Are you under control? Avoid unnecessary risk exposure

In June 2003, the US Securities and Exchange Commission (SEC) published its final rule to implement Section 404 of the Sarbanes-Oxley Act 2002. Section 404 requires management’s annual assertion that internal controls over financial reporting are effective.

S404 specifies a series of minimum requirements to be contained in management’s report, such as:

  • A statement of management’s responsibility for establishing and maintaining adequate internal control over financial reporting for the registrant;
  • A statement identifying the framework used by management to evaluate the effectiveness of the registrant’s internal control over financial reporting;
  • Management’s assessment of the effectiveness of the registrant’s internal control over financial reporting as of the end of the registrant’s most recent fiscal year, including a statement as to whether or not internal control over financial reporting is effective; and
  • A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management’s assessment of the registrant’s internal control over financial reporting.

I recently returned from an engagement where I was helping a client improve his internal control environment in order to achieve Sarbanes-Oxley s404 compliance. I don’t advocate that operators subscribe to SOX-levels of control, unless required to do so. However, I do strongly believe in the benefits of a strong internal control environment.

As defined by the Committee of Sponsoring Organizations (COSO), internal control provides management and the board of directors with reasonable assurance over the:

  • effectiveness and efficiency of operations
  • compliance with applicable laws and regulations
  • reliability of financial reporting

Given that CEOs and CFOs can be held accountable for faults stemming from the above 3 categories, it’s clear that internal control plays a key business role. Yet the benefits go beyond limiting management’s exposure to risk. For example, improvements in internal control may yield some of the following benefits:

  • Decrease in revenue leakage
  • Reduction in, and enhanced detection of, fraud incidents
  • Increase in management ability to trace issues
  • Reduction of audit burden (internal & external)

The following teaser on mmC GROUP’s approach to strengthening internal control provides further details. Enjoy!

