I was sitting in a boardroom in Chicago in 2017, reviewing the aftermath of a compliance failure that cost a Fortune 500 company $47 million in regulatory fines. The CISO looked at me, bewildered, and said something I'll never forget: "We had all the data. We had reports. We had dashboards. How did we miss this?"
The answer was painfully simple: they had information everywhere, but communication nowhere.
After fifteen years working with organizations implementing COSO frameworks, I've learned a fundamental truth: the fourth component of COSO's Internal Control Framework—Information and Communication—is the one most organizations underestimate and the one that fails them most spectacularly when things go wrong.
Let me show you why this matters and, more importantly, how to get it right.
What COSO Information and Communication Actually Means (And Why Most People Get It Wrong)
When executives hear "Information and Communication" in the context of internal controls, they typically think: "Great, we have email and a data warehouse. Check!"
Not even close.
COSO's Information and Communication component addresses something far more sophisticated. Its three principles (13 through 15 in the 2013 framework) ask how relevant, quality information is obtained or generated and actually used; how it is communicated internally so that people can carry out their internal control responsibilities; and how the organization communicates with external parties about matters that affect internal control.
Think of it as the nervous system of your organization. Your brain (senior management) needs to receive signals from your fingertips (front-line operations). Your fingertips need to receive commands from your brain. When this system breaks down, you can't feel when you're touching a hot stove, and you can't pull your hand away in time.
"Information without communication is just data sitting in a database. Communication without information is just noise. COSO demands both, working in harmony."
The Three Critical Dimensions of COSO Information and Communication
Based on my experience implementing COSO frameworks across healthcare, financial services, manufacturing, and technology sectors, I've identified three dimensions that determine success or failure:
1. Information Quality and Relevance
I once worked with a manufacturing company that generated 847 reports monthly. Yes, 847. Their compliance team was drowning in data, spending 60+ hours per week just reviewing reports.
When we analyzed these reports, we discovered:
312 reports had no defined owner or consumer
189 reports contained data that was 30+ days old when reviewed
94 reports duplicated information from other reports
Only 47 reports were actually used for decision-making
We eliminated 800 reports.
The result? The compliance team reduced review time by 78%, caught issues 3x faster, and their auditors praised the clarity of their reporting structure.
Here's the framework I use to evaluate information quality:
Quality Attribute | Key Questions | Red Flags |
|---|---|---|
Accuracy | Is the data correct and error-free? | Manual data entry, no validation rules, inconsistent definitions |
Completeness | Does it include all necessary information? | Missing fields, partial records, unexplained gaps |
Timeliness | Is it available when needed? | Delayed reports, batch processing only, outdated snapshots |
Relevance | Does it support specific control objectives? | Generic reports, unused metrics, "nice to have" data |
Accessibility | Can the right people access it easily? | Complex retrieval, permission issues, manual requests |
Validity | Does it measure what it claims to measure? | Proxy metrics, unverified sources, assumption-based calculations |
2. Communication Channels and Direction
Here's where organizations really struggle. COSO explicitly requires communication to flow in three directions: up, down, and across.
I learned this lesson the hard way in 2019 while consulting for a healthcare provider. They had perfect upward communication—every metric, every incident, every concern flowed to senior management. They had decent downward communication—policies, procedures, and directives cascaded through the organization.
But lateral communication? Non-existent.
The security team knew about a critical vulnerability affecting the patient portal. The compliance team knew about a new HIPAA interpretation that would require changes to that same portal. The IT development team was planning a major update to... you guessed it, the patient portal.
All three teams were working independently. The result was a 6-month project delay, $340,000 in rework, and a near-miss on compliance deadlines.
Communication Direction Matrix:
Direction | Purpose | COSO Requirement | Common Failures |
|---|---|---|---|
Upward | Escalate issues, report performance, highlight risks | Enable management to fulfill oversight responsibilities | Filtered information, delayed escalation, fear-based reporting |
Downward | Communicate expectations, policies, feedback | Ensure personnel understand their control responsibilities | One-way broadcasts, unclear expectations, policy dumping |
Lateral | Share information across functions, coordinate activities | Enable integrated risk management | Silos, territorial behavior, no cross-functional forums |
External | Communicate with customers, regulators, vendors | Meet external obligations and stakeholder needs | Inconsistent messaging, lack of coordination, reactive only |
3. Technology and Infrastructure
Let me share a story that perfectly illustrates the technology trap.
In 2020, I worked with a financial services firm that had invested $2.8 million in a state-of-the-art GRC (Governance, Risk, and Compliance) platform. It had every feature imaginable: automated workflows, real-time dashboards, AI-powered analytics, integration capabilities.
Six months after implementation, adoption was at 23%. Most people were still using spreadsheets and email.
Why? Because they'd focused entirely on the technology and ignored the human element of communication.
"The best communication system is the one people actually use, not the one with the most features."
After working with them to redesign their approach—simplifying workflows, training users, and integrating the tool into existing processes rather than forcing process changes—adoption jumped to 91% within three months.
The Five Information Flows That COSO Demands You Master
Through my years of COSO implementations, I've identified five critical information flows that organizations must establish. Get these right, and everything else becomes easier.
Flow 1: Control Performance Information
What it is: Data about how well your internal controls are operating.
I worked with a retail company in 2021 that discovered they were measuring control existence but not control effectiveness. They had documented controls for segregation of duties in their purchasing process. Those controls were "operating."
But when we analyzed the data, we found:
34% of purchase orders bypassed approval workflows via manual overrides
89% of segregation of duties violations were auto-approved due to poor system configuration
The average time to detect a violation was 67 days
They were measuring "Did the control run?" instead of "Did the control work?"
Control Performance Metrics Framework:
Metric Type | Example Measures | Frequency | Who Needs It |
|---|---|---|---|
Control Execution | Tests performed vs. planned, automated controls running | Daily/Weekly | Control owners, Operations managers |
Control Effectiveness | Issues detected, violations identified, defects found | Weekly/Monthly | Risk managers, Audit committee |
Control Efficiency | Time to execute, resource consumption, automation rate | Monthly/Quarterly | Process owners, CFO |
Control Coverage | Processes controlled, risk areas addressed, gaps identified | Quarterly | CISO, Audit committee, Board |
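The distinction between "did the control run?" and "did the control work?" is easy to make concrete over the approval records themselves. The following Python is an added example, not code from this article or from the retailer's systems; the record layout, field names and sample purchase orders are constructed for illustration. It counts the approval step as executed whenever an approval record exists, then separately flags manual overrides and self-approvals (the same identity requesting and approving), notes which self-approvals the system granted with no human involved, and measures how long each failure sat before a reviewer caught it.

```python
"""Control execution vs. control effectiveness over purchase-order records.

Added example for this article, not code from the original. The record
layout, field names and the sample orders are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    requester: str
    approver: Optional[str]       # None when the approval step left no record
    approval_mode: str            # "workflow" (human), "auto" (system-granted) or "override"
    created: datetime
    violation_flagged: Optional[datetime]  # when a reviewer caught the problem, if ever


def control_executed(po: PurchaseOrder) -> bool:
    """The naive question: did the approval step produce a record at all?"""
    return po.approver is not None


def bypassed_workflow(po: PurchaseOrder) -> bool:
    """A manual override pushed the order through without the approval workflow."""
    return po.approval_mode == "override"


def sod_violation(po: PurchaseOrder) -> bool:
    """Segregation of duties: the same identity both requested and approved."""
    return po.approver is not None and po.approver == po.requester


def control_failed(po: PurchaseOrder) -> bool:
    """The real question: was the order either unapproved or self-approved?"""
    return bypassed_workflow(po) or sod_violation(po)


def effectiveness_report(orders: list[PurchaseOrder]) -> dict:
    total = len(orders)
    failed = [po for po in orders if control_failed(po)]
    sod = [po for po in orders if sod_violation(po)]
    detected = [po for po in failed if po.violation_flagged is not None]
    return {
        "execution_rate": sum(control_executed(po) for po in orders) / total,
        "bypass_rate": sum(bypassed_workflow(po) for po in orders) / total,
        "failure_rate": len(failed) / total,
        # Of the self-approvals, how many did the system grant with no human involved?
        "sod_auto_approved_rate": (
            sum(po.approval_mode == "auto" for po in sod) / len(sod) if sod else 0.0
        ),
        "mean_days_to_detect": (
            mean((po.violation_flagged - po.created).days for po in detected) if detected else None
        ),
        "undetected_failures": len(failed) - len(detected),
    }


def sample_orders() -> list[PurchaseOrder]:
    """Constructed sample data, not real purchasing records."""
    t0 = datetime(2024, 1, 1)
    day = timedelta(days=1)
    rows = [
        # po_id, requester, approver, mode, created_offset_days, flagged_offset_days
        ("PO-1001", "alice", "bob",   "workflow", 0, None),
        ("PO-1002", "carol", "carol", "auto",     1, 71),    # system self-approval, caught late
        ("PO-1003", "dave",  "dave",  "auto",     2, None),  # system self-approval, never caught
        ("PO-1004", "erin",  None,    "override", 3, 7),     # workflow skipped, caught in a week
        ("PO-1005", "frank", "grace", "workflow", 4, None),
        ("PO-1006", "heidi", "heidi", "workflow", 5, 35),    # a human approved her own order
        ("PO-1007", "ivan",  None,    "override", 6, None),  # workflow skipped, never caught
        ("PO-1008", "judy",  "ken",   "workflow", 7, None),
        ("PO-1009", "leo",   "leo",   "auto",     8, 44),
        ("PO-1010", "mia",   "mia",   "auto",     9, None),
    ]
    return [
        PurchaseOrder(pid, req, appr, mode, t0 + c * day,
                      None if f is None else t0 + f * day)
        for pid, req, appr, mode, c, f in rows
    ]


if __name__ == "__main__":
    for name, value in effectiveness_report(sample_orders()).items():
        print(f"{name:>24}: {value}")
```

Run as a script it prints both views side by side: in the sample data the control "executed" on 80% of orders while failing on 70%, four of the five self-approvals were granted automatically, and the mean detection lag of 35 days is a number a control-execution dashboard never shows.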
Flow 2: Risk Event and Exception Data
This is where the rubber meets the road. When something goes wrong—a control fails, a risk materializes, an exception occurs—information needs to flow immediately.
I once investigated a breach at a healthcare organization where the security team detected suspicious activity on Day 1. The incident response team was notified on Day 3. Senior management learned about it on Day 11. The breach notification went out on Day 47. HIPAA's Breach Notification Rule requires notice without unreasonable delay and no later than 60 calendar days after discovery, and discovery means the day the organization knew or reasonably should have known, which here was Day 1; ten days before anyone with authority to act had even heard about it is not a delay that can be defended as reasonable.
The cost? $1.2 million in fines, not counting the breach response costs.
The problem wasn't detection. It was communication.
Exception Escalation Framework:
Severity Level | Response Time | Notification Path | Required Actions |
|---|---|---|---|
Critical | Immediate (< 1 hour) | Direct to CISO, CEO, Legal | Emergency response team activation, external counsel, board notification preparation |
High | Same business day | Department head, Risk manager, Compliance officer | Incident investigation, impact assessment, remediation plan |
Medium | Within 24 hours | Process owner, Control owner | Root cause analysis, corrective action, monitoring enhancement |
Low | Within 72 hours | Team lead, Supervisor | Documentation, trend analysis, preventive measures |
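An escalation table is only a control if someone checks it against the timestamps. The following Python is an added example, not this article's code or any client's; the log format, field names and sample lines are constructed, while the time limits and recipient lists are taken from the table above, with "same business day" simplified to midnight on the day of detection. It measures detection-to-first-notification time per incident, checks that every recipient on the notification path was actually told before the deadline rather than letting one late notification count as escalation, and computes the critical-escalation KPI from the metrics section later in the article; that KPI uses a 4-hour target while the table says one hour, so the target is a parameter.

```python
"""Escalation-path timing over incident log lines.

Added example for this article, not code from the original. The log format,
field names and sample lines are constructed; the time limits and recipient
lists follow the escalation table, with "same business day" simplified to
midnight on the day of detection.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# severity -> (time allowed for the whole notification path, who must be told)
POLICY = {
    "critical": (timedelta(hours=1), {"ciso", "ceo", "legal"}),
    "high": (None, {"dept_head", "risk_manager", "compliance_officer"}),  # None = same business day
    "medium": (timedelta(hours=24), {"process_owner", "control_owner"}),
    "low": (timedelta(hours=72), {"team_lead", "supervisor"}),
}

# Constructed log lines: "<iso timestamp> <incident> key=value ...".
# INC-0007 mirrors the breach story above: IR on Day 3, CISO on Day 11, nobody else.
SAMPLE_LOG = """
2024-02-01T08:00:00 INC-0007 sev=critical event=detected by=soc
2024-02-03T10:00:00 INC-0007 sev=critical event=notified to=ir_team
2024-02-11T09:00:00 INC-0007 sev=critical event=notified to=ciso
2024-03-04T09:12:00 INC-0042 sev=critical event=detected by=soc
2024-03-04T09:40:00 INC-0042 sev=critical event=notified to=ciso
2024-03-04T09:55:00 INC-0042 sev=critical event=notified to=ceo
2024-03-04T10:05:00 INC-0042 sev=critical event=notified to=legal
2024-03-05T14:00:00 INC-0043 sev=high event=detected by=internal_audit
2024-03-05T15:00:00 INC-0043 sev=high event=notified to=dept_head
2024-03-05T16:30:00 INC-0043 sev=high event=notified to=risk_manager
2024-03-06T09:00:00 INC-0043 sev=high event=notified to=compliance_officer
2024-03-06T10:00:00 INC-0044 sev=low event=detected by=control_owner
2024-03-07T10:00:00 INC-0044 sev=low event=notified to=team_lead
2024-03-08T09:00:00 INC-0044 sev=low event=notified to=supervisor
"""


@dataclass
class Event:
    ts: datetime
    incident: str
    fields: dict


@dataclass
class Result:
    severity: str
    escalation_hours: Optional[float]  # detection to first notification of a required recipient
    sla_met: bool                      # every required recipient told before the deadline
    missing: set = field(default_factory=set)


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, incident, *rest = line.split()
        events.append(Event(datetime.fromisoformat(ts), incident,
                            dict(kv.split("=", 1) for kv in rest)))
    return events


def deadline_for(severity: str, detected: datetime) -> datetime:
    allowed, _ = POLICY[severity]
    if allowed is None:  # "same business day", simplified to end of the detection day
        return detected.replace(hour=23, minute=59, second=59, microsecond=0)
    return detected + allowed


def evaluate(events: list[Event]) -> dict[str, Result]:
    by_incident: dict[str, list[Event]] = {}
    for ev in events:
        by_incident.setdefault(ev.incident, []).append(ev)
    results = {}
    for incident, evs in by_incident.items():
        evs.sort(key=lambda e: e.ts)
        detected = next(e for e in evs if e.fields.get("event") == "detected")
        severity = detected.fields["sev"]
        required = POLICY[severity][1]
        first_told: dict[str, datetime] = {}
        for e in evs:
            if e.fields.get("event") == "notified" and e.fields.get("to") in required:
                first_told.setdefault(e.fields["to"], e.ts)  # keep the earliest notification
        missing = required - set(first_told)
        hours = (min(first_told.values()) - detected.ts) / timedelta(hours=1) if first_told else None
        met = not missing and max(first_told.values()) <= deadline_for(severity, detected.ts)
        results[incident] = Result(severity, hours, met, missing)
    return results


def critical_within_target(results: dict[str, Result], target_hours: float = 4.0) -> float:
    """KPI from the metrics section: share of critical incidents escalated within the target."""
    crit = [r for r in results.values() if r.severity == "critical"]
    if not crit:
        return 0.0
    hits = sum(r.escalation_hours is not None and r.escalation_hours <= target_hours for r in crit)
    return hits / len(crit)


if __name__ == "__main__":
    res = evaluate(parse_log(SAMPLE_LOG))
    for inc, r in sorted(res.items()):
        print(f"{inc} {r.severity:<8} first={r.escalation_hours} met={r.sla_met} missing={sorted(r.missing)}")
    print("critical escalated within 4h:", critical_within_target(res))
```

In the sample, INC-0042 completes its whole path inside the hour; INC-0007 takes 241 hours to reach the CISO and never reaches the CEO or Legal, which the path check reports as missing recipients; INC-0043 tells everyone but finishes the morning after the deadline; and the notification to the IR team on INC-0007, while necessary, does not count toward escalation because the table does not name it.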
Flow 3: Compliance and Regulatory Intelligence
Regulations change. Standards evolve. Court cases set precedents. Your organization needs to know.
I worked with a financial services company that missed a critical regulatory update in 2018. The regulation changed on July 1. Their compliance team found out on November 3. They were non-compliant for four months simply because information didn't flow.
The fix was surprisingly simple: establish a regulatory monitoring process with clear communication protocols.
Regulatory Intelligence Communication Model:
Information Source | Monitoring Frequency | Analysis Owner | Communication Timeline |
|---|---|---|---|
Federal Regulations | Daily | Compliance team | New regulations: 24 hours; Proposed rules: 5 days |
Industry Standards | Weekly | Standards officer | Updates: 7 days; Major revisions: 3 days |
Court Decisions | Weekly | Legal team | Relevant decisions: 3 days; Significant impacts: 24 hours |
Audit Findings | Per audit | Audit liaison | Critical findings: Immediate; Recommendations: 5 days |
Vendor Alerts | Real-time | Vendor manager | Critical: 2 hours; High: 24 hours; Medium: 72 hours |
Flow 4: Control Design and Process Change Communication
Here's a scenario I see constantly: someone changes a business process without informing the compliance or risk team. Suddenly, controls that were working perfectly are bypassed or rendered ineffective.
In 2022, I worked with a manufacturing company where the sales team implemented a new quoting system without telling IT security. The system allowed customers to upload files directly to their network—completely bypassing security controls that screened for malware.
They discovered the gap during a SOC 2 audit. The gap had existed for seven months. A new internet-facing upload endpoint that security never heard about is exactly what an asset inventory and an external attack-surface scan should surface within days; learning about it from an auditor is a failure of lateral communication and of monitoring at the same time.
Change Communication Requirements:
Change Type | Pre-Implementation Requirements | Post-Implementation Requirements |
|---|---|---|
Process Changes | Impact assessment, control review, risk analysis | Updated documentation, control testing, training completion |
System Changes | Security review, control mapping, integration testing | Configuration validation, access review, monitoring setup |
Policy Changes | Stakeholder review, legal assessment, compliance verification | Communication plan execution, acknowledgment tracking, effectiveness review |
Organizational Changes | Role mapping, control ownership review, segregation of duties analysis | Updated responsibilities, new control assignments, competency verification |
Flow 5: Training and Awareness Information
People can't fulfill their control responsibilities if they don't understand what those responsibilities are.
I audited a company in 2020 where 67% of employees couldn't describe a single internal control they were responsible for. Not because they were negligent—they'd simply never been told.
The COSO framework explicitly requires that personnel understand how their actions support the system of internal control. That requires ongoing communication, not just annual training.
Communication-Based Training Model:
Training Component | Delivery Method | Frequency | Effectiveness Measure |
|---|---|---|---|
Role-Specific Controls | Interactive workshops, job aids | Quarterly + upon role change | Competency assessment, control execution accuracy |
Policy Updates | Email notification + acknowledgment | As policies change | Acknowledgment rate, comprehension quiz results |
Incident Lessons Learned | Team meetings, case studies | After each significant incident | Behavioral change, similar incident reduction |
Risk Awareness | Monthly newsletters, lunch & learns | Monthly | Risk identification rate, proactive reporting |
New Hire Orientation | Structured onboarding program | At hire | First 90-day control performance, error rates |
Building Your Information and Communication Architecture
After implementing COSO frameworks in over 40 organizations, I've developed a systematic approach to building effective information and communication systems.
Step 1: Map Your Information Needs (Weeks 1-3)
Start by identifying what information each stakeholder actually needs to fulfill their control responsibilities.
I use this framework:
Stakeholder Role | Control Responsibility | Information Needed | Current State | Gap |
|---|---|---|---|---|
Board of Directors | Oversight of risk management | Aggregate risk metrics, control effectiveness, major incidents | Quarterly summary reports | Need real-time exception alerts |
Audit Committee | Monitor internal controls and compliance | Control test results, audit findings, remediation status | Monthly meetings | Need automated dashboards |
Executive Management | Risk management and resource allocation | Risk trends, control costs, business impact | Email reports | Need integrated platform |
Process Owners | Execute and monitor controls | Control performance, exceptions, resource usage | Manual reports | Need automated workflows |
Control Operators | Perform control activities | Work instructions, exception handling, escalation procedures | Policy documents | Need job aids and real-time guidance |
Step 2: Design Communication Channels (Weeks 4-6)
One size does not fit all. Different information requires different channels. For critical security events in particular, make sure at least one channel is out of band: if the incident is a compromised mail system or identity provider, an alert that travels through that same system can be read, delayed or suppressed by the intruder, which is why the phone call and SMS in the first row below matter more than they look.
Communication Channel Selection Matrix:
Information Type | Urgency | Complexity | Best Channel | Backup Channel |
|---|---|---|---|---|
Critical Security Events | Immediate | High | Automated alert + phone call | SMS + email |
Compliance Deadlines | Scheduled | Medium | Calendar integration + email reminder | Dashboard notification |
Policy Updates | Moderate | High | Email with acknowledgment + training session | Intranet posting |
Performance Metrics | Regular | Low | Automated dashboard + weekly summary | Email report |
Process Changes | Moderate | Medium | Team meeting + documentation update | Email + change log |
Step 3: Implement Technology Enablers (Weeks 7-12)
Technology should enable communication, not complicate it.
I worked with a healthcare provider that tried to implement seven different communication tools simultaneously. The result? Confusion, low adoption, and people reverting to email and spreadsheets.
We simplified to three core platforms:
GRC Platform for structured control and compliance data
Collaboration Tool (Microsoft Teams) for day-to-day communication
Automated Reporting (Power BI) for metrics and dashboards
Adoption went from 31% to 94% within six weeks.
Step 4: Establish Governance and Ownership (Weeks 13-16)
Every piece of information needs an owner. Every communication channel needs governance.
Information Governance Structure:
Element | Owner | Responsibilities | Review Frequency |
|---|---|---|---|
Data Definitions | Data governance council | Define terms, ensure consistency, resolve conflicts | Quarterly |
Report Content | Report owner | Accuracy, relevance, timeliness | Monthly |
Communication Protocols | Compliance officer | Channel usage, escalation paths, response times | Semi-annually |
Technology Platforms | IT operations | Availability, security, integration | Continuous |
Training Materials | Training coordinator | Accuracy, effectiveness, currency | Quarterly |
Step 5: Test and Validate (Weeks 17-20)
Here's something most organizations skip: actually testing whether their information and communication systems work.
I run tabletop exercises that simulate scenarios:
"A critical control fails. Walk me through the communication process."
"A new regulation is published. Show me how it gets from publication to implementation."
"An employee identifies a risk. Demonstrate the escalation path."
In one exercise with a financial services firm, we discovered that the documented escalation process took 14 steps and involved 8 people. In a real incident, nobody would follow it.
We redesigned it to 4 steps and 3 people. When a real incident occurred two months later, the response was textbook perfect.
Real-World Implementation: A Case Study
Let me walk you through a recent implementation that demonstrates these principles in action.
The Challenge
In 2023, I worked with a mid-sized healthcare technology company (annual revenue: $180M, employees: 650) that was preparing for a SOC 2 Type II examination (an attestation report, not a certification, although everyone calls it one) and needed to show how its controls mapped to the COSO principles on which the Trust Services Criteria are built.
Their information and communication landscape was a disaster:
23 different reporting tools
No standardized definitions (they had 7 different definitions of "active user")
Communication primarily through email and ad-hoc meetings
No formal escalation procedures
Average time from issue identification to management awareness: 18 days
The Approach
Month 1-2: Assessment and Design
Interviewed 45 stakeholders to map information needs
Documented current communication flows
Identified 127 critical information gaps
Designed target-state architecture
Month 3-4: Foundation Building
Established data governance council
Created unified data dictionary
Implemented GRC platform
Defined communication protocols
Month 5-6: Implementation
Migrated critical processes to new system
Trained 650 employees
Established automated reporting
Launched communication channels
Month 7-8: Testing and Refinement
Ran tabletop exercises
Measured adoption and effectiveness
Addressed pain points
Fine-tuned configurations
The Results
After 8 months of implementation:
Metric | Before | After | Improvement |
|---|---|---|---|
Time to escalate critical issues | 18 days | 2.3 hours | 99% reduction |
Report creation time | 120 hours/month | 12 hours/month | 90% reduction |
Control visibility | 34% of controls tracked | 98% of controls tracked | 188% increase |
Employee awareness | 41% could describe their control responsibilities | 89% could describe their control responsibilities | 117% increase |
Audit findings | 23 communication-related findings | 2 minor observations | 91% reduction |
System adoption | 28% (previous tools) | 93% (new platform) | 232% increase |
Financial Impact:
Compliance staff reduction: 2.5 FTEs (saved $285,000 annually)
Avoided audit findings: estimated $500,000+ in remediation costs
Faster issue resolution: prevented estimated $1.2M in potential incidents
SOC 2 Type II report obtained on the first attempt
The CFO told me: "I thought COSO was bureaucracy. Turns out it's efficiency."
Common Pitfalls and How to Avoid Them
After fifteen years of implementations, I've seen the same mistakes repeatedly. Here's how to avoid them:
Pitfall 1: Over-Engineering the Solution
The mistake: Implementing complex systems that require PhD-level expertise to understand.
The fix: Start simple. Use tools people already know. Build complexity only where it adds value.
"The best information and communication system is one that works on Monday morning, not one that looks good in a PowerPoint deck."
Pitfall 2: Focusing on Tools Instead of Processes
The mistake: Buying expensive software and expecting it to solve communication problems.
The fix: Design the process first. Choose technology that supports the process, not the other way around.
Pitfall 3: One-Way Communication
The mistake: Only pushing information down from management without creating channels for feedback and escalation.
The fix: Establish feedback loops. Measure whether information is being received and understood, not just sent.
Pitfall 4: Information Overload
The mistake: More is better! Send everything to everyone!
The fix: Apply the relevance filter ruthlessly. Each piece of information should have a specific purpose and audience.
Pitfall 5: No Ownership or Accountability
The mistake: Information and communication are "everyone's responsibility" (which means nobody's responsibility).
The fix: Assign clear ownership. Measure performance. Hold people accountable.
Measuring Success: KPIs That Actually Matter
You can't improve what you don't measure. Here are the KPIs I track for COSO Information and Communication:
Effectiveness Metrics:
KPI | Target | Measurement Method | Review Frequency |
|---|---|---|---|
Critical issue escalation time | < 4 hours | Incident logs, timestamp analysis | Weekly |
Report accuracy rate | > 98% | Validation checks, error reports | Monthly |
Employee control awareness | > 85% | Survey, quiz results | Quarterly |
Information accessibility | < 5 minutes to retrieve | User access logs, help desk tickets | Monthly |
Communication channel effectiveness | > 90% acknowledgment rate | Read receipts, response tracking | Monthly |
Efficiency Metrics:
KPI | Target | Measurement Method | Review Frequency |
|---|---|---|---|
Reporting automation rate | > 75% | Manual vs. automated report count | Quarterly |
Time spent on reporting | < 10% of compliance team time | Time tracking | Monthly |
Duplicate information sources | 0 | Information architecture review | Semi-annually |
System adoption rate | > 90% | Login frequency, feature usage | Monthly |
Training completion rate | 100% | Learning management system | Quarterly |
The Technology Stack: What Actually Works
People always ask me: "What tools should we use?"
Here's my honest answer: it depends. But here's what I typically recommend based on organization size and maturity:
Small Organizations (< 100 employees):
GRC Platform: ServiceNow (if budget allows) or Vanta (SaaS-friendly)
Communication: Microsoft Teams or Slack
Reporting: Power BI or Tableau
Documentation: Confluence or SharePoint
Mid-Size Organizations (100-1000 employees):
GRC Platform: ServiceNow, RSA Archer, or LogicGate
Communication: Microsoft Teams with structured channels
Reporting: Power BI with automated data pipelines
Workflow Automation: Power Automate or Zapier
Document Management: SharePoint with version control
Large Organizations (1000+ employees):
Integrated GRC Suite: ServiceNow GRC, SAP GRC, or IBM OpenPages
Communication: Enterprise collaboration platform with API integrations
Advanced Analytics: Tableau, Qlik, or custom BI solution
Workflow Automation: Integrated with ERP and core systems
Knowledge Management: Enterprise content management system
Key Integration Requirements:
System Type | Must Integrate With | Integration Method | Priority |
|---|---|---|---|
GRC Platform | HR system, Active Directory, IT service management | API, SSO, automated sync | Critical |
Reporting Tools | Data warehouse, operational systems, GRC platform | Direct connection, scheduled ETL | Critical |
Communication Platform | Email, calendar, GRC platform | Native integration, webhooks | High |
Training System | HR system, GRC platform, communication tools | API, manual sync | Medium |
Building a Sustainable Information Culture
Here's the part that most consultants won't tell you: technology and processes only get you 60% of the way there. The remaining 40% is culture.
I worked with a company that had perfect systems, comprehensive processes, and expensive tools. Adoption was abysmal because the culture punished people for reporting bad news.
We spent six months working on culture change:
Leadership started each meeting by asking "What's not working?"
We celebrated early problem identification
We removed penalties for reporting issues
We measured and rewarded transparency
Within a year, proactive issue reporting increased 340%. Control failures decreased 67%. Why? Because people felt safe communicating.
"In a blame culture, people hide problems until they become catastrophes. In a learning culture, people report issues while they're still manageable."
Your Action Plan: Getting Started This Week
If you're reading this and thinking "We need to fix our information and communication," here's your starting point:
This Week:
Map your three most critical information flows
Identify where communication breaks down most often
Interview five people at different levels about what information they need but don't get
This Month:
Document your current state (be brutal in your honesty)
Identify your top five communication gaps
Design simple solutions for those five gaps
Assign ownership for each solution
This Quarter:
Implement fixes for critical gaps
Establish basic metrics for effectiveness
Train your team on new processes
Test your communication channels with real scenarios
This Year:
Build comprehensive information architecture
Implement technology enablers
Establish governance structures
Create sustainable processes that don't depend on heroic individuals
The Truth About COSO Information and Communication
Let me close with a hard truth: most organizations fail at Information and Communication not because they lack sophistication, but because they lack simplicity.
They build complex systems that nobody uses. They generate reports that nobody reads. They establish communication channels that nobody trusts.
The organizations that succeed do three things well:
Keep it simple - Make information easy to find, understand, and act upon
Make it relevant - Every piece of information serves a specific purpose
Build trust - Create a culture where communication flows freely in all directions
I've seen small organizations with basic tools outperform large organizations with expensive platforms simply because they got these fundamentals right.
The COSO framework for Information and Communication isn't about checking boxes or impressing auditors. It's about building a nervous system for your organization that enables you to sense threats, respond to changes, and coordinate action effectively.
When done right, it's not overhead—it's your competitive advantage.
Because in today's complex regulatory environment, the organizations that master information flow are the ones that survive, thrive, and grow.