| Key Takeaways |
| --- |
| The COSO framework provides two complementary models: the Internal Control – Integrated Framework (2013) with 5 components and 17 principles for internal controls, and the Enterprise Risk Management – Integrating with Strategy and Performance (2017) with 5 components and 20 principles for strategic risk management. |
| Only 32% of organizations rate their risk oversight as mature or robust (2025 AICPA/NC State report), despite COSO being the most widely adopted internal control and ERM framework for U.S. public companies under Sarbanes-Oxley. |
| The 2013 Internal Control framework addresses three objective categories (operations, reporting, compliance) across five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. |
| The 2017 ERM framework shifted the focus from risk as a defensive exercise to risk as a strategic enabler, integrating risk management with strategy setting and performance measurement. |
| COSO continues to evolve: the 2023 guidance on Internal Controls over Sustainability Reporting (ICSR) extends the framework to ESG, and a corporate governance framework draft was released for comment in May 2025. |
| Implementing COSO requires a phased approach: understand the framework, assess current maturity against the 17 principles, identify gaps, remediate, and establish ongoing monitoring aligned with the organization’s risk appetite. |
The COSO framework is the most widely adopted model for internal controls and enterprise risk management among U.S. public companies, yet the 2025 AICPA/NC State State of Risk Oversight report found that only 32% of organizations rate their risk oversight as mature or robust.
That gap between framework adoption and actual maturity represents a significant opportunity for practitioners who understand not just what COSO says, but how to implement it effectively.
The 2025 State of Risk Oversight data surveyed 273 U.S. organizations and found that only 11% view their ERM process as delivering strategic advantage.
This article provides a practitioner’s guide to both COSO frameworks: the Internal Control – Integrated Framework (ICIF, 2013) and the Enterprise Risk Management – Integrating with Strategy and Performance (2017).
Rather than restating the theory, the focus is on practical implementation: how each component translates into specific organizational actions, where the two frameworks connect, how COSO compares to ISO 31000, and what a 90-day implementation roadmap looks like for organizations building or maturing their programs.
What COSO Actually Is: History and Scope
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) was founded in 1985 to combat fraudulent financial reporting.
Five professional associations jointly sponsor it: the American Accounting Association, the AICPA, Financial Executives International, the Institute of Internal Auditors (IIA), and the Institute of Management Accountants.
COSO’s mission has expanded over four decades from fraud prevention to comprehensive guidance on internal controls, enterprise risk management, fraud risk management, and most recently, governance and sustainability reporting.
COSO Timeline and Key Publications
| Year | Publication | Significance |
| --- | --- | --- |
| 1992 | Internal Control – Integrated Framework (original) | Established the first widely accepted definition and framework for internal controls; became the de facto standard for SOX compliance after 2002 |
| 2004 | Enterprise Risk Management – Integrated Framework | Expanded beyond internal controls to address enterprise-wide risk management with eight interrelated components |
| 2013 | Internal Control – Integrated Framework (updated) | Revised the 1992 framework with 17 explicit principles; incorporated technology and globalization considerations; became mandatory reference for SOX compliance |
| 2016 (updated 2023) | Fraud Risk Management Guide | Provided guidance on establishing fraud risk management programs aligned with the internal control framework |
| 2017 | Enterprise Risk Management – Integrating with Strategy and Performance | Significantly revised the 2004 ERM framework; reduced to 5 components and 20 principles; linked risk management directly to strategy and performance |
| 2023 | Internal Controls over Sustainability Reporting (ICSR) | Extended the ICIF framework to environmental, social, and governance (ESG) reporting |
| 2024 | Alternative Data: The COSO Perspective | Guidance on integrating nontraditional data sources (social media, satellite imagery, IoT) into ERM frameworks |
| 2025 | Corporate Governance Framework (draft) | Released for public comment May 2025; withdrawn July 2025 for stakeholder feedback and revision |
The COSO Internal Control Framework: 5 Components and 17 Principles
The 2013 Internal Control – Integrated Framework defines internal control as a process designed to provide reasonable assurance regarding the achievement of objectives in three categories: operations (effectiveness and efficiency), reporting (reliability of financial and non-financial reporting), and compliance (adherence to applicable laws and regulations).
