
COSO internal control framework: What it is & how to use it

A quarter of directors surveyed in Diligent’s What Directors Think 2025 report said improving cybersecurity and risk management was a top priority. Many of those improvements come down to internal controls, which have long been essential to risk assessment and management. However, it isn’t always easy to incorporate internal controls into business processes. The COSO Internal Control Framework gives organizations a strategic path forward.
This framework helps businesses embed internal controls and internal controls management software in their day-to-day activities. When used effectively, it assures shareholders and the board that the organization meets ethical and security standards.
Organizations that do adopt the COSO Internal Control Framework can also be more efficient, more secure, and, ultimately, more resilient as the risk landscape evolves. Here, we’ll explain:
- What the COSO Internal Control Framework is
- How COSO defines internal controls
- The five components of the framework
- Benefits and challenges of implementation
- A closer look at how organizations use the COSO framework
- The 17 principles of COSO
- How COSO stacks up to other frameworks
- How COSO applies across industries and company sizes
- COSO and GRC, automation and AI
What is the COSO Internal Control Framework?
The COSO Framework helps organizations connect their internal controls to their business processes. It dates back to 1992, when the Committee of Sponsoring Organizations (COSO) met to build a closer relationship between the risk and business landscapes. Several private sector organizations also contributed to the framework, including:
- American Accounting Association
- American Institute of Certified Public Accountants
- The Institute of Management Accountants
- Financial Executives International
- The Institute of Internal Auditors
In 2013, they updated the COSO Framework to include a diagram of the relationship between all elements of internal controls. They edited it again in 2017 with the enterprise risk management framework, demonstrating how to prioritize risk and establish a connection between risk and business performance.
COSO’s definition of internal control
According to the COSO definition, internal control is a process designed to provide reasonable assurance with regard to achieving operations, reporting and compliance objectives. Boards of directors, management and other relevant personnel should oversee this process on an ongoing basis.
5 Components of the COSO Internal Control Framework
The five components of the COSO Framework establish the key areas where organizations need to work towards compliance.
The five components are:
1. Control environment
In the control environment, organizations should verify that their business processes meet industry risk standards by testing all controls. This ensures that all activities are done responsibly, reducing an organization’s legal liability. Organizations should also work to meet all regulatory compliance requirements.
2. Risk assessment and management
Risks are inevitable. That doesn’t mean organizations should ignore them. Businesses can minimize the possible harm by assessing the risks their organization currently faces and putting a plan in place to manage and mitigate them. This process should be ongoing or even automated so that organizations can identify new risks as they emerge.
3. Control activities
Control activities are integral to risk management, ensuring that all business activities tie back to internal controls. Those controls should both support business performance and reduce the organization’s risk exposure.
4. Information and communications
An organization’s communications also need to follow strict requirements. Various legal, ethical and industry standards apply to internal and external communications. Privacy policies and other application controls are examples of how organizations can apply controls to communication processes.
5. Monitoring
Risks can evolve, as do organizations’ systems, software and processes. Monitoring ensures that these changes don’t expose the organization to risk. An internal auditor is usually responsible for this, but external auditors often monitor organizations in relation to regulatory compliance. Both auditors will ultimately report to the board of directors.

The 17 principles of COSO
Nested within each of the above components are principles that explain the controls in greater detail. These are:
Control environment
- Demonstrates commitment to integrity and ethical values: Management leads by example, and the organization as a whole promotes honesty and ethical behavior.
- Exercises oversight responsibility: The board oversees internal controls and enacts independent, informed governance.
- Establishes structure, authority and responsibility: Clear roles and reporting lines are defined, and everyone knows their responsibilities.
- Demonstrates commitment to competence: People have the skills needed for their roles and feel supported in ongoing training and development.
- Enforces accountability: Individuals are held responsible for their actions, and there are both rewards and consequences for their performance.
Risk assessment and management
- Specifies suitable objectives: Clear goals are set, and objectives are measurable and aligned with the organization’s mission.
- Identifies and analyzes risks: Risks that could affect the achievement of goals are identified, and risks are assessed in terms of likelihood and impact.
- Assesses fraud risk: Risks of fraud (intentional misstatements or theft) are considered, and preventive measures are developed.
- Identifies and analyzes significant changes: The organization considers changes in its environment, leadership or systems and adjusts controls to keep up.
Control activities
- Selects and develops control activities: Actions are designed to reduce risk to acceptable levels, and controls are chosen based on risk and efficiency.
