What’s the difference between COSO and SOX? Do they work together? Keep reading to learn the key features of each, and how to take control of your SOX documentation so that it maps your controls to the COSO Internal Control Framework.
What Does COSO Mean?
For the past 30 years, COSO has been the dominant internal control framework used throughout the world. According to an article in the Journal of Accountancy, after the passage of the Sarbanes-Oxley Act of 2002, “COSO’s framework became part of a worldwide movement to enhance periodic accounting and reporting of financial results.” Five organizations developed the framework as a joint initiative: The Institute of Internal Auditors (IIA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the American Accounting Association (AAA). Initially chaired by James C. Treadway Jr., the commission these five organizations sponsored was formed to study the causes of fraudulent financial reporting and the role internal controls play in preventing it. The name COSO is an acronym for the Committee of Sponsoring Organizations of the Treadway Commission.
What About Sarbanes-Oxley Act (SOX)?
The Sarbanes-Oxley Act of 2002 was passed by the US Congress after a series of significant frauds and accounting scandals severely damaged confidence in the US stock market. Many of the companies involved, such as Enron, WorldCom, and Tyco International, remain well known 20 years later. The legislation was co-sponsored by US Senator Paul Sarbanes and US Representative Michael G. Oxley, hence the name Sarbanes-Oxley Act. Since 2002, many countries have passed similar laws. Two of the most impactful provisions in the act are Section 302 (Corporate Responsibility for Financial Reports, which requires officers to certify the financial statements and the disclosure controls behind them) and Section 404 (Management Assessment of Internal Controls). Together, the two sections mandate a controlled environment for financial reporting that includes designing, implementing, testing, and certifying the effectiveness of internal controls.
What’s the Difference Between COSO and SOX?
COSO and SOX address the need for more robust internal controls from different angles. COSO provides a framework for managers to use when designing their control environment. In the 2013 update, the committee made the framework more explicit by stating 17 principles and 87 points of focus to consider when evaluating the control environment.
The SOX Act, on the other hand, does not prescribe how internal controls should be designed or which framework to use. It makes an effective control environment over financial reporting a legal requirement for all publicly traded companies. The act goes further by holding the CEO and CFO personally accountable for certifying the accuracy of financial reports and the effectiveness of the controls behind them, with criminal penalties for knowingly false certifications.
How Do COSO and SOX Combine?
For public companies that need to meet SOX compliance, the COSO framework provides a solid foundation for designing internal controls over financial reporting. One of the main difficulties in developing an effective control environment is knowing whether you have adequate coverage. The precise nature of the COSO 2013 Framework “also makes it easier for management to see what’s covered and where gaps may exist in their current SOX 404 compliance program.” Since SOX Section 404(a) requires management to assess and sign off on its internal controls over financial reporting, following the COSO framework gives management confidence that its controls rest on a recognized set of guidelines.
What Happens If You Are Not SOX Compliant?
As mentioned earlier, SOX is a legislative act that includes criminal penalties for officers of public companies who fail to comply with its certification requirements for financial reporting. Most auditors focus on just two sections of the SOX Act, namely Section 302 and Section 404, but the act includes much more. Multiple sections specifically describe the penalties for non-compliance related to:
- Altering documents (Sec. 802).
- Defrauding shareholders (Sec. 807).
- Mail and wire fraud (Sec. 903).
- Violating retirement laws (Sec. 904).
- Retaliating against whistleblowers (Sec. 1107).
Section 1106 of the SOX Act raised the maximum penalties: a corporate officer who does not comply or submits an inaccurate certification “is subject to be fined not more than $5,000,000, or imprisoned not more than 20 years, or both”. Beyond the corporate officer, the company itself could face “a fine not exceeding $25,000,000”.
Aside from the fines, the impact on a company’s reputation could be catastrophic. Remember, the driving force for this legislation was the collapse of several public companies. When the US implemented SOX, not all companies had adequate controls around financial reporting. In the article SOX: Culprit Behind Increased Delisting?, the author pointed out that “within the first two years that SOX was implemented, 370 publicly traded companies delisted from a major exchange.” She further explained that when “companies choose to delist in order to save time and money, they degrade their public respectability and reputation.”
What Is the COSO Framework?
The COSO Internal Control Framework was developed to help “organizations design and implement internal control in light of the many changes in business and operating environments.” The original framework dates from 1992 and predates SOX; the 2013 update was written with SOX reporting in mind, but the framework goes beyond financial reporting controls since it applies to operations, compliance, and reporting (both internal and external). For most public companies, using the COSO Internal Control Framework is an exercise in mapping their SOX controls to the framework and then evaluating the control environment as a whole against it. In some areas of the company, the controls may be more effective than in others. Mapping the controls to the framework highlights the areas of strength and weakness so that management can implement new or different controls. For example, suppose we find that all of our controls around application security are manual, detective controls. In that case, we may replace them with an automated, preventive control that is more effective and probably less costly.
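As an added example (not code from the original article or from any GRC product), the following Python script performs the mapping exercise just described over a constructed control inventory. Each control is tagged with the COSO 2013 principle it supports, whether it is preventive or detective, and whether it is manual or automated; the script then lists the principles with no control at all and the process areas that rely only on manual detective controls, which are the candidates for automation. Control IDs, areas and descriptions are hypothetical; the 17 principle titles are paraphrased from the COSO 2013 framework.

```python
"""Map a SOX control inventory onto the COSO 2013 components and principles,
then report uncovered principles and areas that rely only on manual,
detective controls. Added example; control data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass

# COSO 2013 Internal Control Framework: five components, seventeen principles.
# Principle titles are paraphrased from the framework.
COSO_PRINCIPLES = {
    1: ("Control Environment", "Commitment to integrity and ethical values"),
    2: ("Control Environment", "Board oversight of internal control"),
    3: ("Control Environment", "Structure, authority and responsibility"),
    4: ("Control Environment", "Commitment to competence"),
    5: ("Control Environment", "Accountability for internal control"),
    6: ("Risk Assessment", "Suitable objectives"),
    7: ("Risk Assessment", "Identifies and analyzes risk"),
    8: ("Risk Assessment", "Assesses fraud risk"),
    9: ("Risk Assessment", "Identifies and analyzes significant change"),
    10: ("Control Activities", "Selects and develops control activities"),
    11: ("Control Activities", "General controls over technology"),
    12: ("Control Activities", "Deploys controls through policies and procedures"),
    13: ("Information and Communication", "Uses relevant, quality information"),
    14: ("Information and Communication", "Communicates internally"),
    15: ("Information and Communication", "Communicates externally"),
    16: ("Monitoring Activities", "Ongoing and/or separate evaluations"),
    17: ("Monitoring Activities", "Evaluates and communicates deficiencies"),
}
NATURES = {"preventive", "detective"}
EXECUTIONS = {"manual", "automated"}


@dataclass(frozen=True)
class Control:
    control_id: str   # hypothetical identifier from the SOX control matrix
    area: str         # business or IT process the control belongs to
    description: str
    principle: int    # COSO 2013 principle number, 1-17
    nature: str       # "preventive" or "detective"
    execution: str    # "manual" or "automated"


def validate(controls):
    """A row that cannot be mapped would silently hide a gap, so fail loudly."""
    for c in controls:
        if c.principle not in COSO_PRINCIPLES:
            raise ValueError(f"{c.control_id}: unknown COSO principle {c.principle}")
        if c.nature not in NATURES or c.execution not in EXECUTIONS:
            raise ValueError(f"{c.control_id}: invalid nature/execution")


def coverage_by_component(controls):
    """{component: {principle: [control ids]}}; every one of the 17 principles
    is present, so an empty list marks a gap explicitly."""
    validate(controls)
    coverage = {}
    for num, (comp, _) in COSO_PRINCIPLES.items():
        coverage.setdefault(comp, {})[num] = []
    for c in controls:
        coverage[COSO_PRINCIPLES[c.principle][0]][c.principle].append(c.control_id)
    return coverage


def uncovered_principles(controls):
    """Principle numbers with no mapped control: where the gaps are."""
    validate(controls)
    covered = {c.principle for c in controls}
    return sorted(p for p in COSO_PRINCIPLES if p not in covered)


def manual_detective_only_areas(controls):
    """Areas whose controls are all manual and detective: candidates for
    replacement by an automated, preventive control."""
    validate(controls)
    by_area = defaultdict(list)
    for c in controls:
        by_area[c.area].append(c)
    return sorted(area for area, cs in by_area.items()
                  if all(c.nature == "detective" and c.execution == "manual" for c in cs))


def coverage_report(controls):
    """Plain-text summary suitable for a SOX documentation package."""
    lines = []
    for comp, principles in coverage_by_component(controls).items():
        lines.append(comp)
        for num, ids in principles.items():
            lines.append(f"  P{num:02d} {COSO_PRINCIPLES[num][1]}: {', '.join(ids) or 'GAP'}")
    lines.append("Manual-detective-only areas: " + ", ".join(manual_detective_only_areas(controls)))
    return "\n".join(lines)


# Constructed sample inventory; IDs, areas and descriptions are hypothetical.
SAMPLE_CONTROLS = [
    Control("ENT-01", "Entity level", "Code of conduct acknowledged annually by all staff", 1, "preventive", "manual"),
    Control("ENT-02", "Entity level", "Audit committee reviews quarterly financial results", 2, "detective", "manual"),
    Control("ENT-03", "Entity level", "Delegation of authority matrix approved by the board", 3, "preventive", "manual"),
    Control("RA-01", "Risk assessment", "Annual financial reporting risk assessment signed off by CFO", 7, "detective", "manual"),
    Control("REV-01", "Revenue", "ERP blocks invoice posting without a matching shipment record", 10, "preventive", "automated"),
    Control("REV-02", "Revenue", "Controller reviews month-end revenue cut-off report", 10, "detective", "manual"),
    Control("ITGC-01", "Application security", "Quarterly manager review of ERP user access listings", 11, "detective", "manual"),
    Control("ITGC-02", "Application security", "Monthly review of privileged-account activity logs", 11, "detective", "manual"),
    Control("IC-01", "Reporting", "Monthly close checklist distributed to process owners", 14, "preventive", "manual"),
    Control("MON-01", "Internal audit", "Internal audit tests key controls semi-annually", 16, "detective", "manual"),
]

if __name__ == "__main__":
    print(coverage_report(SAMPLE_CONTROLS))
```

Run as-is, the report shows nine principles with no control (including fraud risk assessment and external communication) and flags "Application security" as an area where every control is a manual, detective review, which is exactly the case the paragraph above suggests replacing with an automated control. Extending the inventory is a matter of adding rows; the validation step refuses rows whose principle number or control type is malformed rather than letting them disappear from the coverage picture.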
What Are the 5 Components of the COSO Framework?
The COSO Internal Control Framework is a comprehensive model comprising five integrated components, supported by seventeen principles. The goal of COSO is for organizations to achieve effective internal control by applying the principles. The list below groups the typical control objectives under each of the five components:
- Control Environment
  - Exercise integrity and ethical values.
  - Make a commitment to competence.
  - Use the board of directors and audit committee.
  - Facilitate management’s philosophy and operating style.
  - Create an organizational structure.
  - Assign authority and responsibility.
  - Utilize human resources policies and procedures.
- Risk Assessment
  - Create company-wide objectives.
  - Incorporate process-level objectives.
  - Perform risk identification and analysis.
  - Manage change.
- Control Activities
  - Follow policies and procedures.
  - Improve security (application and network).
  - Conduct application change management.
  - Plan business continuity/backups.
  - Control outsourced services.
- Information and Communication
  - Measure quality of information.
  - Measure effectiveness of communication.
- Monitoring Activities
  - Perform ongoing monitoring.
  - Conduct separate evaluations.
  - Report deficiencies.
The control environment is the totality of the policies, procedures, standards, and processes that management has established within the organization. The environment also includes the organization’s integrity and ethical values, heavily influenced by management’s tone at the top.
Every organization has an underlying set of objectives, risks that can prevent management from achieving those objectives, and controls to mitigate the risks. To determine the risk level in any area of the organization, a risk assessment must establish the impact and likelihood of each risk occurring. The assessment helps determine the level of controls needed and the amount of residual risk that remains after the controls are taken into account.
Control activities are the specific actions management uses to enact the policies and procedures established in the control environment. For example, a company may have the policy to provide system access based on the minimum access needed. A control activity could be a system that assigns access based on a role established and reviewed by the person’s manager.
Information and Communication
Controls only work if people know what to do, when to act, and what to do if there is a concern. Information and communication cover both internal and external communication.
Monitoring Activities
The assurance efforts performed by management, compliance, and auditors all fall under monitoring activities. Management owns any issues that come out of the monitoring process and formulates corrective action plans.
Bottom Line: Start Taking Charge of Your SOX Documentation Process
In the end, SOX compliance depends on strong documentation. Internal management, audit committees, and external auditors all rely on our documentation to assess our internal controls over financial reporting. You can take the first step to creating strategic SOX documentation by ensuring you have logical, useful information that includes:
- COSO Mapping
- Process Narratives
- Issue Tracking
Technology enablement is the key to developing reliable SOX documentation that maps your controls to the COSO Internal Control Framework. Taking control of your SOX documentation process makes SOX compliance significantly easier for everyone involved. Internal auditors, process owners, executives, and external auditors will be able to gain instant visibility into your control certification status and sync updates across risks, controls, and testing information. If you have not yet taken the critical step of taking charge of your documentation, there is no reason to wait any longer. Learn how connected SOX compliance software can help your organization achieve compliance and scale your compliance programs to take on increasing requirements.