COSO provides guidance on application of ERM to cloud computing

By Ken Tysiac

Enterprise risk management for cloud computing, which has emerged as an important issue for companies in an environment with numerous technological opportunities and cybersecurity threats, is addressed in new guidance issued Wednesday by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

The guidance in Enterprise Risk Management for Cloud Computing uses the principles of COSO’s 2017 publication on Enterprise Risk Management (ERM) — Integrating With Strategy and Performance to establish a framework for cloud computing governance.

Appropriate roles and responsibilities are addressed in the guidance, and a road map for implementing cloud computing is provided.

“The speed at which cloud computing can be procured and implemented is one of its many valuable traits,” COSO Chairman Paul Sobel said in a news release. “However, some organizations may not have had the capability to implement appropriate controls designed to mitigate the risks in their cloud environments.”

Sobel said a structured adoption of cloud computing, including a holistic cloud computing governance program addressing the associated risks that is incorporated into the ERM program, will enable an organization to derive the most value and achieve its strategic objectives.

According to the guidance, an organization can use the COSO ERM framework to integrate cloud computing into its ERM function. The guidance provides detailed instructions on how the COSO ERM framework’s components and its 20 principles apply to cloud computing governance.

Mike Grob, a principal at Crowe LLP who is a co-author of the cloud computing guidance, said that successful ERM goes beyond internal controls to address governance, culture, strategy, and performance. The COSO guidance provides a mechanism for addressing those issues related to cloud computing.

“Effective cloud computing and cloud enterprise risk management is integrated within the organization to support the organization’s strategy and objectives, align with culture, and enhance value,” Grob said in the release.

COSO is a voluntary private-sector organization that develops thought leadership to enhance internal control, ERM, governance, and fraud deterrence. The AICPA is a sponsor of COSO. More information is available at

Ken Tysiac ( is the JofA’s editorial director.

Where to find March’s flipbook issue

The Journal of Accountancy is now completely digital. 





Get Clients Ready for Tax Season

This comprehensive report looks at the changes to the child tax credit, earned income tax credit, and child and dependent care credit caused by the expiration of provisions in the American Rescue Plan Act; the ability e-file more returns in the Form 1040 series; automobile mileage deductions; the alternative minimum tax; gift tax exemptions; strategies for accelerating or postponing income and deductions; and retirement and estate planning.