- Selects and develops general controls over technology: IT systems are secure and well-managed, and controls ensure data accuracy and access security.
- Deploys control activities through policies and procedures: Policies are put into practice with clear procedures, and controls are followed day-to-day.
Information and communications
- Uses relevant information: Accurate and timely data is gathered, and information supports effective internal controls.
- Communicates internally: Information flows across departments and levels, and everyone understands their role in internal controls.
- Communicates externally: Stakeholders like regulators and investors get the necessary information, and communication with them is open and transparent.
Monitoring
- Conducts ongoing and/or separate evaluations: Controls are regularly reviewed and tested, and assessments may be built-in or periodic.
- Evaluates and communicates deficiencies: Issues are identified and reported quickly, and corrective actions are taken promptly.
How do organizations use the COSO Framework?
The COSO Framework establishes how the organization will complete all business processes. This embeds risk management into all parts of the organization, facilitating legal and regulatory compliance. Once all controls are in place, the framework also prioritizes monitoring, which helps organizations verify that all internal controls are followed and that they can stay ahead of emerging risks.
Benefits and limitations of the COSO Framework
While the COSO Framework does create a strategic path forward for risk management, it also has its limitations that organizations should be aware of.
These are three key benefits organizations can expect by following the COSO Internal Control Framework:
- Standardizes business processes: When organizations implement the COSO Framework, they also standardize how their teams do business. This improves the organization’s efficiency and centralizes data while also reducing risk.
- Stays ahead of risks: In 2024, the FBI reported that cybercrime resulted in over $16 billion in global losses. The COSO Framework positions organizations to stay ahead of these risks using best practices.
- Reduces costs: When all teams follow the same internal controls, the business becomes more efficient. Many organizations that follow the COSO Framework act more strategically, which allows them to reduce costs over time.
As effective as the COSO Framework can be, it can also be restricting in the following ways:
- Challenging to implement: The COSO Framework is broad by design. While this allows many different types of organizations to follow it, it lacks specific guidance on implementing and maintaining it over a longer period. Organizations may struggle to adopt the framework, especially if they don’t already have an effective risk management strategy.
- Rigid structure: The COSO Framework has a particular structure. Many organizations could fall into multiple categories within the framework, making it difficult for businesses to identify the best path forward for their teams.
COSO versus SOX, ISO and other frameworks
The COSO Internal Control Framework is widely used, but it’s one of many that organizations today rely on to strengthen controls and manage risk. There is overlap between frameworks, but there are also key distinctions:
- COSO helps organizations design, implement and assess controls.
- Sarbanes-Oxley Act (SOX) is a U.S. law that mandates financial reporting controls for public companies, with COSO serving as a tool for meeting its requirements.
- International Organization for Standardization (ISO) standards, like ISO 31000 and ISO 27001, offer internationally recognized guidance for managing risk and securing information.
- Control Objectives for Information and Related Technologies (COBIT) focuses on IT governance and aligning technology with business objectives.
- The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides practical cybersecurity guidance, particularly for critical infrastructure and organizations seeking robust security practices.
Here’s how these frameworks compare at a glance:
| Framework | Purpose | Key focus areas |
|---|---|---|
| COSO | To provide a comprehensive framework for designing, implementing and evaluating internal controls | Control environment, risk assessment, control activities, information and communication, monitoring |
| SOX | U.S. federal law aimed at improving corporate accountability and preventing fraud | Financial reporting, internal control over financial reporting, corporate governance |
| ISO 31000 | Provides principles and guidelines for risk management systems | Risk identification, risk assessment, risk treatment, risk monitoring |
| ISO 27001 | Framework for managing information security risks | Confidentiality, integrity, availability of information |
| COBIT | Framework for IT governance and management | IT processes, risk management, compliance, value delivery |
| NIST | Provides a policy framework of computer security guidance for how private sector organizations can assess | Identify, protect, detect, respond, recover |
How to implement the COSO framework
Putting the COSO Internal Control Framework into practice helps organizations strengthen governance, improve risk management and ensure operational and financial integrity. Below is a simplified roadmap for adopting COSO’s components and principles:
- Understand the framework: Familiarize leadership and staff with COSO’s structure. Ensure stakeholders know the five components and 17 principles and how they could impact the organization’s operations. Also review how COSO aligns with your industry’s compliance needs, whether that be SOX, ISO or another standard.
