Internal Control Frameworks and Meeting ICFR Requirements

The first codification of internal accounting controls happened nearly four decades ago, spurred on by the increasing bribery and corruption cases of U.S. businesses in 1977.  Since then, and more notoriously due to the Enron Accounting scandal and others, the requirements of financial controls and reporting have slowly become more clearly defined and enforced. The Sarbanes-Oxely Act (SOX) has been in effect for all U.S. listed companies and those conducting business in the U.S since 2002, as a means to prevent and protect against accounting errors and fraudulent practices. Section 404 requires the implementation of adequate Internal Control over Financial Reporting (ICFR) within listed companies to guarantee fair financial reporting practices in accordance with Generally Accepted Accounting Principles (GAAP). External auditors must attest to the design and effectiveness of Internal Control over Financial Reporting and the accuracy of an organisation’s financial statements.

Although there is mention above of requirements becoming “more clearly defined”, the actual requirements on how to achieve compliance are not so simple and SOX is not praised for straightforward guidance on how best to achieve compliance. The Sarbanes-Oxley Act, despite requiring organisations to have established and effective internal controls governing both IT and financial spheres, does not provide a checklist to follow, nor milestones to measure achievements. The ambiguity of SOX requirements has been widely condemned due to its vague nature, let alone the missing differentiation between key process parts.

Despite the lack of a clearly defined control framework from SOX, two leading organisations responsible for implementing SOX, namely the SECC and PCAOB – do point to common widely accepted frameworks, such as COSO and COBIT, and even a combination of the two, to adopt in your quest for SOX Compliance and ensuring ICFR. Combining frameworks can also help ensure that all aspects are covered in your SOX compliance checklist and help your organisations to meet ICFR requirements, as listed in Section 404.

COSO, COBIT, SOX & ICFR

Committee of Sponsoring Organisations of Treadway Commission (COSO) – 1985

The COSO framework provides an applied risk management approach to internal controls and articulates key concepts that organisations can use to deter fraud. The framework also places emphasis on financial related controls, designed to enable SOX 404 requirements of ICFR. The framework, however, lacks full consideration for the IT environment of the organisation. According to COSO, there are three types of internal controls:

• Those that affect a company’s operation
• Those that affect a company’s compliance with laws and regulations.
• Those that affect a company’s financial reporting. (ICFR)

Control Objectives for Information and Related Technology (COBIT) – 1992

COBIT is an IT Management framework developed by ISACA, which provides a clear path for developing policies and good practice for IT control, helping organisations achieve their objectives in the sphere of information technology. The COBIT model allows managers to bridge the gap between control requirements, technical isssues and business risks.

Sarbanes-Oxley Act (SOX) – 2002

• Section 404 – Internal Control over Financial Reporting

SOX applies to all publicly traded companies in the United States as well as wholly-owned subsidiaries and foreign companies that are publicly traded and do business in the United States. The Internal Controls Report, mandated by Section 4 of the Act, commonly known as SOX 404, requires that all applicable companies have adequate internal controls in place to report accurate financial data in their annual reports. More specifically, SOX 404 requires companies to implement adequate Internal Control over Financial Reporting (ICFR) to ensure fair financial reporting practices have been put in place in accordance with Generally Accepted Accounting Principles (GAAP).

SOX Compliance and Meeting ICFR Requirements within Alyne

In an interconnected world, financial integrity relies heavily on a secure, properly functioning IT infrastructure. The ability to follow your finances requires full transparency and assurance of where and how your data flows. Meeting ICFR requirements set out in SOX 404, requires an organisation to have not only sound Financial Controls, focusing on the financial integrity of an enterprise, but also cover relevant Business Controls, with IT and information security related topics.

Covered within Alyne:

• Full mapping based on COBIT-COSO.

• Extensive IT and Information Security related controls.

• Library of Financial Controls focused purely on the financial integrity of an enterprise.

ICFR Control Set and Assessment Template:

The content available within the Alyne platform has enabled us to release an out-of-the-box Control Set for ICFR: Internal Control over Financial Reporting (ICFR) for compliance with SOX and SOC 1.

In addition to the Control Set, Alyne offers an out-of-the-box Assessment Template with pre-configured maturity levels which help corporations assess the maturity of their financial integrity. Regular self-assessments help organisations review compliance within their financial reporting requirements and assists them in strengthening their Internal Control over Financial Reporting. Alyne’s latest Internal Control over Financial Reporting capability allows a complete health-check of your company as well as your vendor base, for both SOX and SOC 1 compliance.

Download our latest white paper and learn more about SOX/SOC-in-a-Box and how Alyne can help your organisation with the Internal Control over Financial Reporting (ICFR) requirements of the U.S. Sarbanes- Oxley Act (SOX) “Management Assessment of Internal Controls”, and the System and Organisation Controls 1 (SOC 1) framework, defined as “Reporting on an Examination of Controls at a Service Organisation Relevant to User Entities’ Internal Control Over Financial Reporting.”