[Verse 1] Back in two thousand four, COSO took a leap Extended their control model, made it broad and deep Eight components in a cube, framework crystallized Risk management got a makeover, enterprise-wide [Chorus] Internal Environment sets the tone Objective Setting carved in stone Event ID and Risk Assessment too Risk Response and Controls review Info flows and Monitoring's eye Eight components reaching high The cube that promised to align Every risk in perfect time [Verse 2] Internal Environment builds the foundation ground Objective Setting makes the targets crystal sound Event Identification spots what could go wrong Risk Assessment weighs the impact, measures strong [Chorus] Internal Environment sets the tone Objective Setting carved in stone Event ID and Risk Assessment too Risk Response and Controls review Info flows and Monitoring's eye Eight components reaching high The cube that promised to align Every risk in perfect time [Bridge] But critics called it process-heavy, hard to use Too tightly wound around controls, easy to confuse Operationalize the framework? Companies would stumble The cube looked neat on paper but made practice crumble [Verse 3] Risk Response chooses strategies to deploy Control Activities execute without decoy Information Communication keeps the data flowing Monitoring watches closely, keeps the system knowing [Chorus] Internal Environment sets the tone Objective Setting carved in stone Event ID and Risk Assessment too Risk Response and Controls review Info flows and Monitoring's eye Eight components reaching high The cube that promised to align Every risk in perfect time [Outro] Widely adopted but flawed in execution Set the stage for twenty-seventeen's revolution
← 1 Origins of COSO | 3 The 2017 Revision: Strategy and Performance →