DISCLAIMER: This blog post is no longer current or valid as of July 16. The COSO draft corporate governance framework referenced in this post has been removed and is no longer available for public comment.
Good corporate governance is about getting your organization to pursue its business objectives — financial targets, market expansion, ethical business conduct, and so forth — in a consistent and disciplined manner, even though you can’t predict exactly what challenges you might encounter on any given day.
Lovely concept; really difficult to implement in practice.
Now COSO has proposed a way to remedy that situation. It recently released a draft framework for corporate governance, open for public comment through Sept. 12. COSO will then consider that public feedback and publish a final version of the framework sometime after that.
Even now, however, internal audit teams can take this draft framework and put it to good use. Its (proposed) components and principles can be the starting point to tackle all sorts of issues, such as auditing corporate culture or improving information quality. All you need are the right tools and a bit of imagination.
The Draft Framework Itself
In many ways this draft framework for corporate governance is like the previous frameworks COSO has published over the years. For example, if you use the COSO internal control framework to guide your SOX compliance efforts, this will all feel familiar.
The draft framework starts with six fundamental components: oversight, strategy, culture, people, communication, and resilience. Those six components are then supported by 24 principles, and each principle is supported by several more specific “points of focus.” (So that’s several dozen points of focus for the framework in total.)
We can divide the framework’s six components into two groups.
First are oversight, strategy, and culture. They mostly address organizational fundamentals, such as establishing board structure, defining strategy, and articulating the corporate culture. These three components are supported by 13 principles, as seen in Figure 1, below.

The second three components are people, communication, and resilience. They deal more with the tactical issues of how you organize the company’s resources to achieve your objectives. These three components are supported by 11 principles, as seen in Figure 2.

We should always remember that this framework is only an exposure draft. COSO might end up publishing a final framework that looks quite different: different components, different principles, a different number of principles, or even a different visual image than the six components arranged in a circle.
That’s no reason to do nothing, or even to wait until the final framework arrives. Audit teams can put this draft version to work on practical challenges right now. Let’s consider a few examples of how.
Example 1: Auditing Culture
Every board or senior management team that takes governance (and worker performance) seriously will want a strong corporate culture, but auditing corporate culture is seldom easy. So you could start by taking the three principles of the Culture component —
- Establish and model culture and behaviors
- Promote ethics, respect, and open communication
- Assess and adapt culture
— and converting them into a risk-and-control matrix that can guide your audit activities more precisely. For example, I took the three principles and asked ChatGPT to build me a risk-and-control matrix. The result is below, and it’s not half bad.

Of course, you don’t need to follow the above matrix precisely. For example, you might already have a matrix of your own that addresses corporate culture to some extent, and perhaps you could map the three Culture principles to those instead. Or you could use these suggested controls as inspiration for other types of controls that are more relevant to your organization and its risks.
The point is simply that even this draft framework can provide the raw material for a control mapping exercise to help you tackle an often-elusive issue. It can bring the fuzzy goal of “auditing culture” into sharper focus.
Example 2: Information Quality
We can run the same sort of exercise for the more tactical challenge of communication, too. (After all, as we keep moving into a future dependent on data, IT, and artificial intelligence, clear and accurate communication among stakeholders will become a top priority for every organization.)
I took three of the four principles for the Communication component (I excluded the “Engage stakeholders strategically” principle mostly for the sake of concision) and asked ChatGPT for another risk-and-control framework. Moments later I had this:

Again, this is only a simple example of what you could do. But notice that some of these governance controls really are just labels for whole sets of other procedures and controls, which let you dig deeper into your controls library.
For example, to address the risk of poor data governance, the control is listed as “information governance framework.” Well, we could dedicate an entire separate post to what a good information governance framework should entail. Likewise, another control is “external communication approval workflows.” That simple idea contains a host of more precise controls.
With the right tools, you can tie those more precise control activities back to these governance controls, confirming that everything exists, is documented, and works properly.
So Start Now
As we said, this is only a draft framework for corporate governance. COSO’s final version might look quite different, depending on the feedback it receives. (Which also means you should comment on the exposure draft while you can, to make your opinion heard.)
Even this exposure draft, however, can help you drive better corporate governance right now. You can start having conversations with the board, management, and First Line operating units to discuss how your organization scores on governance, where you might improve processes, and so forth.
The modern challenges for boards and senior management are all about good governance. We simply can’t anticipate every single new regulatory policy, security risk, financial uncertainty, or ethical challenge that might strike. The key is to have good governance that builds strong, durable structures so that organizations can prevail despite all that uncertainty.
So take the concepts in this draft framework, put them into your GRC tools, and start to see what’s possible.
About Matt Kelly
Matt Kelly is an independent compliance consultant specializing in corporate compliance, governance, and risk management. He shares insights on business issues on his blog, Radical Compliance, and is a frequent speaker on compliance, governance, and risk topics.
Kelly was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and named to Ethisphere's "Most Influential in Business Ethics" list in 2011 and 2013. He served as editor of Compliance Week from 2006 to 2015.
Based in Boston, Mass., Kelly can be contacted at mkelly@RadicalCompliance.com.