Sarbanes-Oxley (SOX) Section 404 requires management at publicly traded companies to select an internal control framework and then assess and report on the design and operating effectiveness of their internal controls annually. The majority of public companies have adopted the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control–Integrated Framework (Framework).
While SOX may not apply to your government, the Framework is a best practice in design of internal controls, and following it would be good for your entity.
Three factors within COSO’s Internal Control–Integrated Framework make it easier to design and evaluate the effectiveness of internal control:
- Inclusion of internal control principles. Seventeen principles explain concepts associated with the five internal control components. Each of the five components of internal control and relevant principles must be present and functioning.
- Consideration of operational changes. The framework includes guidance for assessing risk and updating related controls that consider how operations may have changed, particularly through outsourcing of processes and reliance on information technology.
- Beyond financial reporting. Objectives are expanded beyond financial reporting, to include internal and non-financial external reporting.
The overall COSO Framework has not changed. It states that an effective control structure is designed to address the following three objectives:
- A. Operations – effective and efficient use of resources
- B. Reporting – reliability of reporting
- C. Compliance – compliance with applicable laws and regulations
These objectives are met within the Framework through five components and seventeen principles as shown in the following table.
The seventeen COSO principles, grouped by component, are:

| Control environment | Risk assessment | Control activities | Information and communication | Monitoring |
|---|---|---|---|---|
| 1. Demonstrates commitment to integrity and ethical values | 6. Specifies suitable objectives | 10. Selects and develops | 13. Uses relevant information | 16. Conducts ongoing and/or separate evaluations |
| 2. Exercises oversight responsibility | 7. Identifies and analyzes risk | 11. Selects and develops general controls over technology | 14. Communicates internally | 17. Evaluates and communicates deficiencies |
| 3. Establishes structure, authority, and responsibility | 8. Assesses fraud risk | 12. Deploys through policies and procedures | 15. Communicates externally | |
| 4. Demonstrates commitment to competence | 9. Identifies and analyzes significant change | | | |
| 5. Enforces accountability | | | | |
Fundamental concepts remain similar to the 1992 original, but the updated Framework released in 2013 also includes points of focus describing the characteristics that underlie each principle. Management can use the points to design, implement, and evaluate internal controls. The points also help assess if relevant principles are present and functioning. The framework also explicitly considers potential sources of fraud when assessing risks to the achievement of an organization’s objectives. These sources include management override, safeguarding of assets, incentives, pressures, and opportunities for inappropriate acts, as well as attitudes and rationalizations that may justify these acts.
Many organizations that are not subject to SOX compliance have adopted the COSO Framework. Whether you choose to adopt the Framework or not, the components and principles shared above provide a solid overview of the entity-wide controls an organization should have in place. It is important for your government to review its control environment to confirm that proper controls exist to support effective and efficient operations, reliable reporting and compliance, and governance oversight, and that the control environment supports the achievement of the government’s mission and strategy.
For more information on this topic, or to learn how Baker Tilly state and local government specialists can help, contact our team.