Sarbanes-Oxley and the COSO Approach

You may hear a lot of discussion about the role of the Internal Auditor with respect to Sarbanes-Oxley and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) approach. We felt that a little background information would clarify the issue somewhat ...

The Sarbanes-Oxley Act of 2002 arose in response to a series of high-profile business scandals and failures in which investors, company personnel and other stakeholders suffered tremendous losses (e.g., Enron). It applies to publicly traded companies. Some of Sarbanes-Oxley's most important stipulations are that:

  • The CEO and CFO of each issuer must certify the appropriateness of the financial statements and disclosures contained in the periodic report and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer. (Section 302)
  • Each annual report of an issuer shall contain an internal control report which shall 1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and 2) contain an assessment, as of the end of the issuer's fiscal year, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. (Section 404)

In other words, management is REQUIRED to certify that their financial statements and accompanying notes fairly represent operations/finances of the issuer and that internal controls are adequate. Maximum penalties for willful and knowing violations of this section are a fine of not more than $500,000 and/or imprisonment of up to 5 years.

While the Sarbanes-Oxley Act does not apply to institutions of higher education or other public or not-for-profit entities, many colleges and universities are considering implementing similar standards as a best business practice.

Internal Control-Integrated and Enterprise Risk Management-Integrated Frameworks

The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, was originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private sector initiative which studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

COSO developed a tool to assess and enhance internal control systems called Internal Control-Integrated Framework. COSO has also issued Enterprise Risk Management-Integrated Framework which expands on the study of internal control and looks at the broader subject of risk management. Both are based on the key concepts outlined below.

COSO Definition of Internal Control

Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

Key Concepts

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It's not merely policy manuals and forms, but people at every level of an organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Hard Controls versus Soft Controls

Internal controls can be either "hard" or "soft". Hard controls consist of organizational structure, assignment of authority and responsibility, and human resources policies and practices. All three are relatively traditional areas examined in most audits.

Soft controls include ethics, commitment to competence, and management operating style. Such controls have traditionally been overlooked in audits because documented evidence of the audit condition is difficult to obtain and test.

The Office of Internal Audit will be considering both Sarbanes-Oxley and COSO when preparing and performing future audits.

Copyright 2012 by Western Carolina University, Cullowhee, NC 28723