COSO provides guidance on application of ERM to cloud computing

By Ken Tysiac

Enterprise risk management for cloud computing, which has emerged as an important issue for companies in an environment with numerous technological opportunities and cybersecurity threats, is addressed in new guidance issued Wednesday by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The guidance in Enterprise Risk Management for Cloud Computing uses the principles of COSO’s 2017 publication on Enterprise Risk Management (ERM) — Integrating With Strategy and Performance to establish a framework for cloud computing governance.

Appropriate roles and responsibilities are addressed in the guidance, and a road map for implementing cloud computing is provided.

“The speed at which cloud computing can be procured and implemented is one of its many valuable traits,” COSO Chairman Paul Sobel said in a news release. “However, some organizations may not have had the capability to implement appropriate controls designed to mitigate the risks in their cloud environments.”

Sobel said a structured adoption of cloud computing, including a holistic cloud computing governance program addressing the associated risks that is incorporated into the ERM program, will enable an organization to derive the most value and achieve its strategic objectives.

According to the guidance, an organization can use the COSO ERM framework to integrate cloud computing into its ERM function. The guidance provides detailed instructions on how the COSO ERM framework’s components and its 20 principles apply to cloud computing governance.

Mike Grob, a principal at Crowe LLP who is a co-author of the cloud computing guidance, said that successful ERM goes beyond internal controls to address governance, culture, strategy, and performance. The COSO guidance provides a mechanism for addressing those issues related to cloud computing.

“Effective cloud computing and cloud enterprise risk management is integrated within the organization to support the organization’s strategy and objectives, align with culture, and enhance value,” Grob said in the release.

COSO is a voluntary private-sector organization that develops thought leadership to enhance internal control, ERM, governance, and fraud deterrence. The AICPA is a sponsor of COSO. More information is available at

Ken Tysiac is the JofA’s editorial director.
