Sarbanes-Oxley (SOX) Section 404 requires management at publicly traded companies to select an internal control framework and then assess and report on the design and operating effectiveness of their internal controls annually. The majority of public companies have adopted the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control–Integrated Framework (Framework).
While SOX may not apply to your government, the Framework is a best practice in design of internal controls, and following it would be good for your entity.
Three factors within COSO’s Internal Control–Integrated Framework make it easier to design and evaluate the effectiveness of internal control:
The overall COSO Framework has not changed. It states that an effective control structure is designed to address three objectives: operations, reporting, and compliance.
These objectives are met within the Framework through five components and seventeen principles as shown in the following table.
There are seventeen COSO principles, grouped by component:

Control environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority, and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Risk assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

Control activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

Information and communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally

Monitoring activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Fundamental concepts remain similar to the 1992 original, but the updated Framework released in 2013 also includes points of focus describing the characteristics that underlie each principle. Management can use the points to design, implement, and evaluate internal controls, and to assess whether the relevant principles are present and functioning. The Framework also explicitly considers potential sources of fraud when assessing risks to the achievement of an organization’s objectives. These sources include management override, safeguarding of assets, incentives, pressures, and opportunities for inappropriate acts, as well as attitudes and rationalizations that may justify those acts.
Many organizations that are not subject to SOX have adopted the COSO Framework. Whether or not you choose to adopt the Framework, the components and principles above provide a solid overview of the entity-wide controls an organization should have in place. Your government should review its control environment to confirm that controls support effective and efficient operations, proper reporting and compliance, and governance oversight, and that the control environment supports the achievement of the government’s mission and strategy.
For more information on this topic, or to learn how Baker Tilly state and local government specialists can help, contact our team.