COSO Framework’s 17 Principles of Effective Internal Control

Read the most updated version here

Earlier this year, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its Internal Control — Integrated FrameworkThe updated principles-based framework, which supersedes the original 1992 framework, now explicitly describes its principles rather than simply implying them, thus making it easier for companies to apply the principles. The revised COSO framework’s 17 principles of effective internal control are as follows:

Internal Control Component


Control environment

1. Demonstrates commitment to integrity and values
2. Demonstrates independence and exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to attracting, developing and retaining competent staff
5. Enforces accountability

Risk assessment

6. Specifies suitable, specific objectives
7. Identifies and analyzes risks
8. Assesses fraud risk
9. Identifies and analyzes significant changes

Control activities

10. Selects and develops control activities that help mitigate risks
11. Selects and develops general controls over technology
12. Bases controls on thorough policies and procedures

Information and communication

13. Uses relevant, high-quality information
14. Communicates internally to support controls
15. Communicates externally


16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies


Depending on a company’s facts and circumstances, making the transition to the updated framework can take time, so it’s a good idea to begin the process as soon as possible. Companies may begin by familiarizing themselves with the aforementioned 17 principles and other COSO guidelines. Then, companies may evaluate the current state of their internal control system and develop a plan for correcting any weaknesses.

To learn more about the revised COSO Framework, view the Weaver Insights article Updated COSO Framework: Will Your Company’s Internal Controls Make the Grade?

© 2013