The framework’s five components and 17 principles provide the structural foundation for every internal control system aligned with SOX requirements.
Component 1: Control Environment (Principles 1–5)
The control environment is the foundation that sets the organizational tone for internal controls. The five principles address: commitment to integrity and ethical values; board independence and oversight; organizational structure with clear authority and responsibility; commitment to attracting and retaining competent individuals; and holding individuals accountable for their internal control responsibilities.
A weak control environment undermines every other component, regardless of how well-designed the controls themselves may be.
Component 2: Risk Assessment (Principles 6–9)
Risk assessment requires the organization to identify and analyze risks that could prevent it from achieving its objectives.
The four principles cover: specifying objectives clearly enough to identify risks; identifying and analyzing risks across the entity; considering the potential for fraud; and identifying and assessing changes that could significantly impact the internal control system.
This component connects directly to the organization’s broader risk assessment process and should produce outputs that feed the enterprise risk register.
Component 3: Control Activities (Principles 10–12)
Control activities are the policies and procedures that help ensure management directives are carried out.
The three principles address: selecting and developing control activities that mitigate risks to acceptable levels; selecting and developing general controls over technology; and deploying control activities through policies that establish expectations and procedures that put policies into action.
Control activities can be preventive or detective, manual or automated, and should be designed proportionally to the risk they address.
Component 4: Information and Communication (Principles 13–15)
This component ensures the organization obtains, generates, and uses relevant quality information to support internal control functioning.
The three principles cover: obtaining and using relevant quality information; communicating internal control information internally; and communicating with external parties about matters affecting internal control.
Effective information and communication ensure that risk and control data flows to the right people at the right time, supporting the KRI reporting that boards and management need for oversight.
Component 5: Monitoring Activities (Principles 16–17)
Monitoring evaluates whether each of the five components is present and functioning.
The two principles address: conducting ongoing and/or separate evaluations to ascertain whether internal control components are present and functioning; and evaluating and communicating deficiencies in a timely manner to those responsible for corrective action. Monitoring is where internal audit plays a critical assurance role, providing independent evaluation of control effectiveness as part of the Three Lines Model.
The Complete 17 Principles Reference
| # | Component | Principle |
| --- | --- | --- |
| 1 | Control Environment | The organization demonstrates a commitment to integrity and ethical values |
| 2 | Control Environment | The board of directors demonstrates independence from management and exercises oversight of internal control development and performance |
| 3 | Control Environment | Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities |
| 4 | Control Environment | The organization demonstrates commitment to attract, develop, and retain competent individuals aligned with objectives |
| 5 | Control Environment | The organization holds individuals accountable for their internal control responsibilities in pursuit of objectives |
| 6 | Risk Assessment | The organization specifies objectives with sufficient clarity to enable identification and assessment of risks relating to objectives |
| 7 | Risk Assessment | The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how they should be managed |
| 8 | Risk Assessment | The organization considers the potential for fraud in assessing risks to the achievement of objectives |
| 9 | Risk Assessment | The organization identifies and assesses changes that could significantly impact the system of internal control |
| 10 | Control Activities | The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels |
| 11 | Control Activities | The organization selects and develops general control activities over technology to support the achievement of objectives |
| 12 | Control Activities | The organization deploys control activities through policies that establish what is expected and procedures that put policies into action |
| 13 | Information & Communication | The organization obtains or generates and uses relevant, quality information to support the functioning of internal control |
| 14 | Information & Communication | The organization internally communicates information, including objectives and responsibilities for internal control |
| 15 | Information & Communication | The organization communicates with external parties regarding matters affecting the functioning of internal control |
| 16 | Monitoring Activities | The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning |
| 17 | Monitoring Activities | The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action |
The COSO ERM Framework: 5 Components and 20 Principles
The 2017 Enterprise Risk Management – Integrating with Strategy and Performance framework represents a fundamental shift from risk management as a defensive exercise to risk management as a strategic enabler.