- Define your objectives: Clearly define what your organization is trying to achieve through better internal controls. For example, you might seek to make your operations more efficient and effective, safeguard assets or improve regulatory and legal compliance. Your objectives inform which controls you implement and later report on.
- Perform a risk assessment: Identify internal and external threats that could put your objectives at risk, then evaluate the likelihood and impact of each risk. Include an analysis of fraud risks and any potential changes, like market shifts or technology updates.
- Map controls to risk: Controls keep risks in check. Identify existing control activities that could address specific risks, then design or revise control activities where gaps exist. Ensure you document and test all controls, aligning them with the 17 COSO principles listed above.
- Evaluate your control environment: The success of internal controls depends, in large part, on whether your culture is conducive to them. Examine the tone at the top and any ethical standards and accountability structures. Provide periodic ethics training and clarify responsibilities for internal controls so employees at all levels know their part in upholding them.
- Strengthen information and communication: Ensure relevant, timely, accurate information flows across departments. Communicate internal control roles and updates throughout the organization. Consider how you can also build external communication mechanisms like whistleblower lines or compliance portals.
- Monitor and improve: Establish ongoing monitoring and periodic evaluations to identify deficiencies or put reviews on autopilot with an internal audit tool. Track any remediation efforts and update controls continuously to remain compliant and effective.
- Document and report: Maintain clear documentation of your internal control system, evaluations and updates. Report up to leadership and your board as you go, and include regulators and stakeholders as necessary. This can build trust in your internal control system and prove compliance with relevant standards.
Common structural and implementation challenges and how to overcome them
Implementing the COSO framework — or any new internal control or risk management system — can uncover obstacles that hinder your progress. However, even if your resources are limited, you’re unsure about roles and responsibilities or facing another complication, you can still adopt strong controls. Below are proven strategies to help you navigate key challenges:
1. Challenge: Lack of leadership buy-in
Risk, compliance, and audit teams may have a vision for using the COSO internal control framework before leadership fully understands and is ready to sign off.
Solutions: Engage executive leadership early. Articulate how internal controls support strategic goals, regulatory requirements and reputation risk. Use real-world examples like those below to show failures or successes in your industry, helping illustrate what’s at stake.
2. Challenge: Siloed departments and poor communication
Teams may begin to develop internal controls based on their distinct needs, then fail to communicate with other teams, leading to a fragmented and duplicative internal control system.
Solutions: Form a cross-functional implementation team with representation from finance, compliance, operations, IT and HR. This helps ensure the internal control system will adapt to different use cases. Set up recurring check-ins throughout implementation to share updates and remove barriers.
3. Challenge: Resource constraints like time, budget and staffing
Smaller organizations may not have the budget for dedicated internal compliance teams, but even larger enterprises may struggle to allocate enough time and staff to deploy a single internal controls framework across complex systems.
Solutions: Start with a risk-based, phased implementation approach, prioritizing high-risk areas first. Leverage existing processes where possible, and consider the right-sized tools rather than building everything from scratch or jumping into a tool too robust for your needs.
4. Challenge: Unclear roles and accountability
Internal controls are often shared across teams, creating confusion about who oversees the process, who executes it and who is responsible for maintaining it daily.
Solutions: Define and document responsibilities for each COSO component and principle. This will enable you to assign and hold specific team members accountable for specific parts of the framework. Responsible, Accountable, Consulted and Informed (RACI) charts can clarify ownership.
5. Challenge: Difficulty embedding controls into daily operations
Employees may be used to specific ways of working and struggle to adapt to the new internal controls.
Solutions: Rather than bolting on internal controls, consider how they can integrate into existing workflows or systems. Train staff on the “why” behind controls so they’re inspired to help implement them, not just the “what” and “how.”
6. Challenge: Lack of data or technology to support implementation
Small businesses may struggle to find robust tools that suit their budgets, while larger enterprises often lack tools that can span entities and jurisdictions.
Solutions: Use existing data sources and automate controls where possible. Invest in scalable tools that support documentation, risk tracking and reporting to streamline your internal controls system.
How does the COSO Framework apply across industries?
The COSO internal control framework is flexible and scalable by design, making it well-suited to various industries. While the components remain the same, how organizations interpret, implement and prioritize them can vary based on their industry’s risks, regulations and operations.
Below are some key ways COSO can be applied and tailored across key sectors.
Financial services
Organizations in the financial services industry face regulations like Basel III and SOX. Fraud risk is high, and internal audit integration is essential. Controls in this industry are often targeted toward high-volume, high-risk transactions.
