Page 190 - COSO Guidance Book

SOX Section 404



            Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) required the SEC to establish rules requiring that
            each registrant’s annual report contain an internal control report stating management’s

            1.  responsibilities for establishing and maintaining an adequate internal control structure and
               procedures for financial reporting; and
            2.  assessment, as of the end of the company’s most recent fiscal year, of the effectiveness of the
               company’s internal control structures and procedures for financial reporting.

            A question arises concerning the definition of internal control: How does management assess whether a
            company’s internal control system is effective for financial reporting purposes without understanding
            internal control?

            The definition of internal control has changed somewhat throughout the past century.

              Transactions are executed in accordance with management’s general or specific authorization
               (the authorization function).
              Transactions are recorded as necessary to permit preparation of financial statements in accordance
               with generally accepted accounting principles or any other criteria applicable to such statements and
               to maintain accountability for assets (the bookkeeping function).
              Access to assets is permitted only in accordance with management’s general or specific
               authorization (the access to assets function).
              The recorded accountability for assets is compared with existing assets at reasonable intervals and
               appropriate action is taken with respect to any differences (the independent reconciliation function).

            If these functions were separated (authorization, bookkeeping, access to assets, and independent
            reconciliation), then it was assumed that a system had effective controls over financial reporting. This is
            a well-established conceptual foundation for internal control. However, this definition ignores the fact
            that, in numerous fraud cases, even though there was adequate segregation of duties, several
            perpetrators with separated functions have colluded to commit fraud.


            It should be noted that the SEC added safeguarding of assets to these separation-of-duties controls as an
            important control to be considered when assessing the effectiveness of internal control systems over
            financial reporting. The SEC stated that internal controls over safeguarding of assets should be such that
            the controls provide reasonable assurance regarding prevention or timely detection of (a) unauthorized
            acquisition, (b) use, and (c) disposition of assets that could have a material effect on the financial
            statements.

            The SEC final rules define internal control over financial reporting as

                   A process designed by, or under the supervision of, the registrant’s principal executive and
                   principal financial officers, or persons performing similar functions and effected by the
                   registrant’s board of directors, management and other personnel, to provide reasonable
                   assurance regarding the reliability of financial reporting and the preparation of financial
                   statements for external purposes in accordance with generally accepted accounting principles
                   and includes those policies and procedures that




            © 2020 Association of International Certified Professional Accountants. All rights reserved.    2-2