The Sarbanes-Oxley Act of 2002 mandates that the management of a public company evaluate the effectiveness of its system of internal control over financial reporting. Specifically, section 404 of the Sarbanes-Oxley Act requires management to include statements in its annual report declaring that:
1- “Management is solely responsible for the establishment and maintenance of a solid system of internal control” and
2- “Management’s assessment of the effectiveness of its internal control system”
Under section 404, the auditors of a public company are required to attest to, and report on, the internal control system. Internal control is defined as the process designed to provide reasonable assurance that an entity's objectives are achieved. An entity's main objectives fall into three categories:
- Reliability of financial reporting
- Effectiveness and efficiency of operations
- Compliance with applicable laws and regulations
External parties rely on an entity's financial statements to make decisions about investments or creditworthiness. Therefore an entity's top priority is producing reliable financial statements that conform to the applicable financial reporting standards (GAAP or IFRS). Implementing a proper system of internal controls allows an entity to generate accurate financial statements.
The effectiveness and efficiency of an entity's operations relate to both financial and non-financial operations. A proper system of internal controls allows an entity to operate effectively and efficiently.
Compliance with applicable laws and regulations means that an entity follows all the laws that apply to it, such as labor laws, OSHA regulations, etc.
The Committee of Sponsoring Organizations (COSO) is an independent association established to analyze and assess the factors that contribute to an effective internal control model for an organization. It developed the Internal Control Integrated Framework, which gives an organization a guide on how to implement a proper internal control system.
A well-established system of internal controls requires five interrelated components that form the foundation of a well-built system. All five components complement one another and together provide a more efficient and effective system of internal controls.
The first component is referred to as the control environment. It is the most important component required to establish a successful system of internal controls. It holds that an entity should start with a top-down approach to applying strong internal controls. The control environment consists of the standards, processes and structures that allow an organization to establish internal controls throughout the organization. There are five principles relevant to an organization's control environment:
1st Principle: “The organization demonstrates a commitment to integrity and ethical values.” It is imperative for an organization’s top executives to promote integrity, honesty, and strong ethical values by example. There should be consequences, such as suspension, probation or immediate termination, for employees and members of senior management who violate rules or show signs of unethical behavior. Senior management and top executives should enforce these principles so that the penalties for any deviation from ethical conduct are clear.
2nd Principle: “The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control”. The board of directors should be independent from the organization it oversees. Officers of an organization can sit on the board; however, it is expected that the majority of the board consist of non-officers. In order to exercise clear objectivity, the board needs to distance itself from the role of an officer so that it can make critical judgments and decisions on how to meet organizational goals. This objectivity allows the board of directors to properly oversee the officers and their implementation of internal controls.
3rd Principle: “Management establishes with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives”. It is up to management to develop organizational charts that show clear lines of authority and responsibility at each level of the organization. The organizational charts should show distinct levels between senior management, middle management and lower-level personnel. Management is responsible for assigning duties appropriately and for keeping custodial duties segregated from other duties among personnel. These duties should not be commingled in the same person.
4th Principle: “The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives”. It is extremely important that the board of directors show objectivity by evaluating officers periodically to ensure they are competent to manage at a high level. This principle also applies to the human resources department, which gives employees the opportunity to be mentored, trained and professionally developed so that they continue to benefit the organization.
5th Principle: “The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives”. This principle relates to the first principle. There should be consequences and procedures in place for employees who display unethical behavior. Top executives, management personnel and employees must all be held accountable. To promote proper ethical behavior, management should consider both financial and non-financial goals before offering rewards and bonuses.
The second component is referred to as risk assessment. This component focuses on the risks that an entity will fail to achieve its objectives. There are four principles relevant to risk assessment:
1st Principle: “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives”. This principle relates to an organization distinguishing the different types of risks that prevent it from achieving its three main objectives.
2nd Principle: “The organization identifies risks to the achievement of its objectives across the entity and analyzes risk as a basis for determining how the risks should be managed”. An organization must carefully analyze the risks of not achieving its objectives and plan alternatives in the event that it cannot avoid those risks.