Applying the COSO Framework to financial services includes an emphasis on a strong governance and control environment to withstand heavy regulations. Detailed risk assessments and robust monitoring systems are also critical to ensure the internal controls are effective and defensible. Financial services organizations may layer COSO with risk frameworks like COSO Enterprise Risk Management or the Federal Financial Institutions Examination Council (FFIEC) guidelines for additional protection.
Manufacturing
Manufacturers often prioritize efficiency and supply chain integrity. Given their vast inventory and equipment, controls also emphasize asset protection. Environmental, health and safety compliance has also emerged in recent years.
As a result, the COSO control activities are typically physical, involving regular inventory counts and maintenance logs. Risk assessments may dig into logistics, production downtime or quality failures. Once internal controls are in place, manufacturers monitor plant-level performance indicators and safety inspections.
Technology and software
Information security and data privacy are critical in this industry. Most organizations will be subject to strict regulations like GDPR. Controls will also focus on protecting intellectual property, scaling growth and managing third-party and vendor risks.
Technology companies use IT internal controls heavily, aligning with COSO’s tech principles. Rapid change and innovation also require more continuous risk reassessment than other industries. Software companies should seek to cultivate a control environment that supports agile structures while maintaining accountability.
Healthcare
Like financial services, healthcare is a highly regulated industry. Many healthcare regulations, like HIPAA, focus on safeguarding patients’ personally identifiable information. Organizations in this industry must also emphasize clinical and billing accuracy, regulatory reporting and ethical practices.
Healthcare internal controls are rooted in cross-functional coordination involving clinical, administrative and financial teams. Monitoring often includes real-time data dashboards and audits, as healthcare organizations are frequent targets of cyberattacks. Fraud risk can also include internal abuse and external claims fraud, expanding the scope of internal controls.
Flexing the COSO Framework to suit different company sizes
COSO is designed to be scalable and tailored to fit organizations of all sizes. Whether you’re a small startup or a global enterprise, the COSO Framework helps improve internal controls, manage risk and build trust with stakeholders. The key is adapting the principles proportionally to your resources, complexity and objectives.
Small to medium-sized businesses (SMBs)
COSO provides structure without being prescriptive, making it ideal for SMBs to formalize processes without overcomplicating operations. Using the framework can help SMBs protect against fraud and theft, demonstrate transparency to lenders, investors and donors and support growth by systematizing operations.
However, SMBs’ focus will be slightly different than their larger counterparts:
- Start with risk-based priorities: Focus on the most critical objectives, like cash handling, cybersecurity and compliance. De-emphasize less immediate risks so you don’t overextend your resources.
- Use existing staff and systems: Adapt roles and responsibilities to current personnel instead of creating new layers. This can help you kickstart an internal controls system before you can afford a dedicated team member.
- Implement simple but effective controls: Basic documentation, separation of duties, and regular reviews go a long way. Right-sized tools like Diligent AI Risk Essentials can streamline controls and extend your coverage without overwhelming you with capabilities.
- Keep it lean and iterative: Start small, build momentum and expand over time. Doing so will lead to deeper coverage over time rather than minimally adequate controls applied broadly.
Enterprise organizations
Large organizations need a unified framework to manage complexity, cross-functional risk, and regulatory compliance. COSO provides a common language and structure across business units and geographies. Enterprises commonly use COSO to comply with SOX and financial reporting requirements, integrate controls with enterprise risk management (ERM) and unify global supply chain, data privacy and third-party risk controls.
With the essentials already covered, enterprises should use COSO to:
- Align enterprise-wide: Use COSO to create consistency across departments, subsidiaries or regions. While larger entity structures are inherently complex, COSO is a simple way to ensure your entire organization follows the same policies and procedures.
- Integrate systems and reporting: Leverage technology to monitor controls and risks in real-time. This enables you to catch risks humans may miss, especially those that strike outside of business hours.
- Bolster governance and accountability: Ensure strong board oversight, clear accountability and independent assurance, like an internal audit. The more effective your internal controls leadership, the more robust your system will be.
- Adapt across functions: Apply COSO in operations, compliance, IT, finance and strategy. Giving functions the same controls framework breaks down silos and keeps teams working toward the same objectives.
COSO Framework examples
A small credit management company
A Rome-based credit management company needed to set up its internal audit function. At that time, the board brought on a new Chief Controls Officer, who was charged with developing an internal controls system, enhancing audit committee activities, and providing ongoing guidance around risk. Like in many SMBs, the Chief Controls Officer had a small team that needed to have a significant impact.
