
COSO Internal Control Integrated Framework (ICIF)
A voluntary US-origin framework for designing, implementing, and evaluating systems of internal control, applicable globally across all sectors, with particular use in compliance with the U.S. Sarbanes-Oxley Act.
What Is the COSO Internal Control Integrated Framework?
Originally published in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the COSO Internal Control – Integrated Framework (ICIF) is a principles-based framework for designing, implementing, and evaluating the effectiveness of an internal control system across operations, reporting, and compliance.
The framework defines internal control as a process effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of its objectives. The 2013 update introduced 17 principles to codify the internal control concepts in its five components, making the framework more explicit and easier to apply in practice.
The 5 Components of the ICIF

Component | Description
--- | ---
Control Environment | The foundation of the system, including organizational culture, ethical values, governance structures, and tone from the top, that sets the conditions for control to function effectively.
Risk Assessment | The process of identifying and analyzing risks to achieving objectives, including fraud risk, and determining how to manage those risks.
Control Activities | The preventive and detective policies, procedures, and mechanisms that organizations put in place to address identified risks and achieve control objectives.
Information & Communication | The systems and processes for capturing, processing, and communicating relevant information, both internally and externally, to support the operation and oversight of the internal control system.
Monitoring Activities | Ongoing evaluations and separate evaluations (including internal audit) to assess whether controls are present and functioning; deficiencies must be communicated promptly.
In 2023, COSO released Internal Control Over Sustainability Reporting (ICSR), supplemental guidance that applies the 2013 framework to sustainability reporting, reflecting the growing intersection between financial and non-financial reporting.
Although the ICIF is not a regulatory requirement, it is the most widely used internal control evaluation framework in the United States. It also plays a significant role under the Sarbanes-Oxley (SOX) Act’s Section 404, which requires management to assess internal control over financial reporting against a recognized framework, with the ICIF being the framework of choice for many.
Beyond the U.S., the 2013 COSO Framework has been adopted in numerous other countries and industries. It is not, however, a certifiable framework: organizations adopt it voluntarily, typically to meet the expectations of partners, auditors, or regulators rather than to obtain a certificate.
What Does the COSO ICIF Require?
Since the ICIF is a voluntary framework rather than a regulation, it does not prescribe any legal requirements. However, it provides a structured approach to designing and evaluating a system of internal control, organized into 17 principles across 5 components. For internal control to be judged effective, all five components and the relevant principles must be present and functioning, and the components must operate together in an integrated manner.
Core COSO ICIF Requirements

Area | What the framework expects
--- | ---
Control Environment Assessments | Assess whether governance structures, ethical standards, competencies, and accountability mechanisms create the foundation for effective control. Board oversight and management's tone from the top are central to this component.
Risk Identification & Assessments | Identify and analyze risks to operational, reporting, and compliance objectives, including fraud risk, and determine appropriate responses. Risk assessment must be performed at both the entity and activity levels.
Control Activity Design & Implementation | Control activities must be selected and developed to align with the organization's risk appetite and address identified risks. These include authorization controls, reconciliations, physical controls, segregation of duties, and IT general controls.
Information Quality & Communication | Ensure that relevant, quality information is obtained, generated, and used to support internal control. Communication must flow internally (up, down, and across the organization) and externally with relevant parties.
Monitoring Design & Implementation | Perform ongoing monitoring embedded in operations and periodic separate evaluations to determine whether controls are present and functioning. Deficiencies must be reported to appropriate management.
Documentation & Evidence | Effective application of the framework requires documentation that supports management's assertion that internal controls are operating effectively. For SOX purposes, this documentation is subject to external auditor scrutiny.
Fraud Risk Consideration | Consider fraud types, including fraudulent reporting, misappropriation of assets, and corruption, and design controls to address these risks.
Why Is the Internal Control Integrated Framework Important?
The COSO Internal Control Integrated Framework is the de facto global standard for internal control, used by boards, audit committees, external auditors, and regulators across jurisdictions to assess whether an organization has adequate controls. Under SOX’s Section 404, the framework provides a practical method for conducting these assessments.
From a global perspective, the 2023 ICSR guidance directly expanded the framework to cover sustainability disclosures, which is particularly relevant for organizations subject to the EU’s Corporate Sustainability Reporting Directive (CSRD) or preparing for third-party assurance of ESG reporting.
Organizations that have already built COSO-aligned control environments for financial reporting are better positioned to extend that rigor to sustainability, reducing the risk of inconsistent control quality between financial and non-financial reporting areas.
How FaceUp Helps Comply with the COSO ICIF
Although the COSO Internal Control Integrated Framework does not require organizations to operate a whistleblowing channel, its Information & Communication component (Principle 14) expressly lists separate communication lines such as whistle-blower hotlines as a fail-safe for reporting misconduct when normal channels are inoperative or ineffective, and its Control Environment component treats a demonstrated commitment to integrity and ethical values as foundational.
FaceUp provides organizations with an easily deployable solution for multi-channel reporting and centralized case management. Audit-ready logging, role-based access controls, and real-time analytics dashboards provide evidence that can feed both ongoing monitoring and separate evaluations, though the control itself is only effective if management and internal audit actually review that evidence and act on the deficiencies it surfaces.
Combined, these features help support internal audit and management review processes by providing structured, traceable records of reported issues and their resolution. FaceUp also reinforces the framework's emphasis on ethical values, tone from the top, and accountability structures.
The FaceUp Solution
FaceUp is an anonymous reporting and compliance platform designed to help businesses meet whistleblowing regulations worldwide, including those in the US, EU, UK, and UAE.

Fully Anonymous Reporting
Give staff multiple secure channels to report their concerns, complete with an anonymous two-way chat.
Mobile-First Accessibility
No IP storage, no device IDs, encrypted submissions
Customizable forms, categories, routing rules, and more

Customizable Case Management
Create an easily verifiable audit trail through a customizable case management system with automatic routing.
Supports multiple locations, subsidiaries, or units
Entity-specific routing and access permissions
Optional notifications via email, Teams, or Slack

Real-Time Data Analytics
Identify trends, repeated issues, and escalation risks early with customizable visual real-time dashboards.
Filter by category, region, channel, and more
Share without revealing sensitive information
ISO 27001 and SOC 2-certified local servers
