By: Dave Gruber, CPA
In familiarizing yourself with SOX and what your company needs to do to be compliant with SOX, there are two main documents that help drive this understanding – The Sarbanes-Oxley Act of 2002 and 2013 Internal Control – Integrated Framework.
The Sarbanes-Oxley Act of 2002 (SOX) was passed mainly to protect shareholders and the general public from accounting errors and fraudulent practices of a public company. Section 404 of SOX requires public companies to annually make an assessment of internal control over financial reporting. Section 404 also requires the company’s auditor to attest to the effectiveness of the company’s internal control over financial reporting.
The Committee of Sponsoring Organizations (COSO) published the 2013 Internal Control – Integrated Framework (The COSO Framework) which is an update of the original 1992 version. The COSO Framework is recognized as the leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control – basically providing a road map to compliance with SOX. An executive summary (which is a great overview of internal control and the necessary elements to achieve an effective internal control system) of The COSO Framework can be obtained for free on COSO’s website.
In the latest framework, COSO defines internal control as a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. Operations Objectives pertain to the effectiveness and efficiency of the entity’s operations, including operational and financial performance goals, and safeguarding assets against loss. Reporting Objectives pertain to internal and external financial and non-financial reporting and may encompass reliability, timeliness, transparency, or other terms as set forth by regulators, recognized standard setters, or the entity’s policies. Compliance Objectives pertain to adherence to laws and regulations to which the entity is subject.
The COSO Framework contains five components (Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities) of internal control necessary to meet internal control objectives. This framework also breaks down the five components into 17 principles representing the fundamental concepts associated with the components:
1.) Demonstrates a commitment to integrity and ethical values
2.) Exercises oversight responsibility
3.) Establishes structure, authority and responsibility
4.) Demonstrates commitment to competence
5.) Enforces accountability
6.) Specifies suitable objectives
7.) Identifies and analyzes risk
8.) Assesses fraud risk
9.) Identifies and analyzes significant change
10.) Selects and develops control activities
11.) Selects and develops general control activities over technology
12.) Deploys control activities through policies and procedures
Information and Communication:
13.) Uses relevant information
14.) Communicates internally
15.) Communicates externally
16.) Conducts ongoing and/or separate evaluations
17.) Evaluates and communicates deficiencies
The COSO Framework mandates that all of the above 5 components and the related 17 principles must be present and functioning in order for management to conclude that internal control over financial reporting is effective.
To set up an effective set of internal controls, an entity should properly design and document internal controls, mapping these controls to the COSO components and principles outlined above. Once documented, the entity should perform detailed tests of the controls, evaluate test results (remediate testing exceptions where applicable), and make a final assessment of the effectiveness of the controls. In short, utilizing The COSO Framework as a guide provides the right path to SOX compliance.
Contact Holbrook & Manter today for more information regarding SOX Compliance. We would be happy to assist you.