SOX/Internal Control Services

Internal control is not a new concept or a new responsibility for management. The need for a strong system of internal controls that considers the risks an entity faces, including fraud and technology, has not changed. In 1992, the first version of the report on Internal Control – Integrated Framework by the Committee of Sponsoring Organizations of the Treadway Commission (COSO Report) was issued. The COSO internal control framework serves as a benchmark for entities in today’s business environment. So if internal control isn’t new and internal control frameworks have been widely published for years, what has changed?

In response to the wide adoption of COSO framework, fundamental concepts underlying the five components of COSO have been formalized as principles. The updated framework is due to be released in the first quarter of 2013.

Cherry Bekaert provided feedback on the Exposure Draft (ED) to COSO as a member firm of the American Institute of Certified Public Accountants (AICPA) Internal Control Task Force for the 2012 COSO Internal Control over External Financial Reporting (ICEFR).

Some key takeaways of the Task Force’s review of the ED:

  • There was a concern among Task Force members that the COSO ED will cause management and auditors to conduct a “gap analysis,” which will likely impose additional burdens on entities reporting on effectiveness of ICEFR, especially in transitioning from the original framework.
  • The 17 Principles are supported by approximately 450 “Points of Focus,” plus a 150-page Compendium of ICEFR Approaches and Examples, which tends to create a more prescriptive impression of how to apply the COSO framework.
  • More information on how to deal with technology, both information technology (IT) general controls and IT application control activities.
  • Significant emphasis on the quality of documentation in the form of narratives and flowcharts.
  • Classification of deficiencies is limited to “deficiencies” and “major deficiencies,” which is similar to Japanese internal control requirements also known as JSOX. The updated framework does not attempt to align “major deficiencies” with currently defined terms “significant deficiency” and “material weakness.”
  • Regulators, such as the SEC and PCAOB, are yet to comment on how companies should address the updated framework when released.

The business and regulatory environment has changed. It has changed in such a way that what was once, and still is, just good business sense can now be, at its most extreme, a regulated function – requiring management to self-certify the internal control environment and, in some cases, requiring an external auditor to opine on management’s process of evaluating internal controls and on the internal control environment itself.

Cherry Bekaert recognizes the challenges facing entities in today’s environment and has designed a continuum of internal control services to complement our Risk Advisory suite of services. The internal control service continuum allows us to adjust the engagement depth and breadth to meet the unique needs of your organization – from a simple review of internal controls for a not-for-profit organization to a full-blown Sarbanes-Oxley Section 404 (SOX 404) implementation project.

Our professionals are up-to-date on the regulatory challenges facing your organizations, and we will work with you to design a service that is right for your needs.