Green Book to COSO ERM Mapping

| COSO/Green Book IC Components | Green Book Principles¹ | Optional Use Toolset Form # |
|---|---|---|
| 1. Control Environment | 1. The oversight body & management should demonstrate a commitment to integrity and ethical values. | 1 |
| | 2. The oversight body should oversee the entity's internal control system. | |
| | 3. Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity's objectives. | |
| | 4. Management should demonstrate a commitment to attract, develop, and retain competent individuals. | |
| | 5. Management should evaluate performance and hold individuals accountable for their internal control responsibilities. | |
| 2. Risk Assessment | 1. Management should define objectives clearly to enable the identification of risks and define risk tolerances. | 2, 3 |
| | 2. Management should identify, analyze, and respond to risks related to achieving the defined objectives. | |
| | 3. Management should consider the potential for fraud when identifying, analyzing, and responding to risks. | |
| | 4. Management should identify, analyze, and respond to significant changes that could impact the internal control system. | |
| 3. Control Activities | 1. Management should design control activities to achieve objectives and respond to risks. | 3 |
| | 2. Management should design the entity's information system and related control activities to achieve objectives and respond to risks. | |
| | 3. Management should implement control activities through policies. | |
| 4. Information & Communication | 1. Management should use quality information to achieve the entity's objectives. | 4 |
| | 2. Management should internally communicate the necessary quality information to achieve the entity's objectives. | |
| | 3. Management should externally communicate the necessary quality information to achieve the entity's objectives. | |
| 5. Monitoring | 1. Management should establish and operate monitoring activities to monitor the internal control system and evaluate the results. | 5 |
| | 2. Management should remediate identified internal control deficiencies on a timely basis. | |

Minimum Documentation Requirements

¹ Paragraph OV2.06 ‐ If management determines that a principle is not relevant, management supports that determination with documentation that includes the rationale of how, in the absence of that principle, the associated component could be designed, implemented, and operated effectively.

| COSO ERM Components | Green Book Attributes (paragraphs) | Optional Use Toolset Form # |
|---|---|---|
| 1. Internal Environment | 1.02 ‐ 1.10; 2.02 ‐ 2.13; 3.02 ‐ 3.12¹; 4.02 ‐ 4.08; 5.02 ‐ 5.08 | 1 |
| 2. Objective Setting | 6.02 ‐ 6.07 | 2 |
| 3. Event Identification | 7.02 ‐ 7.04; 8.02 ‐ 8.05; 9.02 ‐ 9.03 | 3 |
| 4. Risk Assessment | 6.08 ‐ 6.10; 7.05 ‐ 7.07; 8.06; 9.04 ‐ 9.05 | 3 |
| 5. Risk Response | 9.04 ‐ 9.05; 7.08 ‐ 7.09; 8.07 | 3 |
| 6. Control Activities | 10.02 ‐ 10.14; 11.02 ‐ 11.17; 12.02² ‐ 12.05 | 3 |
| 7. Information & Communication | 13.02 ‐ 13.06; 14.02 ‐ 14.08; 15.02 ‐ 15.09 | 4 |
| 8. Monitoring | 16.02 ‐ 16.10³; 17.02 ‐ 17.06⁴ | 5 |

Minimum Documentation Requirements

¹ Paragraph 3.09 ‐ Management develops and maintains documentation of its internal control system.

² Paragraph 12.02 ‐ Management documents in policies the internal control responsibilities of the organization.

³ Paragraph 16.09 ‐ Management evaluates and documents the results of ongoing monitoring and separate evaluations to identify internal control issues.

⁴ Paragraph 17.05 ‐ Management evaluates and documents internal control issues and determines appropriate corrective actions for internal control deficiencies on a timely basis.