After the accounting scandals of companies such as Waste Management, Enron, WorldCom, and Tyco International, congress passed the Sarbanes-Oxley Act. This law, written in 2002, initiated the most extensive corporate government reforms since the 1930’s, when President Franklin Delano Roosevelt enacted the New Deal. SOX instituted new duties regarding “internal control structure,” which pertain to both managing agents and auditors. The two main sections which address these internal controls are sections 302 and 404.
Requirements of SOX Sections 302 and 404
According to Section 302, any corporate officer who signs periodic financial reports (e.g. quarterly, semi-annual, or annual reports) must also certify that they have evaluated internal controls within the last 90 days, have reported their findings, and that they are responsible for the internal controls of their company. In the report, officers are required to list any deficiencies in, significant changes to, and factors which may negatively affect those controls.
Section 404 requires similar accountability measures, yet it is directed specifically to the business entity and its auditors. The reporting business must publish information about the scope of its internal control, including its adequacy and effectiveness, and the auditors must submit reports assessing and verifying the internal control of the business entity. These two sections work together to prevent false reporting and reduce the occurrence of corporate malfeasance.
Defining Internal Controls
Defining internal control is trickier than it sounds. Even SOX itself does not directly define “internal control,” despite its common usage throughout the legal document. Fortunately, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides the following definition: “A process…designed to provide reasonable assurance regarding…the effectiveness and efficiency of operations, reliability of financial reporting, [and] compliance with applicable laws and regulations.”
So, while “internal control” can mean different things to different people, and these varying interpretations may lead to miscommunication between corporations and legislators, the commonly accepted interpretation is that “internal control” refers to a process which provides such reasonable assurance of the security and stability of the company. These assurances are often broken into five interrelated components.
- Control Environment: Control environment refers to the structuring, ethical values, and general operating style of the company.
- Risk Assessment: As every company faces potential risks in the market, companies must take proper precautions to avoid those risks. Risk assessment as a component of internal control refers to a company’s efforts to understand and mitigate potential risks inherent in their business model and transactions with other entities.
- Control Activities: Control activities are defined as “policies and procedures that help ensure management directives are carried out.” Such activities might include policies regarding approvals, authorizations, verifications, reviews of operating performances, and many other things.
- Information and Communication: Information must adequately be stored, communicated, and then reported. Properly communicating information, both internally generated and information about external entities, is crucial to maintaining control and transparency.
- Monitoring: The fifth and final component of this process is that of monitoring. Companies should implement monitoring activities which report on the efficacy of the program for the company and allow the company to adjust and improve their compliance.
Through the implementation of these five steps in the process of internal controls, a company complies with SOX Sections 302 and 404. Exactly how a company decides to do this is up to the individual company, though some methods are easier than others. Using contract management software can simplify the internal controls process and increase a company’s compliance with SOX regulations, specifically with with components #3 and #4.
5-2-2016 | by Ben Fleshman