SOX 404 under COSO Framework

Overview: Financial reporting became increasingly complex for smaller public companies with the introduction of the Sarbanes-Oxley Act (SOX), a federal law passed in 2002. SOX was enacted in response to numerous large-company accounting scandals, and it created a new world of responsibilities (as well as burdens and risks) for senior executives of Issuers and their audit committees.

Section 404(a) of SOX requires management to evaluate its internal controls over financial reporting. The most commonly used and understood framework for evaluating internal controls over financial reporting is that contained in the report of The Committee of Sponsoring Organizations of the Treadway Commission (COSO). The COSO report, Internal Control—Integrated Framework, established a broad definition of internal control extending to all objectives of an organization. The COSO report established three categories of controls: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with laws and regulations. It also identified five interrelated components that must be present and functioning to have an effective internal control system, and it described the criteria for effective internal control.

The risks of non-compliance are enormous for those responsible for certifying the accuracy of financial data. Compliance administration is complex and costly, which can stretch financial resources thin. The costs of implementing and maintaining compliance with Section 404, if not properly managed, can be exorbitant.

Services: There are many consulting offerings in the marketplace that provide turnkey solutions to most companies’ SOX 404 implementation and monitoring requirements. Our services, conversely, are designed to empower management and its employees to assume most of the responsibilities for implementation and monitoring.

We have extensive experience providing SOX 404 services and, as a result, our team has developed and continuously improved upon a robust SOX-404 Toolkit. With the proper tools, our general approach is:

  • Provide initial training on the COSO Framework and the use of the Toolkit
  • Supervise employees in developing the planning phase elements (risk assessments, definitions, plans)
  • Review significant elements of production and manage the timeliness of commitments
  • Play a heavier role where needed (e.g. Entity Level Assessments)
  • Frequently report to management and the Audit Committee on the status of the project

We believe that management prefers to empower company employees to take on this daunting task. We provide that empowerment.

Case Study: A middle-market, very cost-conscious public company approached us for an alternative to the highly expensive proposals for their initial SOX 404 implementation, necessary for management’s report under Section 404(a). Management reviewed our approach and tools and concluded that company employees could “block-and-tackle” the project with our oversight. Granted, there was an internal cost associated with the implementation. However, when the project was completed, our fees were less than 25% of the lowest proposal that management had received.