Section 404 of the Sarbanes-Oxley Act of 2002 required the SEC to adopt rules that required each regulated company’s management to present an internal control report in the company’s annual report which must:
“(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”
In addition, section 302 of the Sarbanes-Oxley Act of 2002 expressly states that the signing officers:
“(A) are responsible for establishing and maintaining internal controls;
(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and
(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date…”
With the term ‘signing officers’ defined as;
” the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions.”
Complying with actions that these two sections require collectively can be costly and extremely resource intensive. Companies generally adopt a framework such as COSO as a guideline to aid in compliance.
Centralizing and automating financial reporting systems can greatly reduce resources needed for section 404 compliance, however, SOX 404 attestation also requires confidence in the IT systems that house, move, and transform data. The COBIT (Control Objectives for Information and related Technology) framework is utilized by many companies to ensure compliance in this aspect as well.
The current standard for control auditing, Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 for Public Accounting Firms, adopted on July 25, 2007, together with SEC Interpretive Guidance a complementary guide aimed at assisting management, (adopted June 27, 2007) provide guidelines for performing the assessment in the context of a top-down risk assessment.
The SEC has expressed very clear opinions about internal controls:
- Excerpt from Final Rule: Management’s Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports.
- SEC Chairman Comments on Compliance
- Why you need both an Accounting and an IT framework