COSO Framework: 2004 Version

The COSO Financial Controls Framework

This page describes the 2004 Enterprise Risk Management (ERM) COSO Framework. See also the original 1992 COSO Financial Controls Framework.

Why was the COSO framework updated from the 1992 Version? Here’s the word from COSO:

Enterprise Risk Management — Integrated Framework (2004)
In response to a need for principles-based guidance to help entities design and implement effective enterprise-wide approaches to risk management, COSO issued the Enterprise Risk Management – Integrated Framework in 2004. This framework defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management. The guidance introduces an enterprise-wide approach to risk management as well as concepts such as: risk appetite, risk tolerance, portfolio view. This framework is now being used by organizations around the world to design and implement effective ERM processes.

Click here to view the Executive Summary of the 2004 COSO Document: Enterprise Risk Management (ERM) COSO Framework.

The new Enterprise Risk Management (ERM) COSO framework emphasizes the importance of identifying and managing risks across the enterprise. The new COSO framework consists of eight components:
1. Internal control environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring

The three new components of the COSO framework are Objective setting, Event identification, and Risk response.



Have questions? Click here to get answers to the following Frequently Asked Questions:

FAQs for COSO’s Enterprise Risk Management — Integrated Framework

A. What is the framework and how do I get it?

1. What is in the framework?
2. Where can I find the framework?

B. Why is this a framework that organizations should support?

1. What limitations of existing enterprise risk management models prompted creation of a new framework?
2. How might the framework assist organizations in structuring their entities to best manage exposure to risk?
3. Is there such a thing as being overly conscientious about risk?

C. What are some of the key concepts established in this framework?

1. What is the difference between risk appetite and risk tolerance?
2. How does an organization determine the right amount of risk for the value it is trying to create for stakeholders and how should it communicate its risk policy to stakeholders?
3. What is the relationship between effective enterprise risk management and improved financial reporting and transparency?
4. Is this intended for private organizations? Is there any organization this is not intended for?

D. How does this framework relate to COSO’s Internal Control Framework?

1. Are you replacing the Internal Control Framework with the Enterprise Risk Management Framework?
2. What is the relationship between technology controls and effective enterprise risk management?
3. If you have good internal control, isn’t that a way of managing risk?
4. What does the new framework offer clients that are focusing on internal control?

E. How might organizations view the framework in the context of their Sarbanes-Oxley 404 compliance process?

1. With the significant amount of implementation efforts companies are currently undertaking for Sarbanes-Oxley compliance and adoption of new accounting standards, why should companies be motivated to implement enterprise risk management?
2. What makes this different from the internal control framework? How does it relate to Sarbanes-Oxley reporting?

F. How do people in an organization intersect with this framework?

1. What is the role of the board in enterprise risk management? How does this framework help them?
2. What is the role of the CFO and others in the financial management organization in enterprise risk management? How will this framework help them?
3. What is the role of internal auditors in enterprise risk management? How will this framework help them?
4. Who are the potential implementers of the framework?


Why the focus on Enterprise Risk Management?

Here’s what COSO says:

Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. Enterprise risk management encompasses:

  • Aligning risk appetite and strategy – Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
  • Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance.
  • Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
  • Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
  • Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
  • Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

These capabilities inherent in enterprise risk management help management achieve the entity’s performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity’s reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.