Committee of Sponsoring Organizations of the Treadway Commission

In 1985, COSO began as a private sector initiative to investigate the causal factors that lead to fraudulent financial reporting as a result of a number of accounting scandals in the 1970s and mid-1980s.

In 2013, COSO re-released the Integrated Framework, stating that significant changes in technology and global business trends increased the need for quality systems of internal control, and provided enhanced guidance for the application of the overall principles.

The COSO framework defines internal control as a process, carried out by the board of directors, the administration and other personnel of an entity, designed to provide "reasonable security" with respect to the achievement of objectives in operations, financial reporting, and compliance with applicable laws and regulations.

Factors in the control environment include integrity, ethical values, the operational style of administration, the delegation of authority systems, as well as the processes for managing and developing people in the organization.

They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, operational performance reviews, asset safety and segregation of functions.

Internal control deficiencies detected through these monitoring activities must be reported upstream and corrective measures must be taken to ensure continuous improvement of the system.

"[5] CFO magazine continued to state that many organizations are creating their own risk and control matrix by taking the COSO model and modifying it to focus on the components that relate directly to Section 404 of the Sarbanes-Oxley Act.

In 2001, COSO initiated a project and hired PricewaterhouseCoopers to develop a framework that administrations could easily use to evaluate and improve the business risk management of their organizations.

High-profile commercial scandals and failures (e.g., Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom) prompted calls to improve corporate governance and risk management.

"[6] COSO believes that this framework is expanded in internal control, providing a more robust and extensive approach to the broader issue of business risk management.

Over time, effective monitoring can lead to organizational efficiencies and reduced costs associated with public information about internal control because problems are identified and addressed proactively, rather than reactively.

To preserve its independence of judgment, the internal audit should not assume any direct responsibility in the design, establishment or maintenance of the controls that it is supposed to evaluate.

Under Section 404 of the Sarbanes-Oxley Act, management and external auditors must report on the adequacy of the company's internal control over financial information.