Scope
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of five professional organizations — the AICPA, AAA, FEI, IIA, and IMA — that publishes two frameworks that have become the de facto standards for internal control and enterprise risk:
- COSO 2013 Internal Control — Integrated Framework ("ICIF") — the recognized framework for evaluating internal control over financial reporting (ICFR) under SOX Section 404 and for COSO-based control assessments more broadly.
- COSO 2017 ERM — Integrated Framework ("ERM 2017") — the framework for enterprise-wide risk management, replacing the original 2004 COSO ERM Framework.
Neither framework is legally required, but the SEC and PCAOB recognize COSO ICIF as a "suitable framework" for management's SOX 404 assessment, and virtually all SEC registrants use it. ERM 2017 is widely adopted but not as universally as ICIF.
COSO ICIF (2013) — Internal Control
The 2013 framework defines internal control across five integrated components and seventeen underlying principles:
1. Control Environment — the foundation. Principles 1–5: integrity and ethical values, board oversight, structure and reporting lines, attracting and retaining competent people, accountability.
2. Risk Assessment — identifying and analyzing risks to objectives. Principles 6–9: specifying objectives, identifying and analyzing risks, considering fraud risk, identifying and assessing changes.
3. Control Activities — the policies and procedures. Principles 10–12: selecting control activities, selecting general IT controls, deploying through policies and procedures.
4. Information and Communication — flowing information through the entity. Principles 13–15: obtaining quality information, communicating internally, communicating externally.
5. Monitoring Activities — assessing effectiveness over time. Principles 16–17: ongoing and separate evaluations, communicating deficiencies.
For SOX 404 purposes, all 17 principles must be present and functioning, and the five components must operate together as an integrated system. A deficiency in any principle is presumed to be a deficiency in the overall ICFR, unless management can demonstrate otherwise through compensating controls.
COSO ERM (2017) — Enterprise Risk Management
The 2017 ERM framework reframes risk management as integrated with strategy and performance, not a parallel siloed activity. Five integrated components:
- Governance and Culture — tone at the top, board oversight, operating structures, core values, attracting and developing capable individuals.
- Strategy and Objective-Setting — analyzing business context, defining risk appetite, evaluating alternative strategies, formulating business objectives.
- Performance — identifying risk, assessing severity, prioritizing risks, implementing risk responses, developing a portfolio view.
- Review and Revision — assessing substantial change, reviewing risk and performance, pursuing improvement in ERM.
- Information, Communication, and Reporting — leveraging information systems, communicating risk information, reporting on risk, culture, and performance.
ERM 2017 is broader than ICIF. ICIF is about controls; ERM is about how risk is integrated into strategic decision-making.
SOX 404 mechanics
For SEC registrants subject to SOX 404, two parallel attestations are required:
- Section 404(a) — Management's assessment. Management must document its evaluation of ICFR design and operating effectiveness as of fiscal year-end, using a suitable framework (almost always COSO ICIF).
- Section 404(b) — Auditor's attestation. For accelerated filers and large accelerated filers, the external auditor must independently audit ICFR and issue a separate opinion. Non-accelerated filers and emerging growth companies are exempt from 404(b) but still subject to 404(a).
The audit follows PCAOB Auditing Standard 2201 (An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements).
Common pitfalls
- Treating COSO as a checklist. The 17 principles are not boxes to tick. They're a framework for thinking about whether controls are designed and operating to mitigate the risks they're intended to address. A company can have a documented control for every principle and still have a material weakness if the controls don't actually work.
- Confusing entity-level and process-level controls. Entity-level controls (tone at the top, monitoring, IT general controls) and process-level controls (revenue, payables, payroll) both fall under COSO but require different testing approaches. Auditors often find weaknesses at the entity level that the company never identified because the company was only looking at transaction-level controls.
- Letting documentation drift from reality. A control narrative that describes a process that no one actually performs is a material weakness waiting to be found. Walkthroughs catch this; SOX programs that skip walkthroughs and rely on self-attestation routinely have surprises in the audit.
- Underweighting IT general controls (ITGCs). Access management, change management, computer operations, and program development are the bedrock of every automated control. A weak ITGC environment compromises every dependent application control above it, multiplying the deficiency.
Operator note
The 2013 framework refresh was a major project for SOX programs that had built their 1992-framework documentation over the prior decade. Mapping legacy control language to the new 17 principles, identifying gaps, and rebuilding the assessment took most accelerated filers 12–18 months. If you're inheriting a SOX program built before 2014, audit the mapping — gaps from the transition are not uncommon.
For SOX 404 implementations, COSO ICIF is the foundation, but the heavy lifting is in scoping (which accounts, processes, and locations are in scope based on materiality and risk), control rationalization (cutting redundant controls without losing coverage), and ITGC architecture. Get those three right and the rest of the SOX program runs without drama.
Access
COSO publications are available through the COSO website at coso.org. Executive summaries are freely available; the full Framework volumes require purchase from the AICPA or other authorized resellers.
Related references
- PCAOB Auditing Standards (AS 2201 audit of ICFR)
- SEC Reporting (SOX disclosure requirements)
- AICPA Standards (audit standards for non-public entities)