COSO Releases New Guidance: Enterprise Risk Management for Cloud Computing

Bolstering Cloud Governance to Reduce Risk Even More Important in Today’s Environment

Lake Mary, FL (July 28, 2021) – With increased need for more remote and flexible work environments as a result of the pandemic, utilizing cloud computing has become an essential element to compete in the marketplace. New guidance issued today from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Enterprise Risk Management for Cloud Computing,” is intended to serve as a guide to establishing cloud computing governance leveraging the principles of COSO’s Enterprise Risk Management (ERM) – Integrating with Strategy and Performance framework (2017).

The project, commissioned by COSO and co-authored by Mike Grob, Principal, and Victoria Cheng, Managing Director, in Crowe LLP’s Consulting services, provides a concise roadmap to implement cloud computing and describes appropriate roles and responsibilities. The guide provides a structure to utilize the COSO ERM framework in thinking through evolving cloud computing risks.

“The speed at which cloud computing can be procured and implemented is one of its many valuable traits,” said Paul Sobel, COSO Chairman. “However, some organizations may not have had the capability to implement appropriate controls designed to mitigate the risks in their cloud environments. A structured adoption of cloud computing, including a holistic cloud computing governance program that addresses the associated risks and is incorporated into the ERM program, will enable an organization to derive the most value and enable the organization to achieve its strategic objectives.”

“Successful ERM goes beyond internal controls to address governance, culture, strategy, and performance,” added Mike Grob, Principal at Crowe and co-author of the paper. “Effective cloud computing and cloud enterprise risk management is integrated within the organization to support the organization’s strategy and objectives, align with the culture, and enhance value.”

The use of the COSO ERM framework enables cloud computing to be integrated with the organization’s ERM function. The guidance explains how to apply the COSO ERM framework to cloud computing governance by evaluating each component as well as the 20 principles.

As noted in the guidance, those organizations that have not yet created a cloud governance program can do so at any time and continue to refresh it as changes occur. By incorporating cloud governance into the organization’s cloud computing processes, the organization is better positioned to manage risks that threaten the strategy and objectives of the organization.

“Bolstering cloud governance is even more important in today’s multi-cloud environment as it will reduce the organization’s risk and allow for more efficient and effective use of cloud computing and monitoring,” noted Victoria Cheng, Managing Director at Crowe and co-author of the paper. “The cloud computing governance approach provides a holistic view of cloud computing throughout the organization.”

Please visit for the full paper.

About COSO
Originally formed in 1985, COSO is a voluntary private sector organization dedicated to helping organizations improve performance by developing thought leadership that enhances internal control, enterprise risk management, governance and fraud deterrence. COSO is jointly sponsored by the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and The Institute of Internal Auditors (IIA). For more information, visit

About Crowe
Crowe LLP is a public accounting, consulting and technology firm with offices around the world. Crowe uses its deep industry expertise to provide audit services to public and private entities. The firm and its subsidiaries also help clients make smart decisions that lead to lasting value with its tax, advisory and consulting services. Crowe is recognized by many organizations as one of the best places to work in the U.S. As an independent member of Crowe Global, one of the largest global accounting networks in the world, Crowe serves clients worldwide. The network consists of more than 200 independent accounting and advisory services firms in more than 130 countries around the world.

Contact Us

Amanda Reich