The most contentious aspect of SOX is Section 404, which requires management
and the external auditor to report on the adequacy of the company's internal
control over financial reporting (ICFR). This is the most costly (and,
therefore, most important) aspect of the legislation for companies to
implement, as documenting and testing important financial manual and
automated controls requires enormous effort.
Both management and the external auditor are responsible for performing
their assessment in the context of a top-down risk assessment, which
requires management to base both the scope of its assessment and the
evidence gathered on risk. Both the Public Company Accounting Oversight
Board (PCAOB) and the Securities and Exchange Commission (SEC) recently
issued guidance on this topic to help alleviate the significant costs of
compliance and better focus the assessment on the most critical risk areas.
The SEC identifies the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) framework by name as a methodology for achieving
compliance. According to the COSO framework, internal control consists of
five interrelated components. These components provide an effective
framework for describing and analyzing the internal control system
implemented in an organization. The five components are the following:
Control environment:
The control environment sets the tone of an organization, influencing the
control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure. Control
environment factors include integrity, ethical values, management's
operating style, systems for delegating authority, and the processes for
managing and developing people in the organization.
Risk assessment:
Every entity faces a variety of risks from external and internal sources
that must be assessed. A precondition to risk assessment is the
establishment of objectives; risk assessment is therefore the identification
and analysis of relevant risks to the achievement of assigned objectives.
Risk assessment is a prerequisite for determining how the risks should be
managed.
Control activities:
Control activities are the policies and procedures that help ensure
management directives are carried out. They help ensure that necessary
actions are taken to address risks to achievement of the entity's
objectives. Control activities occur throughout the organization, at all
levels and in all functions. They include a range of activities as diverse
as approvals, authorizations, verifications, reconciliations, reviews of
operating performance, security of assets and segregation of duties.
Information and communication:
Information systems play a key role in internal control systems, as they
produce reports, including operational, financial and compliance-related
information, that make it possible to run and control the business. In a
broader sense, effective communication must ensure information flows down,
across and up the organization. Effective communication should also be
ensured with external parties, such as customers, suppliers, regulators and
shareholders.
Monitoring:
Internal control systems need to be monitored—a process that assesses the
quality of the system's performance over time. This is accomplished through
ongoing monitoring activities or separate evaluations. Internal control
deficiencies detected through these monitoring activities should be reported
upstream and corrective actions should be taken to ensure continuous
improvement of the system.