Internal control audits have always been important but in recent years new emphasis has been placed on internal controls by the government and investors because of numerous corporate accounting scandals. As a result internal control audits are more important now than ever before. Internal control audits are conducted to ensure that internal control systems are functioning as intended, to identify material weaknesses that need to be corrected and to comply with the external reporting requirements of the Securities and Exchange Commission and the Sarbanes-Oxley Act.
Accurate and timely accounting records are necessary for directors and managers to determine operating results and to be able to make adjustments when necessary in their operations. They are necessary for satisfying external reporting requirements, for government regulators to determine compliance with laws and regulations and for investors to make sound investment decisions. Accurate and timely accounting records allow for the efficient and effective management of a business. Without timely and accurate accounting records confusion and chaos would result.
This is where internal controls come into play. A strong internal control system is necessary to provide reasonable assurance of accurate and timely accounting records.
According to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with laws and regulations.
The COSO integrated internal control framework, which is generally accepted in the United States, has five components: control environment, risk assessment, information and communication, control activities, and monitoring.
The aggregate control system of the organization as defined by COSO includes accounting controls but goes much further to include administration, operations and governance. All five components apply to the entire organization, not just the accounting and financial reporting functions.
Properly designed internal controls provide reasonable assurance that objectives will be met. There cannot be absolute assurance because there are inherent limitations to internal controls and at some point the cost of tighter and/or more controls outweighs the benefit of those incremental control procedures. The concept of reasonable assurance implies a high degree of assurance, limited by cost/benefit considerations and other inherent limitations.
Since internal control involves human action, there is always the possibility of errors in processing or judgment. Internal controls can also be overridden by employee collusion or coercion by top management.
Internal Control Audits
Internal control audits are mandated by the Sarbanes-Oxley Act, otherwise known as SOX, and are part of the annual SEC reporting package for public companies. On a quarterly basis, section 302 of SOX requires management to assess their internal controls and report any material weaknesses as well as corrective actions. The CEO and CFO must certify these reports. On an annual basis an independent audit firm must be engaged to conduct an internal control audit under section 404 of SOX. The external auditor must provide an annual opinion as to the reliability of the control representations (certifications) made by the CEO and CFO. These internal control audits focus on internal controls over financial reporting and would disclose any noncompliance by management with regard to management’s quarterly assessments and reports. Section 906 requires that the CEO and CFO ensure all financial reporting accurately represents the financial position and results of operations of the company and that they are in compliance with SOX. This section also has criminal penalties for noncompliance.
CEO and CFO Requirements
Section 906 requires that a company's CEO and CFO ensure all financial reporting accurately represents the financial position and results of operations of the company and that they are in compliance with SOX. This section also has criminal penalties for noncompliance.
Because these internal control audits are mandated by law and have been made a part of the SEC reporting package, they are very important to management, regulators and the investing public. Internal control audits verify that proper internal controls are in place and are functioning as intended.