Where the 2004 version treated ERM as a parallel process to strategy, the 2017 update integrates them. The framework is built on five components: Governance and Culture; Strategy and Objective-Setting; Performance; Review and Revision; and Information, Communication, and Reporting.
Together, they contain 20 principles that guide organizations in embedding risk into strategy and performance. PwC served as the principal author of this update.
ERM Framework Components Overview
| ERM Component | Focus | Key Principles |
| --- | --- | --- |
| Governance and Culture | Establishes the foundation: board risk oversight, operating structures, culture, and core values | Board exercises oversight of strategy and risk; establishes operating structures; defines desired culture; demonstrates commitment to core values; attracts, develops, and retains capable individuals |
| Strategy and Objective-Setting | Integrates ERM into strategic planning and business objective definition | Analyzes business context; defines risk appetite; evaluates alternative strategies; formulates business objectives |
| Performance | Identifies and assesses risks that may impact strategy and objectives; selects risk responses; develops portfolio view | Identifies risk; assesses severity of risk; prioritizes risks; implements risk responses; develops portfolio view of risk |
| Review and Revision | Evaluates how well ERM components are functioning; reviews risk and performance; pursues improvement | Assesses substantial change; reviews risk and performance; pursues improvement in enterprise risk management |
| Information, Communication, and Reporting | Leverages information systems; communicates risk information; reports on risk, culture, and performance | Leverages information and technology; communicates risk information; reports on risk, culture, and performance |
COSO vs. ISO 31000: Choosing Your Framework
Both frameworks are valid and widely used. The choice depends on your organization’s regulatory environment, geographic footprint, and strategic priorities. Many organizations adopt elements of both.
A detailed comparison is available in the COSO vs. ISO 31000 guide on riskpublishing.com.
Framework Comparison
| Dimension | COSO (ICIF 2013 + ERM 2017) | ISO 31000:2018 |
| --- | --- | --- |
| Origin | U.S. private sector initiative; five sponsoring organizations | International Organization for Standardization; global consensus standard |
| Primary Use | SOX compliance; SEC/PCAOB audit requirements; U.S. public company governance | Universal risk management applicable to any organization, sector, or geography |
| Structure | ICIF: 5 components, 17 principles, 3 objective categories; ERM: 5 components, 20 principles | 3 elements: Principles, Framework, Process; 8 principles; 6-step process |
| Strategic Integration | ERM 2017 explicitly links risk to strategy setting and performance measurement | Principles-based; recommends integration but does not prescribe strategic linkage methodology |
| Internal Control Focus | Core strength; ICIF provides detailed guidance on control design, implementation, and evaluation | References controls within risk treatment but does not provide equivalent depth on control frameworks |
| Regulatory Recognition | Required for SOX compliance; referenced by PCAOB, SEC, FDIC, OCC | Recognized globally; referenced by EU regulators, APRA, and various national standards bodies |
| Certification | No organizational certification; framework serves as governance benchmark | No organizational certification (unlike ISO 9001 or ISO 27001); practitioner certifications available |
How to Implement COSO: A Practical Approach
Implementation requires translating COSO’s principles into specific organizational actions. The following approach works for both the ICIF and ERM frameworks and aligns with the risk management lifecycle and risk management process steps that practitioners already follow.
