COSO Internal Control: The 17 Principles Explained Simply
If you are studying for the AUD exam, you can't escape COSO. It is the gold standard for how companies design, implement, and evaluate internal controls. When I was studying for my score of 90 on AUD, I realized that the AICPA doesn't just want you to list these 17 principles; they want you to know how they work in a real business.
In this guide, we'll break down the 5 components and 17 principles of the COSO framework using the CRIME mnemonic to make sure you never forget them on exam day.
Why COSO Matters on the CPA Exam
COSO is a massive part of Area II: Assessing Risk and Developing a Planned Response on the AUD Blueprint.
On the exam, you'll see COSO in two ways:
- Multiple Choice: Questions will ask you to identify which component a specific activity belongs to (e.g., "Hiring competent employees belongs to which component?").
- Simulations (SIMs): You might be given a "memo" about a company's problems and asked to identify which COSO principle is being violated.
Want to master AUD concepts like COSO?
I've put together a free course that walks you through the exact framework I used to score 90 on AUD.
The Master Mnemonic: CRIME
To remember the five components of internal control, just remember that it's a CRIME not to have them:
| Letter | Component |
|---|---|
| C | Control Environment |
| R | Risk Assessment |
| I | Information and Communication |
| M | Monitoring |
| E | Existing Control Activities |
1. Control Environment (C)
The Control Environment is the foundation. It's the "company culture." If the culture is weak, the rest of the controls won't matter. There are 5 principles here:
- Commitment to integrity and ethical values: Prioritize acting ethically. This is usually done through a Code of Conduct.
- Exercises oversight responsibility: The Board of Directors must oversee the internal control process.
- Establishes structure, authority, and responsibility: Management must make job roles and reporting lines clear.
- Commitment to competence: Value hiring and retaining highly competent people to minimize errors.
- Enforces accountability: Employees must feel responsible for following the rules.
Kyle's Pro-Tip:
Watch out for the phrase "Tone at the Top." If senior management doesn't take controls seriously, nobody will. This is the most frequently tested part of the Control Environment.
2. Risk Assessment (R)
Management must identify where things could go wrong. There are 4 principles here:
- Specifies suitable objectives: You can't assess risk if you don't know what you're trying to achieve.
- Identifies and analyzes risks: Determine how to manage risks once they are found.
- Assesses fraud risk: Specifically look for opportunities, pressures, and rationalizations for fraud.
- Identifies and analyzes significant changes: Risk assessment isn't a one-time event. If the economy, technology, or leadership changes, you must reassess.
3. Control Activities (E - Existing)
These are the "Boots on the Ground" policies that make sure management's directives are carried out. There are 3 principles here:
- Selects and develops control activities: Developing the actual "checks and balances."
- Selects and develops general controls over technology: This is huge in 2026. For example, ensuring accountants don't have access to the source code of their software. If you want to see how technology controls show up in real exam scenarios, you can check out my Free CPA 101 course.
- Deploys through policies and procedures: Creating the manuals that tell employees exactly how to follow the controls.
4. Information and Communication (I)
Controls only work if people know about them. There are 3 principles here:
- Uses relevant information: High-quality data leads to high-quality controls.
- Communicates internally: Making sure everyone from the warehouse to the C-suite is on the same page.
- Communicates externally: Engaging with outside sources (like auditors or regulators) to understand diverse perspectives.
5. Monitoring (M)
This is the process of assessing the quality of the control system over time. There are 2 principles here:
- Conducts ongoing and/or separate evaluations: Ongoing monitoring is constant; separate evaluations (like an internal audit review every two months) happen periodically.
- Evaluates and communicates deficiencies: If a control is broken, you must have a plan to fix it and communicate it to the right people.
The 4 Steps of Monitoring:
- Create a baseline: What does "normal" look like?
- Identify changes: Spot deviations from the baseline.
- Implement changes: Fix the issues found.
- Develop an updated baseline: Set the new standard for "normal."
Summary: COSO vs. ERM
A common trap on the exam is confusing Internal Control with Enterprise Risk Management (ERM).
| Framework | Focus |
|---|---|
| COSO Internal Control (this article) | Making sure the numbers are right and the assets are safe. |
| COSO ERM | Strategy: helping the company achieve its goals while taking the "right" amount of risk. |
Quick Reference: All 17 Principles
| Component | # of Principles |
|---|---|
| Control Environment | 5 |
| Risk Assessment | 4 |
| Control Activities (Existing) | 3 |
| Information and Communication | 3 |
| Monitoring | 2 |
| TOTAL | 17 |
About the Author
Kyle Ashcraft is a CPA who scored a 90+ on all four CPA exams. Kyle founded Maxwell CPA Review, an exam-prep company that offers video courses and private tutoring.
Kyle can be reached at MaxwellCPAreview@gmail.com or by visiting MaxwellCPAreview.com.
Ready to master COSO and ace the AUD exam?
Understanding COSO is just one piece of the AUD puzzle. I built a Free CPA 101 Course that covers all the high-yield AUD topics with the same mnemonic techniques and practical examples.
