Internal Controls For 404


"Internal Control" is a phrase exercising the mind of every executive, finance officer and auditor of an American publicly listed company. It is hot. What is an internal control then?

Not only American companies are affected: any European or Asian company that lists in the US or has American shareholders is affected too.

The reason that internal control is hot is the Sarbanes-Oxley Act of 2002 (SOX).

The target of Sarbanes-Oxley is financial reporting. Before the act, it was enough to present financial results to the investment community and regulators, in particular the Securities and Exchange Commission (SEC). As long as the results were transparent, fair and backed up with relevant information to make them readable, that was sufficient.

Sarbanes-Oxley places an additional load on the financial reports. The company has to evaluate and analyze the processes used to produce the report. Executives and the auditors then have to attest in the annual report that the controls and processes are of sufficient quality.

The requirements to evaluate and attest to the quality of a firm's internal controls are laid down in the now famous Section 404.

Companies have found evaluating all the processes and controls contributing to financial reporting an onerous task. Certain European blue chips have voiced concerns, to the extent of hinting that they may even delist from the New York Stock Exchange (NYSE).

It should be noted that Sarbanes-Oxley only requires companies and auditors to evaluate and analyse internal controls covering financial reporting.

The term "internal control over financial reporting", as used in the Sarbanes-Oxley environment, is defined by the SEC:

...process designed by, or under the supervision of, the issuer's principal executive and principal financial officers or, persons performing similar functions, and effected by the issuer's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.

The definition then includes processes for records maintenance, recording of transactions and ensuring acquisition and disposal of assets are correctly conducted.

The SEC view is itself derived from another organisation. The Treadway Commission, or to give it its formal name, the National Commission on Fraudulent Reporting, was formed to study and report on the causal factors that lead to fraudulent financial reporting.

A committee, the Committee Of Sponsoring Organizations (COSO), was formed to sponsor the Treadway Commission.

Internal Control - Integrated Framework was published by COSO in 1992. Tools for evaluating controls were also included with the framework.

COSO defines an Internal Control as a process, not an outcome. Whilst these might be very close, they are exclusive. An undesirable outcome may be indicative of a bad process but that is not necessarily always the case.

Five components of an internal control are listed by COSO.

Control Environment: An appropriate "tone at the top" must be set by senior management. This tone has to positively influence the control consciousness of other personnel.

Risk Assessment: The organisation must be aware of the risks it faces. Objectives must be set and integrated through all value chain activities, so that the organisation is acting in concert. Identification and analysis of the risks to achieving those objectives must ensue. Methods of managing the risks are then developed.

Control Activities: Control policies and procedures are established and executed to ensure risk management actions are carried out.

Information and Communications: These surround the control activities. Information needed to manage and control operations is collected through these systems. They include the accounting system.

Monitoring: The entire process has to be monitored and, if necessary, modifications made.

The five components may look fairly hierarchical. However, the COSO framework explicitly makes it clear that they are very closely interrelated. When checking or testing internal controls, an integrated and holistic view should be taken.

The framework of internal controls is not a bolt-on to a company's operations. Instead it should be an integral part of its business.

According to COSO, an internal control has no intrinsic value. It only has value to the extent it enables the organisation to meet its objectives.

Lastly, COSO is not a one-size-fits-all framework. Indeed, it acknowledges that organisations will make their own decisions on how to implement controls. Further, it acknowledges that over time, after monitoring, they will have to change.

The next article will attempt to put some of these points in the context of the current WorldCom trial.
