COSO Framework’s 17 Principles of Effective Internal Control

Read the most updated version here.

Earlier this year, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) updated its Internal Control — Integrated Framework. The updated principles-based framework, which supersedes the original 1992 framework, now explicitly describes its principles rather than simply implying them, thus making it easier for companies to apply the principles. The revised COSO framework’s 17 principles of effective internal control are as follows:

Internal Control Component	Principles
Control environment	1. Demonstrates commitment to integrity and values 2. Demonstrates independence and exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to attracting, developing and retaining competent staff 5. Enforces accountability
Risk assessment	6. Specifies suitable, specific objectives 7. Identifies and analyzes risks 8. Assesses fraud risk 9. Identifies and analyzes significant changes
Control activities	10. Selects and develops control activities that help mitigate risks 11. Selects and develops general controls over technology 12. Bases controls on thorough policies and procedures
Information and communication	13. Uses relevant, high-quality information 14. Communicates internally to support controls 15. Communicates externally
Monitoring	16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies

Depending on a company’s facts and circumstances, making the transition to the updated framework can take time, so it’s a good idea to begin the process as soon as possible. Companies may begin by familiarizing themselves with the aforementioned 17 principles and other COSO guidelines. Then, companies may evaluate the current state of their internal control system and develop a plan for correcting any weaknesses.

To learn more about the revised COSO Framework, view the Weaver Insights article Updated COSO Framework: Will Your Company’s Internal Controls Make the Grade?