MetricStream enables organizations to design, assess, and improve internal controls under the COSO framework. It helps establish a systematic process to assess the effectiveness of internal controls and easily provide evidence to external auditors that an internal control was tested to the satisfaction of the audit group. Our document control functionality provides a central repository with comprehensive change control capabilities.
COSO Implementation Simplified
MetricStream enables organizations to design, assess, and improve internal controls under the COSO framework. It helps establish a systematic process to assess the effectiveness of internal controls and easily provide evidence to external auditors that an internal control was tested to the satisfaction of the audit group. Our document control functionality provides a central repository with comprehensive change control capabilities. MetricStream also provides greater control over and clear visibility into compliance issues, statuses, and plans.
How Does MetricStream Help You Implement the COSO 2013 Framework?
Centralized Control Library
Create a central library of controls and map them to processes, risks, and regulations, simplifying information-sharing across assurance functions such as internal audit and compliance. Prioritize and rationalize controls related to high-risk areas, or that have a greater material impact.
Systematic Risk Assessments
Organize and structure workflows for risk assessments – define the plan, scope, schedule, and owners. Perform risk assessments based on impact and likelihood, rate the effectiveness of controls, and document inherent and residual risk ratings. Determine the nature, schedule, and extent of testing that must be carried out for each area along with the required sample size.
Streamlined Control Testing and Documentation
Design and plan control tests, including the schedule, scope, frequency, and test owners. Identify controls for testing based on various parameters and assign them to control owners or testers. Easily conduct control tests with built-in standard templates. Select control samples, record tests results, and attach supporting documents and compliance evidence.
Well-Defined Remediation and Disclosure Processes
Identify and document control issues and deficiencies, mark them for remediation, and assign to owners. Create remediation action plans and channel them to reviewers for approval. Structure workflows for the review of issues marked for disclosure and route to the disclosure committee for recommendations and inclusion in regulatory filings.
Efficient Monitoring and Reporting
Deliver timely, actionable insights on control test results and deficiencies to make informed decisions on control improvements. Effectively monitor internal control design, process ownership, evaluation plans, test results, and more on graphical charts with drill-down capabilities. Easily track the number and test status of controls with key control metrics cards.
What Benefits You Can Expect?
- Greater confidence in SOX compliance through a unified approach to manage risk and control data across financial processes
- Reduced compliance costs and efforts through rationalized controls
- Consistent and streamlined processes for control testing, documentation, and issue remediation
- Improved stakeholder confidence with accurate and reliable data on control testing, certifications, and issue resolution
Frequently Asked Questions
In February 2026, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released Achieving Effective Internal Control Over Generative AI, applying the five components of the COSO Internal Control-Integrated Framework, control environment, risk assessment, control activities, information and communication, and monitoring activities, to generative AI use cases. The guidance introduces a six-step roadmap: govern, inventory, assess, design, implement, and monitor. It addresses risks such as model drift, limited explainability, and unauthorized shadow AI adoption. Organizations already using COSO for SOX compliance can extend the same control library to their generative AI governance.
The COSO framework applies to generative AI risk by treating AI use cases as a new category of control activity requiring documented risk assessment, defined ownership, and ongoing monitoring, rather than a wholesale departure from existing internal control practices. Organizations are guided to maintain a living inventory of generative AI use cases, map them to key business processes, and apply human review proportional to each use case's risk profile. This approach helps organizations avoid treating generative AI outputs as inherently reliable without validation. Pairing this guidance with information security standards further strengthens governance.
The COSO Internal Control-Integrated Framework (ICIF) is built on five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. These components are further broken down into 17 principles that anchor most Sarbanes-Oxley (SOX) Section 404 compliance programs. Together, they provide a structured way for organizations to design, implement, and evaluate internal controls across operations, reporting, and compliance objectives. The framework has since been extended to address sustainability reporting and, most recently, generative AI governance.
The COSO 2013 Internal Control-Integrated Framework helps organizations comply with Section 404 of the Sarbanes-Oxley Act (SOX) by providing a structured method for designing, testing, and documenting internal controls over financial reporting. It guides organizations through establishing control environments, conducting risk assessments, and maintaining evidence that controls were tested to the satisfaction of internal and external auditors. Since its 2013 update, the framework has remained the most widely referenced internal control standard for SOX programs in the United States and beyond.
Organizations managing a COSO-aligned control environment through MetricStream gain a centralized library of controls mapped to processes, risks, and regulations, reducing the effort required to demonstrate compliance across SOX and other reporting obligations. Streamlined control testing, documentation, and issue remediation workflows help organizations respond more quickly when new guidance, such as COSO's generative AI roadmap, expands the scope of internal control responsibilities. Real-time dashboards give stakeholders visibility into control test status, deficiencies, and remediation progress. This supports greater confidence in reported financial and operational data.