Implementation Steps
| Step | Actions | Key Outputs | Success Criteria |
| --- | --- | --- | --- |
| 1. Understand the Framework | Study the 17 principles (ICIF) or 20 principles (ERM); establish an implementation team with cross-functional representation; secure executive sponsorship | Framework knowledge base document; implementation team charter; executive sponsor confirmed | All team members demonstrate working knowledge of applicable principles; sponsor actively engaged |
| 2. Assess Current Maturity | Evaluate existing controls and risk processes against each COSO principle; collect documentation (policies, risk registers, control matrices, audit logs); rate maturity per principle | Maturity assessment scorecard (per principle); gap inventory with severity ratings; existing documentation catalog | Every principle rated on a defined maturity scale; all gaps documented with root causes identified |
| 3. Identify and Prioritize Gaps | Classify gaps by risk impact and regulatory requirement; prioritize remediation starting with highest-impact gaps; map gaps to responsible owners | Prioritized gap register with owners and target dates; remediation roadmap; resource requirements documented | Gaps ranked by severity; all high-impact gaps assigned to owners with approved timelines |
| 4. Remediate | Develop and implement controls, policies, and processes to close identified gaps; build or enhance risk registers, KRI dashboards, and monitoring procedures | Updated control documentation; new or enhanced processes deployed; risk register operational; KRI dashboards configured | Gap closure progress tracked against milestones; new controls tested for design and operating effectiveness |
| 5. Monitor and Improve | Establish ongoing monitoring cadence; schedule periodic evaluations (internal audit); report control effectiveness to board; update controls for business changes | Monitoring schedule published; first internal audit of COSO alignment completed; board reporting template operational | Monitoring activities detect and escalate deficiencies; continuous improvement cycle documented |
90-Day Implementation Roadmap
| Phase | Actions | Deliverables | Success Metrics |
| --- | --- | --- | --- |
| Days 1–30: Foundation | Secure executive sponsorship; form cross-functional implementation team; conduct COSO framework training; perform initial maturity assessment against all 17 principles (ICIF) or 20 principles (ERM); identify quick wins | Executive charter; team roster and RACI; training completion records; maturity scorecard; quick-win action list | Sponsor confirmed; team trained; maturity baseline established for all principles; top 5 quick wins identified |
| Days 31–60: Gap Closure | Close quick-win gaps; develop remediation plans for high-impact gaps; build or update risk register aligned with COSO risk assessment principles; configure KRI dashboards for key controls; draft updated policies where gaps exist | Quick wins closed and documented; remediation plans for all high-impact gaps; operational risk register; KRI dashboard (minimum 10 indicators); updated policy drafts | Quick wins producing measurable improvement; all high-impact gaps have approved remediation plans with owners and dates |
| Days 61–90: Operationalize | Deploy updated controls and policies; conduct first monitoring cycle for key controls; run tabletop exercise testing control effectiveness; deliver first board-ready COSO maturity report; establish quarterly review cadence | Controls deployed and evidence collected; monitoring results documented; tabletop exercise after-action report; board COSO maturity report; quarterly review schedule | Controls operational with documented evidence; monitoring detecting and escalating issues; board report delivered; ongoing improvement cadence established |
Common Pitfalls and How to Avoid Them
| Pitfall | Root Cause | Remedy |
| --- | --- | --- |
| Treating COSO as a compliance checkbox rather than a management tool | Sarbanes-Oxley compliance pressure drives a minimum-effort approach focused on passing the audit rather than improving operations | Reframe COSO implementation as a performance improvement initiative; demonstrate how effective controls reduce operational losses, improve reporting accuracy, and support strategic decision-making |
| Implementing the ICIF without connecting to ERM | Organizational silos between internal audit (which owns ICIF) and risk management (which owns ERM) | Establish a shared governance structure; map ICIF control activities to ERM risk responses; use a unified risk register that serves both frameworks |
| Assessing maturity at the component level without examining individual principles | Components are too broad for actionable assessment; maturity ratings at the component level mask principle-level gaps | Assess each of the 17 (ICIF) or 20 (ERM) principles individually; use a defined maturity scale (Initial, Developing, Defined, Managed, Optimizing) per principle |
| Ignoring the control environment while focusing on control activities | Control activities are tangible and testable; the control environment feels abstract and difficult to measure | Assess tone-at-the-top, ethical culture, and accountability structures explicitly; include control environment KRIs such as ethics hotline utilization, policy acknowledgment rates, and turnover in key control positions |
| Failing to integrate technology controls (Principle 11) | COSO implementation led by finance or audit teams without IT involvement | Include IT governance and cybersecurity professionals in the implementation team; map general IT controls to COSO Principle 11; align with NIST CSF or ISO 27001 for technology-specific guidance |
| Not updating the assessment when the business changes | Static COSO assessment performed annually without triggered reviews for material changes | Define trigger events (M&A, new product lines, regulatory changes, leadership transitions) that require immediate reassessment of affected COSO principles |
Looking Ahead: COSO Developments for 2026–2028
COSO continues to expand its guidance to address emerging challenges. The 2023 Internal Controls over Sustainability Reporting (ICSR) guidance extends the ICIF framework to ESG reporting, providing organizations with a structured approach to ensuring the reliability of sustainability disclosures.
