The COSO cube is a diagram that shows the relationship among all parts of an internal control system. Aside from showing how these parts are connected, it also identifies a number of principles an organization should follow to meet their internal control objectives.
The COSO cube is a part of a control framework generally called the COSO framework. It was created by the Committee of Sponsoring Organizations of the Treadway Commission, or COSO. COSO is made up of representatives from five different organizations: the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Management Accountants and the Institute of Internal Auditors. Together, they develop guidance documents to aid organizations with risk assessment, internal controls and fraud prevention.
The COSO framework was originally conceived in 1992, and later updated in 2013 and 2017. The 2013 updated framework contains the COSO cube. The framework was developed to help organizations reach objectives related to operations, reporting and compliance. The purpose of internal control is to ensure these objectives are achieved. This process is normally implemented by an organization's board of directors, management and other personnel. For years, the 2013 framework was considered a gold standard for applying and testing internal controls.
The COSO cube
While the 1992 framework was proficient at evaluating existing controls, it wasn't comprehensive. The 2013 version addressed this with the addition of the COSO cube, which focused on the design and implementation of a risk management framework. The COSO cube replaced the previous framework principle image that was shaped like a pyramid.
The cube is made up of a number of columns and rows that visualize internal control systems. Columns of the cube make up the three objective categories. The rows in the cube are the five components. On the third dimension is organizational structure.
The three objective categories found in the columns consist of operations, reporting and compliance. In the image, this is normally the top side of the cube.
The five components found in rows on the front face of the cube include -- from top to bottom -- the control environment, risk assessment, control activities, information and communication as well as monitoring activities. The control environment is a set of standards, processes and structures that form internal control. Risk assessment forms the basis for which risk is managed -- in both internal and external environments. Control activities are the preventative and detective policies, procedures and standards that aid management in mitigating risks. Information and communication relate to information gained that can support internal control components. Monitoring activities include consistent evaluations verifying that each of the five components of internal control are present and are working correctly.
The organizational structure is the hierarchy of an organization. On the right side of the cube -- from left to right -- an organization's entity level, division, operating unit and function are displayed. Each may be affected by business unit activities, function controls and business-level controls.
The 17 principles
The COSO framework also outlines 17 principles an organization should adopt in order to reach its internal control objectives. Framework principles fall within each component of the COSO cube: five principles for the control environment, four for risk assessment, three for control activities, three for information and communication, and the last two for monitoring activities.
Control environments principles include:
- commit to integrity and ethical values;
- exercise oversight responsibility;
- establish structure and reporting lines;
- demonstrate a commitment to competence; and
- enforce accountability.
Risk assessment principles include:
- specify suitable objectives;
- identify and analyze risk;
- assess fraud risk; and
- identify and analyze significant changes.
Control activity principles include:
- select and develop control activities that mitigate risk;
- select and develop control activities involving technology; and
- deploy control activities through specific policies and procedures.
Information and communication principles include:
- use relevant information;
- communicate internally; and
- communicate externally.
Monitoring activity principles include:
- conduct ongoing or separate evaluations; and
- evaluate and communicate deficiencies.
The updated COSO framework
The COSO framework was updated in 2017, with a name change to "Enterprise Risk Management -- Integrating with Strategy and Performance." The update focuses on ERM and more heavily considers risk in processes and performance management. Along with the update, the graphic changed from a cube to a helix structure. Organizations that abide by the previous COSO framework aren't required to change to the new one. The COSO cube can continue to be useful to organizations since it still provides a framework for improving risk management and internal control. An understanding of the COSO cube provides a fair amount of background knowledge for the 2017 version of the framework as well.
The helix-shaped graphic for the COSO ERM framework represents how risk management principles are integrated throughout an organization's lifecycle.
The helix is based on five components, each supported by multiple principles. Ideally, by following COSO's updated graphic, organizations will be able to implement and enforce its principles, leading to improved performance in ERM initiatives.
The five components shown in the helix include:
- Governance and culture -- which establish the oversight for ERM.
- Strategy and objective-setting -- which form a strategic-planning process.
- Performance -- which identifies risks that affect strategic-planning processes. This should also include a way to highlight and respond to apparent issues.
- Review and revision -- which focus on reviewing organization performance to determine how ERM components are functioning and if any changes should be made.
- Information, communication and reporting -- which focus on gathering and sharing information as necessary, typically from internal and external sources.
Twenty principles support the five components, which should lead organizations to understand and manage risks and business objectives.