
Testing Entity-Level Controls


The Control Environment is a central concept for internal control as it sets the "tone at the top" according to COSO. The big question is how to ensure section 404 compliance.

Section 404 of the Sarbanes-Oxley Act centres on management assertions on the effectiveness of internal controls.

One of the control elements in the COSO Framework (Committee Of Sponsoring Organizations of the Treadway Commission), the Control Environment should positively influence the control consciousness of the company's personnel.

COSO makes it clear that through the control environment, management must set the "tone at the top". Thus the element is seen as the foundation of all internal controls.

Sarbanes-Oxley is obviously concerned with the control environment, particularly as at least one of the debacles that brought it into being, WorldCom and Enron, centred on management mandating fraudulent and misleading accounting practices.

A very important element of control from all viewpoints then. One small snag though. Neither SOX nor COSO gives much guidance on how to measure its effectiveness.

COSO makes great play of integrity and ethical values. Excellent ideas to promote, no doubt. However, they can be extremely nebulous and vague.

The easy part is to identify the controls. For example, these include having a code of conduct or ensuring staff have training on internal controls.

How to measure effectiveness is more difficult. COSO has a great deal to say on internal controls. What it omits is the actual measurement of their effectiveness.

The most important item concerns how the control is implemented in practice rather than written policies and procedures.

Internal controls in the control environment are probably the most difficult to measure.

The foundation of internal control is in the control environment. Discipline and structure come from management's commitment to ethics and integrity.

Ethics or conduct cannot be measured in the same way as baseball or cricket. Other internal controls, such as confirming cheque processing procedures and policies, can be quantified and followed.

One method is to use an "Internal Control Reliability model".

Such models are typically based on models such as the Capability Maturity Model (CMM). CoBIT also produces a similar framework.

The levels range from initial to optimized. At the highest level, management makes a real commitment with resources to continuous improvement of internal controls.

We must not forget the reason for analyzing the effectiveness of internal control: to determine whether controls are capable of reducing to an acceptable level the risk that material misstatements to the financial statements will go undetected.
