Objectives Setting and Internal Control

An organization adopts a mission and vision, sets strategies, establishes objectives it wants to achieve, and formulates plans for achieving them. Objectives may be set for an entity as a whole, or be targeted to specific activities within the entity. Though many objectives are specific to a particular entity, some are widely shared. For example, objectives common to most entities are sustaining organizational success, reporting to stakeholders, recruiting and retaining motivated and competent employees, achieving and maintaining a positive reputation, and complying with laws and regulations.

Supporting the organization in its efforts to achieve objectives are five components of internal control:

These components are relevant to an entire entity and to the entity level, its subsidiaries, divisions, or any of its individual operating units, functions, or other subsets of the entity.

Relationship of Objectives, Components, and the Entity:

A direct relationship exists between objectives, which are what an entity strives to achieve, components, which represent what is required to achieve the objectives, and entity structure (the operating units, legal entities, and other structures). The relationship can be depicted in the form of a cube.


• The three categories of objectives (operations, reporting, and compliance) are represented by the columns.
• The five components are represented by the rows.
• The entity structure, which represents the overall entity, divisions, subsidiaries, operating units, or functions, including business processes such as sales, purchasing, production, and marketing, and to which internal control relates, is depicted by the third dimension of the cube.

Each component cuts across and applies to all three categories of objectives. For example, attracting, developing, and retaining competent people who are able to conduct internal control—part of the control environment component—is relevant to all three objectives categories.

The three categories of objectives are not parts or units of the entity. For instance, operations objectives relate to the efficiency and effectiveness of operations, not specific operating units or functions such as sales, marketing, procurement, or human resources.

Accordingly, when considering the category of objectives related to reporting, for example, knowledge of a wide array of information about the entity’s operations is needed. In that case, focus is on the middle column of the model—reporting objectives—rather than on the operations objectives category.

Internal control is a dynamic, iterative, and integrated process. For example, risk assessment not only influences the control environment and control activities, but also may highlight a need to reconsider the entity’s requirements for information and communication, or for its monitoring activities. Thus, internal control is not a linear process where one component affects only the next. It is an integrated process in which components can and will impact one another.

No two entities will, or should, have the same system of internal control. Entities, objectives, and systems of internal control differ dramatically by industry and regulatory environment, as well as by internal considerations such as the size, nature of the management operating model, tolerance for risk, reliance on technology, and competence and number of personnel. Thus, while all entities require each of the components to maintain effective internal control over their activities, one entity’s system of internal control usually looks different from another’s.


Management, with board oversight, sets entity-level objectives that align with the entity’s mission, vision, and strategies. These high-level objectives reflect choices made by management and the board of directors about how the organization seeks to create, preserve, and realize value for its stakeholders. Such objectives may focus on the entity’s unique operations needs, or align with laws, rules, regulations, and standards imposed by legislators, regulators, and standard setters, or some combination of the two. Setting objectives is a prerequisite to internal control and a key part of the management process relating to strategic planning.

Individuals who are part of the system of internal control need to understand the overall strategies and objectives set by the organization. As part of internal control, management specifies suitable objectives so that risks to the achievement of such objectives can be identified and assessed. Specifying objectives includes the articulation of specific, measurable or observable, attainable, relevant, and time-bound objectives.

However, there may be instances where an entity might not explicitly document an objective. Objectives specified in appropriate detail can be readily understood by the people who are working toward achieving them.

Categories of Objectives

The Framework groups entity objectives into the three categories of operations, reporting, and compliance.

Operations Objectives

Operations objectives relate to achievement of an entity's basic mission, the fundamental reason for its existence. These objectives vary based on management's choices relating to structure, industry considerations, and performance of the entity. Entity-level objectives cascade into related sub-objectives for operations within the divisions, subsidiaries, operating units, and functions, directed at enhancing effectiveness and efficiency in moving the entity toward its ultimate goal.

As such, operations objectives may relate to improving financial performance, productivity (e.g., avoiding waste and rework), quality, environmental practices, innovation, and customer and employee satisfaction. These objectives pertain to all types of entities. For example, a for-profit entity may focus on revenue, profitability, return on assets, and liquidity. In contrast, a not-for-profit entity, though certainly concerned with revenues or levels of spending, may focus more on increasing donor participation. A governmental agency may focus primarily on executing its spending in line with the designated purposes of its appropriators to ensure that the spending supports its mission objectives. If an entity’s operations objectives are not well conceived or clearly specified, its resources may be misdirected.

Safeguarding of Assets

The operations category of objectives includes safeguarding of assets, which refers to protecting and preserving entity assets. For instance, an entity may set objectives relating to the prevention of loss of assets and the timely detection and reporting of any such losses. These objectives form the basis of assessing risk relating to safeguarding of assets and selecting and developing controls needed to mitigate such risk.

The efficient use of an entity’s assets, and prevention of loss through waste, inefficiency, or poor business decisions (e.g., selling product at too low a price, extending credit to bad risks, failing to retain key employees, preventing patent infringement, incurring unforeseen liabilities) relate to broader operations objectives and are not a specific consideration relating to safeguarding of assets.

Laws, rules, regulations, and standards have created an expectation that management reporting on internal control includes controls relating to preventing and detecting unauthorized acquisition, use, or disposition of the assets. In addition, some entities consider safeguarding of assets a separate category of objective, and that view can be accommodated within the application of the Framework.

Reporting Objectives

Reporting objectives pertain to the preparation of reports for use by organizations and stakeholders. Reporting objectives may relate to financial or non-financial reporting and to internal or external reporting. Internal reporting objectives are driven by internal requirements in response to a variety of potential needs such as the entity’s strategic directions, operating plans, and performance metrics at various levels. External reporting objectives are driven primarily by regulations and/or standards established by regulators and standard-setting bodies.

