Internal control is a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of 3 objectives categories:
(1) Effectiveness and efficiency of operations,
(2) Reliability of financial reporting, and
(3) Compliance with applicable laws and regulations.
Organizations achieve these 3 objectives categories through 5 interrelated components of internal control:
(1) Control Environment (tone of organization or ethical environment)
(2) Risk Assessment (identify risks in achieving objectives)
(3) Control Activities (policies and procedures to ensure risks addressed)
(4) Information and Communication (pertinent info flows throughout the organization)
(5) Monitoring (of internal control system)
SOX Act updates to SEC rules pertaining to issuer’s internal controls
Sextion 302 Corporate Responsibility for Financial Reports (a)
(4) “the signing officers are (A) responsible for establishing and maintaining internal controls; (B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared; (C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and (D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
(5) the signing officers have disclosed to the issuer’s auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function) (A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer’s ability to record, process, summarize, and report financial data and have identified for the issuer’s auditors any material weaknesses in internal controls; and (B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer’s internal controls; and
(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including corrective actions with regard to significant deficiencies and material weaknesses.”
Section 404 Management Assessment of Internal Controls
(a) (1) “the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) Internal Control Evaluation and Reporting – With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the [Public Company Accounting Oversight] Board.”
SEC Final Rule, Management’s Report on Internal Control over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports
“We have modified the final requirements to specify that management must base its evaluation of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment.
The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management’s annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States, and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors.”
Updates to auditor standards pertaining to internal controls:
The Public Company Accounting Oversight Board (PCAOB)’s Auditing Standard No. 5 (AS5), approved by the SEC on 7/25/07, and which supersedes AS2, “establishes requirements and provides direction that applies when an auditor is engaged to perform an audit of management’s assessment of the effectiveness of internal control over financial reporting that is integrated with an audit of financial statements.”
AS5 Introduction states “the auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company’s internal control over financial reporting.” SEC rules require management to base its evaluation of the effectiveness of the company’s internal control over financial reporting on a suitable, recognized control framework (also known as control criteria)…for example, the COSO report…[or] the Turnbull Report [published by the Institute of Chartered Accountants in England & Wales] [or the Guidance on Assessing Control published by the Canadian Institute of Chartered Accountants].
[Established in 1998, the IT Governance Institute’s Control Objectives of Information and Related Technology (COBIT) is also used by many companies as a framework supporting IT SOX 404 efforts.]