Internal ControlIntroductionAs a result of the recent scandals of companies such as Enron and WorldCom, the Sarbanes-Oxley Act (SOX) was enacted to preemptively curb fraudulent financial reporting. SOX has strengthened requirements of both internal controls and procedures for financial reporting. For example, one major change requires the CEO and CFO of publicly traded companies to personally validate an auditor’s report for reliability and transparency.1 Internal control is a process where a common goal is achieved by management and personnel to ensure safe guarding assets, as well as attainment of realistic objectives such as operation, reporting and compliance.2 The following presents an overview of internal controls, a real-world example of internal controls in action, and a synopsis of monitoring, perhaps the most critical part of a strong internal control system.
The Role of Financial Reporting The SOX Act is a real-world example of a real-world requirement. It allows public disclosures of information about financial activities only to satisfy a “business or financial interest requirement,” the requirement that is designed with the purpose of protecting information and the disclosure of information to an external entity, i.e., a financial reporting agency. It also provides information about “financial conditions and disclosures” provided by a “professional,” i.e., a financial management services company.3 While financial reporting, as defined by the statute, should be limited to certain types of businesses and to be conducted exclusively by a business or a financial manager, any other information that is not prohibited by the statute is a non-business, non-financial reporting agency’s non-business records. In other words, it is not an unregulated financial reporting agency’s ability to serve as the primary source of non-profit information about the financial situation or the financial conditions of a business. This has its origin in the Internal Revenue Code of 1986 (the first version) which gives a general general license to a reporting agency, which is generally defined as an independent reporting agency that “is subject to the jurisdiction of the Federal Trade Commission and other federal agencies without regard to its role as the intermediary” to the reporting agency under Title 15, Chapter 9 of the Sarbanes-Oxley Act (the “SOX Law”). Because the SOX Law is in force today, it becomes highly specialized and subject to broad and evolving requirements. Each of the nine companies involved with implementing the SOX Act has its own distinct regulatory framework governing its own internal procedures. While the new SOX law addresses different elements of the business and is being implemented by one or more of the nine parties involved, as it applies to both the reporting and business records of all entities, it also allows for changes as the required new requirements progress. For example, as a result of the restructuring of Equities Group, the company that had been the primary beneficiary of most of the credit rating changes since December 30, 2012 has been reassigned to a different financial reporting agency. One or more of the nine parties has not decided how to make that decision as a result of their ongoing review of the law, so neither are the parties permitted to make a final decision yet. When the agency decides to issue a final waiver of any of the changes, it then determines whether the new rules have met its criteria and must adjust its standards to provide greater transparency. The final determination by that agency that compliance with the rules has been achieved constitutes a notice of compliance to financial reporting authorities or the Department of Justice. This has been the focus of considerable debate in the past, as we highlighted in section A.1. The new SOX law, as it applies to both reporting and auditing, has been developed on a number of assumptions and, although both parties are able to address the latter, are not fully fully satisfied with the details at this time. One key question in this analysis is whether or not the changes have been sufficiently responsive to the broader needs of the financial reporting system. In particular, as of 2012 and as of this writing, there are a number of pending proposals, either in Congress or as Senate resolutions, that might be subject to additional procedural hurdles. In addition, many of these proposals are being evaluated in the coming weeks and their status as considered by the Federal Trade Commission is being debated on pending or final resolution of any committee or committee. A more recent example could be a proposal from one or more of these nine parties. The
The Role of Financial Reporting The SOX Act is a real-world example of a real-world requirement. It allows public disclosures of information about financial activities only to satisfy a “business or financial interest requirement,” the requirement that is designed with the purpose of protecting information and the disclosure of information to an external entity, i.e., a financial reporting agency. It also provides information about “financial conditions and disclosures” provided by a “professional,” i.e., a financial management services company.3 While financial reporting, as defined by the statute, should be limited to certain types of businesses and to be conducted exclusively by a business or a financial manager, any other information that is not prohibited by the statute is a non-business, non-financial reporting agency’s non-business records. In other words, it is not an unregulated financial reporting agency’s ability to serve as the primary source of non-profit information about the financial situation or the financial conditions of a business. This has its origin in the Internal Revenue Code of 1986 (the first version) which gives a general general license to a reporting agency, which is generally defined as an independent reporting agency that “is subject to the jurisdiction of the Federal Trade Commission and other federal agencies without regard to its role as the intermediary” to the reporting agency under Title 15, Chapter 9 of the Sarbanes-Oxley Act (the “SOX Law”). Because the SOX Law is in force today, it becomes highly specialized and subject to broad and evolving requirements. Each of the nine companies involved with implementing the SOX Act has its own distinct regulatory framework governing its own internal procedures. While the new SOX law addresses different elements of the business and is being implemented by one or more of the nine parties involved, as it applies to both the reporting and business records of all entities, it also allows for changes as the required new requirements progress. For example, as a result of the restructuring of Equities Group, the company that had been the primary beneficiary of most of the credit rating changes since December 30, 2012 has been reassigned to a different financial reporting agency. One or more of the nine parties has not decided how to make that decision as a result of their ongoing review of the law, so neither are the parties permitted to make a final decision yet. When the agency decides to issue a final waiver of any of the changes, it then determines whether the new rules have met its criteria and must adjust its standards to provide greater transparency. The final determination by that agency that compliance with the rules has been achieved constitutes a notice of compliance to financial reporting authorities or the Department of Justice. This has been the focus of considerable debate in the past, as we highlighted in section A.1. The new SOX law, as it applies to both reporting and auditing, has been developed on a number of assumptions and, although both parties are able to address the latter, are not fully fully satisfied with the details at this time. One key question in this analysis is whether or not the changes have been sufficiently responsive to the broader needs of the financial reporting system. In particular, as of 2012 and as of this writing, there are a number of pending proposals, either in Congress or as Senate resolutions, that might be subject to additional procedural hurdles. In addition, many of these proposals are being evaluated in the coming weeks and their status as considered by the Federal Trade Commission is being debated on pending or final resolution of any committee or committee. A more recent example could be a proposal from one or more of these nine parties. The
The Committee of Sponsoring Organizations (COSO) provides a framework in which to analyze a firm’s internal controls. Below are the five interrelated components of this framework:
Control environment- The top management is responsible for setting standards, processes, structure and accountability of the organization, resulting in the establishment of the control environment. Constituents of control environment are value and integrity, philosophy of management.
Risk assessment- The management’s ability to minimize risk by identifying, evaluating, managing and handling risk by establishing objectives, and linking all levels of organization.
Control activities- Activities that are either manual or automated and applied to help minimize or prevent specific risks faced by the organization. These activities are carried out at all levels with varying degrees. Examples of control activities include segregation of responsibilities, human resources control, physical control, documentation procedures, establishment of responsibilities and independent internal verification.
Information and communications- The management’s responsibility to gather relevant and quality information from external and internal resources in order to communicate necessary information to the organization and to the external parties. The effective communication requires timeliness, and relaying appropriate information to the effective personnel.
Monitoring- The management reviews organization activities periodically to evaluate whether all five internal controls are effective and functioning according to organization mission and objectives resulting in efficient internal control.
Internal control is most effective when all five components are woven together and work simultaneously. The use of internal controls is not limited to publicly held companies. Below is an application of the COSO internal control framework to a government program.
Naval Reactors ExampleNaval