Home / COSO & COBIT Center / Original COSO Framework

Original COSO Framework

The COSO Financial Controls Framework: 1992 version

This page describes the original, 1992 COSO Financial Controls Framework. See also the 2004 Enterprise Risk Management (ERM) COSO Framework


The original COSO framework is outlined in a document: 1992 COSO Report: Internal Control – An Integrated Framework.
This document identifies what the commission believed to be the fundamental and essential objectives of any business or government entity:

  • economy and efficiency of operations, including safeguarding of assets and achievement of desired outcomes;
  • reliability of financial and management reports; and
  • compliance with laws and regulations.


Describes a unified approach for evaluation of the internal control systems that management has designed to:

  • provide reasonable assurance of achieving corporate mission, objectives, goals and desired outcome,
  • while adhering to laws and regulations
  • allow the company to accurately report successes and outcomes to the public and interested third parties
  • serves as a common basis for managements, directors, regulators, academics and others to better understand enterprise risk management, its benefits and limitations, and to effectively communicate about enterprise risk management


Control Components
The COSO Cube
The original COSO framework contains five control components needed to help assure sound business objectives. The control components are:

  • Control Environment.
  • Risk Assessment.
  • Control Activities.
  • Information and Communication.
  • Monitoring.

More specifically, the thought process behind these five components was that they would work together to support efforts to achieve an organization’s mission, strategies and related business objectives. All five components would need to be in place to achieve an “effective” internal control system.


Control Environment
- Integrity and Ethical Values
- Commitment to Competence
- Board of Directors and Audit Committee
- Management’s Philosophy and Operating Style
- Organizational Structure
- Assignment of Authority and Responsibility
- Human Resource Policies and Procedures

Risk Assessment
- Company-wide Objectives
- Process-level Objectives
- Risk Identification and Analysis
- Managing Change

Control Activities
- Policies and Procedures
- Security (Application and Network)
- Application Change Management
- Business Continuity / Backups
- Outsourcing

Information and Communication
- Quality of Information
- Effectiveness of Communication

- On-going Monitoring
- Separate Evaluations
- Reporting Deficiencies


In 2004, COSO was updated. Read about the 2004 Enterprise Risk Management (ERM) COSO Framework here