3rd Principle: “The organization considers the potential for fraud in assessing risks to the achievement of objectives”. Management needs to consider the pressure, the opportunity for benefit, and the rationalization behind fraudulent behavior. Fraud is committed when all three of those elements come together. Management should consider the potential for embezzlement, theft of assets and alteration of the entity’s financial reporting records by any employee.
4th Principle: “The organization identifies and assesses changes that could significantly impact the system of internal control.” This principle emphasizes that an organization’s internal control system should be capable of withstanding any significant change to its business model, internal environment, and leadership structure.
The third component of internal control is control activities. These are the procedures and policies that allow management’s directives to be carried out so the organization can mitigate risk and achieve its objectives. There are three principles relevant to this component.
1st Principle: “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.” It is management’s responsibility to determine which business processes require the most extensive control activities and to enforce them. Control activities can be broken down into types such as preventive controls, detective controls, and compliance controls. Preventive controls are designed to stop a fraudulent activity from occurring. Detective controls are in place so that if internal controls are breached, the entity has the means to detect the breach and identify who was responsible. Compliance controls are designed to ensure that an organization always abides by the laws and rules of its regulatory agencies. Lastly, there should be an emphasis on the segregation of incompatible duties: authorizing, recordkeeping, and custodial duties should be assigned to different personnel.
2nd Principle: “The organization selects and develops general control activities over technology to support the achievement of objectives.” This principle applies to the information systems department of an organization. An organization should select an information system designed to ensure the completeness, accuracy, availability and integrity of its financial data. The information system must be capable of restricting access by department and by individual. In particular, payroll information and data should be kept private and secure from other departments in the organization.
3rd Principle: “The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.” There should be policies and procedures that allow for an organization to implement proper control activities over the daily business operations. These policies and procedures should be reviewed consistently to ensure they remain current and effective. The organization should make sure employees who perform control activity procedures are competent and have sufficient authority.
The fourth component of internal control is information and communication. It is important that an organization have a proper system in place that allows it to carry out the internal control responsibilities that support its objectives. This component refers to information being communicated both internally and externally among various groups. There are three principles associated with this component.
1st Principle: “The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.” This principle relates to an organization’s use of its information system. The information system should capture data from internal and external sources and process and transform the relevant data into information. This information should be timely, current, accurate, complete, accessible, protected, verifiable, and retainable for further analysis.
2nd Principle: “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control”. This principle concerns proper communication between management and the board of directors regarding the fulfillment of their objectives and responsibilities in implementing a strong system of internal controls.
3rd Principle: “The organization communicates with external parties regarding matters affecting the functioning of internal control.” Communication under this principle means communication with external parties (shareholders, partners, financial analysts, etc.). Information should be relevant and timely, and it should be communicated to the board of directors so that any deficiencies in internal control can be corrected. Referring to the first component, second principle, the board of directors should be "independent from the organization it oversees", and hence it is considered an "external party".
The fifth and final component of internal control is monitoring. This component emphasizes that an organization consistently evaluate the performance of its internal control system to ensure it is effective and efficient and allows the organization to achieve its three main objectives. There are two principles relevant to this component.
1st Principle: “The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” An organization should consider changes in its business structure and processes over the course of its life that may negatively impact its internal control system. Therefore it is necessary to perform both ongoing and separate evaluations of the internal control system. These evaluations should be performed periodically to remain objective and to support any changes needed in the organization's internal control system.
2nd Principle: “The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” This principle means that internal auditors should report any and all internal control deficiencies to the board of directors without obstruction. This preserves objectivity and allows internal control issues to be resolved and corrected. This principle relates back to most of the information and communication principles.
This is a breakdown of COSO's integrated framework for internal control. The framework is intended for larger organizations; however, it can be adapted and shaped for smaller organizations with limited capital resources and personnel. Auditors need a strong understanding of internal controls during the course of an audit. It is imperative for both internal and external auditors to have a strong background in the establishment of internal controls and their relevance to the Sarbanes-Oxley Act of 2002.