What is COSO Guidance for Health Care Providers?
The COSO Internal Control-Integrated Framework: An Implementation Guide for the Healthcare Provider Industry, was published in 2013 by the Committee of Sponsoring Organizations (COSO) in collaboration with professional services firm Crowe and CommonSpirit Health.
The guide is meant to help healthcare businesses navigate the enormously complicated world of U.S. healthcare. It addresses subjects such as access control, system integrity, clinical documentation, coding, and billing procedures, all to help healthcare businesses comply with the Affordable Care Act of 2010 and to protect patient data now that electronic health records (EHR) have become the norm. COSO's guidance provides an outline and best practices for meeting those standards.
“Healthcare organizations experience issues with system access, system integrity, clinical documentation, coding, and billing; all of which may result in potential non-compliance with federal and state regulations—and costly mistakes,” the guide’s executive summary states.
To meet those compliance obligations, the guide says, healthcare organizations “must review their control environment to confirm proper controls are in place to ensure effective and efficient operations, proper financial reporting, and compliance; and that their control environment supports the attainment of the organization’s mission and strategy; and COSO provides the direction to do this.”
What Is COSO?
COSO developed its original internal control framework in 1992 with fraud deterrence in mind. The framework provides an effective internal control structure to ensure that an organization’s financial practices, including financial statements and external financial reporting, are accurate and reliable.
COSO defines internal control as “a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
For a detailed history of COSO’s internal control framework (which had a major overhaul in 2013) and a complete guide on compliance with this important document, check out our Guide to COSO Framework and Compliance.
COSO also helps organizations comply with laws and regulations including the Sarbanes-Oxley Act (SOX), a federal law enacted in 2002 to protect public companies and their shareholders from accounting errors and fraud; and the Foreign Corrupt Practices Act (FCPA).
COSO has also published an enterprise risk management (ERM) framework, and several smaller volumes on specific issues such as corporate compliance and environmental, social, and governance (ESG) reporting.
Components of Internal Control
COSO lists five components of internal control.
1. Control Environment
This is the foundation. It includes the organization’s values, governance structure, and overall attitude toward risk and compliance. In healthcare, a strong control environment might include a clear tone from leadership around patient data privacy, accountability for coding accuracy, and well-defined roles across clinical and IT administrative functions.
2. Risk Assessment
Healthcare providers face unique regulatory, operational, and reputational risks. Risk assessment means identifying what could go wrong, analyzing the likelihood and impact of each risk, and then prioritizing controls accordingly. For instance, the introduction of telehealth may introduce new risks around data security and patient identity verification that need to be addressed early.
3. Control Activities
These are the policies, procedures, and tools that actually mitigate the risks. For healthcare, control activities might include dual-authorization for prescription access or regular user access reviews within EHR systems. The goal is to make sure controls are strategically embedded into routine workflows.
4. Information and Communication
Effective controls rely on the right information flowing to the right people at the right time. This includes everything from staff training on new compliance protocols to dashboards that surface anomalies in billing patterns. Frontline teams should be empowered to understand what’s expected and how to report issues.
5. Monitoring Activities
Monitoring ensures that controls keep working as conditions change. This could involve continuous access logging, post-implementation reviews of IT system upgrades, or structured internal audits. As COSO stresses, monitoring should be ongoing, not just periodic. This is especially applicable in a sector as fast-moving as healthcare.
The new guidance, COSO Integrated Framework: An Implementation Guide for the Healthcare Provider Industry, explores how healthcare organizations can use the framework to improve internal control over their specific business environment. COSO offered several ways healthcare providers could use its framework when it published the guidance:
- Evaluate and strengthen the existing internal control structure, including operational functions, procedures, and systems. An example would be hosting a secure Active Directory environment to control access to sensitive systems and information.
- Implement controls to help mitigate significant risks. Risks come in myriad forms. Implementing a system that prevents external access to servers can reduce the risk that a hacker will gain access to systems from outside the environment.
- Optimize the effectiveness of the control environment. Improving the technical environment of healthcare providers frees resources that would otherwise go to maintaining the control environment, allowing the administration to focus on its primary objectives.
- Improve the efficiency of governance, compliance, operations, management, and assurance functions. Efficient operations support the effectiveness of controls. Having a simplified scope of what needs to be addressed in an audit or controls remediation plan allows the organization to evolve with the changing technical and regulatory landscape more deftly.
Turning Monitoring Into Control Progress
In healthcare, internal controls can’t be something you “set and forget.” With shifting regulations and sensitive patient data, your systems need to adapt fast. That’s where continuous monitoring comes into play, giving you real-time visibility that leads to smarter decisions and stronger safeguards.
So what does that look like in practice?
- Build monitoring into the flow of work. Don’t rely on periodic reviews alone. Integrate tools that automatically flag suspicious access, repeated documentation gaps, or billing anomalies as they happen. COSO calls for ongoing monitoring, but healthcare practically demands it.
- Close the feedback loop. Catching issues is just step one. What matters more is what you do with that data. If a department keeps missing documentation, the fix could mean tweaking workflows or updating training altogether.
- Make control everyone’s job. Monitoring doesn’t sit in a compliance silo. IT teams, clinical staff, billing departments—they all play a part. The more cross-functional visibility you create, the more responsive your internal control system becomes.
- Spot the cracks before they widen. Effective monitoring highlights where things are fragile, like manual steps that slow everything down during busy periods. Fixing those weak links early makes your whole operation more resilient.
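As an added illustration (not from the COSO guide or this article), the following Python sketch puts two of the controls named above into code: the periodic user access review of EHR accounts mentioned under Control Activities, and the continuous monitoring that flags suspicious access as it happens. The access review reconciles every enabled EHR account against an HR roster; the monitoring pass reads access-log lines and flags after-hours access, access by accounts without an active HR record, and unusually broad record access in one day. The roster, log format, account names, business hours and volume threshold are all constructed for the example and are not taken from any real system.

```python
"""Added example: EHR user access review plus continuous access monitoring.

All data below is constructed for illustration. The log format (ISO timestamp,
account, action, medical record number, pipe-separated) and the thresholds are
assumptions, not a real EHR product's format or policy.
"""
from collections import defaultdict
from datetime import datetime

# Constructed HR roster: account -> (role, employment status).
HR_ROSTER = {
    "rn_alvarez": ("nurse", "active"),
    "dr_chen": ("physician", "active"),
    "bill_okafor": ("billing", "active"),
    "rn_patel": ("nurse", "terminated"),  # left the organization, account never disabled
}

# Constructed list of accounts the EHR currently allows to log in.
EHR_ENABLED_ACCOUNTS = {"rn_alvarez", "dr_chen", "bill_okafor", "rn_patel", "svc_legacy"}

# Constructed access log: one record view per line.
ACCESS_LOG = """\
2024-03-04T09:12:05|rn_alvarez|view|MRN-1001
2024-03-04T09:14:40|rn_alvarez|view|MRN-1002
2024-03-04T02:31:10|dr_chen|view|MRN-2001
2024-03-04T11:45:00|rn_patel|view|MRN-1003
2024-03-04T10:05:00|bill_okafor|view|MRN-3001
2024-03-04T10:06:00|bill_okafor|view|MRN-3002
2024-03-04T10:07:00|bill_okafor|view|MRN-3003
2024-03-04T10:08:00|bill_okafor|view|MRN-3004
2024-03-04T10:09:00|bill_okafor|view|MRN-3005
2024-03-04T10:10:00|bill_okafor|view|MRN-3006
"""


def access_review(roster, enabled_accounts):
    """Periodic control: every enabled EHR account must map to an active person
    in the HR roster. Returns (account, reason) pairs for the reviewer."""
    flagged = []
    for account in sorted(enabled_accounts):
        entry = roster.get(account)
        if entry is None:
            flagged.append((account, "no HR record"))
        elif entry[1] != "active":
            flagged.append((account, f"HR status {entry[1]}"))
    return flagged


def parse_log(log_text):
    """Parse the constructed pipe-separated log into dicts with a datetime."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, action, mrn = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "mrn": mrn})
    return events


def monitor_access(log_text, roster, business_hours=(7, 19), max_distinct_patients=5):
    """Ongoing monitoring: flag each event that is after hours or made by an
    account with no active HR status, then flag any user who touched more
    distinct records than the (assumed) daily threshold allows."""
    findings = []
    patients_by_user = defaultdict(set)
    for e in parse_log(log_text):
        status = roster.get(e["user"], (None, "unknown"))[1]
        if status != "active":
            findings.append((e["user"], e["mrn"], "inactive_user"))
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            findings.append((e["user"], e["mrn"], "after_hours"))
        patients_by_user[e["user"]].add(e["mrn"])
    for user, mrns in sorted(patients_by_user.items()):
        if len(mrns) > max_distinct_patients:
            findings.append((user, f"{len(mrns)} distinct records", "high_volume"))
    return findings


if __name__ == "__main__":
    for account, reason in access_review(HR_ROSTER, EHR_ENABLED_ACCOUNTS):
        print(f"ACCESS REVIEW  {account}: {reason}")
    for user, detail, reason in monitor_access(ACCESS_LOG, HR_ROSTER):
        print(f"MONITOR        {reason}: {user} ({detail})")
```

On the constructed data the review surfaces the terminated nurse's still-enabled account and an account with no HR owner at all, while the monitoring pass surfaces one after-hours access, one access by the terminated account, and one billing user whose distinct-record count exceeds the threshold. In a real deployment the roster would come from the HR system of record, the log from the EHR's audit export, and the thresholds from the risk assessment rather than from constants in the script.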
Building a Stronger Control Environment with ZenGRC
Using the COSO framework is a great start, but putting it into practice takes more than checklists or spreadsheets. Healthcare organizations need a way to manage, monitor, and update their controls regularly.
ZenGRC is a governance, risk, and compliance platform that makes it easier to run your internal control program. It helps you stay organized, track progress, and keep up with audits or changes in risk. Everything is in one place, from workflows to documentation, so your team can stay on top of what matters. With features like automated evidence collection and customizable dashboards, ZenGRC makes continuous improvement part of your process.