COSO Framework Explained for Nigerian Businesses: Simple Breakdown of Five Components

Internal controls sound boring. Until something goes wrong.
Then you wish you had them.
The COSO Framework is the global standard for internal controls. Nigerian regulators are now demanding it. The Securities and Exchange Commission (SEC) directed all Capital Market Operators to implement COSO-compliant Enterprise Risk Management frameworks in June 2024.
If you run a business in Nigeria, you need to understand COSO.
Let me break it down simply.
What is the COSO Framework?
COSO stands for Committee of Sponsoring Organisations of the Treadway Commission. The framework was first developed in 1992 and significantly updated in 2013 to focus on five integrated components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities.
Think of it as a blueprint for building strong internal controls. It tells you what to do, how to do it, and how to know if it is working.
Why Nigerian businesses need COSO now
On 14 June 2024, the Securities and Exchange Commission directed all Capital Market Operators to implement an Enterprise Risk Management framework that conforms to international standards such as COSO.
This is not optional for many companies anymore.
For Nigerian businesses, COSO helps with four things: enhancing operational efficiency, ensuring reliable financial reporting, complying with laws and regulations, and safeguarding organisational assets.
Global updates you should know about

COSO issued supplemental guidance in 2023 for internal control over sustainability reporting. Nigerian companies pursuing ESG initiatives can use this to establish controls over environmental data collection and ensure the reliability of sustainability metrics.
In 2024, COSO released guidance on alternative data. This addresses risks from social media analytics, IoT sensor data, and web scraping. Nigerian businesses using digital technologies should pay attention.
COSO also released guidance in 2024 on internal controls for Robotic Process Automation. As Nigerian companies adopt automation, this helps design controls around automated processes and monitor bot activities.
The COSO Cube explained simply
The COSO Framework is often shown as a three-dimensional cube.
The top face shows the three objectives: operations objectives (effectiveness and efficiency), reporting objectives (reliability of internal and external reporting), and compliance objectives (adherence to laws and regulations).
The front face shows the five components we will explore in detail: control environment, risk assessment, control activities, information and communication, and monitoring activities.
The side face shows the organisational structure: entity level, division level, operating unit level, and function level.
Component 1: Control environment
This is the foundation of your entire internal control system. It represents your organisational culture around controls and ethics.
Think of it as the attitude your leaders have about doing things right.
The control environment includes commitment to integrity and ethical values, board independence and oversight, organisational structure and assignment of authority, commitment to competence, and performance measurement and accountability.
For Nigerian businesses, focus on establishing a Code of Conduct that reflects local values while meeting international standards. Ensure board members are independent and understand their oversight responsibilities. Leadership must demonstrate a visible commitment to ethical behaviour.
A Nigerian bank implementing a strong control environment would establish an independent audit committee, adopt a comprehensive ethics code, provide annual compliance training, and implement a whistleblower hotline with guaranteed protection.
Component 2: Risk assessment
Risk assessment means identifying and analysing internal and external risks that could stop you from achieving your objectives.
You cannot control risks you have not identified.
Key elements include specifying objectives clearly, identifying and analysing risks to achieving those objectives, assessing fraud risk, and identifying significant changes that could impact internal controls.
Given Nigeria’s unique operating environment, businesses should assess economic risks such as currency fluctuations and inflation; regulatory risks from the SEC, CBN, and FIRS; fraud risks, including internal fraud and cyber fraud; and operational risks such as supply chain disruptions and power challenges.
A manufacturing company in Lagos should conduct quarterly risk assessments evaluating foreign exchange exposure, customs regulation changes, logistics challenges, and power supply reliability. Then develop specific controls and contingency plans for each risk.
Component 3: Control activities
Control activities are the policies, procedures, and practices that ensure management directives are carried out.
This is where the rubber meets the road.
There are four types. Preventive controls stop errors or fraud before they happen. Detective controls identify errors or fraud after they occur. Corrective controls fix identified issues. Directive controls encourage desired outcomes.
For Nigerian businesses, key control activities include segregation of duties (no single person controls all aspects of a transaction). Authorisation and approval based on monetary thresholds. Regular bank reconciliations and inventory counts. Physical controls safeguarding assets. Performance reviews comparing actual results to budgets.
A Nigerian retail chain would implement dual authorisation for payments above ₦500,000, daily cash reconciliations at all locations, surveillance cameras at cash points, automated inventory management with variance reporting, and monthly financial performance reviews.
Component 4: Information and communication
Good information and communication systems ensure that relevant, quality information is captured and shared on time.
Information includes financial data, operational metrics, compliance reports, market conditions, and regulatory changes. It must be relevant, timely, accurate, and accessible.
Communication happens internally (up, down, and across departments) and externally (with customers, suppliers, regulators, and shareholders).
For Nigerian businesses, use regular management meetings to discuss performance and issues. Open-door policies encourage employees to raise concerns. Whistleblower mechanisms provide anonymous reporting channels. Performance dashboards give real-time visibility.
A Nigerian telecommunications company should hold quarterly town halls where executives communicate performance, establish a fraud reporting hotline, deploy business intelligence dashboards accessible to managers, and create standardised templates for regulatory reporting.
Component 5: Monitoring activities
Monitoring means ongoing evaluations and separate assessments to verify that controls are present and working.
There are two types.
Ongoing evaluations are built into business processes, run in real time or near real time, and are performed by operational personnel. Examples include supervisory reviews, reconciliations, and automated exception reports.
Separate evaluations are periodic, in-depth assessments of specific areas, conducted by internal audit or external parties. Examples include internal audits, management self-assessments, and external audits.
A Nigerian manufacturing company should establish a three-year internal audit plan covering all major processes, implement monthly management control certifications, use data analytics to monitor for duplicate payments and vendor fraud, and present quarterly internal control reports to the audit committee.
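As an added illustration (not part of the original article) of the preventive controls in Component 3 and the automated exception reporting in Component 5, the Python below enforces segregation of duties and the ₦500,000 dual-authorisation threshold on each payment, then produces a duplicate-payment exception report. The payment records, vendor names and user ids are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Threshold taken from the article's retail example: payments above it need two approvers.
DUAL_AUTH_THRESHOLD_NGN = 500_000


@dataclass(frozen=True)
class Payment:
    ref: str
    vendor: str
    amount_ngn: int
    initiator: str       # user who raised the payment
    approvers: tuple     # user ids who approved it


def preventive_check(p: Payment) -> list:
    """Preventive controls applied before a payment is released.
    Returns the list of violated controls; an empty list means it may proceed."""
    issues = []
    # Segregation of duties: the initiator may never approve their own payment.
    if p.initiator in p.approvers:
        issues.append("segregation_of_duties")
    # Dual authorisation above the monetary threshold, single approval below it.
    required = 2 if p.amount_ngn > DUAL_AUTH_THRESHOLD_NGN else 1
    if len(set(p.approvers)) < required:
        issues.append(f"needs_{required}_approvers")
    return issues


def control_exceptions(payments) -> dict:
    """Exception report of payments that failed a preventive control."""
    return {p.ref: preventive_check(p) for p in payments if preventive_check(p)}


def duplicate_payment_report(payments) -> list:
    """Detective control: flag groups of payments to the same vendor for the
    same amount, the classic signature of a duplicate invoice."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p.vendor, p.amount_ngn)].append(p.ref)
    return sorted(refs for refs in seen.values() if len(refs) > 1)


# Constructed sample ledger (hypothetical vendors and users).
SAMPLE_PAYMENTS = [
    Payment("P001", "Lagos Logistics Ltd", 250_000, "ada", ("bola",)),
    Payment("P002", "Lagos Logistics Ltd", 750_000, "ada", ("bola",)),          # over threshold, one approver
    Payment("P003", "Abuja Power Services", 1_200_000, "chidi", ("chidi", "bola")),  # self-approval
    Payment("P004", "Kano Supplies", 90_000, "ada", ("dayo",)),
    Payment("P005", "Kano Supplies", 90_000, "ada", ("dayo",)),                 # duplicate of P004
    Payment("P006", "Lagos Logistics Ltd", 2_000_000, "ada", ("bola", "dayo")),  # compliant
]

if __name__ == "__main__":
    print("preventive exceptions:", control_exceptions(SAMPLE_PAYMENTS))
    print("possible duplicates:", duplicate_payment_report(SAMPLE_PAYMENTS))
```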
SEC Nigeria directive on ERM

On 14 June 2024, the SEC directed all Capital Market Operators to implement an ERM framework conforming to international standards such as COSO.
This means Capital Market Operators must now formally adopt COSO-compliant ERM frameworks. Nigerian financial institutions face increased scrutiny regarding internal control systems. Public companies should proactively implement COSO principles to meet regulatory expectations.
Benefits of COSO for Nigerian businesses
Regulatory compliance: meet SEC requirements, align with CBN guidelines, and prepare for similar regulations.
Fraud prevention and detection: reduce opportunities through segregation of duties, detect anomalies through monitoring, and protect assets.
Operational efficiency: standardise processes, eliminate redundancies, and improve resource allocation.
Risk management: proactively identify risks, develop contingency plans, and build organisational resilience.
Stakeholder confidence: increase investor confidence, improve credit ratings, and enhance reputation.
Strategic advantage: position for international partnerships, attract foreign investment, and support expansion plans.
Implementing COSO step by step
Phase one: Planning and assessment (months 1-3).
Obtain leadership commitment. Present the business case to the board. Secure budget. Appoint the implementation team.
Conduct current state assessment. Document existing controls. Identify gaps against COSO. Prioritise improvements.
Define scope and objectives. Determine which business units to include. Set clear success metrics. Create a timeline.
Phase two: Design and documentation (months 4-8).
Design control framework. Map business processes. Identify key controls. Assign control ownership.
Develop policies and procedures. Update control policies. Document standard operating procedures. Define approval authorities.
Establish governance structure. Form risk committee. Define roles and responsibilities. Create escalation procedures.
Phase three: Implementation and training (months 9-15).
Implement controls. Roll out new policies. Configure system controls. Communicate changes.
Conduct training. Train all employees on control responsibilities. Provide specialised training for control owners. Create reference guides.
Test controls. Perform initial testing. Document results. Address weaknesses. Refine controls.
Phase four: Monitoring and continuous improvement (ongoing).
Establish monitoring mechanisms. Implement ongoing evaluations. Schedule periodic assessments. Create control dashboards.
Report and remediate. Regular reporting to management and board. Track remediation of deficiencies. Update controls for changing risks.
Continuous improvement. Annual framework assessment. Update for regulatory changes. Incorporate lessons learned.
Common challenges and solutions
Limited resources. Start with high-risk areas and expand. Leverage existing systems. Use technology to automate where possible.
Resistance to change. Communicate the “why” behind controls. Involve employees in design. Recognise and reward compliance.
Inadequate technology. Prioritise manual controls where technology is lacking. Use cloud-based solutions. Leverage mobile technology.
Skills and knowledge gaps. Invest in training. Hire experienced control professionals. Partner with audit firms for technical guidance.
Complex regulatory environment. Maintain a compliance calendar. Assign responsibility for monitoring changes. Build relationships with regulators.
Industry-specific applications
Banking and financial services. Credit controls and loan approvals. Fraud detection systems. Regulatory reporting controls. Anti-money laundering controls.
Oil and gas. Revenue recognition controls. Joint venture accounting. Health and safety controls. Contract management.
Telecommunications. Revenue assurance. Billing controls. Network security. Interconnect and settlement controls.
Manufacturing. Inventory management. Production planning. Quality assurance. Supply chain controls. Foreign exchange exposure management.
Retail and consumer goods. Point-of-sale controls. Cash management. Inventory shrinkage prevention. Pricing controls.
Measuring COSO success
Track control effectiveness metrics. Percentage of controls tested and found effective. Number of deficiencies identified and remediated. External audit adjustments and material weaknesses.
Track operational metrics. Reduction in errors and rework. Decrease in losses from fraud. Improvement in compliance scores.
Track financial metrics. Cost savings from process improvements. Reduction in bad debt. Return on investment in control systems.
Track strategic metrics. Improvement in credit ratings. Increase in investor confidence. Access to new markets.
Where to start tomorrow
Do not try to implement everything at once.
Start with a gap assessment. Understand where you are today compared to COSO standards.
Secure leadership commitment. Without top support, your implementation will fail.
Focus on high-risk areas first. Get quick wins to build momentum.
Invest in training. Your people need to understand why controls matter.
Get expert help if needed. COSO implementation is complex. External advisors bring experience and efficiency.
Final word
The COSO Framework is not just another compliance exercise.
It is a proven system for building stronger, more resilient organisations. Nigerian regulators are demanding it. The SEC June 2024 directive makes COSO compliance mandatory for Capital Market Operators.
Companies that embrace COSO will meet regulatory requirements, prevent fraud, improve efficiency, and build stakeholder confidence. Those who ignore it will face penalties, control failures, and missed opportunities.
Start your COSO journey today. Assess your current state. Secure leadership commitment. Take a phased approach.
Your organisation’s future depends on it.
CALL TO ACTION
Take Action Today: Partner with Stonehill Research
At Stonehill Research, we understand the unique challenges facing Nigerian businesses in implementing robust internal control systems. Our team of experienced professionals specialises in helping organisations design, implement, and maintain COSO-compliant frameworks tailored to the Nigerian business environment.
Our COSO Framework Services Include
Gap Assessment. Comprehensive evaluation of your current controls against COSO standards.
Framework Design. Customised COSO implementation roadmap for your organisation.
Process Documentation. Detailed documentation of controls, policies, and procedures.
Training and Capacity Building. Hands-on training for your team on COSO principles and practices.
Internal Audit Support. Risk-based internal audit services and quality assurance.
Technology Solutions. Guidance on control automation and monitoring tools.
Regulatory Compliance. Support meeting SEC, CBN, and other regulatory requirements.
Ongoing Support. Continuous improvement and framework updates.
Why Choose Stonehill Research?
Nigerian Market Expertise. Deep understanding of local regulations, business culture, and challenges.
International Standards. Global best practices adapted for the Nigerian context.
Proven Track Record. Successful COSO implementations across multiple industries.
Comprehensive Approach. End-to-end support from assessment through implementation and monitoring.
Cost-Effective Solutions. Scalable services designed for organisations of all sizes.
Knowledge Transfer. Building internal capacity while delivering results.
Ready to Strengthen Your Internal Controls?
Don’t wait for regulatory pressure or control failures to act. Contact Stonehill Research today to schedule a complimentary consultation and learn how we can help your organisation implement a world-class COSO Framework.
📧 Email: info@stonehillresearch.com
📞 Phone: +234 802 320 0801
📍 Address: 5, Ishola Bello Close, Off Iyalla Street, Alausa, Ikeja, Lagos, Nigeria
Schedule Your Free Consultation Today
Take the first step toward building stronger internal controls and positioning your organisation for sustainable success. Our experts are ready to guide you through every step of your COSO Framework implementation journey.
Stonehill Research – Your Partner in Governance, Risk Management, and Compliance Excellence.