to companies of every size, but the processes and tools companies typically use to adhere to those tenets haven’t kept up.

For the most part, companies have done well in being flexible enough to adopt new guidelines to overcome new problems. However, the foundational principle for following the COSO guidelines is that monitoring activities must be performed with the greatest care and consistency, and this can’t be accomplished within the manual environments, such as spreadsheets, binders, or even emails, in which they so frequently reside. Manual methods do not provide the visibility or standardization across the organization needed for proper risk monitoring. Despite your best efforts, this can quickly leave companies open to misstatements, reduce their access to data that can provide crucial insights into business decisions, and even expose them to financial and public relations disasters, such as fraud.

Where to Go Now

As risk management continues to be a priority for executives, approaches such as COSO, with a proven record of success, can and should play a large role in driving a healthy risk culture within their organizations. Following established guidelines with a proven history of driving performance will help companies accomplish this goal.

However, to properly execute a tried and true method, the same level of change that a company makes in what its risk management strategy involves needs to be applied to how it conducts the subsequent tasks. This simply can’t be done properly, or with any real confidence, when it’s approached through manual monitoring, something that has dominated the risk management strategies of so many companies, even those you would think would know much better.

Monitoring, as defined in the COSO Framework, is implemented to “Help ensure that internal control continues to operate effectively.” And while companies understand the importance of a risk strategy, their reliance on manual processes denies them the ability to fully conform with an established best practice.

From identifying internal control problems to preparing accurate and timely financial statements, automating tasks empowers companies with the standardization and speed needed to gain the compliance they want, in the places they need it.

To learn more about how automation can strengthen your risk management strategy, download our eBook.

Written by: Caleb Walter & Jon Sykora


[1] Seals, T. (2018, January 22). Global Levels of Fraud Reached an All-Time High in 2017. Infosecurity Magazine. Retrieved June 11, 2018, from https://www.infosecurity-magazine.com/news/global-levels-of-fraud-all-time/