The team first set up and implemented the Diligent One Platform to manage, track and monitor internal controls, which they developed based on the COSO Internal Control Framework. The platform streamlined every implementation step, from assessing risks to managing and monitoring controls to reporting on audits and risk posture.
Together, the new control system and the tools to execute it empowered the audit team to report on issues and provide evidence, which risk owners can update within the platform. They can also tie risk assessments directly to the owners so they can truly own and manage risk.
A 160-year-old global beverage company
After rapid consolidation in the beverage industry, the company acquired at least 30 companies. This expansion increased business complexity and resulted in significant challenges for the audit team. The merging of multiple organizations had distinct data, requirements, and ways of working, including internal controls.
Adopting the Diligent One Platform enabled the company to supply one set of controls for all legal entities across the globe and audit those controls quickly and efficiently. The tool became the company’s “center of excellence” for control development and design. Using Diligent One, the audit team developed and refined 150 internal controls in just two years, providing a clear roadmap for how the business can operate efficiently, securely and compliantly.
How to measure the effectiveness of your COSO-based internal controls
Implementing the COSO framework is only the first step. Ongoing measurement and evaluation are essential to ensuring your internal controls do what they’re meant to: reduce risk, ensure compliance and support strategic objectives.
“Stakeholders now want everything in real-time. It used to be we could report things three months later. Now, three months is becoming three days,” says AIG Executive Vice President and Chief Auditor Naohiro Mouri.
You should measure internal controls' effectiveness by how well they are designed, implemented and functioning. Here are key questions to ask and steps to take to evaluate different aspects of your controls:
- Evaluate design versus performance: Are the controls well-designed to address specific risks tied to your objectives? Are the controls being executed consistently, correctly and on time?
- Use COSO’s five components as a framework for assessment:
  - Control environment: Are ethics, tone at the top and governance strong?
  - Risk assessment: Are risks identified, analyzed and updated regularly?
  - Control activities: Are policies and procedures implemented and followed?
  - Information and communication: Is information timely, accurate and shared appropriately?
  - Monitoring activities: Are you continuously monitoring and addressing control deficiencies?
- Set and track key performance indicators (KPIs): Your KPIs will vary based on your objectives but could include the percentage of key risks with aligned controls, the percentage of controls performed on time, the number of internal and external audit issues per quarter or the average time to remediate control deficiencies.
- Leverage internal audit and self-assessments: Internal audit should periodically review control performance, offering independent validation or objective feedback. Control owners can also evaluate their operating controls to build accountability and uncover issues early.
- Identify and address deficiencies promptly: Use COSO’s deficiency criteria. A deficiency means a control is missing or not operating effectively. A significant deficiency is one important enough to escalate to management. A material weakness is a deficiency severe enough that it may result in a material misstatement.
- Monitor over time: COSO emphasizes ongoing monitoring over periodic reviews. This includes embedded control dashboards, real-time alerts, automated workflows, and continuous risk reassessment as operations, technology and regulations evolve.
COSO and GRC, automation and AI
The COSO Internal Controls Framework provides a strong foundation for internal control and risk management. When paired with governance, risk and compliance (GRC) platforms and purpose-built AI, COSO becomes even more powerful, offering organizations a pathway to smarter, faster, more responsive controls.
COSO and GRC integration
GRC platforms unify risk, compliance and internal control management. While COSO offers the principles and structure, a GRC system is a vital tool for:
- Mapping COSO’s 17 principles directly into GRC modules
- Centralizing policies, risks and controls in a single system
- Standardizing assessments, workflows and reporting across departments
- Providing real-time visibility into control effectiveness and compliance gaps
COSO, automation and AI
Process automation helps implement and maintain COSO-aligned controls with less manual effort. Emerging tools use AI to elevate internal control and risk management further, identifying patterns, predicting risks and automating decisions.
“With the right technology and automations, you can take an enterprise-type product, develop your audits and audit reporting in a way that’s streamlined and automated. It adds a ton of value to your process and to your organization,” says Cherry Hill Advisory Chief Executive Officer Mike Levy.
