Most internal auditors have heard the word 'COSO', some will hopefully be familiar with the internal controls cube and the enterprise risk management cube that followed....In 2017 there was a major update to the risk cube.

This piece will not only bring you up to speed on the latest COSO thinking regarding enterprise risk management (ERM) but provide an overview of COSO; maybe answering some of those questions that you don’t want to ask as audit leaders.

Who or what is COSO?

COSO (Committee of Sponsoring Organizations of the Treadway Commission) began in 1985 as an independent private sector fraud initiative in the United States comprising of five organisations, including IIA Global. They provide thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.

Richard Chambers, president and CEO of IIA Global sits on the COSO board.

Is COSO about internal controls or risk management?

It is both. There are two frameworks.

Originally focused on internal control, the well-known COSO Cube was first published in 1992.
The Internal Control – Integrated Framework was revised in 2013. All COSO internal control activity links to objectives in three areas; Operations, Reporting and
Compliance. The framework sets out seventeen principles across its five component areas; these are the foundations for the provision of comprehensive internal controls 
assurance. Audit leaders unfamiliar with this may find it useful to read the detail and consider the completeness of their current controls assurance activities. 

In 2004, COSO published a version of the cube for Enterprise Risk Management (ERM). It expanded on the risk assessment component of the internal controls framework, to include event identification and risk response. It also introduced the objective area of strategy recognising the importance of risk on the board agenda.

Several thought papers have been produced…