Title / definition
COSO – The Committee of Sponsoring Organizations.
The mission of COSO is to provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management.
The Committee of Sponsoring Organizations (COSO).

Brief history and description
COSO was organized in 1985 to sponsor the US National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their independent auditors, for the US Securities and Exchange Commission (SEC) and other regulators, and for educational institutions.
The National Commission was sponsored jointly by five major professional associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants – IMA).
COSO has published comprehensive guidance in the areas of Risk Management, Internal controls and fraud deterrence. The central part of this guidance is formed by two integrated frameworks.
COSO Frameworks:

  • Internal Control — Integrated Framework (1992; latest update 2011)
  • Enterprise Risk Management — Integrated Framework (2004)

The scope of the Internal Control – Integrated framework comprises (business) operations, compliance and financial reporting. It consists of five components:

  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

The five control components are represented in the so-called “COSO cube”. The cube was last updated in 2011. The COSO cube for Internal Control (2011) consists of five rows of activities: Monitoring, Information & Communication, Control Activities, Risk Assessment and Control Environment. On the top side of the cube are three rows of enterprise objectives:  Operations, (Financial) Reporting, and Compliance. On the third side are five (organizational) unit columns (see picture) .


COSO cube for Internal Control (2011) (source: COSO.org)

The Enterprise Risk Management — Integrated Framework was developed in response to a need for principles-based guidance and to help organizations to design and implement effective enterprise-wide approaches to risk management. This framework defines and describes key enterprise risk management components, ERM principles and concepts. Part of the concept is a common ERM language.

COSO define Risk Management as follows:Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”


(source: COSO.org)

This COSO framework is also depicted by a cube. It is called the COSO cube  for Enterprise Risk Management (2004), and consists of eight interrelated components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring, four categories of enterprise objectives: Strategic, Operations, Reporting and Compliance and four organizational entities.


COSO cube for Enterprise Risk Management (2004) (source: COSO.org)

Target Audience
Board members, senior management, financial controllers, accountants and auditors.

User communities and groups

Official publisher
COSO – The Committee of Sponsoring Organizations.

Accreditations and qualifications



Official Sites COSO official site
User groups and communities n/a
Publications COSO official publications
Accreditations and Qualifications n/a
Tooling n/a
Other useful links IBPI home page