Creating internal controls over financial reporting (ICFR) is mandated under the Sarbanes-Oxley Act (SOX). SOX internal controls provide important insights into the accuracy and presentation of a company’s financial position while serving as a valuable risk management tool.
The Purpose of SOX and Who is Required to Follow the Standards
Section 404 of the Sarbanes-Oxley Act requires publicly traded companies to establish, assess, and report on the design and operational effectiveness of its internal controls over financial reporting.
The objective of SOX is to protect investors by improving the accuracy and reliability of an organization’s financial position and disclosures. Accuracy and reliability are vital to protect investors and other stakeholders from the risk of loss due to reporting errors or fraud. Errors and fraud may occur if a company does not have adequate policies and procedures over how financial data is recorded, processed, generated, and reported.
Although mandatory for companies publicly traded in the United States, SOX requirements are often followed by private companies that plan to become public (or to be acquired) in the near future, as well as private companies interested in demonstrating strong governance practices to external stakeholders.
Developing Effective SOX Internal Controls
It’s important for companies to distinguish their SOX internal controls from other control procedures, including those designed to improve operational efficiency. These controls typically fall outside the scope of an ICFR review under SOX Section 404. The focus of SOX internal controls is on the risk of financial misstatement.
Identifying and Assessing Risk
In order to properly manage the risk of financial misstatement, management teams need to adequately identify risks faced by the organization. This is accomplished through a review of the company’s financial statements and significant transactional flows, while considering the people, processes, and systems involved in each. As management and auditors understand the company’s processes, the identification of financial misstatement risks will be defined.
With an understanding of risk, management will perform procedures to identify and assess the risks of material misstatement to the financial statements, whether due to fraud or error. Risks defined as being more significant will be the drivers for where SOX internal control activities are required.
When management and their external auditors have a common understanding of the company’s processes and financial misstatement risks, the next step is to use an agreed-upon system or framework to define control objectives and organize control activities. Together with its external auditors, management will design a risk-based approach to its internal controls, SOX compliance, and the scope of its financial statement audit.
The best approach for developing an organization’s SOX compliance program is the COSO Framework. The COSO Framework provides organizations with principles-based guidance for designing and implementing effective internal controls. While the COSO Framework is generally accepted, there are other control frameworks a company may adopt. However, the COSO framework provides components, principles, and points of focus that are commonly accepted by auditors.
The COSO framework is built around interconnected components that include:
- Control environment: Standards and processes for the company’s internal controls.
- Risk assessment: How the company identifies organizational risk.
- Control activities: Risk mitigation tactics including reconciliations, approvals and segregation of duties.
- Information and communication: How the organization communicates objectives and responsibilities for internal controls.
- Monitoring: Understanding how your internal controls are performing over time.
Beyond the COSO Framework, external auditors will likely use the top-down approach recommended by the Public Company Accounting Oversight Board (PCAOB) to select controls for testing. This approach starts at the financial statement level and the auditor’s understanding of the organization’s overall ICFR risks.
The auditor then focuses on entity-level controls and works down to significant accounts and disclosures and relevant assertions, before selecting controls for testing that address the more significant risks of financial misstatement.
This will typically be achieved by reviewing samples of transactions to verify amounts are being recorded accurately. If, for example, the auditor’s testing provides reasonable assurance that revenue transactions are reported reliably, the company can assume its controls are performing as designed and, in turn, the risk is low that its financial statements are materially inaccurate.
These procedures help companies and auditors provide investors with assurance that the company’s financial statements have been reviewed, the reported amounts are correct, and the statement provides an accurate report on the company’s financial performance and balance sheet at the close of the reporting period.
Need Help Establishing Your Internal Controls?
If your company needs assistance with implementing effective SOX internal controls, reach out to our team of audit professionals who can support you throughout the process.