As ESG regulations tighten globally (EU CSRD, SEC climate disclosure proposals), ICSR guidance will become increasingly relevant for organizations that need to demonstrate the same rigor in sustainability reporting that COSO provides for financial reporting.
The 2024 Alternative Data guidance addresses how organizations can integrate nontraditional data sources (social media analytics, satellite imagery, IoT sensor data, web scraping) into their ERM frameworks without introducing unacceptable risks around data quality, privacy, and bias.
This guidance directly connects to the growing role of AI and machine learning in risk management.
The draft corporate governance framework, released in May 2025 and subsequently withdrawn for revision, signals COSO’s intention to expand into a third major framework area alongside internal controls and ERM. When finalized, this governance framework will likely influence how boards structure their risk oversight, connecting the Three Lines Model to COSO’s governance principles.
The 2025 AICPA/NC State data showing that 64% of executives see no or minimal strategic advantage from their risk management processes underscores the need for practitioners to move beyond framework compliance toward genuine strategic integration.
COSO’s 2017 ERM framework provides the blueprint; the challenge is execution. Organizations that treat COSO as a living management system rather than a periodic audit exercise will be best positioned to close the maturity gap and extract real strategic value from their risk and control programs.
Strengthen your internal controls and ERM program with COSO. Visit riskpublishing.com for implementation guides, risk register templates, and KRI frameworks that connect COSO principles to daily practice. Need support? Contact our consulting team for tailored COSO implementation and maturity assessment services.
References
1. COSO – Internal Control – Integrated Framework (2013) – The 5-component, 17-principle internal control framework
2. COSO – Enterprise Risk Management – Integrating with Strategy and Performance (2017) – The 5-component, 20-principle ERM framework
3. PwC – COSO Enterprise Risk Management Framework – Principal author perspective on the 2017 ERM update
4. AICPA/NC State – 2025 State of Risk Oversight Report (16th Edition) – 32% maturity rate; 11% strategic advantage data
5. AICPA – COSO Enterprise Risk Management Framework and Compendium Bundle – Case studies illustrating ERM principle application
6. SEC – Sarbanes-Oxley Act Section 404 Requirements – Internal control requirements for public companies
7. PCAOB – AS 2201: Audit of Internal Control Over Financial Reporting – Auditing standard referencing COSO framework
8. PCAOB – AS 2110: Identifying and Assessing Risks of Material Misstatement – Risk assessment procedures for financial audits
9. Rehmann – COSO Updates ERM Framework for Alternative Data (2024) – Guidance on nontraditional data integration into ERM
10. TechTarget – What Are the COSO Frameworks? – Overview of COSO frameworks including 2025 governance draft
11. AuditBoard – Fundamentals of the COSO Framework – Implementation guidance and SOX alignment
12. Pathlock – COSO Framework: Definition, Pillars, Principles – COSO cube visualization and maturity assessment guidance
13. Riskonnect – How to Align Operations with COSO Requirements – GRC software integration with COSO compliance
14. ISO – ISO 31000:2018 Risk Management Guidelines – International risk management standard for framework comparison
15. IIA – Three Lines Model – Governance model for roles and responsibilities in risk and control

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