AI tools can:
- Automate controls, like system-enforced workflows, audit trail generation and reconciliation alerts
- Monitor in real-time, including continuous exception tracking or compliance flagging
- Streamline control testing with automation that reduces human error and increases testing frequency
- Predict risks using AI-powered forecasting based on historical and external data
- Detect anomalies, flagging potential fraud, compliance breaches or systems failures faster
- Analyze contracts, policies or incident reports to find control weaknesses
- Suggest control improvements based on control performance data and risk trends
Use an audit checklist to master your internal controls
The COSO Internal Control Framework provides valuable insight into how risk management should look. However, it doesn’t prescribe what an organization should do day-to-day to maintain that framework. The internal audit committee needs to operate on an always-on basis, but it can be challenging to prioritize risks, track remediations, and develop reports on risk and revenue opportunities.
Diligent’s Internal Audit Checklist equips teams with next-level efficiency and strategic insight to keep up with internal audit’s ever-expanding scope. Explore the five essential steps that help leading audit teams navigate growing responsibilities, COSO Internal Control Framework implementation and evolving regulations with confidence. Download the checklist to learn more.
FAQs
What does COSO stand for?
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. It is a joint initiative that developed a widely accepted framework for internal control, risk management and fraud deterrence. The COSO Framework helps organizations design, implement, and evaluate internal controls across operations, compliance and reporting.
What are the 5 components of COSO internal control?
The five components of the COSO Internal Control Framework are:
- Control environment: Foundation for all other components; includes ethical tone and governance.
- Risk assessment: Identifies and analyzes risks that could impact objectives.
- Control activities: Actions and procedures that mitigate identified risks.
- Information and communication: Internal and external communication of relevant data.
- Monitoring activities: Ongoing evaluations and corrections of internal control systems.
These components work together to promote effective internal control across the organization.
Is COSO required by law?
COSO itself is not legally mandated, but its use is strongly encouraged or indirectly required by several regulations. For example, under the Sarbanes-Oxley Act (SOX), U.S. public companies must establish internal controls over financial reporting, and the COSO Framework is the most commonly used standard to meet that requirement.
What’s the difference between COSO 1992 and COSO 2013?
The COSO 2013 Framework updated the original 1992 version by:
- Adding 17 clear principles to better define effective internal control
- Emphasizing technology, governance and fraud risk
- Aligning with modern business practices and emerging risks
While the core structure (the five components) stayed the same, COSO 2013 offers greater clarity, relevance and adaptability for today’s organizations.
How is COSO used in SOX compliance?
The COSO Internal Control Framework is the most widely used standard for complying with Section 404 of the Sarbanes-Oxley Act (SOX), which requires public companies to establish and report on internal controls over financial reporting (ICFR).
COSO helps organizations:
- Design and implement effective controls to prevent and detect material misstatements
- Assess and document control performance in a structured, principle-based way
- Support audit readiness through clear mapping of risks, controls, and responsibilities
Beyond SOX, COSO provides a flexible, scalable model used to comply with other regulations, including:
- FCPA (anti-corruption): Monitoring third-party payments and approvals
- GDPR, HIPAA, CCPA (data privacy): Ensuring risk-informed data governance
- Basel III, FFIEC (financial services): Supporting enterprise risk and control frameworks
- ESG reporting: Enhancing integrity and auditability of sustainability data
Is the COSO Framework suitable for all types and sizes of organizations?
Yes. The COSO Framework is easily adaptable, making it suitable for organizations of all sizes and across sectors.
- Small and medium-sized businesses (SMBs): COSO can be applied in a streamlined way, focusing on the most relevant risks and using simplified, cost-effective controls that align with available resources. The key for SMBs is right-sizing the framework by prioritizing the most critical risks and their associated controls.
- Large enterprises: COSO flexes across complex operations, subsidiaries, and geographies, offering a consistent framework for enterprise-wide risk and control management.
What resources or tools can help with COSO Framework implementation?
Resources and tools that can help with COSO implementation include:
- The Diligent One Platform, which maps and monitors COSO principles in real-time
- Pre-built control libraries and risk assessment templates within Diligent One
- Professional guidance, including Diligent’s robust risk and audit and compliance content
- Diligent’s internal audit checklist, audit technology checklist and control management series will help you cover all your internal controls bases
How often should an organization review and update its COSO-based internal controls?
Best practice recommends:
- Ongoing monitoring to catch and address issues in real-time
- Formal evaluations at least annually or when there are significant changes (e.g., mergers, new regulations, tech updates)
- Periodic internal audits or self-assessments to identify gaps
Controls should evolve with your organization’s risks and objectives to stay effective and compliant.