The COSO framework is a means of designing, implementing, and evaluating internal control within an organization. Its five components are control environment, risk assessment, control activities, information and communication, and monitoring activities. Used as a fraud risk management tool, it lets businesses design, implement, and evaluate internal control procedures.
Understanding the COSO framework
According to the Association of Certified Fraud Examiners, weak or absent internal control is a contributing factor in almost half of all occupational fraud cases.
To develop a strong and effective internal control system, the COSO framework was created by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
The committee is sponsored by five professional organizations from the accounting, finance, and internal auditing professions.
Collectively, the committee develops guidance that helps businesses assess risk and strengthen internal controls, reducing the likelihood of fraud.
What constitutes internal control? How is it defined?
The COSO framework states that internal control is a “process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance of the achievement of objectives” under the following categories:
- Operational effectiveness and efficiency. This includes performance goals and safeguarding assets against loss and fraud.
- Reliability of reporting – whether internal or external. Transparency, timeliness, and accuracy are vital.
- Compliance with applicable laws and regulations.
The five components of the COSO framework
Five components work together to deliver an effective internal control system while supporting the vision, goals, or objectives of the business concerned.
Let’s take a look at each in more detail.
1 – Control Environment
This encompasses the standards or processes that dictate internal control across an organization.
Typically, upper management will set the tone regarding the importance of establishing and then maintaining internal control.
This creates an environment that attracts, develops, and retains competent individuals.
It also establishes accountability for performance, with rewards and incentives given where appropriate.
The control environment further extends to the organization’s ethical values, structure, and assignment of authority and responsibility.
2 – Risk assessment
Every business deals with risk, but not all deal with risk effectively.
Those with robust internal control assess each risk according to the level of threat it poses to company objectives and to the established risk tolerances.
Importantly, businesses must consider both internal and external risks, including changes that can undermine existing controls.
3 – Control activities
Once risks have been identified, policies and procedures must be devised to mitigate against them.
These so-called “control activities” must be implemented across the organization to help it achieve stated goals without taking unnecessary risks.
Here, internal control is maintained by authorizations, approvals, verifications, reconciliations, and performance reviews. Where feasible, duties should be segregated so that no single person can initiate, approve, record, and reconcile the same transaction.
4 – Information and communication
COSO framework principles help ensure that all internal and external communications adhere to company procedures and further company objectives.
Information must also reach the right people at the right time. For example, a new policy should be communicated to every employee in the organization,
whereas share price-sensitive information should be confined to upper management until it is released to the market.
5 – Monitoring activities
Monitoring controls is just as important as – if not more important than – establishing them.
Ongoing and periodic evaluation should be built into business practices to confirm that controls are present and functioning, and deficiencies should be reported to those responsible for corrective action.
Externally, reliable financial reporting and independent review are particularly important in deterring fraud.
COSO framework example
The development of the COSO framework is a complex and detailed process, so we’ll focus on a single example to conclude this article.
In this case, we’ve taken inspiration from an implementation guide released by the COSO coalition itself in 2019 for the healthcare industry.
Hospitals need to comply with a substantial amount of laws and other directives.
In addition to laws that relate to patient care, they must be compliant from the moment the patient enters the building until the moment they are discharged and billed.
If any of these internal processes do not function properly, the hospital is unable to receive reimbursement for services rendered or, in some cases, its ability to do so is severely hampered.
This has obvious impacts on financial performance and organizational success – particularly for healthcare institutions that are run privately and do not receive governmental support.
However, since all hospitals depend on the compliance and coordination of numerous departments and stakeholders to provide proper care, there is no institution that would not benefit from a robust internal control system.
With that said, let’s take a look at how the COSO framework can be implemented in a healthcare organization across five important phases.
Phase 1 – Planning and scoping
According to COSO, the first phase consists of three components that are specific to healthcare contexts:
- Orientation – to start, executive management must be fully supportive of the initiative and communicate with strong, consistent messaging to the rest of the organization. This is seen as important in large and complex healthcare organizations that have undergone multiple mergers and acquisitions.
- Planning – since there are often competing simultaneous priorities in hospitals, timelines should be flexible and responsive to match.
- Scoping – in healthcare organizations, risk management scoping should focus on the quality of care, patient and employee safety, IT capacity, compliance, and cybersecurity.
Phase 2 – Assessment and documentation
Like most other organizations, the existing control structure of a hospital depends on variables such as size, location, and various state or federal requirements. Some aspects that are more pertinent to healthcare include:
- Centralized vs. decentralized system structure – whether the system structure is centralized or decentralized affects the implementation approach. This may encompass the departments under consideration, the number of personnel to interview, and the number of hospital system locations to visit. Some healthcare organizations with a global presence may also find it useful to create process maps to illustrate control-related variability. In turn, this helps management plan interviews and site visits so as to minimize disruption and travel for key staff.
- Fraud risk assessment – hospitals are not immune to fraud. Some of the most common instances are drug and supply theft, billing patients for procedures that were not performed, and unauthorized access to confidential patient information.
- Gap assessment – for an example of where controls may be lacking, consider the clinical documentation improvement (CDI) process. Some hospital systems may not perform a CDI review before the claim is billed, a weakness that can result in substantial financial reporting errors.
Phase 3 – Remediation planning and implementation
Once all gaps have been assessed and the deficiencies identified and rated, the healthcare organization can start the process of remediation and action plan design.
Remediation plans in hospitals tend to be complex and may require the collaboration of multiple processes, personnel, systems, and third-party service providers.
These plans also require management to devote extra time and attention to ensuring their successful implementation.
Phase 4 – Design, testing, and reporting of controls
In the fourth phase, the healthcare organization selects controls for testing and then designs the tests for each control. COSO advocates two main testing methods in these contexts:
- Observation – where the team observes the actual performance of the control. This method works well for controls whose operation is visible in real time, such as the EHR returning a “not authorized” error when a user attempts to open a patient record they are not permitted to access. Observation is also useful for validating control design in manual processes, since it shows whether written procedures are actually followed in practice.
- Documentation examination – where the tester identifies the entire population of activities or transactions for which the control should have operated and examines the evidence the control produced. If a control states that journal entries must be reviewed and approved by qualified personnel, for example, the test examines the supporting evidence for each entry: proof that it was in fact reviewed and approved by an authorized person before it was posted.
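The following script is an added example, not code from the article or from the COSO healthcare guide. It shows what a documentation-examination test of the journal-entry control described above can look like when the evidence is available as an export: the whole population is examined, not a sample, and each entry is checked for evidence of approval, for segregation of duties between preparer and approver (the control activity described earlier), for the approver being on the authorized list, and for approval preceding posting. The entry records, the user names and the authorized-approver list are constructed for illustration and are not real hospital data.

```python
"""Control test: journal entries are reviewed and approved by qualified
personnel before posting.  Added example with constructed sample data;
field names and the approver list are assumptions, not a real export."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class JournalEntry:
    entry_id: str
    amount: float
    prepared_by: str
    approved_by: Optional[str]      # None when no approval was recorded
    approved_at: Optional[datetime]
    posted_at: datetime


# Constructed list of people authorized to approve journal entries.
QUALIFIED_APPROVERS = {"controller", "asst_controller"}


def ts(s: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp string from the (constructed) export."""
    return datetime.fromisoformat(s) if s else None


# Constructed population of journal entries for one period.  Each record
# carries the evidence the control is supposed to leave behind.
POPULATION = [
    JournalEntry("JE-1001", 12500.00, "clerk_a", "controller",
                 ts("2024-03-01T09:10:00"), ts("2024-03-01T10:00:00")),
    JournalEntry("JE-1002", 800.00, "clerk_b", None,             # never approved
                 None, ts("2024-03-01T11:30:00")),
    JournalEntry("JE-1003", 45000.00, "clerk_a", "clerk_a",      # self-approved
                 ts("2024-03-02T08:00:00"), ts("2024-03-02T09:00:00")),
    JournalEntry("JE-1004", 2300.00, "clerk_c", "clerk_b",       # approver not qualified
                 ts("2024-03-03T08:00:00"), ts("2024-03-03T09:00:00")),
    JournalEntry("JE-1005", 990.00, "clerk_b", "asst_controller",  # posted before approval
                 ts("2024-03-04T15:00:00"), ts("2024-03-04T14:00:00")),
    JournalEntry("JE-1006", 3100.00, "clerk_c", "controller",
                 ts("2024-03-05T08:00:00"), ts("2024-03-05T09:00:00")),
]


def check_entry(entry: JournalEntry) -> list[str]:
    """Return the control exceptions for one entry (empty list if it passed)."""
    exceptions = []
    if entry.approved_by is None or entry.approved_at is None:
        # Without an approval record there is no evidence the control operated.
        return ["no evidence of review and approval"]
    if entry.approved_by == entry.prepared_by:
        exceptions.append("preparer approved own entry (segregation of duties)")
    if entry.approved_by not in QUALIFIED_APPROVERS:
        exceptions.append(f"approver {entry.approved_by} is not on the authorized list")
    if entry.approved_at > entry.posted_at:
        exceptions.append("entry posted before approval was recorded")
    return exceptions


def check_population(entries: list[JournalEntry]) -> tuple[dict[str, list[str]], dict]:
    """Examine every entry in the population and summarize the results.

    Returns (exceptions keyed by entry id, summary with counts and the
    total amount of the entries that failed the control)."""
    exceptions = {e.entry_id: check_entry(e) for e in entries if check_entry(e)}
    total = len(entries)
    failed_amount = sum(e.amount for e in entries if e.entry_id in exceptions)
    summary = {
        "population": total,
        "exceptions": len(exceptions),
        "exception_rate": len(exceptions) / total if total else 0.0,
        "exception_amount": failed_amount,
    }
    return exceptions, summary


if __name__ == "__main__":
    found, stats = check_population(POPULATION)
    for entry_id, issues in found.items():
        print(entry_id, "->", "; ".join(issues))
    print(stats)
```

The exception list is what the tester writes up in the deficiency rating (Phase 3 above): the amount and rate of failing entries indicate whether the control is merely deficient or ineffective. An absent approval record is treated as a failure rather than a missing data point, because the control's own evidence is what is being tested.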
Phase 5 – Optimization of the effectiveness of internal controls
In the final phase, the healthcare organization optimizes its internal control system by continuously ensuring it is aligned with its vision, mission, strategies, and objectives.
It’s also important to select a mix of preventative and detective controls, and the same can also be said for manual and automated controls.
An example of a manual control in a hospital is the documentation review performed by a CDI specialist when interacting with patient charts or electronic health record (EHR) screens.
This control needs to check the completeness, accuracy, and appropriateness of the information, since inaccurate documentation can lead to patient dissatisfaction, non-compliance, and financial loss.
Key takeaways
- The COSO framework is a fraud risk management tool that businesses use to design, implement, and evaluate internal control procedures.
- The COSO framework guides the best practices for operational effectiveness, financial reporting, and legal or regulatory compliance.
- The COSO framework has five core components. In combination, each allows a business to maintain internal control without sacrificing the ability to meet goals or uphold company values.