I was sitting in a boardroom in 2017 when the CFO of a publicly-traded manufacturing company looked me straight in the eye and said, "We have over 200 controls documented. We passed our SOX audit. So why did we just lose $3.2 million to a vendor payment fraud scheme that should have been impossible?"
That question haunted me for weeks. Here was an organization that had checked all the boxes, documented all the procedures, and still got blindsided. The answer, I eventually realized, wasn't about having controls—it was about understanding how those controls work together as a system.
That's exactly what the COSO Internal Control Framework addresses. And after fifteen years of implementing these principles across dozens of organizations, I can tell you: understanding the five components of COSO isn't just about passing audits—it's about building an organization that can actually prevent, detect, and correct problems before they become catastrophes.
What Is COSO and Why Should You Care?
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed this framework in 1992, updated it significantly in 2013, and it's become the gold standard for internal controls worldwide. If you're dealing with financial reporting, SOX compliance, or enterprise risk management, COSO is your blueprint.
But here's what most people miss: COSO isn't just for finance teams. I've used these principles to fix everything from IT security programs to operational processes to vendor management nightmares.
"COSO doesn't give you the answers. It teaches you how to ask the right questions."
Let me walk you through each of the five components, not as theory, but as I've seen them work (and fail) in the real world.
Component 1: Control Environment - The Foundation That Makes or Breaks Everything
The Control Environment is what I call the "oxygen" of your organization. You can't see it, but without it, nothing else survives.
What It Actually Means
The Control Environment is your organization's culture, ethics, and attitude toward controls. It's set by leadership and reflected in how people actually behave when nobody's watching.
I learned this lesson the hard way in 2019 working with a financial services firm. On paper, they had impeccable controls. In practice, their CEO regularly told people to "move fast and don't let process slow you down." Guess what happened? People bypassed controls constantly because they knew leadership didn't actually care about them.
Six months later, a trading desk employee exploited those weak controls and caused $4.7 million in unauthorized losses. The controls existed. The culture killed them.
The Five Principles of Control Environment
| Principle | What It Means | Real-World Example |
|---|---|---|
| 1. Commitment to Integrity and Ethics | Leadership demonstrates and enforces ethical behavior | CEO publicly disciplined a top performer for a policy violation, sending a clear message |
| 2. Board Independence and Oversight | Board actively challenges management and asks hard questions | Board rejected three major projects in 2023 due to inadequate risk assessment |
| 3. Organizational Structure and Authority | Clear reporting lines and accountability | Every process has a named owner; no "committee responsibility" |
| 4. Commitment to Competence | Hiring, developing, and retaining capable people | Mandatory 40 hours annual training; skills assessments tied to promotion |
| 5. Accountability for Performance | People are held responsible for their control responsibilities | Manager removed after third control failure despite hitting revenue targets |
What Strong Control Environment Looks Like
I worked with a healthcare organization where the CEO started every quarterly meeting by reviewing control failures and what was learned from them. Not to punish—to improve. Within eighteen months:
Control violation incidents dropped by 73%
Employee-reported potential issues increased by 340%
Audit findings decreased by 61%
Why? Because people understood that leadership cared about doing things right, not just doing things fast.
Red Flags I've Learned to Spot
When I assess a Control Environment, here's what makes me nervous:
Leadership says "just get it done" more often than "how should we do this?"
High performers get special treatment and don't have to follow the rules
Raising concerns is discouraged or results in retaliation
The board rubber-stamps everything management proposes
People can't clearly explain who's responsible for what
"Show me an organization where the CEO bypasses approval processes 'because I'm the CEO,' and I'll show you an organization heading for a compliance disaster."
Building a Strong Control Environment: Practical Steps
From my experience, here's what actually works:
Week 1-2: Leadership Commitment
Conduct anonymous survey: Do employees believe leadership values integrity?
Review last 12 months: Did leadership demonstrate commitment to controls?
Establish "tone at the top" communication plan
Month 1-3: Structure and Accountability
Map organizational reporting relationships
Assign control ownership to specific individuals (never "the team")
Create consequence framework for control violations at ALL levels
Month 3-6: Competence and Performance
Assess team capabilities against control requirements
Develop training programs for control-critical roles
Build control performance into annual reviews
Ongoing: Measurement and Reinforcement
Quarterly control effectiveness reviews
Public recognition for strong control culture
Regular communication about why controls matter
Component 2: Risk Assessment - Finding Problems Before They Find You
In 2020, I watched a company lose $8.3 million because they never assessed the risk of a key supplier going bankrupt. "They've been around for 30 years," the procurement director told me. "Why would we worry about that?"
Because 30-year-old companies fail too. And when you haven't assessed the risk, you can't prepare for it.
The Four Principles of Risk Assessment
| Principle | What It Means | Common Mistake I See |
|---|---|---|
| 1. Specifies Objectives | Clear goals at entity, division, and process levels | Vague objectives like "be secure" instead of measurable targets |
| 2. Identifies and Analyzes Risks | Systematic identification of what could prevent achieving objectives | Only focusing on obvious risks, ignoring emerging threats |
| 3. Assesses Fraud Risk | Specific evaluation of fraud potential | Assuming "our people would never do that" |
| 4. Identifies and Assesses Changes | Evaluating how internal/external changes affect risk | Implementing new technology without reassessing risk |
My Risk Assessment Framework That Actually Works
After years of trial and error, here's the process I use with every client:
Step 1: Define What Success Looks Like
I make organizations get specific. Not "improve security" but "reduce successful phishing attacks by 60% within 12 months." Not "strengthen controls" but "achieve zero unauthorized access to financial systems."
Why? Because if you don't know what you're trying to achieve, you can't assess what might prevent you from achieving it.
Step 2: Identify What Could Go Wrong
I use a three-layer approach:
| Risk Category | Example Risks | Assessment Frequency |
|---|---|---|
| Strategic Risks | Market disruption, regulatory changes, competitive threats | Quarterly |
| Operational Risks | Process failures, system outages, vendor issues | Monthly |
| Compliance Risks | Regulatory violations, audit failures, control breakdowns | Continuous |
| Financial Risks | Fraud, errors, unauthorized transactions | Daily monitoring |
| Technology Risks | Cyberattacks, data breaches, system failures | Real-time alerts |
Step 3: Analyze Risk Likelihood and Impact
Here's the matrix I've used successfully across 40+ organizations:
| Impact \ Likelihood | Rare | Unlikely | Possible | Likely | Almost Certain |
|---|---|---|---|---|---|
| Catastrophic (>$5M) | Medium | High | Extreme | Extreme | Extreme |
| Major ($1M-$5M) | Low | Medium | High | Extreme | Extreme |
| Moderate ($100K-$1M) | Low | Medium | Medium | High | Extreme |
| Minor ($10K-$100K) | Low | Low | Medium | Medium | High |
| Negligible (<$10K) | Low | Low | Low | Low | Medium |
Step 4: Decide What to Do About It
For each risk, you have four options:
Accept - Acknowledge it and move on (low impact/low likelihood)
Mitigate - Implement controls to reduce likelihood or impact
Transfer - Use insurance or outsourcing to shift risk
Avoid - Don't do the activity that creates the risk
Real-World Risk Assessment Success Story
I worked with an e-commerce company in 2021. They were growing 200% year-over-year and had never done a formal risk assessment. We spent six weeks mapping their risks.
What we found shocked them:
67% of revenue came through a single payment processor (concentration risk: EXTREME)
No backup vendor was under contract
Implementation timeline for new processor: 4-6 months
Impact of losing current processor: Complete revenue stop
We immediately:
Negotiated contract with backup processor
Implemented dual-processing capability
Created rapid-switch procedures
Reduced concentration to 45% within 90 days
Four months later, their primary processor suffered a major outage. While competitors lost millions in sales, they switched to backup processing in 47 minutes. Total revenue loss: $23,000 versus projected $4.2 million.
That's risk assessment paying for itself 180x over.
"Risk assessment isn't about preventing bad things from happening. It's about not being surprised when they do."
The Fraud Risk Reality Check
Let me be blunt about something uncomfortable: fraud happens in good organizations with good people.
I've seen:
A 15-year employee embezzle $890,000 through fake vendor payments
An IT admin sell customer data for $50,000
A finance manager manipulate expense reports for $200,000 over three years
Every single one was "trusted" and "would never do that." Until they did.
The COSO framework requires specific fraud risk assessment, and here's my approach:
| Fraud Type | How It Happens | Detection Controls | Prevention Controls |
|---|---|---|---|
| Asset Misappropriation | Stealing cash, inventory, data | Reconciliations, physical counts, access logs | Segregation of duties, dual authorization |
| Financial Statement Fraud | Manipulating numbers to hide problems | Analytical reviews, trend analysis | Independent oversight, whistleblower hotline |
| Corruption | Bribes, kickbacks, conflicts of interest | Vendor analysis, gift registries | Code of conduct, disclosure requirements |
Component 3: Control Activities - Where Policy Meets Practice
Control Activities are the actual policies and procedures that ensure management's directives are carried out. This is where most organizations focus all their energy—and where most miss the point entirely.
The Three Principles of Control Activities
| Principle | Description | Implementation Tip |
|---|---|---|
| 1. Selects and Develops Control Activities | Choose controls that address risks at acceptable levels | Start with high risks, not all risks |
| 2. Selects Technology Controls | Use IT controls appropriate to support business objectives | Automate detective controls first |
| 3. Deploys Through Policies | Document expectations and responsibilities | Make policies findable and understandable |
The Control Activities That Actually Matter
After implementing hundreds of controls, I've learned which ones provide the most value:
Preventive Controls - Stop Problems Before They Start
| Control Type | Example | When to Use |
|---|---|---|
| Segregation of Duties | Person who approves invoices can't also pay them | High-value transactions, fraud-prone processes |
| Authorization Limits | Purchases >$50K require VP approval | Any financial commitment or resource allocation |
| Physical Controls | Server room requires badge + biometric | Sensitive assets, critical infrastructure |
| Access Controls | Role-based permissions in systems | All technology systems, especially those with sensitive data |
Detective Controls - Find Problems Fast
| Control Type | Example | Frequency |
|---|---|---|
| Reconciliations | Bank statement vs. accounting records | Daily for high-volume, monthly for low-volume |
| Variance Analysis | Actual vs. budget review | Monthly with immediate investigation of >10% variance |
| Log Reviews | System access and change logs | Daily for critical systems, weekly for others |
| Exception Reports | Transactions outside normal patterns | Real-time for fraud indicators, daily for others |
A Story About Segregation of Duties
In 2018, I was called in after a mid-sized distributor discovered a $1.8 million fraud. Their accounts payable clerk had been creating fake vendors, approving invoices, and processing payments for three years.
"How?" the CEO demanded. "We have controls!"
I pulled up their system. The AP clerk had:
Vendor creation rights
Invoice approval authority
Payment processing access
Bank reconciliation responsibility
One person controlled the entire procure-to-pay cycle. That's not a control failure—that's a control absence.
We redesigned their process:
| Process Step | Old Owner | New Owner | Approval Required |
|---|---|---|---|
| Vendor Setup | AP Clerk | Procurement Team | CFO for new vendors |
| Invoice Entry | AP Clerk | AP Clerk | (No change) |
| Invoice Approval | AP Clerk | Department Manager | Based on PO matching |
| Payment Processing | AP Clerk | Treasury Team | CFO for >$10K |
| Bank Reconciliation | AP Clerk | Controller | Monthly senior review |
The fraud would have been impossible under the new structure. It would have required conspiracy across four different people and two levels of management.
"If one person can commit fraud and cover it up without help, your controls are decorative, not functional."
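The redesign above is, in identity terms, a segregation-of-duties rule set: no single account may hold two of the four cycle steps. The check below is an added example (not the author's code or any product's); the entitlement names, users and the conflict pairs are constructed from the story's redesign table. It flags users holding toxic combinations and, going a step further than the text, computes how many people would have to collude to run the whole cycle.

```python
"""Segregation-of-duties check for a procure-to-pay cycle (added example).

Entitlement names, users and conflict pairs are constructed for illustration.
"""
from itertools import combinations

# Steps of the cycle that must never sit with one person (from the redesign table).
P2P_STEPS = ("vendor_create", "invoice_approve", "payment_process", "bank_reconcile")

# Toxic pairs: any two of the steps above held by the same user is a finding.
SOD_CONFLICTS = {frozenset(pair) for pair in combinations(P2P_STEPS, 2)}

# Constructed entitlement assignments: the "before" (one clerk owns everything)
# and the "after" (each step with a different owner, invoice entry unchanged).
BEFORE = {
    "ap_clerk": {"vendor_create", "invoice_entry", "invoice_approve",
                 "payment_process", "bank_reconcile"},
}
AFTER = {
    "procurement": {"vendor_create"},
    "ap_clerk": {"invoice_entry"},
    "dept_manager": {"invoice_approve"},
    "treasury": {"payment_process"},
    "controller": {"bank_reconcile"},
}


def find_conflicts(entitlements):
    """Return {user: [(right_a, right_b), ...]} for every user holding a toxic pair."""
    findings = {}
    for user, rights in entitlements.items():
        hits = [(a, b) for a, b in combinations(sorted(rights), 2)
                if frozenset((a, b)) in SOD_CONFLICTS]
        if hits:
            findings[user] = hits
    return findings


def min_colluders(entitlements, steps=P2P_STEPS):
    """Smallest number of users whose combined rights cover every cycle step.

    Brute force over user subsets; fine for the few dozen accounts that usually
    touch procure-to-pay. Returns None if no group can complete the cycle.
    """
    users = list(entitlements)
    needed = set(steps)
    for size in range(1, len(users) + 1):
        for group in combinations(users, size):
            held = set().union(*(entitlements[u] for u in group))
            if needed <= held:
                return size
    return None


if __name__ == "__main__":
    for label, assignments in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: conflicts={find_conflicts(assignments)} "
              f"colluders_needed={min_colluders(assignments)}")
```

Run this against a real entitlement export (one set of rights per account) and the second number is the honest answer to "how many people would it take".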
Technology Controls: Automating What Humans Get Wrong
I'm a huge advocate for automating controls wherever possible. Why? Because humans are terrible at repetitive verification tasks.
Here's what I've seen work:
High-Impact Technology Controls
| Manual Control | Automated Replacement | Impact |
|---|---|---|
| Monthly access reviews | Automated certification with 30-day auto-revocation | 95% reduction in inappropriate access |
| Invoice matching (3-way) | Automated PO/receipt/invoice matching | 99.7% accuracy vs 87% manual |
| Password complexity checks | Automated enforcement at creation | Zero weak passwords vs ~30% manual |
| Backup verification | Automated daily test restores | 100% confidence vs "we think backups work" |
| Security patch management | Automated scanning and deployment | 14-day avg patching vs 60+ days manual |
Designing Control Activities: My Proven Process
Step 1: Map the Process End-to-End
I literally draw it out. Every step. Every decision point. Every handoff. You can't control what you don't understand.
Step 2: Identify Risk Points
Where could things go wrong? Where do we handle money, data, or make important decisions?
Step 3: Design Controls at Risk Points
Match control type to risk:
High fraud risk → Preventive controls (dual authorization)
High error risk → Detective controls (reconciliations)
Compliance risk → Both (prevent violations, detect if they occur)
Step 4: Make Controls Efficient
I've seen organizations create so many controls that people spend more time documenting compliance than doing actual work. That's when people start bypassing controls.
Good controls are:
Proportional - Effort matches risk
Clear - Anyone can understand them
Efficient - Minimum burden for maximum protection
Measurable - You can tell if they're working
Component 4: Information and Communication - Making Sure the Right People Know the Right Things
I once worked with a company that had perfect controls for expense report approval. Managers reviewed and approved everything. The problem? The policy said expenses over $500 needed VP approval, but the system didn't enforce it and nobody told the managers.
For eighteen months, managers approved expenses up to $5,000 thinking they had authority. When the auditors discovered it, 2,847 expense reports were non-compliant.
That's an information and communication failure.
The Three Principles of Information and Communication
| Principle | What It Means | Failure Mode I've Seen |
|---|---|---|
| 1. Uses Relevant Information | Right data, right quality, right time | Systems that track everything except what matters |
| 2. Communicates Internally | Information flows to people who need it | Control changes not communicated to those affected |
| 3. Communicates Externally | Stakeholders get necessary information | Vendors unaware of new security requirements |
Information Quality: The Framework Nobody Talks About
Information that drives controls must meet specific criteria:
| Quality Characteristic | What It Means | Test Question |
|---|---|---|
| Relevant | Addresses specific business need | Would a decision change without this information? |
| Reliable | Accurate and complete | Can we verify this information independently? |
| Timely | Available when needed | Is this information still useful when we get it? |
| Accessible | People who need it can get it | Can authorized users access this in under 2 minutes? |
| Secure | Protected from unauthorized access | Are access controls proportional to sensitivity? |
| Retained | Available for required period | Can we retrieve historical data when needed? |
Communication Channels That Actually Work
I've tested dozens of communication approaches. Here's what I've found effective:
For Control Policy Changes
| Method | Effectiveness | When to Use |
|---|---|---|
| Email blast | 23% read rate | Never (unless legally required) |
| Required training | 67% completion | Major changes affecting everyone |
| Just-in-time popups | 89% awareness | System-enforced changes |
| Manager cascades | 91% awareness | Role-specific changes |
| All-hands meetings | 34% retention | Setting context, not conveying details |
Real Example: Communication Done Right
In 2022, a financial services client needed to implement new fraud controls that changed how 450 employees processed transactions.
Old approach would have been:
Email policy update
Post to intranet
Hope people read it
New approach we designed:
Week 1: Managers briefed on why change matters (fraud cost context)
Week 2: Department meetings with Q&A (employees could ask questions)
Week 3: Short (8-minute) video showing new process
Week 4: Just-in-time help built into system
Week 5: Manager certification that team was trained
Ongoing: Monthly newsletter with "control spotlight"
Result: 96% compliance in first month versus typical 40-60% with email-only approach.
"The best control policy in the world is useless if the people who need to follow it don't know it exists."
External Communication: The Overlooked Element
COSO requires communication with external parties. I see organizations overlook this constantly.
Critical External Communications
| Stakeholder | What They Need | Consequences of Failure |
|---|---|---|
| Vendors | Security requirements, compliance expectations | Supply chain compromise, data breaches |
| Customers | Privacy policies, data handling practices | Loss of trust, regulatory violations |
| Regulators | Compliance status, incident notifications | Fines, enforcement actions |
| Auditors | Control documentation, test results | Qualified opinions, restatements |
| Board | Risk status, control effectiveness | Poor governance, fiduciary failures |
Component 5: Monitoring Activities - Trust, But Verify
"We have controls, so we're good."
I hear this constantly. And it's wrong every single time.
Having controls doesn't mean they work. Having them documented doesn't mean people follow them. Having them approved doesn't mean they're effective.
That's why monitoring exists.
The Two Principles of Monitoring Activities
| Principle | Description | What Failure Looks Like |
|---|---|---|
| 1. Conducts Ongoing and Separate Evaluations | Regular assessment of control effectiveness | Controls deteriorate and nobody notices |
| 2. Evaluates and Communicates Deficiencies | Finding problems and telling the right people | Issues discovered but not escalated or fixed |
Ongoing Monitoring: Real-Time Assurance
Ongoing monitoring happens as part of normal operations. It's built into business processes.
Examples of Effective Ongoing Monitoring
| Process | Monitoring Activity | Frequency | Who Monitors |
|---|---|---|---|
| Accounts Payable | Duplicate payment detection | Daily | AP System |
| Access Management | Excessive privilege alerts | Real-time | Security Team |
| Change Management | Unauthorized change detection | Continuous | Change Control System |
| Financial Reporting | Account balance variance alerts | Daily | Finance Team |
| Vendor Payments | Statistical analysis of payment patterns | Weekly | Internal Audit |
Separate Evaluations: The Deep Dive
Separate evaluations are periodic, focused assessments. Think internal audits, control testing, process reviews.
My Monitoring Calendar Framework
| Activity | Frequency | Scope | Performer |
|---|---|---|---|
| Management Self-Assessment | Quarterly | Key control effectiveness | Process Owners |
| Internal Audit | Annual | Rotation of high-risk areas | Internal Audit |
| External Audit | Annual | Financial reporting controls | External Auditors |
| Control Testing | Semi-annual | Sample of all controls | Compliance Team |
| Risk Assessment Review | Quarterly | Risk landscape changes | Risk Management |
The Monitoring Mistake That Cost $12 Million
I worked with a healthcare organization in 2019. They had documented controls for protecting patient data. They even tested the controls annually. Everything always passed.
Then they got breached. 340,000 patient records compromised.
Investigation revealed: The annual testing only verified that the controls were documented, not that they were effective. The firewall rules tested in January weren't the same rules in production in July. Nobody monitored for configuration drift.
We implemented continuous monitoring:
| What We Monitored | How | Detection Time |
|---|---|---|
| Firewall rule changes | Automated comparison to approved baseline | Real-time |
| Unauthorized access attempts | Log analysis with ML anomaly detection | 3-8 minutes |
| Data exfiltration | Network traffic analysis | Real-time |
| Privilege escalation | Active Directory monitoring | Real-time |
| Patch status | Automated compliance scanning | Daily |
Within 60 days, we caught:
12 unauthorized firewall changes
47 excessive privilege assignments
3 potential data exfiltration attempts
847 unpatched critical vulnerabilities
All before they became breaches.
"Monitoring without action is just expensive documentation. The value is in what you do when you find problems."
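The first row of that monitoring table, comparing the running firewall rules to the approved baseline, is the control that would have caught the January-versus-July drift. The script below is an added example (not the author's code or any firewall vendor's tooling); the rule format is a constructed one-line-per-rule text and the baseline and running snapshots are made up to show the drift cases: a rule widened to the whole internet, a rule added without approval, and a deny rule removed.

```python
"""Configuration-drift check: running firewall rules versus the approved baseline.

Added example. Rule lines use a constructed format:
'<id> <action> <proto> <src> <dst> <port>'. Real exports differ; the diff and
severity logic is the point.
"""

# Constructed approved baseline (what was tested in January).
BASELINE = """\
R1 allow tcp 10.0.0.0/8 10.1.5.20 443
R2 allow tcp 10.0.0.0/8 10.1.5.21 5432
R3 deny  any any        any       any
"""

# Constructed snapshot of the running ruleset months later: R2 widened to the
# whole internet, R4 added without a change record, R3 unchanged.
RUNNING = """\
R1 allow tcp 10.0.0.0/8 10.1.5.20 443
R2 allow tcp 0.0.0.0/0  10.1.5.21 5432
R4 allow tcp 0.0.0.0/0  10.1.5.22 3389
R3 deny  any any        any       any
"""

FIELDS = ("action", "proto", "src", "dst", "port")
ANY_SOURCE = ("0.0.0.0/0", "any")


def parse_rules(text):
    """Return an insertion-ordered dict of rule id -> field dict; skip blanks and comments."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule_id, *values = line.split()
        if len(values) != len(FIELDS):
            raise ValueError(f"malformed rule line: {line!r}")
        rules[rule_id] = dict(zip(FIELDS, values))
    return rules


def classify(kind, before, after):
    """Severity heuristic: lost deny rules and allow rules open to any source rank highest."""
    if kind == "removed" and before["action"] == "deny":
        return "critical"
    rule = after or before
    if rule["action"] == "allow" and rule["src"] in ANY_SOURCE:
        return "critical"
    if kind == "added" and rule["action"] == "allow":
        return "high"
    return "medium"


def detect_drift(baseline, running):
    """Return sorted (rule_id, kind, severity) tuples for every difference from the baseline.

    Rules are matched by id. Because firewalls evaluate rules in order, a change in
    the relative order of rules common to both sets is reported as 'reordered'.
    """
    findings = []
    for rule_id in baseline.keys() - running.keys():
        findings.append((rule_id, "removed", classify("removed", baseline[rule_id], None)))
    for rule_id in running.keys() - baseline.keys():
        findings.append((rule_id, "added", classify("added", None, running[rule_id])))
    for rule_id in baseline.keys() & running.keys():
        if baseline[rule_id] != running[rule_id]:
            findings.append((rule_id, "modified",
                             classify("modified", baseline[rule_id], running[rule_id])))
    common_base = [r for r in baseline if r in running]
    common_run = [r for r in running if r in baseline]
    if common_base != common_run:
        findings.append(("*", "reordered", "medium"))
    return sorted(findings)


def drift_report(baseline_text=BASELINE, running_text=RUNNING):
    """Parse both snapshots and return the drift findings (empty list means no drift)."""
    return detect_drift(parse_rules(baseline_text), parse_rules(running_text))


if __name__ == "__main__":
    for rule_id, kind, severity in drift_report():
        print(f"{severity.upper():8} {kind:9} {rule_id}")
```

Scheduled against each firewall's export, a non-empty result is the alert; an empty result on every run is the evidence the annual tester was missing.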
Communicating and Remediating Deficiencies
Finding control deficiencies is only half the battle. Here's my framework for what comes next:
Deficiency Classification
| Severity | Definition | Response Time | Escalation |
|---|---|---|---|
| Critical | Could result in >$1M loss or major compliance violation | 24 hours | CEO, Board |
| High | Could result in $100K-$1M loss or significant impact | 1 week | CFO, Audit Committee |
| Medium | Could result in $10K-$100K loss or moderate impact | 30 days | VP, Department Head |
| Low | Could result in <$10K loss or minor impact | 90 days | Manager |
Remediation Tracking
I've seen too many organizations find problems and then... nothing happens. I use this structure:
Document the deficiency - What's broken, how it broke, why it matters
Assign clear ownership - One person responsible (not "the team")
Define success criteria - How will we know it's fixed?
Set deadline - Based on severity classification
Track progress - Weekly updates for High/Critical, monthly for others
Verify effectiveness - Test that the fix actually works
Prevent recurrence - What systemic change prevents this pattern?
Bringing It All Together: The COSO Integration That Actually Works
Here's what I've learned after fifteen years: the five COSO components only work when they work together.
Think of them as interconnected gears:
Control Environment sets the tone that makes people want to follow controls
Risk Assessment identifies what controls you need
Control Activities are the actual controls addressing those risks
Information and Communication ensures controls are understood and followed
Monitoring verifies everything actually works
Remove any gear, and the machine breaks down.
Real-World Integration Example
Let me show you how this works with a real scenario from 2021:
The Situation: Healthcare provider implementing new electronic health records system
Component 1: Control Environment
CEO mandated "zero compromises on patient data security"
CIO given authority to delay launch if controls inadequate
Clear accountability: CISO owns security, CIO owns delivery, CMO owns clinical workflow
Component 2: Risk Assessment
Identified risks: Unauthorized access, data loss, workflow disruption, compliance violations
Assessed likelihood and impact
Prioritized: Patient data access (High), System availability (High), Training gaps (Medium)
Component 3: Control Activities
Implemented role-based access (preventive)
Daily access reviews (detective)
Automated backup verification (detective)
Change management process (preventive)
Component 4: Information & Communication
Weekly steering committee updates
Provider training program (4 weeks before launch)
Just-in-time help system in application
Patient communication about data protection
Component 5: Monitoring
Real-time access monitoring
Weekly control effectiveness review
Monthly internal audit testing
Quarterly risk reassessment
Result: Successful implementation with zero security incidents, 97% user adoption, and full HIPAA compliance maintained throughout.
The COSO Maturity Model I Use
| Maturity Level | Description | Characteristics |
|---|---|---|
| Level 1: Initial | Ad-hoc, reactive | Controls exist but aren't systematic; failures common |
| Level 2: Developing | Some structure | Controls documented but inconsistently applied |
| Level 3: Defined | Formalized | Controls standardized and mostly followed |
| Level 4: Managed | Measured | Controls monitored and improved based on metrics |
| Level 5: Optimized | Continuous improvement | Controls constantly refined; organizational culture of excellence |
Most organizations I work with start at Level 2. Getting to Level 3 takes 12-18 months. Reaching Level 4 takes another 18-24 months. Very few achieve Level 5—and those that do treat it as a journey, not a destination.
Common COSO Implementation Mistakes (And How to Avoid Them)
After watching dozens of COSO implementations, here are the mistakes I see repeatedly:
Mistake #1: Treating COSO as a Finance Project
The Problem: CFO owns it, finance team implements it, everyone else ignores it.
The Fix: COSO is an enterprise framework. IT, operations, HR, procurement—everyone needs to be involved. I insist on cross-functional steering committees.
Mistake #2: Over-Documenting, Under-Implementing
The Problem: 400-page control manual that nobody reads or follows.
The Fix: Start with critical processes and high risks. Document what people actually do, not what you wish they did. Build from there.
Mistake #3: Testing Controls Without Testing Effectiveness
The Problem: "Yes, we have a firewall" passes the test, but the firewall is misconfigured.
The Fix: Test that controls work, not just that they exist. Sample actual transactions, review actual logs, verify actual outcomes.
Mistake #4: Ignoring the Control Environment
The Problem: Perfect policies that leadership routinely violates or bypasses.
The Fix: Start at the top. If the CEO won't follow controls, nobody else will either. Get leadership commitment before building anything else.
Mistake #5: Set-It-and-Forget-It Mentality
The Problem: Implement controls, pass audit, stop paying attention.
The Fix: Build monitoring into regular operations. Make control reviews part of normal management meetings.
Your COSO Implementation Roadmap
Based on what's actually worked across 50+ implementations:
Months 1-2: Foundation
Secure executive sponsorship and commitment
Form cross-functional steering committee
Conduct current state assessment
Identify critical processes and high risks
Months 3-4: Design
Define control environment principles
Document risk assessment methodology
Design control activities for high-risk processes
Establish information and communication channels
Months 5-8: Implementation
Deploy controls in priority order
Train process owners and performers
Build monitoring into operational processes
Document everything clearly and concisely
Months 9-12: Testing and Refinement
Test control effectiveness
Address identified gaps
Refine based on operational feedback
Prepare for external assessment
Year 2+: Maturity and Optimization
Expand to additional processes
Increase automation
Enhance monitoring capabilities
Drive continuous improvement
The Bottom Line: Why COSO Components Matter
That CFO I mentioned at the beginning—the one whose company lost $3.2 million despite having 200 controls? We spent six months rebuilding their control framework using COSO principles.
Here's what changed:
Before:
Controls existed in isolation
Nobody understood why they mattered
Testing was checkbox exercise
Failures were hidden or blamed on individuals
After:
Controls worked as integrated system
Everyone understood risk management role
Monitoring detected issues early
Failures triggered root cause analysis and systemic fixes
Results in First 18 Months:
Zero fraud incidents (down from 7 in prior year)
Control testing findings down 89%
Audit costs reduced 34% due to demonstrated effectiveness
Three near-misses detected and prevented before becoming incidents
The company didn't just avoid another $3.2 million loss. They built organizational capability to prevent, detect, and respond to problems systematically.
"COSO isn't about compliance. It's about building an organization that knows what it's doing, does what it says, and learns from what happens."
Your Next Steps
If you're implementing or improving COSO-based controls:
Assess your control environment - Survey employees anonymously: Do they believe controls matter to leadership?
Map your highest risks - Identify the top 10 things that could prevent achieving your objectives
Review your critical controls - Are they actually preventing or detecting those risks?
Check your information flows - Do the right people get the right information at the right time?
Test your monitoring - When was the last time your monitoring detected a real problem before it caused damage?
Start with one high-risk process. Apply all five COSO components to that process. Learn what works. Then expand.
Because the goal isn't perfection. It's progress toward an organization that can trust its own operations—and prove that trust isn't misplaced.