Relationship within Reporting Category of Objective:
The overall relationship between the four sub-categories of reporting objectives is depicted in the graphic below.

Reporting objectives are different from the information and communication component of internal control. Management establishes, with board oversight, reporting objectives when the organization needs reasonable assurance of achieving a particular reporting objective. In these situations all five components of internal control are needed. For instance, in preparing internal non-financial reporting to the board on the status of merger integration efforts, the organization specifies internal reporting objectives (e.g., prepares reliable, relevant, and useful reports), assigns competent individuals, assesses risks relating to specified objectives, selects and develops controls within the five components necessary to mitigate such risks, and monitors components of internal control supporting the specified non-financial reporting objective.

In contrast, the Information and Communication component supports the functioning of all components of reporting objectives, as well as operations and compliance objectives. For instance, controls within information and communication support the preparation of the above report, helping to provide relevant and quality information underlying the report, but these controls are only part of the overall system of internal control. 

Compliance Objectives

Entities must conduct activities, and often take specific actions, in accordance with applicable laws and regulations. As part of specifying compliance objectives, the organization needs to understand which laws, rules and regulations apply across the entity. Many laws and regulations are generally well known, such as those relating to human resources, taxation, and environmental compliance, but others may be more obscure, such as those that apply to an entity conducting operations in a remote foreign territory.

Laws and regulations establish minimum standards of conduct expected of the entity. The organization is expected to incorporate these standards into the objectives set for the entity. Some organizations will set objectives to a higher level of performance than established by laws and regulations. In setting those objectives, management is able to exercise discretion relative to the performance of the entity. For instance, a particular law may limit minors working outside school hours to eighteen hours in a school week. However, a retail food service company may choose to limit its minor-age staff to working fifteen hours per week.

For purposes of the Framework, compliance with an entity’s internal policies and procedures, as opposed to compliance with external laws and regulations as discussed above, relates to operations objectives.

Overlap of Objectives Categories

An objective in one category may overlap or support an objective in another. For example, "closing financial reporting period within five workdays" may be a goal supporting primarily an operations objective: to support management in reviewing business performance. But it also supports timely reporting and timely filings with regulatory agencies.

The category in which an objective falls may vary depending on the circumstances. For instance, controls to prevent theft of assets—such as maintaining a fence around inventory, or having a gatekeeper to verify proper authorization of requests for movement of goods—fall under the operations category. These controls may not be relevant to reporting where inventory losses are detected after a periodic physical inspection and recording in the financial statements. However, if for reporting purposes management relies solely on perpetual inventory records, as may be the case for interim or internal financial reporting, the physical security controls would then also fall within the reporting category. These physical security controls, along with controls over the perpetual inventory records, are needed to achieve reporting objectives. A clear understanding is needed of the entity’s business processes, policies and procedures, and the respective impact on each category of objectives.

Basis of Objectives Categories

Some objectives are derived from the regulatory or industry environments in which the entity operates. For example:

These objectives are established largely by law or regulation, and fall into the category of compliance, external reporting, or, in these examples, both.

Conversely, operations and internal reporting objectives are based more on the organization’s preferences, judgments, and choices. These objectives vary widely among entities simply because informed and competent people may select different objectives. For example, one organization might choose to be an early adopter of emerging technologies in developing new products, whereas another might be a quick follower, and yet another a late adopter. These choices would reflect the entity’s strategies and the competencies, technologies, and controls within its research and development function. Consequently, no one formulation of objectives can be optimal for all entities.

Objectives and Sub-Objectives

Management links specified entity-level objectives to more specific sub-objectives that cascade throughout the organization. Sub-objectives also are established as part of or flowing from the strategy-setting process, and relate to the entity and its subunits and functional activities such as sales, production, engineering, marketing, productivity, employee engagement, innovation, and information technology. Management aligns these sub-objectives with entity-level objectives and coordinates these across the entity.

Where entity-level objectives are consistent with prior practice and performance, the linkage between activities is usually known. Where objectives depart from an entity’s past practices, management addresses the linkages or accepts increased risks. For example, an entity-level objective relating to customer satisfaction depends on linked sub-objectives dealing with the introduction of services that use a newer and less proven technology infrastructure. These sub-objectives might need to be substantially changed if past practice used older, proven technologies.

Sub-objectives for operating units and functional activities also need to be specific, measurable or observable, attainable, relevant, and time-bound. In addition, they must be readily understood by the people who are working toward achieving them. Management and other personnel require a mutual understanding of both what is to be accomplished and the means of determining to what extent it is accomplished in order to ensure individual and team accountability. 

Entities may specify multiple sub-objectives for each activity, flowing both from the entity-level objectives and from established standards relating to compliance and reporting objectives, as deemed suitable in the circumstances. For example, procurement operations objectives may be to:

As another example, when specifying suitable external reporting objectives relating to the preparation of external financial statements, management considers accounting standards, financial statement assertions, and qualitative characteristics that are applicable to the entity and its subunits. For example, management may set an entity-level external financial reporting objective as follows: “Our company prepares reliable financial statements reflecting transactions and events in accordance with generally accepted accounting principles.”

Management also specifies suitable sub-objectives for divisions, subsidiaries, operating units, and functions with sufficient clarity to support entity-level objectives. For instance, management specifies sub-objectives for sales transactions that apply appropriate accounting standards based on the circumstances and that address relevant financial statement assertions and qualitative characteristics, such as


